Hacking & Security
Why Are We So Slow To Detect Data Breaches?
HP iLO3/iLO4 Remote Unauthorized Access with Single-Sign-On, (Thu, Jun 20th)
With bug bounties, Microsoft extends an olive branch to hacker community
Extending an olive branch to the hacker community, Microsoft today announced three bug bounty programs through which the
Microsoft to Offer Standing Bug Bounty
Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.
The bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.
“The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for ‘truly novel exploitation techniques’ against protections built into the latest version of Windows – Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.
These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).
On Monday, I asked Mike Reavey, director of Microsoft’s Security Response Center, whether the company was concerned that restricting the offering to beta products might be perceived as a promotional gimmick for Windows 8, which has registered flagging sales and mixed reviews. Reavey said the research gleaned from the bug bounty program may well turn out to be useful in hardening older versions of Windows and IE, but in any case the company was focused on fixing big security issues before releasing these products for broader use.
“These are unique programs, because you don’t see white-market vulnerability brokers incentivizing research on products before they’re released,” Reavey said, referring to bug bounty programs run by companies like iDefense and HP Tipping Point, which pay researchers for critical bugs in third-party software and then work with vendors (including Microsoft) to help fix the problems.
Vulnerability researchers have long dug through beta versions of Microsoft products, only to sit on their findings until the product is officially released. That’s because vulnerability brokers don’t typically pay for bugs in beta versions of popular software. But by tying its offer of up to $11,000 to a 30-day preview window only, Microsoft removes the incentive for researchers to hold onto their findings, said Jeremiah Grossman, chief technology officer for WhiteHat Security Inc.
“When any IE preview edition comes out, researchers will start pounding on it looking for bugs, but since bug brokers don’t pay for preview vulnerabilities the researchers have to hold on to their bugs and hope that they’re still there when the product is finally released,” Grossman said. “Microsoft really is targeting that window of time with this offering.”
Charlie Miller, a former analyst at the National Security Agency and a security researcher who has found his share of bugs in big-name software (most notably Apple’s products), applauded Microsoft for trying to fix flaws in software before most customers start using it.
“The whole industry has evolved over the past few years, so there’s now less of a focus on finding and fixing bugs and more of a focus on making exploitation of bugs more difficult,” said Miller, now a security engineer at Twitter. “Most people don’t care about software betas, and Microsoft is trying to change that, and I think that’s good. They’re trying to get the bugs worked out before the software is in most people’s hands.”
Microsoft Establishes Rewards Programs for Windows 8.1, Internet Explorer 11 Preview Security Bugs
Security Needs More Designers, Not Architects
German company will continue to update Ruby on Rails 2.3
NetTraveler using PRISM phishing lures
LibreOffice 4.0.4 arrives with 98 improvements
Oracle bug accidentally removes GPL licence from MySQL man pages
First alpha version of OpenMandriva released
Java 7 Update 25 fixes 40 security issues, enables certificate revocation checking
Oracle addressed 40 security issues in Java and enabled online certificate revocation checking by default in its scheduled critical patch update for Java on Tuesday.
Thirty-four vulnerabilities patched in the newly released Java 7 Update 25 (Java 7u25) version affect only client deployments of Java. Another four affect both client and server deployments, one affects the Java installer and one the Javadoc tool that's used to create HTML documentation files.
Edward Snowden asylum : Hong Kong, Ecuador and Iceland
Making peril permanent: Google's Gmail app redesign
Google's recent update of its Gmail app made archive the default setting, encouraging its users to save their email, literally, forever.
This may mean a doctor's message about a medical condition, a love note, a conversation about an employer, a neighbor, or with a therapist, may be preserved for decades and, consequently, is left forever at risk.
Java 7 Update fixes 40 security issues, turns on certificate revocation check