
The new Google bug bounty and more: First officer's blog - week 15

A new Google bug bounty, Youtube cutting down on misinformation, and more. Here are the latest stories from the world of cyber risk.

Mike Parkin | September 06, 2022

First Officer’s log, Terrestrial date, 20220905. Officer of the Deck reporting.  

As a support vessel, specializing in integrating communications across a world’s disparate defense systems, we are usually called into action well after a world’s joined the Federation or, at least, well after the first contact team has done their work and moved on to the next assignment and more glory. 

To that end, we have been dispatched to [REDACTED] to help the [REDACTED] integrate their planetary defense systems. As newly added members of the Federation, we need to help them integrate their own systems so that they’ll be able to more effectively fend off hostile forces in this sector. 

Fortunately, with the new communications interface deployed, we should be able to maintain contact throughout the mission. The only question now is who the captain intends to deploy to the surface for this mission. 

We will have to see. 

Cutting down on misinformation 

What happened 

Google released a report on the YouTube accounts it terminated in Q3, revealing that the majority of them were linked to China with a smaller, but still significant, number linked to Russia. The removed channels ranged from more or less spammy channels to ones that were deliberately spreading political propaganda and misinformation. 

Why it matters 

Media platforms like YouTube are in an unusual position. On the one hand, they provide an avenue for anyone to have a voice. This can be a great resource for niche technical information, hobbyists, families, and citizen journalists. But they can also be a platform for outlandish conspiracy theories, misinformation, and state-sponsored propaganda.  

While they have no obligation to give everyone unrestricted access, or to ensure that they are not being used to spread potentially dangerous misinformation or propaganda, it is good to see them doing the responsible thing here. After all, there is a difference between uncomfortable facts and outright fabrications presented as facts.

What they said 

Fake news and misinformation have been hot topics for a while now, so it's no surprise that this story is getting a lot of attention.

Google bug bounty for open source

What happened 

Google added bug bounties to several of their open-source software (OSS) projects, making them eligible for researchers to get rewarded for finding issues in the software.  

Why it matters  

Google is involved with a number of high-profile and widely used open-source software projects, and this can only help the ecosystem. One of the advantages of OSS is that with many eyes on the code, vulnerabilities are often identified and fixed before threat actors can exploit them in the wild. By adding bug bounties, there is even more incentive to get eyes on the code which should make these projects even more secure. 

Hopefully, this is a step towards supporting bug bounties on OSS projects that lack large corporate sponsors but are still widely used and heavily leveraged throughout the software development ecosystem. 

What they said


When Google makes an announcement, people listen. Here's what people are saying about the new Google bug bounty.

It’s about standards 

What happened 

The Anti-Malware Testing Standards Organization (AMTSO) recently released a set of guidelines to standardize the testing of IoT (Internet of Things) devices. The new standards will hopefully bring improved security to IoT devices in various environments. 

Why it matters  

IoT devices are an often-overlooked part of an organization's environment. While they often have limited computing power, they are still an inviting springboard to other systems in the environment, notably the controllers that manage the IoT devices themselves. Add in the fact that many of them are difficult, or even impossible, to patch, and they become an attractive target.

Since these devices often have to rely on external protection, such as network segmentation and dedicated firewalls, and run a variety of operating systems, having a testing standard can only help improve the situation. Given that there are already standards for testing conventional anti-virus and anti-malware applications, it's past time to apply standards to this specialized space.

What they said 

IoT is big and getting bigger. People are talking.
