Security News for the Week Ending November 15, 2019
Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week
Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found. In October it paid out $1.6 million to over 550 hackers, covering 1,800 submissions, of which 327 were categorized as priority 1. These payouts give companies an additional layer of software testing beyond what they do internally. Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is? Source: Bleeping Computer.
National Privacy Bill Introduced
I may have to eat these words. But I doubt it will become law. HR 4978, the Online Privacy Act, has been introduced.
The sponsors say it is meant to address the appalling lack of digital privacy rights in the U.S., which they attribute to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.
You, of course, get “free” services because you are the product.
The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have. Any bets on whether it becomes law? Source: The Internet Patrol.
Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers
White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event. They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices. Just shows that IoT devices are not so secure. Source: Security Week.
Court Rules The Fourth Amendment Applies, Even to the Government
A Massachusetts court has ruled that Customs and ICE need “reasonable suspicion” before searching a citizen’s computer or phone at the border. This is, of course, the complete opposite of what Customs and ICE currently do, which is to search anything, any time, for any reason. The case is likely to be appealed to the Supremes, so stay tuned. Source: The Register.
Trusted Platform Module (TPM) Fails with TPM-Fail Attack
The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type. This affects not only computers but also the many IoT devices that rely on a TPM for their security. Patches are available from the TPM vendors. Source: Bleeping Computer.