STE WILLIAMS

Equifax Lands $7.25 Million Contract with IRS

The embattled credit monitoring agency will provide taxpayer identification verification and fraud prevention services to the federal tax agency.

Equifax has received a $7.25 million contract from the Internal Revenue Service (IRS) to verify the identities of taxpayers and provide fraud prevention services, according to a Politico report.

The credit monitoring agency, which has been under siege by consumers and legislators since it disclosed its massive breach of sensitive personally identifiable information on up to 145.5 million Americans, was awarded the deal under a no-bid contract on Sept. 30, which marks the end of the fiscal year for the federal government. Equifax disclosed its breach on July 29.

Legislators took the IRS to task for its decision to issue a contract to Equifax. “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed,” Senate Finance chairman Orrin Hatch (R-Utah) was quoted as saying in Politico.

Read more about the IRS contract here.



Article source: https://www.darkreading.com/network-and-perimeter-security/equifax-lands-$725-million-contract-with-irs/d/d-id/1330055?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google is making encryption mandatory for sites on 45 Top-Level Domains

Google’s campaign to make HTTPS security ubiquitous has been underscored once again by the news that it is to implement HSTS preload on 45 Top-Level Domains (TLDs) it controls as part of its domain registrar business.

There are several strands to this story, beginning with the little-known fact that Google has since 2015 been a registrar for generic Top-Level Domains such as .ads, .here, .meme, .ing, .rsvp, .fly, and .app, to name only a few.

The next is HSTS (HTTP Strict Transport Security), first adopted by Chrome 4 in 2009, which is incorporated into all major browsers.

HSTS is a way for a website to insist that browsers connect to it using the encrypted HTTPS protocol, instead of insecure HTTP. A browser attempting to visit http://nakedsecurity.sophos.com, for example, is forwarded to a URL that uses HTTPS and told to add the site to its list of sites that should always be accessed using HTTPS. From then on the browser will always use HTTPS for that site, no matter what.

The user doesn’t have to do anything, regardless of whether they reached the site through a bookmark, a link, or simply by typing HTTP in the address bar.

The only flaw in this scheme is that browsers can still reach an insecure HTTP URL the first time they connect to a site, opening a small window for attackers to carry out man-in-the-middle, cookie hijacking and encryption downgrade attacks such as the well-publicised Poodle SSLv3 attack discovered by Google researchers in 2014.

HSTS preload solves this by pre-loading a list of HSTS domains into the browser itself, closing that window entirely.

Best of all, this preloading can be applied to entire TLDs, not just domains and sub-domains, which means it becomes automatic for everyone registering any domain name ending in that TLD.

As Google states:

Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.

Because HSTS preload lists can take months to update in browsers, setting it by TLD has the added advantage of making HSTS instantaneous for new websites registered under those TLDs.

Google extending HSTS preload to 45 TLDs in the coming months is therefore bigger news than it might sound: millions of new sites registered under each TLD will now have HTTPS enforced (and domain owners will have to configure their websites to work over HTTPS or they won’t work.)
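The mechanism described above, as an added example that is not taken from the article or from any browser's source code: a small Python model of the HSTS decision a browser makes. The preload list, hostnames and header values are constructed for the demo (the bare `app` entry stands in for the kind of TLD-level entry the article describes; it is not copied from the real preload list). It shows the first-visit window, how a policy learned from an HTTPS response closes that window for later visits, why a policy arriving over plain HTTP is ignored (RFC 6797), and how a preloaded TLD removes the window entirely for a site the browser has never seen.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list. A bare TLD
# entry ("app") with include_subdomains plays the role of the TLD-level
# entries the article describes; the real list is a much larger JSON file.
PRELOAD = [
    {"name": "app", "include_subdomains": True},
    {"name": "preloaded.example", "include_subdomains": False},
]


def host_covered(host, entries):
    """True if host equals an entry, or sits below an entry with include_subdomains."""
    host = host.lower().rstrip(".")
    return any(
        host == e["name"] or (e.get("include_subdomains") and host.endswith("." + e["name"]))
        for e in entries
    )


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    None if the mandatory max-age directive is missing or malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsBrowser:
    """Minimal model of a browser's HSTS decision: built-in preload entries
    plus a dynamic cache learned from HTTPS responses (RFC 6797)."""

    def __init__(self, preload, now=time.time):
        self.preload, self.now = preload, now
        self.cache = {}  # host -> {"expires": float, "include_subdomains": bool}

    def _learned(self):
        t = self.now()
        return [{"name": h, "include_subdomains": v["include_subdomains"]}
                for h, v in self.cache.items() if v["expires"] > t]

    def navigate(self, url):
        """Return (url actually requested, whether a plaintext request was made)."""
        p = urlsplit(url)
        host = p.hostname or ""
        if p.scheme == "http" and (host_covered(host, self.preload) or host_covered(host, self._learned())):
            netloc = host if p.port in (None, 80) else f"{host}:{p.port}"  # port 80 becomes 443
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment)), False
        return url, p.scheme == "http"

    def receive_response(self, url, headers):
        """Learn a policy from a response. Only honoured over HTTPS, so someone on
        the network path of a plaintext connection cannot plant or clear one."""
        p = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        parsed = parse_sts_header(sts) if (p.scheme == "https" and sts) else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = (p.hostname or "").lower()
        if max_age == 0:
            self.cache.pop(host, None)  # max-age=0 asks the browser to forget the host
        else:
            self.cache[host] = {"expires": self.now() + max_age, "include_subdomains": include_sub}
        return True


def demo():
    """Walk through the first-visit window, the learned policy, and the preloaded TLD."""
    clock = [1000.0]
    b = HstsBrowser(PRELOAD, now=lambda: clock[0])
    first = b.navigate("http://shop.example/login")            # plaintext: this is the window
    b.receive_response("https://shop.example/login",
                       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    second = b.navigate("http://shop.example/login")           # upgraded locally, no plaintext
    sub = b.navigate("http://api.shop.example/")               # includeSubDomains covers this
    new_site = b.navigate("http://brand-new.app/")             # preloaded TLD: never a window
    ignored = b.receive_response("http://plain.example/", {"Strict-Transport-Security": "max-age=60"})
    clock[0] += 31536001                                       # the learned policy has expired
    expired = b.navigate("http://shop.example/")
    return first, second, sub, new_site, ignored, expired
```

The expiry at the end is the reason operators are told to send a long `max-age` and to keep sending it: a policy the browser has forgotten reopens the window, while a preloaded entry never expires on the client.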

Uptake remains a hurdle: too many sites still don’t bother with HTTPS, something Google has tried to counter with recent initiatives such as Chrome marking non-HTTPS sites as “insecure”, a sort of large-scale shaming campaign.

Another barrier is cost, which explains why Google has backed the Let’s Encrypt certificate authority which offers free certificates (even if it turned out that phishing sites were also availing themselves of this).

In the end, the biggest ally in making HTTPS universal could simply be the changing expectations of web users who have started to grasp the importance of web security for their own well-being.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8SToWwxI6tQ/

Chrome turns the screw ever tighter in Google’s encryption crusade

You might remember how, in January, Google started shaming sites that don’t use encryption when dealing with passwords or credit cards.

That was just a first step. Get ready for the screws to be tightened down yet again on sites that fail to scramble the data that flows between you and the websites you visit.

Namely, in a few weeks, the “Not secure” label is going to spring up in two additional, common scenarios: when users enter any data at all on an HTTP page, and on all HTTP pages visited in Incognito mode.

The stronger push toward HTTPS is coming in Google Chrome 62, due to ship on 17 October for Mac/Windows/Linux. An update of Chrome OS will arrive a week later.

As Google explained in April, these next steps toward more connection security are necessary because we need everything we type into a website to be private as it flies across the internet to its destination (and to be sure that destination is the one we think it is), not just passwords and credit cards:

Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.

Likewise, the Not secure label makes sense for Google’s Incognito mode, given that Incognito users very likely expect privacy, according to Emily Schechter from the Chrome Security Team. Incognito mode or no, they aren’t getting that privacy if they’re on an HTTP page, she said.

HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode.

This is just the latest stick in Google’s years-long carrot-and-stick battle to get sites to encrypt. One of the earliest sticks was an announcement the company made in 2014 about sites getting a better chance of ranking well in Google searches if they use encryption.

At the time Naked Security’s Mark Stockley said it might prove to be an inflection point for web security and, three years later, he thinks it was:

Making security a ranking signal for searches was a clear sign that Google meant business. Before the announcement marketing departments had no reason to talk about HTTPS, now it’s on everyone’s SEO [Search Engine Optimisation] checklist.

Last month, Google moved its focus beyond HTTP and zeroed in on yet another protocol that lacks security: FTP (File Transfer Protocol). By the time Chrome 63 is released in December, all FTP resources will be marked as “Not secure” in the browser’s address bar.

Plus, earlier this month, Google announced that it will use HSTS (HTTP Strict Transport Security) preloading to make encryption mandatory for sites using any of 45 Top-Level Domains it’s controlled since 2015 as part of its domain registrar business.

That’s a big deal: it means that browsers will come pre-loaded with instructions that force them to use HTTPS to communicate with millions of sites, even if users click on links that start with http://.

In other, good-for-users news, Google is reportedly planning to block what’s known as tab-under behavior in Chrome.

According to Bleeping Computer, which says it’s seen a relevant Google document, “tab-under” behavior is what Google calls it when a site duplicates the page you’re reading in another tab and then shows an ad in the tab you’re looking at. Tab-under is a money-making ploy by advertisers: the payoff is revenue from ad impressions and redirection fees, but users don’t like it. Google engineers are reportedly looking at three ways to block tab-unders, and the first place we’ll see the new blocking will be in Chrome Canary.

But back to the encrypt-everything crusade: it’s been going on a while now, ramping up particularly during the unveiling of the ever-widening NSA/GCHQ/FBI/et al surveillance state. In 2014, Google itself went full out when it started forcing Gmail users to use HTTPS.

At that time, only 50% of the web requests handled by Google servers were encrypted.

That meant that some of the web’s most trafficked locations were vulnerable. The percentage of encrypted sites has gradually climbed over the past three years. By March 2016, Google’s Transparency Report said that it was securing 75% of the non-YouTube internet traffic it handled.

As far as the overall percentage of encryption goes, a report released by the Electronic Frontier Foundation in February said that half of all web traffic is now encrypted.

We’re not at full encryption yet, but as the screw turns it is slowly becoming the rule rather than the exception.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/12v7lstqOr8/

India’s national internet registry breached, but says heist was trivial

Indian antivirus and endpoint vendor Seqrite claims the nation’s internet registry has suffered a data breach, but the registry’s parent organisation says while it was attacked the information obtained was trivial.

Seqrite says its researchers noticed “an advertisement on DarkNet announcing secret access to the servers and database dump of over 6000 Indian businesses – ISPs, Government and private organisations.” The researchers say they then posed as an interested buyer and the advertisers provided screen shots that indicate the data comes from the Indian Registry for Internet Names and Numbers (IRINN), India’s issuer of IP addresses.

Seqrite, also known as Quick Heal Technologies, says buyers who’d like to see the data need only hand over 15 Bitcoin. The company says the data is sufficiently detailed that the dark web vendor is “offering network takedown of affected organizations for an unspecified amount” and “claims to have the ability to tamper the IP allocation pool, which could result in a serious outage or Denial of Service.”

The company also says the information it’s seen could lead to disruption of “Internet IP allocation and affect Internet services in India.”

The National Internet Exchange of India (NIXI), which oversees IRINN, is having none of that. A statement it sent to media said “There was an attempt to penetrate the system and hacker was able to collect some basic profile information of the contact persons of some of the affiliates which was displayed by him on the darknet.” The statement adds that “existing security protocol of NIXI is robust and capable of countering such attacks. However, following this breach, security protocol has been further strengthened and review of existing infrastructure has also been initiated.”

The Register has asked Seqrite to further explain the nature of the data it has seen, and how it might facilitate either denial of service attacks or represent a threat to the internet in India. If the company responds, we will update this story. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/ndian_registry_for_internet_names_and_numbers_attack_allegation_by_seqrite/

Bulletproof hosts stay online by operating out of disputed backwaters

VB2017 Some bulletproof hosting (BPH) operations – wellspring of all manner of online villainy – are moving their operations to the disputed territories of eastern Ukraine and Transnistria on the Moldovan border.

BPH is often sold through darknet bazaars. These services sit at the centre of long-lasting, large-scale and profitable cybercrime campaigns.

One of the most infamous BPH operations, the Russian Business Network (RBN), pioneered the market a decade ago and became notorious for phishing, spam, malware distribution and even child abuse material. The crooks behind the network understood Border Gateway Protocol (BGP), peering, routing, and how these technologies could be used to hide their core infrastructure while providing connectivity to clients. Its founder was long rumoured to be the nephew of a high-ranking St Petersburg politician.

The network has supposedly been offline since 2007.

However, new research by Dhia Mahjoub, of Cisco Umbrella (OpenDNS), and Jason Passwaters, of Intel 471, has revealed that some of those involved in the RBN are still up to their old tricks. The business model of BPH is very much alive and well, evolving into separate strands to maintain its position as a key enabler of cybercrime.

One service cited by the work is a cloud proxy network that abuses the services of legitimate providers including AWS and TenCent. The product offered by “Alexander” (Yalishanda) typically costs $250/month/domain and maintains operations by cycling through an enormous number of providers – 230 in just nine days, according to the researchers. Alex – who may have been affiliated with the RBN – was resident in Beijing and associated with a bar in 2008. These days he operates out of Vladivostok in far-eastern Russia.

Another provider, Boris, plies a bot-based flux proxy content delivery network for criminals as his flagship product with nameservers hosted mainly across Iranian IP addresses. Boris has operated out of Ukraine since 2010 and is still in business despite being raided three times, the researchers said.

“Corruption plays a massive role,” according to Passwaters. “The original RBN crew are still in business.”

Takedown operations are rarely successful. For example, a suspect in the high-profile Avalanche takedown, a combined industry and government op that took years to put together, was freed within 24 hours.

Mahjoub added that part of the problem is that the activities of BPH firms may not be illegal in the countries they operate. “Not all the activity is bad,” he said. “There is some legit hosting going on.”

Operating out of political hotspots gives some BPH operations another shield against takedown attempts. One reseller uses data centres and providers in Lugansk, a separatist region of eastern Ukraine, while several schemes are based in Transnistria, a breakaway region between Ukraine and the River Dniester, Moldova.

There are 15 main BPH operations on the darknet. Most operate from either Russia, Ukraine or Moldova.

The research was based on exclusive access to vetted closed underground forums combined with large-scale analysis of network traffic and telemetry. Network and actor-centric perspectives are needed to unpick the activities of BPH operations, the researchers argue.

Their research was presented at the Virus Bulletin conference in Madrid on Wednesday in a talk titled BPH exposed – RBN never left, they just adapted and evolved. Did you?. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/bulletproof_hosting/

UK cybercops reacted to 590 ‘significant attacks’ over past year – report

The National Cyber Security Centre responded to 590 “significant attacks” over the last year including WannaCry, MPs’ email addresses being targeted due to weak passwords and various threats to other large organisations.

The body was created in October last year, bringing together previously separate parts of government, MI5 and GCHQ. Its aim is to support and advise the public and private sectors on how to avoid computer security threats.

Over that time the body said it has also managed to reduce the time phishing sites are hosted for in the UK from 27 hours to less than an hour.

Other measures introduced include getting government departments to adopt the Domain-based Message Authentication Reporting and Conformance protocol (DMARC) to combat fake emails by validating whether the communications come from the said organisation.

Something we hope Home Sec Amber Rudd has set up.

DMARC has already prevented a huge number of potential attacks – for example, blocking 120,000 emails from a spoof @gov.uk address.

Other measures include setting up a filtering service to stop government systems straying onto malicious websites, using data gathered from commercial partners and GCHQ.

Undoubtedly WannaCry was the biggest threat the unit responded to over the last 12 months. The outbreak led to “the first ministerial COBRA meeting following a cyber attack,” said the report.

WannaCry affected more than 100 countries, including Spanish telecoms and German rail networks. In total, 47 NHS trusts were affected in the UK. More than 230,000 computers were hit globally.

Ciaran Martin, CEO of the NCSC, said: “The UK faces threats from across the globe on a daily basis and while we have brought together unprecedented expertise to defend the UK, it’s not a question of ‘if’ cyber attacks will happen, it’s a matter of when.

“The NCSC’s first duty is to manage and mitigate against attacks. Our anniversary report shows the progress we have made working with government, industry and individuals to create a truly lasting national asset.”

Public sector bods including police, the NHS and local authorities have named the growing threat of ransomware one of their biggest areas of concern next year. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/ncsc_responded_to_590_significant_attacks_last_year/

Spy vs spy vs hacker vs… who is THAT? Everyone’s hacking each other

VB2017 Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other’s infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday.

The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly difficult for security researchers, according to Kaspersky Lab.

Threat intelligence depends on spotting patterns and tools that point towards a particular threat actor. Related work allows researchers to infer a hacking group’s targets and objectives before advising clients about the risk they face. This process falls down now that threat actors are hacking each other and taking over tools, infrastructure and even victims.

A presentation, headlined Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell, explored these challenges.

Juan Andres Guerrero-Saade and Costin Raiu, both from Kaspersky Lab, explained the attribution problems that can arise when one hacking group exploits another’s seemingly closed-source toolkit or infrastructure. Quizzed on this point by El Reg, the pair said to date there was no example of an intel agency backdating another foreign hacking group’s malware.

Cyber-espionage groups are busy instead stealing each other’s tools, repurposing exploits, and compromising the same infrastructure, they said. Reuse of fragments of others’ tools is more common than wholesale theft and repurposing of third-party APTs.

What are they up to?

There are two main attack vectors. First, passive attacks that involve intercepting other groups’ data in transit, for example as it moves between victims and command and control servers. The second (active) approach involves hacking into another threat actor’s malicious infrastructure, an approach much more likely to risk detection but which also brings potential rewards.

An active attack would allow a hacker to extract information on a regular basis, monitor its target and its target’s victims or even insert its own implants or mount attacks while throwing the finger of blame towards the initial attacker. The success of active attacks depends largely on the target (e.g. another intel agency) making operational security mistakes.

Kaspersky researchers have come across two examples of backdoors installed in another hacking group’s command-and-control infrastructure.

One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while probing a hacked website used by Crouching Yeti, a Russian-language hacking crew.

Last year a website put together by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian, Chinese and South Korean organisations, it said.

In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). This server was the starting point for the discovery of the Equation Group, linked by the leaks of former NSA sysadmin Edward Snowden to an elite NSA hacking crew. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/fog_of_cyberwar/

URL Obfuscation: Still a Phisher’s Phriend


I was at a client’s office the other day and the security team was discussing their latest round of spearphishing attacks: a PDF delivered in email with an embedded bit.ly link that appeared authentic but took users to a phony site. Luckily, the team was alerted and quickly got the word out to employees. But, as for blocking URL shortened links via email? Good luck! They’re quite useful and therefore still commonly used. Unfortunately, since URL-shortening services were put in place, scammers and crooks have been using them to conceal counterfeit websites. All technology is a two-edged sword, useful for both good and evil.

There are three primary techniques used to trick users into thinking a website link is real:

Trick #1: URL Shorteners

There are many URL shortening services like bit.ly, x.co, goo.gl, tiny.cc. These shortening web apps take a long complex URL line, such as https://f5.com/labs/articles/threat-intelligence/cyber-security/russian-hackers-face-to-face, and shrink it down to something more convenient and easily sharable, such as http://bit.ly/2wbw48P.

Shortened URLs are especially handy when using Twitter, which limits tweets to 140 characters, because some URLs would consume the entire message. They’re perfect for including in emails that solicit the user to click on a link that leads them to a malicious site (drive-by download, phishing site, scam). The text of the email message is often designed to fool the user into thinking the link is trustworthy since they see so many links come in this way. A common trick is to imitate an email from the IT department to get users to click on a link to change their password, which leads to a site that steals their password.

Some URL shortening services do basic testing and blocking of known malicious sites but, in general, they’re found to be far from perfect. URL shortening is still a very popular technique, used by both script kiddies as well as advanced persistent threats (APTs). A recent report on the Russian hacking and disinformation campaigns notes the use of the tiny.cc URL shortening service. If it works, why change tactics?

Trick #2: URL Doppelgangers

If you remember the Russian Hacker case I wrote about in June 2017, one of the techniques they used was an email ploy that looked exactly like this:

Subject: PayPaI Cash Give-Away
From: Friend CashGiveAway at PaypaI dot com
Reply-To: cheapercommunications at yahoo dot com PayPaI
Congradulations You were chosen from over 30,000 contestants for our
$500.00 cash give-away from PayPaI. If you are already a member simply click
the link below to Accept the Cash Give-Away. Even if you are not a PayPaI member
you can sign-up for Free, and still accept the $500.00 Cash Give-Away today!
Amount: $500.00
Note: Enter Your Info Below To Accept.
To Process: Click link below or copy and paste into browser window.
https://www.paypaI.com/prq/id=H1aDsq-6vwg7w1YaVZjb.hGJmz0uOz6pb.omew

Notice how, in the email font shown, “paypal” appears to end with a lowercase “l”, but it’s actually an uppercase “I”.

This difference is obvious when we look at that last line in a different font:

That’s a trick for creating deceptive URLs that goes back decades. In this case, the site “Paypai.com” was being hosted by a server in Moscow and was collecting PayPal logins to be used in credit card laundering.

Another way to create a misleading URL is to use homographs, which leverage Punycode encoding to falsify the name. F5 Labs recently featured a detailed story on homograph attacks and how they’re pulled off.
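As an added illustration that is not part of the original article, the PayPaI trick and the Punycode variant can both be caught with the same "skeleton" comparison: fold glyphs that look alike to one canonical form, then compare the result with the names you want to protect. The protected list and the confusable table below are constructed for the example and deliberately small; a production check would load the Unicode Consortium's full confusables data instead.

```python
import unicodedata

# Constructed list of brand hostnames the check protects; a real deployment
# would use the organisation's own domains.
PROTECTED = {"paypal.com"}

# Constructed table of characters that look alike in common fonts, each folded
# to one canonical glyph: the uppercase I / lowercase l pair from the PayPaI
# mail, digit/letter pairs, and a few Cyrillic letters identical to Latin ones.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l",                               # PayPaI, paypa1
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",      # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",      # Cyrillic р с у
})


def decode_idn(host):
    """Turn an ASCII host with xn-- (Punycode) labels back into the Unicode form
    the user would see; hosts without such labels are returned unchanged."""
    if any(label.lower().startswith("xn--") for label in host.split(".")):
        return host.encode("ascii").decode("idna")
    return host


def skeleton(host):
    """Canonical 'what it looks like' form: NFKC-normalise, fold confusable
    glyphs, then lowercase (the I -> l fold must run before lowercasing)."""
    host = unicodedata.normalize("NFKC", decode_idn(host))
    return host.translate(CONFUSABLES).lower()


def scripts_in(label):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def classify(host):
    """Return (verdict, skeleton) for a hostname taken from a link.

    verdict is one of:
      'brand'         exact (case-insensitive) match with a protected name
      'lookalike'     differs from a protected name only by confusable glyphs
      'mixed-script'  a label mixes scripts (Latin + Cyrillic, ...) without
                      resembling a protected name
      'ok'            none of the above
    """
    visible = decode_idn(host).lower().rstrip(".")
    sk = skeleton(host).rstrip(".")
    if visible in PROTECTED:
        return "brand", sk
    if sk in PROTECTED:
        return "lookalike", sk
    if any(len(scripts_in(label)) > 1 for label in visible.split(".")):
        return "mixed-script", sk
    return "ok", sk
```

Comparing skeletons rather than raw strings is what makes one check cover both the font trick and the Punycode trick: `paypaI.com` and the Cyrillic-a `pаypal.com` are different strings but the same skeleton. The mixed-script verdict catches hosts that imitate a name the protected list does not happen to contain.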

Trick #3: URL Redirects

The last common URL obfuscation technique involves bouncing off a web application vulnerability in a legitimate site. Many sites provide the capability to do URL redirects or forwards. For example, perhaps you’re on an investment site and at some point, your session gets automatically transferred to a bank site. The investment website itself is using web application tools to perform the redirect, which often can look like:

http://investingsite.com/redirect.php?url=http://nicebanksite.com

A phisher could then hijack this mechanism to redirect users to a fake site. However, an untrained user might only notice the start of the URL, which shows the real site (which is redirecting). Furthermore, the phisher could combine techniques, adding URL shortening to further mask the final destination, like so:

http://investingsite.com/redirect.php?url= http://bitly.com/98K8eH

Make sure your organization’s websites aren’t susceptible to these kinds of external URL redirects. You don’t want to be a hacker’s tool that is unwittingly participating in someone else’s scheme. Worse, you don’t want your own customers and users to be lured away from your site to booby-trapped imitation sites.

This particular problem used to be part of the OWASP Top 10 web vulnerabilities, under the name Unvalidated Redirects and Forwards, and is often tested for as part of a web application vulnerability test. This vulnerability can also be a lot more subtle, buried in app functions that aren’t apparent in a normal web session, but still found and exploited.
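A concrete version of the check the preceding paragraphs ask for, added here rather than taken from the article: the one-line vulnerable handler beside a validator for the `url` parameter. Hostnames and the allowlist are constructed for the example. The validator accepts only same-site paths and absolute http(s) URLs whose host is on an explicit allowlist, and treats the usual parser disagreements (scheme-relative `//host`, userinfo `@`, backslashes, hosts that merely begin with an allowed name) as rejections that fall back to the site's own front page.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the external hosts this site legitimately hands users to.
ALLOWED_HOSTS = {"nicebanksite.com"}


def vulnerable_redirect(params):
    """The pattern the article warns about: whatever arrives in ?url= becomes the
    Location header, so any destination can ride on the site's reputation."""
    return params.get("url", "/")


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return a destination that is safe to place in a Location header.

    Accepts only (a) same-site paths that start with a single '/' and
    (b) absolute http(s) URLs whose hostname is exactly on the allowlist.
    Everything else returns the fallback."""
    if not isinstance(candidate, str) or not candidate.strip():
        return fallback
    candidate = candidate.strip()
    # Browsers treat a backslash like a forward slash; urlsplit does not, so
    # "/\evil.example" would parse as a harmless path but navigate off-site.
    if "\\" in candidate:
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be an absolute path, and not "//host" (scheme-relative).
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return candidate
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback  # "http://nicebanksite.com@evil.example/" has hostname evil.example
    host = (parts.hostname or "").lower().rstrip(".")
    if host in allowed_hosts:  # exact match, so nicebanksite.com.evil.example fails
        return candidate
    return fallback
```

Where the set of legitimate destinations is small, an even simpler design avoids parsing altogether: accept only an opaque key (`?to=bank`) and look the real URL up in a server-side table, so the parameter never carries a URL at all.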

As always, making your users aware of these attack methods can go a long way towards helping them spot phishes and scams. Having a quick and easy way for users to report these kinds of attacks, coupled with a rapid response gives you the ability to block and warn everyone else on specific attacks. It’s also a good idea to look at a multi-layered defense, including several layers of web and mail filtering, as well as strong authentication since login credentials are often what are stolen in these attacks. Lastly, make sure you’re not part of the problem by testing your own websites for unvalidated URL redirection vulnerabilities.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/url-obfuscation-still-a-phishers-phriend/a/d-id/1330027?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chips in iPhone 7s, Androids, smart TVs vulnerable to rogue Wi-Fi

Gal Beniamini of Google Project Zero recently published a proof-of-concept for a remote code execution (RCE) vulnerability present in the Broadcom 802.11k Wi-Fi hardware, running firmware version BCM4355C0.

The flaw affects a number of smartphones, including the iPhone 7 and some Android devices, as well as smart TVs running tvOS.

This vulnerability (CVE-2017-11120) doesn’t need the victim to take any action aside from connecting to a rogue Wi-Fi network owned by the attacker—there’s no app that needs to be installed or phishy link that needs clicking. Once the victim connects their devices to the rogue network, the attacker can install a backdoor onto the victim’s device that gives them full read and write access to its firmware.

Not a big surprise then that Google Android gave this vulnerability the highest rating, Critical, in its September 5 security bulletin.

Researchers working on this vulnerability were able to confirm that it exists on the iPhone 7 and Galaxy S7 Edge firmware. It’s believed that it’s also present in all versions of iOS up to 10.3.3. Details weren’t published until 25 September 2017, by which date fixes for iOS, tvOS and Android had been made available.

This vulnerability has a number of similarities to another Broadcom flaw discovered earlier this year by Beniamini – colloquially called BroadPwn. NakedSecurity’s own Paul Ducklin did a remarkable job with a deep dive into BroadPwn and how it worked, so why not pour yourself a coffee and give that a read too.

Thankfully the fix for this serious problem is pretty simple for most users: update now.

Both BroadPwn and this yet-to-be-named vulnerability (The Return of BroadPwn?) serve as a reminder that keeping your mobile devices up-to-date is your first line of defense against potentially devastating RCEs. And in the case of this bug in particular, it’s also a warning about the dangers of connecting your devices to just any old public Wi-Fi.

Not sure if your device is affected? Some of the devices that should patch right away are below.

Update the following Apple products to the latest release (25 September release as of this writing)

This vulnerability is addressed in the 2017-09-05 security patch for Android.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HIJsAs8cK70/

Open your doors to white hats before black hats blow them off, US deputy AG urges big biz

The second-in-command at the US Department of Justice says every business should have its own program to let third-party researchers find and report bugs.

Speaking at the Cambridge Cyber Summit in Boston today, Deputy Attorney General Rod Rosenstein said bug bounty and white-hat research programs will help companies avoid large-scale network breaches and data thefts.

“Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity,” Rosenstein told attendees. “All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system.”

Rosenstein recommended that execs and other senior staff in the audience push their companies to look into setting up their own programs, where both internal and third-party security researchers can test for security flaws and report them back to the company and its tech suppliers, potentially closing holes before they can be exploited by hackers.


He noted the DoJ already has its own guide for organizations on how to set up a bug-reporting platform. The hope, Rosenstein said, was that commercial outfits make themselves and the hardware and software they use more secure, and avoid breaches that the Feds would have to investigate.

“Many organizations find that the amount you can learn from ‘crowdsourcing’ your search for vulnerabilities in a controlled way is well worth it,” Rosenstein said.

“The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises.”

At the same time, Rosenstein also talked up the need for policies that many developers argue will make software and hardware platforms much less secure: breakable encryption. The Deputy AG doubled down on his earlier calls to give investigators backdoors to decrypt data transmissions and stored info.

“We in law enforcement have no desire to undermine encryption. But the advent of ‘warrant-proof’ encryption is a serious problem. It threatens to destabilize the constitutional balance between privacy and security that has existed for over two centuries,” Rosenstein said.

“Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.”

So open your doors to white hats before hackers find a way to break in. And then put in a backdoor anyway for black hats to find. Perfect sense. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/04/rosenstein_to_corporate_america_open_your_doors_to_white_hats/