One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 939538
Publication date: 2018-12-07 14:00:00 (viewed: 2018-12-07 16:02:38)
Title: Things I Hearted This Week, 7th December 2018
Text: It’s December, so you’re either on holiday, wishing you were on holiday, or hoping the next security article you read isn’t related to predictions. Well, I can’t help you with the holidays, but I can promise there will be no predictions here. It’s just good old-fashioned news: the juiciest stories that made my heart flutter.

US Postal Service

Ah, the good old USPS was running a weakness that allowed anyone who has an account to view details of around 60 million users, and in some cases modify the account details on their behalf. Luckily, a security researcher spotted the error about a year ago and notified USPS. Unluckily, the USPS didn’t respond to the researcher or fix the issue. Luckily, the researcher reached out to a little-known cyber-reporter by the name of Brian Krebs, who contacted USPS and, lo and behold, a miracle happened and the issue was fixed in 48 hours!

USPS Site Exposed Data on 60 Million Users | Krebs on Security

This raises the question of whether there is anything lesser-known researchers, who don’t have the public profile of Brian Krebs, can do to help companies fix issues outside of a formally defined bug bounty program. Back in September, Troy Hunt posted on this very topic: the effectiveness of publicly shaming bad security. That’s not to say I agree with shaming companies, but when you look at instances like USPS, you do wonder if there is a better way.

The Effectiveness of Publicly Shaming Bad Security | Troy Hunt

GCHQ Reveals it Doesn't Always Tell Firms if Their Software is Vulnerable to Cyber Attacks

In other words, spy agency keeps secrets. There are four reasons given as to why GCHQ may not disclose flaws:

1. There is no way to fix it.
2. The product is no longer supported.
3. The product is so poorly designed it can never be secure.
4. There is an overriding intelligence requirement that cannot be fulfilled in any other way.

I particularly like number 4 as the catch-all clause. You could say there’s an overriding intelligence requirement for almost anything, and refuse to release any details under secrecy laws. I’m not necessarily bashing GCHQ; governments have been known for stockpiling exploits. They have a particular mission and objective, and this is how they go about fulfilling it. However, it does mean companies should not rely solely on GCHQ or other government agencies for their threat intelligence. Rather, building their own capabilities and threat-sharing channels remains necessary.

GCHQ reveals it doesn't always tell firms if their software is vulnerable to cyber attacks. | Sky News

Scamming the Scammers

I don’t think there are many stories more satisfying than when scammers get taken for a ride. This time it’s courtesy of Hacker Fantastic, who got contacted by the famous singer Rhianna out of the blue to help her get some money.

Scamming the scammers | Medium, Hacker Fantastic
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.