Facebook Launches Security Bug Bounty


Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes on the popular social-networking Web site.
Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.
Facebook Chief Security Officer Joe Sullivan said that "typically, it's no longer than a day" to fix a bug.

Facebook's Whitehat page for security researchers says: 

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and--if they were lucky--a job.
"Some of our best engineers have come to work here after pointing out security bugs on our site," said Alex Rice, product security lead at Facebook, citing Ryan McGeehan, manager of Facebook's security response team, as one example. (Facebook also recently hired George Hotz, known for jailbreaking the iPhone and hacking the Sony PlayStation 3, who works on security issues.)
Meanwhile, Facebook is giving security researchers a way to create test accounts so that their testing does not violate the terms of use or affect other Facebook users, Rice and McGeehan said.
Facebook is following in the steps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a bug bounty program with payments ranging from $500 to more than $3,000 for finding Web security holes, as well as a program specifically for Chrome bugs.
Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. However, other companies do, like TippingPoint's Zero Day Initiative.
Researchers are typically paid more for bugs in desktop software, because fixing a desktop bug also means getting the updated software onto users' computers, whereas a bug in a Web-based service can be fixed on the server and is remediated much more quickly.

According to Facebook:

Eligibility
To qualify for a bounty, you must:
  • Adhere to our Responsible Disclosure Policy:
    ... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF/XSRF)
    • Remote Code Injection
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.

Rewards
  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded
Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques


-News Source (Facebook & CNET)



Stuxnet Clones May Be Used To Hit US


Officials at the US Department of Homeland Security are warning that cybercriminals could build variants of the Stuxnet computer worm and use them to attack American power plants, water treatment facilities and other key parts of the infrastructure, various media outlets have reported.
The self-replicating malware, first detected last July, was used to disrupt Iran's nuclear-enrichment program, according to Reuters reports on Thursday. Stuxnet reportedly targeted Siemens industrial control systems, exploiting four previously unknown vulnerabilities in Microsoft Windows to take control of the infected machines.
"Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now," officials from Homeland Security said in a submission to the House Energy and Commerce Committee, reports Telegraph Technology Correspondent Christopher Williams.
"The Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems," they continued, adding that officials would "remain vigilant and continue analysis and mitigation efforts of any derivative malware."
Forensic evidence suggests that Stuxnet, which cybercrime experts have called one of the most complex computer viruses ever discovered, if not the most complex, could have been the product of a joint operation by the US and Israel, Williams said.
According to Reuters, Roberta Stempfley, acting assistant secretary with the Office of Cyber Security and Communications, and Sean McGurk, director of the National Cybersecurity and Communications Integration Center, also testified before a House Energy and Commerce subcommittee on Tuesday.
Furthermore, Dan Goodin of the Register reports that Stempfley and McGurk warned the House Subcommittee on Oversight and Investigations that several different nation states, terrorist networks, organized crime groups, and individuals located within American territory are currently capable "of targeting elements of the US information infrastructure to disrupt, or destroy systems upon which we depend."
Williams reports that similar concerns prompted the British government to invest £650 million (approximately $1 billion) in cybersecurity in 2010.


-News Source (Red Orbit)

 


Anonymous claims to have breached ManTech International's network


A tweet sent by the hacker group Anonymous at midnight yesterday claims the group has broken into the network of defense contractor ManTech International and intends to release seized documents within 24 hours.
"ManTech has been owned. Release within 24h," said the Anonymous tweet.


Mac OS X Lion Login Password Vulnerability



A password recovery company has advised users of Mac OS X Lion to disable the operating system's 'automatic login' feature because of a recently discovered vulnerability in the OS from Apple (NASDAQ:AAPL).
According to Passware, which sells password recovery software to law enforcement organizations, the recently released Mac OS X Lion keeps the login password in memory, where it can be read out whenever the Mac is asleep or locked. The same issue also affects the previous version of the OS, Snow Leopard.
The company said that recovering the password requires physical access to the Mac's FireWire port: the password is read straight out of RAM over direct memory access (DMA). Sales of the latest OS from Apple started a week ago at the App Store with a price tag of $30. Apple has pointed out that Mac OS X Lion provides numerous new features.

Users can reduce their exposure by disabling the automatic login feature. They can also shut down their computers, since the password is no longer held in memory once the machine is powered off (sleep keeps RAM powered, which is why a sleeping Mac is exposed), or disable the FireWire port. Locking the screen does not help by itself, because DMA reads memory directly regardless of whether the console is locked.
The company also said that its newest product, Passware Kit Forensic, uses this weakness and will reportedly recover the login password.
Passware says that with automatic login disabled the computer is protected even though the password remains recoverable while the Mac is asleep; with automatic login enabled, anyone who sits down at the computer can use it.
To disable automatic login, users have to enter their password in their account settings. Passware says it has used the same memory-access technique before, when it was able to decrypt hard drives encrypted with TrueCrypt and BitLocker.
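The three mitigations above, as an added shell audit script for a Mac; this is not code from the article or from Passware. Assumptions the article does not state: the auto-login user is stored in the autoLoginUser key of /Library/Preferences/com.apple.loginwindow and its obfuscated password in /etc/kcpassword; FireWire support is provided by the kernel extension com.apple.iokit.IOFireWireFamily; and the pmset hibernatemode setting decides whether RAM stays powered in sleep (mode 25 writes memory to disk and powers it off, which closes the sleeping-Mac window the article describes at the cost of slower wake). The helper functions take command output as text so they can be checked on any system; only the Darwin-guarded part changes settings.

```shell
#!/bin/sh
# Added example, not from the article or Passware: audit and apply the
# mitigations for the FireWire DMA password exposure on a Mac.
# Assumed locations (not stated by the article): autoLoginUser key in
# /Library/Preferences/com.apple.loginwindow, /etc/kcpassword, and the
# FireWire kext bundle id com.apple.iokit.IOFireWireFamily.

LOGINWINDOW=/Library/Preferences/com.apple.loginwindow

# Extract the auto-login user name from `defaults read` output.
# When the key is absent, defaults prints a "does not exist" error
# instead of a name, so the function prints nothing.
autologin_user() {
  printf '%s\n' "$1" | grep -v 'does not exist' | head -n 1 | tr -d '[:space:]'
}

# Return 0 (true) if a kextstat listing shows the FireWire driver loaded.
firewire_loaded() {
  printf '%s\n' "$1" | grep -q 'com.apple.iokit.IOFireWireFamily'
}

# Return 0 (true) if the pmset settings leave RAM powered during sleep.
# hibernatemode 25 writes RAM to disk and powers it off, so a DMA read
# during "sleep" finds nothing; the defaults (0 on desktops, 3 on
# laptops) keep RAM live.
ram_live_in_sleep() {
  mode=$(printf '%s\n' "$1" | awk '$1 == "hibernatemode" { print $2 }')
  [ "${mode:-0}" != "25" ]
}

# Only touch a real system when running on a Mac; the functions above are
# still usable elsewhere for checking captured output.
if [ "$(uname)" = "Darwin" ]; then
  user=$(autologin_user "$(defaults read "$LOGINWINDOW" autoLoginUser 2>&1)")
  if [ -n "$user" ]; then
    echo "automatic login is ON for '$user'; disabling it"
    sudo defaults delete "$LOGINWINDOW" autoLoginUser
    sudo rm -f /etc/kcpassword
  fi

  if firewire_loaded "$(kextstat)"; then
    echo "FireWire driver loaded; unloading it (reloads on reboot)"
    sudo kextunload -b com.apple.iokit.IOFireWireFamily || echo "unload refused; device in use"
  fi

  if ram_live_in_sleep "$(pmset -g)"; then
    echo "RAM stays powered in sleep; switching to hibernatemode 25"
    sudo pmset -a hibernatemode 25
  fi
fi
```

Run it with `sudo sh audit.sh` on the Mac; shutting down, rather than sleeping, remains the simplest way to clear the password from memory, and the kextunload step only lasts until the next reboot (the 2011-era advice of moving the kext out of /System/Library/Extensions is the persistent form).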


Netsparker 2.0 Released (Web Application Security Scanner)

Mavituna Security has released V2.0 of its web application security scanner Netsparker. The new version includes 16 new security checks, 15 new features and a variety of minor improvements.
New in V2.0 is a Vulnerability Database with a list of known vulnerabilities for Apache, Tomcat, MSSQL and MySQL. When Netsparker identifies one of these systems, it’ll reference the database and report all known vulnerabilities for that particular version with severity, exploit details and CVE references.

The new security checks in Netsparker 2.0 include SSL checks (Netsparker reports weak ciphers, self-signed certificates and similar SSL/certificate issues), Tomcat default file checks, ASP.NET MVC version disclosure checks, and Mongrel/Nginx version disclosure checks.

The vulnerability engine has also been enhanced:

    * Improved Signature based SQL Injection detection
    * LFI checks improved and coverage increased
    * Attribute-based XSS checks improved
    * PHP source code disclosure checks improved
    * Protocol-based XSS attacks significantly improved
    * ASP.NET / .NET Framework 4 ViewState support added; MAC-enabled and encryption issues are now also reported correctly on .NET Framework 4 systems
    * ORACLE SQL Injection checks improved

On a lighter note, Mavituna Security are also proud of the new dramatic splash screen. You can’t beat that!

