CEP Statement on Twitter’s Suspension of Extremist... » New York, NY: The Counter Extremism Project released the following statement in response to Twitter’... RiskIQ accelerates momentum across entire extern... » London, UK: RiskIQ has announced year-over-year bookings growth of 80 percent, dominating the extern... Interserve chooses Sopra Steria to transform ... » London: Sopra Steria has recently signed a major IT managed services contract with Interserve PLC to... Arista expands to next-generation telemetry » SANTA CLARA, Calif: Arista Networks (NYSE:ANET) today announced next-generation telemetry and analyt... VIOLATION OF INNOCENCE » This poem was written in 2007 and since then has been published and republished on Vigilance many ... NSFOCUS continues Middle East commitment in partne... » NSFOCUS IB has confirmed its new partnership with MDS Computers, continuing its expansion into the M... Xceed Group prepares RFIB for IT service growth » London, UK:  London-based Xceed Group has helped RFIB Group Limited to select an Infrastructure as a... Varonis helps Miramax control and secure valuabl... » London, UK: Varonis Systems, Inc. has released details on how Miramax relies on Varonis solutions to... TDSi awards AlertSystems ‘Platinum Partner of th... » Poole: Integrated security manufacturer TDSi has awarded AlertSystems its ‘Platinum Partner of the Y... Virgin Trains welcomes decision to suspend indus... » The union suspended the walk-outs yesterday after Virgin Trains repeated its assurances to the union...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

London, 10th November 2010 - Reports that Barracuda Networks is offering in excess of $3,000 for details of serious bugs in its IT security products is the latest stage in a worrying new trend, says vulnerability and testing security specialist Idappcom.

 

Anthony Haywood, Idappcom’s  CTO, says that even though Barracuda is billing the bug bounty scheme as in the best interests of customer, there is a significant danger that it will attract developers into researching the vendor's products and then offering them to the highest bidder.

"And, of course, if the bug is a really serious one that cybercriminals can exploit to generate fraudulent revenue, there is a significant danger of the exploit information falling into the dark ecosystem that black hat hackers - as well as cybercriminals - now inhabit," he said.

"Whilst even organisations like Google and Mozilla offer juicy sums of money for bugs in their software, you are going to get other vendors following suit. But just because it is becoming the norm for the IT industry, does not make it in the long-term interests of our market sector," he added.

The Idappcom CTO went on to say that the bug bounty schemes offered by a growing number of IT players has parallels in the `litigate for free' industry that has sprung up on both side of the Atlantic's legal industry over the last decade or so.

The law firms, he says, argue that their litigate-for-free service is really in the best interests of the consumer, but the problem is that a while new industry has been created, that has ended up pushing insurance premiums up for most businesses.

Someone, somewhere, has to pay for these types of services, and, Haywood observes, the same conclusions apply to the bug bounty programs offered by IT vendors.

The irony of the situation, he explained, is that, as well as paying indirectly for the bug bounty schemes, end users of IT security systems, software and services also end up `paying' as the tide of malware and other electronic mayhem rises as a result.

"This is a cause and effect situation. No one really wins in the longer term from bug bounty programs. And that's why we say that they are not in the real interests of our industry," said Haywood.

"In the short term they make a good story - and perhaps even a good event like CanSecWest's Pwn2Own cracking contest in North America - but the bottom line is that it's not in our industry's best interests to offer such large sums of money. For that reason we give a definite thumbs down to such practices," he added.

...Imperva’s Key Security trends for 2011

1.      Man in the Browser (MITB) attacks are a new threat which consumers will face and the hacking industry is widely adopting, especially as many security products are not mature enough yet to deal with this problem.

2.      SmartPhones will be the New Target in 2011

Hackers are using mobile devices (smartphones and tablets) as a new attack platform. With a number of applications on mobile devices (CRM, Salesforce, Access to work emails), these will become more susceptible to attack.

3.      Hackers and Security Side-by-Side in the Cloud

As organization’s IT infrastructure transitions to the cloud, so will the security controls of those organizations. However these services will also become hot targets for hackers, with the popular ones being the most data-rich, the security on these services will need to be tightened immensely.

4.      Insider Threat

With even more job losses set to occur in 2011, there will be more disgruntled employees than ever before. Employees are more likely to want to take information to help them with new jobs or as an act of revenge to pass on to competitors.

5.      Social Networks have started to blur the notion of Privacy and Security

2011 will bring even more confusion when it comes to security and the trust people put in Social Networks

6.      Convergence of regulations over countries

Convergence of regulations amongst the OECD countries will lead to standardising laws on data security and privacy.

7.      Security is becoming part of the Business Process

With the recent acquisitions of MacAfee by Intel and Fortify by HP, corporations are gaining an understanding of the need to apply security throughout the complete process of building a system. Today, cyber security can't be separated from business operations. Security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive.

8.      Hackers Feeling the Heat

Proactive security seems to be the new approach for most security practitioners and due to this more hackers will get caught. However, due to the Industrialization of Hacking, hackers will raise their professional bar accordingly, by “buying” other smaller groups or merging, leaving the more sophisticated hackers in business.

9.      Hacktivism Meets Industrialization

Hacktivism as we know it has been very targeted. However, hacktivists are learning from the success of industrialized hackers and will soon follow in their footsteps. The attacks will transition from restricted targets to a wide range of targets.

 

10.      File Security

With Sharepoint being fastest growing product in MS history and data growing at a 60% annual rate file security will become on top of the security. Also with the scope of PCI being enhanced to refer not only to databases and Web apps, but also to files, organizations will need to carefully consider how they protect their files.