Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say
The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.
But Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation.
Certainly, many big companies have struggled with cyberattacks in recent years. But Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.
It’s 2016 and hacking is all around us. What was a pastime for curious, smart nerds became big business for the underworld, and a lucrative tool in the arsenal of nations. Everyone is hacking everyone, trying each other’s defenses, constantly looking for weaknesses, for loopholes.
Yet contrary to popular belief, not all hackers are bad—and in fact, some are working hard to fix fundamental security problems, while challenging the implicit, blind trust we often place in flawed technology. In a sense, hackers are the immune system for our connected society, forcing us to fix things, or demand something better. Can these hackers actually be the heroes of this fast-changing world? I think so.
Source: Vice Magazine
Uber’s business model is based on a simple notion: Why employ drivers full time when you can hire them more efficiently as freelancers? It’s no surprise, then, that the company’s come to the same conclusion on cybersecurity, recruiting an army of gig-economy hackers who are paid by the exploit instead of by the hour.
On Tuesday, Uber announced that it’s officially launching a “bug bounty” program that will pay independent security researchers thousands of dollars in rewards for finding hackable bugs in its apps and websites. That makes the ride-sharing firm the latest tech giant to adopt the strategy of crowdsourcing the auditing of its code to shore it up against less benevolent hackers. Finding a bug that could deface Uber’s homepage or expose users’ email addresses earns $5,000, for instance, while one that could fully take over Uber accounts or run malicious code on an Uber production server can earn as much as $10,000.
On Wednesday the Department of Defense announced that it’s launching a “Hack the Pentagon” pilot program to pay independent security researchers who disclose bugs in the Pentagon’s public-facing websites, and to eventually roll out the initiative to the DoD’s less public targets including its applications and even its networks. The DoD hasn’t yet named which of its websites are part of the program or how much it plans to pay for bug reports. But the announcement nonetheless represents the first time the U.S. federal government has launched a bug bounty program. This is an acknowledgement that even an agency with the Pentagon’s significant cybersecurity resources and expensive contractors doesn’t have enough eyes to find all its hackable vulnerabilities.
Source: Wired
Are squirrels a bigger threat to the power grid than hackers?:
They can strike at almost any moment – gnawing through the insulation guarding power lines or burrowing into substations in risky missions that can leave thousands without power at a time. The bushy-tailed rodent has even sparked economic mayhem: Back in 1987, a rogue squirrel took out the power to a NASDAQ computer center for nearly an hour and a half, stopping an estimated 20 million shares from being traded, according to the New York Times.
The critters are such a big problem that the American Public Power Association even tracks the blackouts they cause with its own “Squirrel Index.”
Feds Prod Automakers to Play Nice With Hackers:
The Department of Transportation and its automotive safety branch, the National Highway Traffic and Safety Administration, are waking up to the threat of hackable vulnerabilities in Internet-connected cars and trucks. Now they’re nudging the auto giants that make those vehicles to wake up, too—starting with a mandate to listen more closely to the security researchers who expose their products’ hackable flaws.
Source: Wired
As automotive cybersecurity has become an increasingly heated concern, security researchers and auto giants have been locked in an uneasy standoff. Now one Detroit mega-carmaker has taken a first baby step toward cooperating with friendly car hackers, asking for their help in identifying and fixing its vehicles’ security bugs.
Earlier this week, General Motors quietly launched a vulnerability submission program that allows security researchers to submit information about hackable vulnerabilities in GM automobiles and rest assured that—as long as they follow a few guidelines—they’ll be thanked rather than hit with a lawsuit.
Source: Wired