10Fold – Security Never Sleeps – 65

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider:  On Thursday, the US Department of Defense announced the launch of a pilot bug-bounty program for DOD’s public-facing websites. Cyber criminals in different hemispheres of the globe are working together to improve malicious tools, software, and techniques to carry out cyber attacks researchers have warned. Both government agencies and private firms are looking for new ways to meet the challenges and overcome the many shortages the cyber security industry is facing- one of the growing trends in this regard is the use of gaming software, the element of competition and simple rewards programs to help find security holes, educate about cyber security issues and recruit talent to plug the skills gap that is riddling the industry. Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates.

DOD invites you (well, some of you) to “Hack the Pentagon” this month– Publication: Ars Technica – Reporter name: Sean Gallagher

On Thursday, the US Department of Defense announced the launch of a pilot bug-bounty program for DOD’s public-facing websites. Called “Hack the Pentagon,” the bounty program will be managed by HackerOne, the disclosure-as-a-service company. Since the Hack the Pentagon pilot, its budget and duration are fairly modest by DOD standards. The Pentagon has budgeted $150,000 for the month-long hunt, which will begin April18st and end byThursday May 12th.


Cybercriminals are overcoming language and timezone barriers to cooperate on making malware more dangerous – Publication: ZDNet – Reporter name: Danny Palmer

Cyber criminals in different hemispheres of the globe are working together to improve malicious tools, software, and techniques to carry out cyber attacks researchers have warned. An investigation by Kaspersky Lab found that cyber criminals situated over 10,000km apart in Brazil and Russia are overcoming substantial time zone differences and language barriers in order to borrow techniques from each other and speed up the development of malware. It signifies evolution of ransomware and other forms malicious software, which not so long ago were developed in complete isolation from one another, resulting in tailored cyberattack techniques.


Meeting cybersecurity challenges through gamification – Publication: TechCrunch – Reporter name: Ben Dickson

When it comes to cybersecurity issues, we always seem to be dealing with either shortages or excess. Everywhere there’s talk of how data breaches are growing in number, size, severity and cost, and there are always too many new security holes, vulnerabilities and attack vectors that need to be fixed. On the other hand, there’s a widening cybersecurity talent gap to fill vacant posts. With the dark shadow of bigger security incidents constantly looming on the horizon, both government agencies and private firms are looking for new ways to meet the challenges and overcome the many shortages the cybersecurity industry is facing. Digital Guardian, a cybersecurity firm that offers namesake data loss prevention (DLP) platform, intends to integrate gaming concepts and mechanics into the daily security practices of firms and organizations.


Hackers use the iOS mobile device management protocol to deliver malware – Publication: ComputerWorld – Reporter name: Lucian Constantin

Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management protocols. Apple’s tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware. The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.