Tag Archive for: good

New gold standard to protect good faith hackers


Bug bounty programme operator and ethical hacking platform HackerOne has launched a Gold Standard Safe Harbour (GSSH) statement for its customers to help them demonstrate that they can and will protect ethical hackers from liability when hacking in good faith.

Any vulnerability disclosure policy or operational bug bounty programme should already include a safe harbour statement to outline the legal protections ethical hackers can expect, but HackerOne believes that by creating a standardised boilerplate, customers can swiftly adopt a short, broad and easily understood standard, and hackers no longer have to parse the different terms and conditions of multiple different statements.

“With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk,” said Chris Evans, CISO and chief hacking officer at HackerOne.

“We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programmes. When hackers are happy and engaged, organisations achieve better attack resistance.”

The GSSH is being road-tested by three HackerOne customers: travel agency Kayak, GitLab and Yahoo. Each is adopting it to “demonstrate their commitment to protecting good faith security research” and to boost hacker engagement with their respective bug bounty schemes.

Kayak chief scientist Matthias Keller said: “The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty programme.

This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organisation.”

Dominic Couture, staff security engineer for application security at GitLab, added: “GitLab is pleased to adopt the Gold Standard Safe Harbour statement. We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”

HackerOne’s next, as yet unreleased, Hacker Report found that over 50% of ethical hackers have discovered a vulnerability that they have not reported, for reasons…


Tips for Creating Good Passwords


Memorize these tips and tricks to create strong passwords and protect your online accounts

You already know to avoid using common, easy-to-guess passwords for your online accounts, but creating unique, strong passwords is easier said than done. Putting in the extra work for password security is worth it, though. Why? “Without a strong password, you are making it easier for an attacker to steal from your bank account, read your health records and impersonate you on social media,” says Brian Contos, chief security officer at Phosphorus Cybersecurity.

With everything going online, including banking and even digital wallets, cyber security is more important than ever. Hackers get more advanced every day, and much of our personal information lives online, putting our privacy and safety at risk. Reports show that about 33% of Americans have experienced an identity theft attempt, and in 2021, losses from identity theft in the U.S. totaled $5.8 billion. To keep your information safe, it’s essential to know how to be secure online.

If your favorite password shows up on this easy-to-crack passwords list, it’s time to change it. Luckily, we can help you get started. Follow these expert-approved tips for creating good passwords—and remembering them. And be sure to read up on other important online security issues, including how to tell if your computer has been hacked, what phishing is and how to avoid online scams.

How to create a strong password

Good passwords have several features in common: length, complexity, uniqueness and unfamiliarity. For the best password security, make sure your passwords have all these characteristics to deter hackers and protect yourself from doxxing and other digital attacks. Remember, each website will have different requirements that you will have to follow for making passwords, like using both uppercase and lowercase letters or including a symbol or number.

Make sure your password is long enough

When it comes to creating good passwords, longer is typically better. “Shoot for at least 15 characters,” Contos says.

Attackers use an automated software tool to try passwords until one works, but longer passwords are harder for the software…
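The checker below is an added example, not code from the article or from Phosphorus Cybersecurity. It turns the four properties above (length, complexity, uniqueness, unfamiliarity) into concrete tests and shows why length dominates: the keyspace an automated guessing tool must search grows exponentially with each extra character. The `COMMON_PASSWORDS` set is a small constructed stand-in for a real breached-password list, the 15-character minimum follows Contos's advice, and the guess rate of 1e11 per second is an assumed figure for offline cracking of a fast hash.

```python
"""Checks a candidate password against the four properties the article
names: length, complexity, uniqueness and unfamiliarity, and estimates how
long an automated guessing tool would need to exhaust the keyspace."""
import math
import string

# Constructed stand-in for a breached/common-password list (a real deployment
# would use a full download such as the Have I Been Pwned set). Not the
# article's list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin123", "welcome",
}

MIN_LENGTH = 15              # the article's "at least 15 characters"
GUESSES_PER_SECOND = 1e11    # assumed offline rate against a fast, unsalted hash


def charset_size(pw):
    """Size of the alphabet an attacker must search, based on the classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 128                       # rough credit for non-ASCII characters
    return size


def has_run(pw, length=4):
    """True if the password contains a repeated or sequential run such as
    'aaaa', 'abcd' or '4321' (case-insensitive)."""
    lower = pw.lower()
    for i in range(len(lower) - length + 1):
        chunk = lower[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def brute_force_seconds(pw):
    """Worst-case time to enumerate every string of this length and alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def check_password(pw, personal_terms=()):
    """Return a report: ok flag, list of problems, a bit estimate of the
    keyspace and the brute-force time at the assumed guess rate.
    personal_terms are details an attacker could learn about the user
    (name, pet, birth year) that must not appear in the password."""
    problems = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    if charset_size(pw) < 62:
        problems.append("use at least upper-case, lower-case and digits")
    if lower in COMMON_PASSWORDS or any(w in lower for w in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if any(t and t.lower() in lower for t in personal_terms):
        problems.append("contains a personal detail")
    if has_run(pw):
        problems.append("contains a repeated or sequential run")
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0
    return {
        "ok": not problems,
        "problems": problems,
        "bits": round(bits, 1),
        "crack_seconds": brute_force_seconds(pw) if pw else 0.0,
    }


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!", "Tango7-Lighthouse!Violet"):
        print(candidate, check_password(candidate, personal_terms=["summer"]))
```

At the assumed rate, the eight lower-case letters of "password" fall in about two seconds even before the common-list check rejects them, while a 23-character mixed password yields roughly 150 bits of keyspace. The substring test against the common list is deliberately broad: "Password1!" still contains "password".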


Justice Dept. says ‘good faith researchers’ no longer will face hacking charges


The U.S. Justice Department on Thursday said it would not use the country’s long-standing anti-hacking law to prosecute researchers who are trying to identify security flaws, a move that provides both protection and further validation for a craft still villainized by many officials, companies and the general public.

In a news release and five-page policy statement issued to federal prosecutors, top Justice officials said local U.S. attorneys should not bring charges when “good faith” researchers exceed “authorized access,” a vague phrase from the 1986 Computer Fraud and Abuse Act (CFAA) that has been interpreted to cover such routine practices as automated downloads of Web content.


The guidance defines good faith to mean research aimed primarily at improving the safety of sites, programs or devices, as opposed to exploration aimed at demanding money in exchange for withholding disclosure or exploitation of a security flaw.

Companies can still sue those who claim to be acting in good faith, and officials could continue to charge hackers under state laws that often echo the CFAA. But most state prosecutors tend to follow federal guidance when their laws are similar.

Well-intentioned hackers in the past were routinely silenced by legal threats. Even in recent years, civil suits and criminal referrals have been used to cancel public talks on dangerous vulnerabilities or cast doubt on research findings.

In 2019, a mobile voting company, Voatz, referred to the FBI a Michigan college student who was researching its app for a course. Twenty years ago, a former employee of email provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he emailed their customers about it.

In a case that drew national attention in October, the governor of Missouri threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.

The Justice Department did…


Immutable Copies Are Only As Good As Your Validation


May 23, 2022

Stan Wilkins

A system can always be replaced, but the files and objects that comprise the application and the data that makes it useful can fall victim to all sorts of decay, neglect, or abuse in a modern system. And that is why we did backups to tape subsystems, or even tape libraries and then virtual tape libraries based on disk drives for so many years. And for those who cannot afford to have downtime or lost data, the IBM i base has been fortunate to have some of the best high availability clustering ever invented.

With ransomware and malware attacks on the rise, it is more important than ever to create immutable copies of data – a snapshot of the information in the machine that cannot be tampered with. This capability is built into IBM’s FlashSystem arrays, and is increasingly used by IBM i customers to create snapshots of their data that can be used in the event of an attack or some other kind of data corrupting event.

We have talked to a lot of IBM i customers who are interested in or are making immutable copies using their FlashSystem arrays, and they think it is fine to do an immutable copy of the system every hour and stack them up. And if they get hacked and someone, for instance, tries to encrypt their archived data – a common attack method these days – then the practice is to keep going back into the archive of immutable copies by hand until one of them works, until one of the copies is not infected.

We don’t like that approach. That is why we have come up with a Safeguarded Copy methodology that we call CopyAssure. With CopyAssure, we are perfectly happy for customers to make lots of immutable copies of their key data. But we believe that as you make these immutable copies, you have to perform an extra set of steps to make sure that each immutable copy is valid and can be put back onto a recovered system in the event of a disaster or an attack.

This means every immutable copy that gets taken is validated at the time it is taken: it is automatically made available, added to a partition, the IBM i OS is booted from it, and then the integrity of the database and…
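The Python below is an added illustration of the two recovery strategies contrasted above; it is not CopyAssure, nor IBM Safeguarded Copy or IBM i code. It models a history of hourly immutable copies in which the last few were taken after ransomware encrypted the database object in place, and one earlier copy carries silent corruption. The `MAGIC` header, the `journaled_sum` field (a checksum assumed to be recorded by the application journal) and the entropy threshold are stand-ins for whatever database integrity check a real validation boot would run. The point it demonstrates is structural: when each copy is validated and the verdict recorded as it is taken, recovery is a lookup of the newest good copy, whereas the "go back by hand" approach pays for a restore and boot on every failed attempt.

```python
"""Models stacking hourly immutable copies versus validating each copy when
it is taken, so recovery becomes a lookup rather than a restore-and-boot
loop. Header, checksum and entropy checks stand in for the database
integrity check the article describes."""
import hashlib
import math
import random
from dataclasses import dataclass

MAGIC = b"IBMIDB1\x00"      # hypothetical header of the database object being protected
ENTROPY_LIMIT = 7.5         # bits/byte; ciphertext sits near 8, records sit far below


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class Snapshot:
    taken_at: int        # hour the immutable copy was taken
    payload: bytes       # the database object as captured in the copy
    journaled_sum: str   # checksum the application journaled for the object (assumed available)


def validate(snap):
    """Integrity check run against one copy. Returns (ok, reason)."""
    if not snap.payload.startswith(MAGIC):
        return False, "header missing: object overwritten or encrypted"
    if sha256(snap.payload) != snap.journaled_sum:
        return False, "checksum mismatch: silent corruption"
    if shannon_entropy(snap.payload) > ENTROPY_LIMIT:
        # Catches partial encryption that kept the header and also rewrote
        # the journaled checksum, so the checksum alone would have passed.
        return False, "high entropy: looks encrypted"
    return True, "ok"


class CopyLedger:
    """Validate-as-you-go: each copy is checked when taken and the verdict kept."""

    def __init__(self):
        self.entries = []

    def add(self, snap):
        ok, reason = validate(snap)
        self.entries.append((snap, ok, reason))

    def newest_valid(self):
        for snap, ok, _ in reversed(self.entries):
            if ok:
                return snap
        return None


def recover_by_trial(snapshots):
    """The 'go back by hand until one works' approach: every attempt costs a
    full restore plus IBM i boot before the integrity check can even run."""
    attempts = 0
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        attempts += 1
        if validate(snap)[0]:
            return snap, attempts
    return None, attempts


def build_scenario():
    """Constructed copy history: six clean hourly copies, one silently
    corrupted copy, then three copies taken after ransomware encrypted
    the object in place."""
    rng = random.Random(7)
    good = MAGIC + b"ORDER 00042 ACME WIDGET 12.50\n" * 120
    snaps = [Snapshot(h, good, sha256(good)) for h in range(6)]
    corrupt = bytearray(good)
    corrupt[100] ^= 0x01                 # single bit flip inside a record
    snaps.append(Snapshot(6, bytes(corrupt), sha256(good)))
    for h in range(7, 10):
        encrypted = bytes(rng.getrandbits(8) for _ in range(len(good)))
        snaps.append(Snapshot(h, encrypted, sha256(good)))
    return snaps


def compare():
    """Run both strategies over the same history and report what each picks."""
    snaps = build_scenario()
    ledger = CopyLedger()
    for s in snaps:
        ledger.add(s)                    # validation happens at copy time
    trial, attempts = recover_by_trial(snaps)
    return {
        "ledger_pick": ledger.newest_valid().taken_at,
        "trial_pick": trial.taken_at,
        "trial_attempts": attempts,
        "rejected": [(s.taken_at, why) for s, ok, why in ledger.entries if not ok],
    }


if __name__ == "__main__":
    print(compare())
```

Both strategies land on the hour-5 copy, but the trial loop needs five restore-and-boot cycles to get there, and the ledger already knows why hours 6 through 9 are unusable (one checksum failure, three overwritten headers) before anyone declares an incident.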
