Bug Bounties Entice Researchers to Don White Hats

Not all bug hunters are in search of a payday. In fact, many are primarily concerned with maintaining Internet security. "The target audience of bug bounty programs are researchers who want to keep users safe," Eduardo Vela Nava, a security engineer with Google, remarked. "They would continue to report the bugs they find with or without a reward."

Bug bounty programs are used by individual software makers to improve the quality of their products, but they can have incidental benefits for all software makers, too. One of those is to encourage bug hunters to wear a white hat instead of a black one.
"An overwhelming majority of people have a vested interest in a secure Internet," explained Alex Rice, CTO of HackerOne. "When you make it easy for hackers to do the right thing, the majority will," he told TechNewsWorld.
Adam Ely, co-founder of Bluebox, identified three primary markets for software flaws. The first is bug bounty programs. "This is the easiest place to submit the bug," he told TechNewsWorld.
Moreover, many flaws just aren't worth very much on the second market -- the online underground. "Most bugs found in bug bounty programs are trivial and have little value to attackers, thus the company's program is more profitable and less work -- though high severity bugs earn more in the black market," Ely said.

Inclined to Be Ethical
The third market -- governments -- can be the most lucrative for a bug hunter, but it's also the most difficult to crack.
"Selling to a government is harder, as it requires the proper contacts and only certain, high severity bugs are of interest," Ely explained. "Those two requirements," he added, "are why most people who find bugs will not be able to go this route."

Even if they had an opportunity to sell their findings to the dark side, many wouldn't do so, maintained David Lindsay, a senior security product manager at Coverity. "A lot of researchers want to do the right thing, and even at the expense of money will disclose a vulnerability to a company," he told TechNewsWorld.

That's particularly true for researchers attracted to bounty programs, observed Eduardo Vela Nava, a security engineer with Google, which has a large and successful bug bounty program.

"The target audience of bug bounty programs are researchers who want to keep users safe," he told TechNewsWorld. "They would continue to report the bugs they find with or without a reward."

Snow Days

Kids aren't the only ones who get to stay home on snowy days. Some companies allow their workers to punch in from home on those days also. That can present a security problem for an organization.

While a company's road warriors may have their equipment properly secured from a host of nasty things outside the corporate firewall, workers who only occasionally work from home and use a family machine to do so can pose a risk to a company. That's especially true if they're using VPN software.

"You're giving these home machines that you have no control over access to your corporate network," explained Sergio Galindo, general manager of GFI Software.

"That's one of the scariest things for an IT administrator," he told TechNewsWorld, "allowing a machine into your network that you don't know anything about."

Galindo recommends taking measures to secure computers of employees who need to use a VPN before the snow starts falling.

"You need to make sure there's some agreement in place around anti-virus and some sort of malware protection on that computer," he said.

Virtual Mata Haris

Governments have been using women to coax intelligence from men throughout history, but a group of supporters of Syrian President Bashar al-Assad have brought the ruse into the virtual world.

Using fake Facebook profiles and Skype, members of the group posing as women persuaded some opponents of the Assad regime to download malware that pilfered 7.7 gigabytes of data, some of it exposing insights into military operations against the government.

The pro-Assad hackers would set up a Skype account and choose a female avatar, explained Nart Villeneuve, senior threat intelligence researcher at FireEye. "Then they'd contact these fighters in Syria and engage in flirtatious chats with them," he told TechNewsWorld.

Eventually the "women" would send a picture -- typically clipped from news sites -- of themselves to their targets. Although the picture file had an image extension, it was actually an executable file that displayed a picture as promised, but also planted malware on the target's machine.
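The lure described above, a file carrying an image extension whose content is really an executable, is exactly the kind of mismatch a mail gateway or endpoint script can catch by comparing the declared extension against the file's leading bytes (its magic number). The following Python is an added example written for this page, not code from the article or from FireEye; it goes slightly beyond the article by also flagging two common ways of disguising the name, a double extension such as photo.jpg.exe and a right-to-left override character. The file contents below are constructed sample bytes, not real malware.

```python
# Added example (not from the article): flag files whose extension claims an
# image but whose leading bytes identify something else, such as a Windows PE
# executable, and flag filename tricks that hide an executable extension.
import os

# Magic numbers of common image formats, keyed by lowercase extension.
IMAGE_MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".bmp":  [b"BM"],
}

# Windows executables (PE files) start with the DOS header signature "MZ".
PE_MAGIC = b"MZ"

# Extensions Windows will execute directly when the user double-clicks.
EXEC_EXTENSIONS = ("exe", "scr", "com", "pif")

# Unicode right-to-left override: makes "photo\u202egpj.exe" render as
# "photoexe.jpg" in many file listings.
RTLO = "\u202e"


def suspicious_name(filename):
    """Name-level checks that need no file content.

    Returns a list of reason strings (empty when the name looks ordinary).
    """
    reasons = []
    if RTLO in filename:
        reasons.append("rtlo_in_name")
    parts = filename.lower().split(".")
    # photo.jpg.exe: an image extension immediately before an executable one.
    if (len(parts) >= 3
            and "." + parts[-2] in IMAGE_MAGIC
            and parts[-1] in EXEC_EXTENSIONS):
        reasons.append("double_extension")
    return reasons


def classify(filename, data):
    """Classify a (filename, leading bytes) pair.

    Returns (verdict, name_reasons) where verdict is one of:
      'image'                          extension and magic bytes agree
      'executable_disguised_as_image'  image extension, PE content
      'content_mismatch'               image extension, unrecognised content
      'not_image_extension'            extension is not an image type
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext in IMAGE_MAGIC:
        if any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
            verdict = "image"
        elif data.startswith(PE_MAGIC):
            verdict = "executable_disguised_as_image"
        else:
            verdict = "content_mismatch"
    else:
        verdict = "not_image_extension"
    return verdict, suspicious_name(filename)


def scan(samples):
    """Return [(filename, verdict, reasons)] for every sample that is not a
    plain, correctly named image."""
    findings = []
    for name, data in samples.items():
        verdict, reasons = classify(name, data)
        if verdict != "image" or reasons:
            findings.append((name, verdict, reasons))
    return findings


# Constructed sample inputs: only the first few bytes matter for this check.
SAMPLES = {
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",          # genuine JPEG header
    "fake.jpg": b"MZ\x90\x00\x03\x00\x00\x00",             # PE header, .jpg name
    "photo.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",        # double extension
    "photo\u202egpj.exe": b"MZ\x90\x00\x03\x00\x00\x00",   # RTLO-disguised name
}

if __name__ == "__main__":
    for name, verdict, reasons in scan(SAMPLES):
        print(f"{name!r}: {verdict} {reasons}")
```

Only the first eight bytes of each file are needed, so the check is cheap enough to run inline on every attachment; a content mismatch is worth quarantining even when the name looks ordinary, since Windows hides known extensions by default and the recipient sees only the icon and the name the attacker chose.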

An examination by FireEye of the chat sessions between the virtual women and men revealed a common question: What are you running Skype on?

"The reason they did that," Villeneuve said, "was the attackers had a diverse malware arsenal, so if the target was on Android, the attackers could deliver Android malware to them instead of Windows malware."

Source from: http://www.technewsworld.com/
Written by: Unknown - Monday, March 2, 2015
