Hasta La Gadget!

Earlier this week, Yahoo was accused of using change in its sofa cushions as compensation for reports of security exploits, but now the whole ordeal has generated enough buzz to bring about change for the internet pioneer. As it turns out, these small prizes (along with rewards such as t-shirts) were paid for out of pocket by Ramses Martinez, the director of Yahoo’s security team, who took a moment today to explain the company’s new — and far more lucrative — bounty program. Moving forward, Yahoo will reward security researchers with payments that range between $150 and $15,000 for issues that it deems “new, unique and / or high-risk.”

The company is still in the early stages of hammering out a new policy, but promises that payments will be determined “by a clear system based on a set of defined elements that capture the severity of the issue.” Yes, these amounts still pale in comparison to the massive sums that Microsoft recently offered, but researchers now have reasonable incentive to inform Yahoo of the exploits, rather than sell them on the black market. According to Martinez, Yahoo’s revised policy will be available by the end of the month, and as a nice gesture, its new reward structure will retroactively apply to all bugs submitted from July 1st onward.

Filed under: Internet

Comments

Source: Yahoo! Developer Network

It was just over two years ago that the paragon of internet privacy, the Tor project, decided to build its own browser by forking Firefox. Wired reports that an exploit of that very same browser has been recently discovered that allowed a number of users’ Windows computers to be infected with malware. Once installed, the code delivered infected machines’ hostnames and MAC addresses to a remote web server in Reston, Virginia, a city located just outside Washington D.C. The browser exploit — a JavaScript vulnerability inherent to Firefox version 17, the version upon which the Tor browser was built — was enabled by a breach of Freedom Hosting servers. In this case, affected Freedom Hosting servers delivered web pages to users with the JavaScript exploit embedded in them.

There’s no direct evidence that the malware comes from the government, but the malware’s command and control IP address is registered to a governmental defense contractor. Plus, the data pulled from infected machines indicates it could be an example of the FBI’s computer and internet protocol address verifier (CIPAV) software first identified by Wired in 2007. CIPAV has been used by the FBI to help identify and catch terrorists, hackers and criminals since 2002, but the exact nature of the software has never been revealed. Regardless, the vulnerability in the browser has been identified and fixed, so users need only update to the newest version of the Tor browser to keep their web traffic away from prying eyes… for now, at least.

Update: To be clear, the Firefox exploit in question was fixed, along with the Tor browser well over a month ago, and any users who have updated since June 26th were not affected.

Filed under: Internet

Comments

Via: Wired

Source: Tor Project, Tor Blog

Recently, Georgia Tech researchers discovered an unusual way to attack iOS: a third-party charger with a hidden computer can install malware when an iOS device is plugged in and unlocked. That won’t be an issue for much longer, however, as Apple has confirmed that iOS 7 beta 4 and future releases contain a fix. While the company hasn’t said what that solution is, Georgia Tech’s Billy Lau says that the new OS can tell when it’s plugged into a computer instead of a charger — there shouldn’t be any rude surprises. The dependence on an iOS 7-based fix could leave many users vulnerable until the fall, although the hardware-specific nature of the exploit means it’s unlikely to be a major concern.

Filed under: Cellphones, Tablets, Mobile, Apple

Comments

Source: Reuters

After discovering a longstanding exploit in Android firmware dating back to version 1.6 that allowed malicious developers to circumvent software security measures, Bluebox Security released an Android app this week for users to check whether their phone is still vulnerable to the exploit. Since Bluebox’s report last week, Google acknowledged the issue and released a patch that it says is in the hands of OEMs and already being pushed out by certain manufacturers (Samsung, for one). The app is thankfully free, and should provide some much-needed reassurance to most Android users. Head to the source link below to snag it for yourself.

Filed under: Cellphones, Handhelds, Tablets, Software, Mobile, Google

Comments

Via: Phone Arena

Source: Google Play

Chalk up one more reason to check out Windows 8.1 Preview when it becomes available on June 26th. Today, Microsoft announced that it’ll pay up to $100,000 in cash to those who discover and report novel security exploits within its latest OS revision, along with up to $50,000 in bonus loot for defensive suggestions that relate to the attack. But wait… there’s more. Starting on June 26th and running through July 26th, the Redmond outfit will also pay up to $11,000 toward the discovery of critical vulnerabilities within Internet Explorer 11 Preview (Windows 8.1 Preview). Whether you’re motivated by your bank account or the good of humanity, you can start taking your best shots at Microsoft’s latest code just one week from now.

Filed under: Software, Microsoft

Comments

Via: TechCrunch

Source: Microsoft