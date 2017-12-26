Security: Insecurity, DARPA, Oversight, Uber’s Bug Bounty
Lack of IT staff leaving companies exposed to hacker attacks [iophk: "very few companies even have an IT staff, usually just Microsoft resellers"]
According to a recent survey of recruitment agencies, 81% expect a rise in demand for digital security staff, but only 16% saw that the demand would be met.
DARPA Triggers Development of The ‘Unhackable’ Computer Morpheus With $3.6 Million
DARPA (Defense Advanced Research Projects Agency), which gave us the early version of the internet, is now trying to fix a major problem: computers vulnerable to cyber attacks.
Securing the internet of things will be no easy task
As I testified before House Oversight’s IT subcommittee in early October, many recent, major breaches could have been eliminated or dramatically reduced if some fundamental principles of cyber hygiene had been followed, including constant patching, least privilege, encryption, micro-segmentation and multi-factor authentication.
How I Got Paid $0 From the Uber Security Bug Bounty
So now it’s a completely verified critical security vulnerability, with a working PoC that will harvest usernames and passwords from an Uber mobile endpoint, SSL-protected with Uber’s signed certificate. The Uber development team gets involved, and additionally verifies that yes, they can execute arbitrary JavaScript code from any *.cloudfront.net host, so these are three distinct critical severity security issues: reflected XSS, HTML content injection, and a CSP that allows execution of arbitrary JavaScript from any *.cloudfront.net host.
[...]
Followed by locking and then closing without payment all of my submitted security reports, so that they can’t be viewed or publicly disclosed.
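The CSP weakness described in the excerpt above, as an added example that is not part of the original post or of Uber's code: a small JavaScript checker that parses a Content-Security-Policy header and flags script-src sources that let an attacker run arbitrary JavaScript, run against a constructed policy with a *.cloudfront.net wildcard and against a hardened alternative. The list of shared hosting domains, the CloudFront distribution name and the nonce value are assumptions for illustration, not anything taken from the report.

```javascript
// Added example (not from the original post): parse a Content-Security-Policy
// header and flag script-src sources that let an attacker run arbitrary
// JavaScript. The policies below are constructed for illustration; they are
// not Uber's actual headers.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Shared hosting domains: anyone with an account can serve content under them,
// so a wildcard on one of them is as good as allowing any origin.
// (Assumption: this list is illustrative; extend it for the CDNs you use.)
const SHARED_HOSTS = ['cloudfront.net', 'amazonaws.com', 'github.io', 'herokuapp.com'];

// Return human-readable findings for the script-src directive, falling back to
// default-src when script-src is absent, as browsers do.
function auditScriptSrc(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') ?? policy.get('default-src') ?? [];
  const findings = [];
  if (sources.length === 0) {
    findings.push('no script-src or default-src: scripts from anywhere are allowed');
    return findings;
  }
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === '*' || s === 'http:' || s === 'https:') {
      findings.push(`${src}: allows scripts from any host`);
    } else if (s === "'unsafe-inline'") {
      findings.push(`${src}: inline scripts allowed, so any HTML injection is XSS`);
    } else if (s === "'unsafe-eval'") {
      findings.push(`${src}: string-to-code (eval) allowed`);
    } else if (s.includes('*')) {
      // Strip scheme and the leading "*." to get the registrable suffix.
      const host = s.replace(/^[a-z]+:\/\//, '').replace(/^\*\./, '');
      const shared = SHARED_HOSTS.some(d => host === d || host.endsWith('.' + d));
      findings.push(
        `${src}: wildcard host` + (shared
          ? ' on a shared hosting domain; any tenant there can serve JavaScript'
          : '; review whether every subdomain is trusted'));
    } else if (s.startsWith('data:')) {
      findings.push(`${src}: data: URIs allowed for scripts`);
    }
  }
  return findings;
}

// Constructed weak policy of the kind described in the post: a wildcard that
// covers every CloudFront distribution, not just the site's own.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cloudfront.net; img-src *";

// Hardened alternative: name the one distribution actually used and require a
// per-response nonce for inline scripts. (The distribution host and nonce value
// are placeholders.)
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mB4se64' https://d111111abcdef8.cloudfront.net; object-src 'none'; base-uri 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditScriptSrc(WEAK_CSP));
  console.log('hardened:', auditScriptSrc(HARDENED_CSP));
}
```

The point the checker makes concrete: a wildcard source on a domain where anyone can create a tenant (any AWS account can create a CloudFront distribution) is equivalent to an open script-src, because the attacker simply hosts the payload there, and a reflected XSS or HTML injection then has a permitted origin to load it from. Naming the exact distribution host, or moving to nonces or hashes, removes that escape hatch; 'unsafe-inline' has to go at the same time or the injection runs without any external host.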
