#CyberSecurityPulse: From the bug bounties (traditional) to the data abuse bounties

Thursday, April 19, 2018

social networks Social networks image The Internet giants are going to great lengths to be transparent with their communication about the information they are gathering from their users. In the case of Facebook, they pay millions of dollars every year to investigators and bug hunters to detect security flaws in their products and infrastructure, in order to minimize the risk of being subject to specific attacks. Though, after the Cambridge Analytica scandal, the company has launched a new type of bug bounty to compensate those that report "data abuse" on their platform. Through the new program 'Data Abuse Bounty', Facebook will ask third parties to help them find application developers who are misusing their data. "Certain actors can maliciously gather and abuse Facebook user’s data even when security vulnerabilities do not exist. This program has the intention of protecting us against abuse", according to the publication carried out by the company.

This program is the first of its class in the industry, where the focus is on the misuse of the users’ data by application developers. The report submitted to Facebook by the analysts should involve at least 10,000 Facebook users and explain not only how the data was collected, but also how it was abused, and additionally about the fact that the problem was not known about by other means beforehand. On the other side, Facebook has also facilitated a platform where it offers social network users all of the information which they have been collecting about a particular user; measures which without a doubt are necessary in a moment where many people are distrusting the internet giants.


More information available at Facebook

Highlighted news


Russia wants to block Telegram after the denial of an encryption key

anti-doping Anti-doping imagen The Russian media and internet regulator has asked a court to block the Telegram encrypted messaging application after the company refused to give their encryption keys to the state authorities. The regulator, known as Roskomnadzor, filed the suit in Moscow district court. The suit, which still has not been issued, contains a "request to restrict access to the information services in the Russian territory" from the application, they said in a statement. In other words, the government wants to block the application so that it does not work in the country. The suit comes after the Russian State security service, the FSB (before known as the KGB) called for the Dubai-based application developer to hand over their encryption keys, of which Russia claims is a legal suit. The entrepreneur and founder of the company, Pavel Durov refused to do so and thus, the Russian government took Telegram to court.

More information available at the ZDNet

The GCHQ director from the United Kingdom has confirmed an important cyberattack against the Islamic State

EI-ISAC According to the head of GCHQ, the attack was launched in collaboration with the ministry of defense from the United Kingdom and has disrupted Islamic State operations. The British Intelligence believes that this is the first time that "they have systematically and persistently degraded an opponent’s online efforts as part of wider military campaign". Fleming explained that the cyber-experts from the United Kingdom have taken action to disrupt the online activities and networks from the Islamic State, and to discourage individuals or groups. "These operations have made a significant contribution to the coalition’s efforts to suppress the Daesh propaganda, they have obstructed their ability to coordinate attacks and have protected the coalition forces in the battlefield", said the head pf GCHQ to the audience in the conference in Manchester.

More information available at Security Affairs

News from the rest of the week


Microsoft adds anti-ransomware protection and recovery tools to Office 365

Microsoft has launched a series of new tools to protect their Office 365 Home and 365 Personal clients from a large range of cyber-threats, which includes ransomware. Kirk Koenigsbauer, Microsoft Office Corporate Vice President, said that the underwriters of these two Office suites will receive additional measures in order to protect against ransomware, threats based upon email addresses, greater password protection and the advanced link verification of Office products.

More information available at SC Magazine

A bug in Microsoft Outlook allows Windows’ passwords to be stolen easily

The Microsoft Outlook (CVE-2018-0950) vunerability could allow attackers to steal confidential information, including the credentials of the user’s Windows login screen, simply convincing the victims to preview an email with Microsoft Outlook, without the need from additional interaction from the user. The vuneralbility would reside in a form in which Microsoft Outlook shows the content of the remotely located OLE when you preview a RTF email (enriched text formatting) and which automatically starts the SMB connections.

More information available at CMU

Your Windows could be compromised only by just visiting a website

Microsoft has patched up five critical vulnerabilities in Windows Graphics Component which reside in the improper handling of embedded sources within the library of Window sources and which affect all of the versions from the operating Windows systems so far. An attacker can trick a user in order to open up a malicious archive or a website specifically deisgned with a maliscious source, and that if you open it in a web browser, it would give control of the affected system to the attacker.

More information available at The Hacker News

Other news


Threat actors search for the Drupalgeddon2 vulnerability

More information available at Security Affairs

3.3 million dollars stolen from the Coinsecure’s main base

More information available at Security Affairs

New code injection technique utilized by APT33 is named Early Bird to avoid detection through antimalware tools

More information available at Security Affairs

No comments:

Post a Comment