Security Leftovers
-
When disclosure goes wrong. People | Pen Test Partners
My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons.
It’s not all bad though. Bug bounties incentivise bringing organisations and independent researchers together, with rewards for researchers’ efforts. They’re also quite handy for sifting out the dross and allowing organisations to focus on important vulnerabilities.
Perhaps the hardest part is trying to help VDP people effect change in their organisations when their organisation is patently not interested. Many organisations claim to take customer security seriously, but through inaction and abdication of responsibility they clearly do not. Outsourcing to a bug bounty platform does not relieve said organisation of its responsibility to listen to researchers or its responsibility to fix vulnerabilities.
It’s not my job to shoot the messenger. It’s not fair or right for a researcher to hold someone in the vendor’s Product Security Incident Response Team (PSIRT) responsible for all of the vendor’s failings. But, if they’re my only available point of contact what choice do I have?
If I don’t get a sensible response when going through a VDP and the vulnerability is serious enough, I simply go to the top of the organisation.
-
Google debuts open source bug bounty programme [Ed: And at the same time Gulag undermines security and helps the NSA]
Google is calling on hackers to take pot-shots at its open source projects for the first time through a new vulnerability research programme.
-
20 free cybersecurity tools you should know about
-
New York medical practices hit by “Bl00dy Ransomware Gang”
In July, a new channel appeared on Telegram called the “Bl00dy Ransomware Gang.” In August, information about alleged victims started to appear. So far, the gang has leaked some data allegedly from three victims in two incidents. In each case, there is some confirmation that the victims may have been attacked, but there is no confirmation from the named victims that this group attacked them. Here’s what we know so far:
-
Cybersecurity And Its Importance For Businesses
It seems that more of our lives are starting to take place online. We use the internet for business, shopping, entertainment, socializing, and so much more. Yet, as we move towards a more virtual world, criminals continue targeting anyone that’s not protected – including small businesses. Small businesses have become an easy target for individuals looking to exploit security vulnerabilities. So what can businesses do to improve their cybersecurity?
In this article, we’ll focus on cybersecurity: what it is and why it’s important for businesses. We’ll also look at some of the threats facing businesses and how to protect against them. Some of the solutions are to buy residential proxies, implement staff training and enforce strong passwords.