Security Roundup - 2018-01-25

HackerOne 2018 Hacker Report. HackerOne has produced another edition of its report on what drives hackers. Interestingly, while bug bounties earn hackers in some countries many times the average salary there, “to make money” is only the 4th most common reason hackers do what they do, vs. first in 2016. Also interesting: 1 in 4 hackers do not report vulnerabilities when there is no clear channel to disclose. Perhaps, as in Troy Hunt’s piece on breach notification, they find the hunt and lack of response frustrating, and opt to avoid it instead?

SANS Releases Enterprise Implementation of Bug Bounty Programs. Thinking of starting a bug bounty program? You may want to check out the SANS Institute’s Enterprise Implementation guide.

More malicious extensions found for Google Chrome. Investigating a suspicious increase in network traffic, security researchers tracked the uptick back to yet more malicious Chrome extensions. While the extensions themselves may not have been malicious, they were able to download and execute commands from some remote JSON. Additionally, another researcher has discovered an extension that is extremely difficult to remove, circumventing normal attempts to either disable or delete it.

HackerOne releases Hacker101 Security Course. To further increase the talent pool, HackerOne has also released a free Web Security course. Block off some time for learning!

IoT Botnets work of the minority? Last year marked the rise of several large botnets powered by IoT devices, and Brian Krebs has opted to talk to Allison Nixon from Flashpoint security about her perspectives on the IoT problem and where we are going.

SamSam, 2 years later. We first reported on SamSam almost 2 years ago, and Talos has intel on the evolution of this ransomware strain.

Written on January 25, 2018