Today marks the start of the inaugural European Cyber Security Month, a continent-wide scheme intended to raise awareness of security, privacy and information issues.
Organised by the European Union agency for network and information security (ENISA), the campaign for the UK will include poster competitions, an awareness week on behaviour, ethical hacking, viruses and malware, advice on using your home computer, and social media and email awareness campaigns. It follows the various UK-based day- and week-long campaigns, and the US cyber security awareness campaign, which traditionally takes place in the same month in the United States, to make sure no-one misses the point.
I’ve asked in the past what impact awareness days have on the general public and, with a prolonged campaign this time, whether there is going to be sufficient media attention and public awareness of the campaign to actually drive a change in behaviour. As a first effort I hope this is successful, but the issue is divided between individuals and businesses, and people cross that divide to affect both. I suppose if one person is actually affected then this is a success to an extent, but there will need to be more for this to be carried over into 2014.
Another story which I found to be very amusing this week was in regard to a bug bounty payment by Yahoo of only $12.50 (£7.70) to researchers at High-Tech Bridge. The company said that it was paying the bounty, in the form of a voucher that could be spent in the Yahoo store only, for three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains, which would allow an attacker to compromise any @yahoo.com email account.
According to the researchers, after some wrangling over the originality of the reporting, Yahoo eventually acknowledged the research and offered the paltry bounty. Ilia Kolochenko, CEO of High-Tech Bridge, said: “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”
Considering that the likes of Google pay up to $5,000 (£3,000) for a bug, this is a severe slap in the face for original security research, especially after the crowd-sourced payment for the breaking of Apple’s Touch ID last week. Also unfortunate for Yahoo is that this is not going to encourage others to work with them if they are paying such comical amounts for original research. After all, if you are a penetration tester, are you going to spend your unpaid time working on something that gives a return of only a few pounds? Ask yourself if it is worth it. Then ask how Yahoo will patch those bugs if no-one is out there actively finding them.
Also, last week I attended a roundtable hosted by Silent Circle on the concept of anonymity, and the lack of it, online. Following the revelations about Prism from this summer, there was a suggestion that this has destroyed online anonymity, something that we in Europe are “obsessed with”. Speaking to the Guardian, former Microsoft chief privacy adviser Caspar Bowden said that he does not have faith in the security of the software company’s technology; he now only uses open source software where he can examine the underlying code, and has not carried a mobile phone for two years.
Some may call this attitude paranoia; others will realise that you have more options than putting tin foil on your head, and that you can actively live off the grid. Although it depends on what is already known about you, because sometimes we are not all anonymous.