With so much cybersecurity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI Software round-up of the three top cybersecurity stories of July 2018.
Microsoft $100,000 bounty program
In what seems to be a growing trend, corporations are upping the return to white-hat hackers in exchange for bug reports in their software and services. Microsoft have introduced an updated bug bounty program that boasts a top payment of $100,000.
Microsoft websites that are covered by the bug bounty program include login.windows.net, login.microsoftonline.com, login.live.com, account.live.com, account.windowsazure.com, account.activedirectory.windowsazure.com, credential.activedirectory.windowsazure.com, portal.office.com, and passwordreset.microsoftonline.com.
Now obviously not every bug found will automatically generate a fat-cat cheque from Microsoft or anyone else. The company outlines the submission rules in their updated programme description.
The focus is on private disclosure and quality of the bug submission, but the gist of the program seems designed to allow Microsoft to quietly improve its software and better control any media fall-out, should a finding need to be disclosed publicly.
A bug bounty program that boasts a life-changing reward for top-drawer disclosures may in fact become the preferred route for technology giants with deep pockets and strong brands.
Singapore bans internet access in health centres
July also saw Singapore’s response to the June cyberattack on the country’s health systems, in the form of an internet-wide ban at public-facing health centres.
Just last month in June, hackers got away with the health records of more than 1.5 million patients, including those of the country’s Prime Minister, Lee Hsien Loong.
According to SCMP, “authorities said it was a ‘deliberate, targeted and well-planned’ strike.”
In recent months, the region has had to mop up after a number of sizeable cyberattacks. In April this year, almost 400,000 broadband customers had their credit card details stolen. More than 40,000 were accessed without authorisation.
This latest attack has led to an internet-wide ban on healthcare computers in public-facing centres. The aim is to prevent future attempts to disrupt systems.
The deputy Prime Minister is reported to have admitted that they should have implemented internet surfing separation.
“This would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to attack. This has now been done,” reports Reuters.
This is what is known as air gapping. Air gapping systems is a great way to harden security. Removing internet access significantly limits the number of ways attackers can threaten the system.
Of course this approach is not popular with everyone, as not having internet access can hamper productivity, communication, agility and seamless data transfer. And of course there is the story that Kremlin hackers jumped air-gapped computers to target U.S. power grid utilities.
If you are looking for an SMB solution to minimise the risk of cyberattacks, Kerio Control is a robust solution which brings together next-generation firewall capabilities, including a network firewall and router, intrusion detection and prevention, gateway anti-virus, VPN, and web content and application filtering. This will keep your business safe whilst still giving your employees and customers access to the internet.
Reddit hacked: handling the fall-out
The end of July saw Reddit’s public announcement of a data breach.
Reddit boasts around 500 million monthly visitors. Alexa Internet ranks Reddit as the third most visited website in the U.S. and the sixth in the world.
Reddit took about a month to pull together its public announcement in which the social news aggregator site explained it was under cyber attack between June 14 and 18.
Employee accounts were compromised, taking advantage of the less-than-perfect two-factor authentication that relies on SMS. The internet giant, as part of its cyberattack update, actually encourages everyone to move to token-based multi-factor authentication, where a physical token, rather than your phone, is used to authenticate your identity upon login.
Reddit’s announcement admits the attack was serious, but that there is a silver lining. In other words, it could have been so much worse.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” to quote the Reddit attack announcement.
Interestingly, Reddit has also launched a “We’re listening” post in r/cybersecurity, inviting comments from users.
They do seem to be doing everything right in the clean-up phase, but it was noticed by some that Reddit, the third biggest U.S. website, only just appointed a head of security a few months ago:
“…we hired our very first Head of Security, and he started 2.5 months ago. I’m not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months. So far he hasn’t quit.”
It was likely that this appointment had something to do with the introduction of the EU privacy bill, GDPR. It will certainly be interesting to see whether the EU receives any complaints about Reddit’s data handling since May 2018.