Last week we discussed bug bounties with eWeek & Robert Lemos. You can find the full article below. We would love your feedback if you want to share it.
Ukrainian hacker admits stealing business press releases for $30M: What they’re NOT telling you - Netragard
The sensationalized stories about the hacking of PR Newswire Association, LLC., Business Wire, and Marketwired, L.P. (the Newswires) are interesting but not entirely complete. The articles that we’ve read so far paint the Newswires as victims of some high-talent criminal hacking group. This might be true if the Newswires had actually maintained a strong security posture, but they didn’t. Instead, their security posture was insufficiently robust to protect the confidentiality, integrity or availability of the data contained within their networks. We know this because enough telling details about the breach were made public (see the referenced document at the end of this article).
In this article we first provide a critical analysis of the breaches based on public information, primarily the published record. We do make assumptions, based on the information provided and our own experience with network penetration, to fill in some of the gaps. We call out the issues that we believe allowed the hackers to achieve compromise and cause damage to the Newswires. Later we provide solutions that could have been used (and can be used by others) to prevent this type of breach from happening again. If […]
All of the recent news about Target, Neiman Marcus, and other businesses being hacked might be a surprise to many, but it’s no surprise to us. The truth is that the practice of security has devolved into a political, image-focused exercise designed to satisfy technically inept regulatory requirements that do little or nothing to protect critical business assets. What’s worse is that many security companies are capitalizing on this devolution rather than providing effective solutions in the spirit of good security. This is especially true with regard to the penetration testing industry.
We all know that money is the lifeblood of business and that a failure to meet regulatory requirements threatens that lifeblood. After all, when a business is not in compliance it runs the risk of being fined or not being allowed to operate. In addition, the imaginary expenses associated with true security are often perceived as a financial burden (another lifeblood threat). This is usually because the RoI of good security is only apparent when a would-be compromise is prevented. Too many business managers are of the opinion that “it won’t happen to us” until they become a target and it does. […]
I (Adriel) read an article published by Charles Cooper of c|net regarding small businesses and their apparent near total lack of awareness with regards to security. The article claims that 77% of small- and medium-sized businesses think that they are secure yet 83% of those businesses have no established security plan. These numbers were based on a survey of 1,015 small- and medium-sized businesses that was carried out by the National Cyber Security Alliance and Symantec.
These numbers don’t surprise me at all and, in fact, I think that this false sense of security is an epidemic across businesses of all sizes, not just small-to-medium. The question that people haven’t asked is: why does this false sense of security exist in such a profound way? Are people really ok with feeling safe when they are in fact vulnerable? Perhaps they are being lied to and are drinking the Kool-Aid…
What I mean is this. How many software vendors market their products as secure only to have someone identify all sorts of critical vulnerabilities in it later? Have you ever heard a software vendor suggest that their software might not be highly secure? […]