A roundup of the top news stories in information security this week, including security updates issued by Microsoft, Adobe and Google, a new vocabulary framework released by NIST, and a study that points to women in infosec feeling empowered in their roles.
Security Researcher Pleads Not Guilty to Kronos Trojan Charges
Marcus Hutchins, the security researcher arrested at the Las Vegas airport following the Black Hat and DEF CON conferences for his alleged ties to the Kronos banking Trojan, has pleaded not guilty. His bail was set at $30,000, but Hutchins had to spend the weekend in jail because the payment couldn’t be made before the clerk’s office closed on Friday. Following his release on Monday, Hutchins will remain in the U.S. under GPS monitoring and face a six-count federal indictment in Wisconsin.
UK Issues Cybersecurity Guidelines for Smart Cars
The British government has issued a new set of guidelines designed to ensure that automakers pay attention to cybersecurity. According to UK Transport Minister Lord Callanan, the goal is to provide “all parties involved in the manufacturing and supply chain … with a consistent set of guidelines.” Made up of eight basic principles, the guidelines may prompt the U.S. to take similar action.
Teenager Scores $10k for Google Vulnerability
A high school student has earned $10,000 for discovering a vulnerability that, if exploited, could have allowed an attacker to access an internal Google website and ultimately obtain sensitive data. Ezequiel Pereira, who aspires to be a cybersecurity researcher, came across the bug while toying around with some Google services using the popular Burp Suite vulnerability scanner.
Survey: Women in Security Feel Empowered
A new survey of female security professionals indicates that many feel empowered in their jobs. Respondents to the study, titled “Women in Cybersecurity: A Progressive Movement,” said that they consider themselves valuable members of the team. When asked what excites them most about working in the cybersecurity industry, 73% said solving complex problems.
Class Action Lawsuit Alleges Disney Tracks Children Via Apps
A class action lawsuit brought against the Walt Disney Company claims that the company’s apps fail to safeguard children’s information. Filed on Thursday in the San Francisco/Oakland division of the U.S. District Court, the suit claims the company and Upsight, an analytics and marketing platform for mobile apps, violated the Children’s Online Privacy Protection Act (COPPA), which the FTC enforces.
New Cybersecurity Definition Guidance Released by NIST
To provide enterprises with a common vocabulary to describe cybersecurity work by category, specialty area, and work role, NIST has released the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. According to the report, “The NICE Framework supports consistent organizational and sector communication for cybersecurity education, training, and workforce development.”
Microsoft Addresses 48 Flaws in August Patch Tuesday Release
It’s every security manager’s favorite time of the month, as Microsoft has once again released its latest security update. In this month’s edition of Patch Tuesday, the computing giant has issued fixes for 48 security issues across six of its main product categories. Only three of the vulnerabilities became public before they were patched, and Microsoft did not detect any of them being leveraged by attackers before the fix.
Google Fixes 10 Critical Bugs in Android Update
In its latest Android security update, Google has addressed 10 critical remote code execution vulnerabilities. The security bulletin also highlights a number of flaws that received a “High” severity rating, in addition to two “Moderate” vulnerabilities that were addressed. According to the bulletin, the most severe vulnerability is located in the media framework.
Firefox Update Features 3 Fixes for Critical Bugs
The latest security update issued by Mozilla addresses a total of 29 vulnerabilities in its popular Firefox browser. Of the flaws patched by the company, three were given a critical rating. If triggered, one of the critical bugs could have caused the browser to crash in a way that would allow an attacker to execute arbitrary code. The other two critical bugs were use-after-free flaws that could have resulted in exploitable crashes.
“Secret” Bug Bounty Features a $250K Top Prize
Bugcrowd is recruiting for a “secret” customer program that gives whitehats the chance to win a top reward of $250,000. While rewards of this size are typically offered by the Googles and Microsofts of the world, this private program reflects a trending “hybrid approach” that more organizations seem to be taking, according to Bugcrowd. The invite-only program is intended for researchers with virtualization experience, as the top prize will be paid out for flaws resulting in code execution in a virtualization platform.