Bug hunters help keep the internet safe

What do you do for a living, daddy? I wear a big black hat, patrol the information superhighway hunting down big bad bugs and terminate them with extreme prejudice, son. Is that hard, daddy? Aw shucks, son, you just got to be able to type faster than the bad guys…

It seems black hats are once again in demand as companies like Google seek out hackers to break their code, paying Sergey Glazunov $10,000 for identifying a UXSS vulnerability in Chrome 21 as part of nearly $30K paid out for discovering the vulnerabilities fixed in Chrome 22. Mozilla started the trend in 2004 to prove the then-new Firefox was safe, and is reported to have paid out in excess of $750,000 in bounties.

Veracode says bug bounty programs are more popular than ever, with companies including Google, Mozilla, PayPal, Etsy and Facebook offering bounties of up to $60K to hackers who find critical vulnerabilities in their programs. Google increased the total reward pot for “Pwnium”, its Chrome hacking contest, to $3,141,590; that’s a lot of bugs to kill. Facebook is more austere with bounties from $500 to $10,000. YouTube will pay up to $20,000.

And it is not just busting program bugs but busting security systems; as the thinking goes, who better than a hacker to beat a hacker?

Adobe, Apple and Microsoft don’t actively offer bounties, but Microsoft’s BlueHat security program pays up to $250,000 to “security professionals” who can develop the best defensive countermeasures.

Veracode stated that a majority of mobile app developers fail to achieve compliance/security on their first review. Of course they want to sell their services, but spend some time at their website and you will wonder if it is ever safe to surf the net again, especially from your mobile device.

Their focus is presently on mobile application risks, where they review the top 10 mobile app security issues. These include:

1. Activity monitoring and data retrieval, mainly via spyware which can monitor and intercept: messaging; audio calls and open-mic recording; video and stills; location; contact list; call history; browsing history; text input; and stored data files.

2. Unauthorised dialling, SMS and payments by switching a phone to premium-rate calls and SMS messages. The dialling Trojan runs up the victim’s phone bill and uses a legitimate telco to collect the attacker’s ill-gotten gains for them.

3. Unauthorised network connectivity (exfiltration or command and control), where such programs can turn on the microphone or camera and upload data files at a set time.

4. UI impersonation: think of doing your banking when a pop-up screen that looks legitimate (i.e. the same as your own bank’s) asks you to click on something that sends your details to the attacker.

5. System modification, such as rootkit modification, that may make later attacks easier (like botnet attacks).

6. Logic or time bombs that trigger malicious activity based on a specific event or time.

7. Sensitive data leakage: sending location, owner ID, device ID, authentication credentials or authorisation tokens to the attacker.

8. Unsafe sensitive data storage, such as PINs and passwords stored in plain text in contact managers.

9. Unsafe sensitive data transmission over Wi-Fi, especially public Wi-Fi.

10. Hardcoded passwords/keys, which can be used by developers as backdoors; attackers can reverse engineer apps to recover them and compromise system security.

Yes, Toto, we are not in Kansas any more. All these issues really do exist in the wild and are continual problems, mainly for Android and less so for Windows Phone 8 and iOS.

AVG’s main prediction for 2013 is that cybercriminals will target cloud and mobile as their growth areas.

But mobile is just the latest frontier; all netbook, notebook, PC and Mac devices connecting to the cloud have similar issues that need protection. According to AVG’s Michael McKinnon:

1. Online advertising will become even more aggressively personalised as data is the new “black gold”. Advertisers will use browser tracking, social media trawling and geo-location to identify individual users, build a profile and serve them customised advertisements, all without the need for their consent. See the iTWire article for more on this.

2. Cloud security will be compromised. Well-known cloud systems such as Dropbox, SkyDrive (Microsoft), Cloud Drive (Amazon) and Google Drive have reportedly been attacked by malware, and we will see an increase in attacks against such systems, from Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks that simply deny users access to their files.

3. Android, as the world’s most popular mobile operating system, is now the prime target for smartphone and tablet malware. Threats will become more sophisticated and use polymorphic code that mutates to avoid detection by traditional app store security.

4. Infected websites targeting all operating systems will also increase with the growing popularity of “commercial” exploit kits such as Blackhole; don’t rely on built-in security systems alone.

5. Mobile-to-computer threats: increased connectivity between mobile devices and all operating systems, combined with the growing Bring Your Own Device trend, will make it much easier for malware and viruses to spread across business and home networks. We also expect to register more attacks that target PC and mobile internet banking apps. These multi-factor authentication attacks will be stealthier, more polished and more location-oriented.

Opinion: None. I ain't coming out from under my safe, comfortable rock for anyone! But to be serious, it's time to install premium paid virus protection on all your devices, especially if they have internet access.


Ray Shaw


Ray Shaw (ray@im.com.au) has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
