Finding vulns is ‘totally useless’ • The Register

Voice Of EU


Simply finding vulnerabilities and patching them “is totally useless,” according to Google’s Eduardo Vela, who heads the cloud giant’s product security response team.

“We don’t care about vulnerabilities; we care about exploits,” he told The Register in an exclusive interview. “We expect the vulnerabilities are there, they will get patched, and that’s nice and all. But the whole idea is what to do beyond just patching a couple of vulnerabilities.”

To this end, Google’s open-source, Kubernetes-based Capture-the-Flag (kCTF) project doesn’t pay researchers a bounty just to find a Linux kernel vulnerability. Instead, they’ve got to exploit the bug: connect to Google Kubernetes Engine (GKE) instances, compromise them, and use the bug to steal the hidden flags.

The broader community then learns from the exploit and can use this knowledge to try to make the Linux kernel (and the internet in general) more secure. And the bug-hunter potentially earns upwards of $100,000.

“This is why we pay $100,000: It is so much more work, and we learn a lot from these exploits,” Vela said.

Earlier this year, Google increased its reward amounts, and today it said it will permanently pay these higher rates – between $20,000 and $91,337 – to researchers who find and exploit bugs in its lab kCTF environment.

This is up from an original $10,000-per-exploit prize pouch, which Vela admitted “did not attract a lot of attention.”

Additionally, as part of the kCTF program, Google is launching new instances with additional bounties to evaluate the latest Linux kernel stable image and experimental mitigations in a custom-built kernel. It will pay an additional $21,000 for exploits that compromise the latest Linux kernel, and that same amount for the experimental mitigations, bringing the total rewards to a maximum of $133,337.

The first set of mitigations targets the following exploit techniques: out-of-bounds writes on the slab, cross-cache attacks, elastic objects and freelist corruption.

And there may be more in the future, according to Vela.

“The whole idea with a VRP is a community effort,” he said, referring to vulnerability rewards programs. In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VRPs last year.

“We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better,” Vela said. “If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this.”

As organizations’ attack surfaces continue to expand, and the threats themselves grow in sophistication and sheer number, private organizations like Google and Microsoft are paying higher bug bounties while an increasing number of public agencies join in the hunt.

On Independence Day, the US Department of Defense kicked off its own program for reports of vulnerabilities in public-facing systems and applications in partnership with bug bounty platform maker HackerOne.

In fact, that vendor’s most recent report found bounty prices for high and critical vulnerabilities are rising as organizations prioritize high-impact bugs.

The median price of a critical bug jumped 20 percent, from $2,500 in 2020 to $3,000 in 2021, according to HackerOne. Meanwhile, the average bounty price for a critical bug increased 13 percent, and 30 percent for a high-severity bug. 

However, it’s not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. “We are trying to find the right combination to captivate people.” ®

Meta takes down ‘influence operations’ run by China and Russia | Meta

Facebook’s parent company, Meta, has said it has removed a pair of “influence operations” run by China and Russia, which aimed to sway views on the US elections and the war in Ukraine.

The Russian network, the largest the company has disrupted since the war began, targeted audiences across Europe and the UK, and incorporated a “sprawling network” of websites impersonating news websites including the Guardian, according to Meta.

“It presented an unusual combination of sophistication and brute force,” said Meta’s Ben Nimmo and David Agranovich in a blogpost announcing the takedowns. “The spoofed websites and the use of many languages demanded both technical and linguistic investment. The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts.

“Together, these two approaches worked as an attempted smash-and-grab against the information environment, rather than a serious effort to occupy it long term.”

The Russian actors primarily targeted Germany, but also made an impact in France, Italy, Ukraine and the UK, and began operating in May this year. A network of fake websites, including clones of the Guardian, Der Spiegel and Bild, posted original articles criticising Ukraine, Ukrainian refugees and sanctions on Russia. Those articles were then promoted across a vast array of internet services, from Facebook and Instagram, through Twitter, Change.org “and even LiveJournal”, the largely defunct blogging site.

The fake Guardian website promoted by the group contained a story, supposedly written by Jonathan Freedland, headlined “False Staging in Bucha Revealed”, which purported to reveal that “a bloody provocation with dozens of civilian bodies was prepared by the Ukrainian military to accuse Russia of mass murder” in Bucha. Other than the story itself, the website was a perfect copy of the Guardian’s, right down to up-to-date “most viewed” links and a request to grant permission for cookies.

China’s operation in the US targeted people on both sides of the political spectrum: one wing posted memes attacking Joe Biden and the US left, while another did the same but hit out at the Republican party. Another, posting in Chinese, criticised the US over geopolitical issues, while a fourth targeted residents of the Czech Republic with anti-government memes.

But the operation was largely a flop. “Only the Czech-focused cluster saw some engagement, specifically a few hundred signatures on its petitions on domestic petition websites,” Meta’s report says.

That may, in part, be down to the apparently strong labour rights of the Chinese actors: “These accounts largely stuck to a shift pattern that coincided with a nine-to-five, Monday-to-Friday work schedule during working hours in China – 12 hours ahead of Florida and six hours ahead of Prague,” the report says. “They appear to have had a substantial lunch break, and a much lower level of posting during weekends. This meant that the operation was mostly posting when Americans were sleeping.”

Both influence operations were taken down as violations of Meta’s “coordinated inauthentic behaviour” rule, defined as “coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation”. The company has faced criticism in the past for applying a circular definition of such behaviour to justify takedowns, allowing campaigns run by western lobbyists to promote messages using fake groups by arguing that they aren’t using fake accounts to do so – because the accounts haven’t been banned for coordinated inauthentic behaviour.

Hurricane Ian pushes NASA’s Artemis launch into October • The Register

NASA’s Moon-ward Space Launch System (SLS) rocket will not be blasting off from Earth until late October at the earliest, after the vehicle was rolled back to its hangar to shelter from an incoming hurricane.

Tropical storm Ian is projected to hit Florida, where the SLS lives, over the next few days. Officials began transporting the rocket back to its Vehicle Assembly Building (VAB) on Monday at 2321 ET (0321 UTC, Tuesday) as a precautionary measure. Unfortunately, the move means NASA cannot launch the rocket from the Kennedy Space Center for the next few weeks.

It’s hoped the SLS rocket will be used in NASA’s Artemis mission to, some time this decade, put the first American woman and another man on the Moon. For now, prior to that return to our natural satellite, the US space agency wants to test the SLS: it’s expected to carry an empty Orion crew capsule up into the Moon’s orbit. The podule will then return to Earth. In future, there’ll be astronauts in the pod.

The hurricane marks another setback for this first-ever flight demonstration of the multi-billion-dollar SLS heavy launch vehicle – NASA’s most powerful rocket to date – which was at one point slated to fly on August 29.

Jim Free, associate administrator for NASA’s Exploration Systems Development Mission Directorate, said there was a slim chance the SLS may launch in late October, and November may be more likely. “We’re not writing it off, but it will be difficult,” he said during a media teleconference briefing on Tuesday.

When weather conditions improve, experts will assess any damage to infrastructure at the center before personnel are safely allowed back on site. Engineers then have to perform checks on the heavy launch vehicle; hardware components, such as the flight’s batteries, may need to be replaced before it can be rolled back out to the launchpad.

Hurricane Ian isn’t the only bad omen NASA has been forced to deal with. Janet Petro, the space center’s director, said a fire had erupted in the VAB. “I’ll also note that approximately at 1145 today, a fire was reported in the Vehicle Assembly Building, employees were evacuated and there were no reported injuries. The VAB is now fire safe, personnel are back inside working and the Artemis vehicle was never at risk,” she said during the briefing. An investigation to uncover the cause of the blaze is underway.

All previous attempts to launch the SLS have been scrubbed due to hydrogen fuel leakage. On September 21, a team of NASA engineers performed a cryogenic demonstration test to confirm whether repairs made to address the leaks had been successful.

“The launch director has confirmed all objectives have been met for the cryogenic demonstration test, and teams are now proceeding with critical safety activities and preparations for draining the rocket’s tanks,” NASA previously said in a statement. “After encountering a hydrogen leak early in the loading process, engineers were able to troubleshoot the issue and proceed with the planned activities.” ®

Here’s what workers and students can expect to get

The cost-of-living crisis loomed large in Budget 2023, with a host of temporary supports announced for businesses, households and students.

The Irish Government has today (27 September) announced a number of measures designed to protect workers and those in higher education as part of the 2023 Budget.

Among the measures being promised are a package of supports for families, households and businesses to help them cover energy bills amid the ongoing inflation crisis. There will also be a cost-of-living package introduced for students, as well as investment plans for education over the coming months.

Remote working and rural development are being invested in too, as part of the Government’s Our Rural Future and National Development plans. There will be a total of €390m allocated to rural and community development, building on projects for remote and hybrid regional workers such as Connected Hubs.

To complement its investment in rural development, the Government is putting aside €218m to progress the roll-out of the high-speed broadband network next year under the National Broadband Plan.

The State is promising that fibre broadband will be made available to an additional 80,000-85,000 premises in 2023. This is designed to help businesses and workers who rely on technology as part of their working lives.

Those working from home can expect a little help covering their energy bills, as the Budget is to provide a €600 electricity credit to ease the cost of energy bills this winter.

All Irish households, regardless of whether their occupants work from home or not, will receive this credit. It will be delivered in instalments, with €200 due before Christmas and the remainder due in two separate batches early next year.

In order to protect jobs and dampen the effects of the energy crisis on businesses, the Government is providing up to €10,000 per business per month until spring 2023. This is part of its plan to help employers meet rising energy costs. The temporary scheme will support eligible companies, covering 40pc of the increase in their energy bills.

Criticism

However, critics have said the measures will not be enough to protect jobs. Damien McCarthy, CEO of Kerry’s HR Buddy, said that the measures will only save “a small number of businesses” and a “small number of jobs”.

“The number one aim in a cost-of-living crisis should be to protect how people earn their living. For this reason, businesses needed more from this budget in order to survive and protect their workers’ jobs through this crisis. A support that only covers 40pc of an overwhelming problem is not going to save jobs. Employers will still be left with 60pc of the problem and that is only the energy costs problem. Businesses have many other rising costs outside of energy,” he said, adding that the temporary measures would “prolong the pain a while longer, but that’s about it”.

“The fact that the lower VAT rate is not being maintained beyond February is also going to be a huge blow and again put people’s jobs at risk,” McCarthy said.

Higher education supports

For those in higher education, the Budget will attempt to alleviate the pressure of the cost-of-living crisis with a range of temporary grants and supports packages. There will be a once-off €1,000 reduction in the undergraduate student contribution fee for higher education students eligible for the free fees initiative.

There will also be a once-off reduction of up to 33pc in the contribution fee for apprentices, as well as a once-off extra payment for all student maintenance grant recipients. Postgraduate students who qualify for SUSI grants will receive a once-off payment of €1,000, meaning their grant will increase from €3,500 to €4,500.

There will be a further €8m investment in the Student Assistance Fund for the 2022-2023 academic year and more once-off funding for the third-level sector to assist with rising energy costs.

The Government is investing in apprenticeships and skills training programmes in Budget 2023, also. It will provide funding for 4,800 additional apprenticeship places and 4,000 registrations. The State will provide more than 11,000 upskilling and reskilling opportunities for those sectors most impacted by Brexit and more than 2,000 Skillnet places in sectors such as sustainable finance, green-tech and climate.
