Kaspersky Lab came out with a rather large piece of news this week. The international software security group used the Black Hat USA Conference in Las Vegas as a launch pad to kick off their new Kaspersky Lab Bug Bounty Program with bug bounty platform provider HackerOne. The first phase of the program is set to run for six months, and is offering $50,000 in bounties to security researchers who are able to find vulnerabilities in the vendor’s two top product offerings for consumers and enterprises, Kaspersky Internet Security and Kaspersky Endpoint Security.
In a Threatpost article on Tuesday, Ryan Naraine, director of the Global Research and Analysis Team U.S. at Kaspersky Lab, expressed the fact that as a security vendor, there is an elevated level of accountability and higher expectations in terms of making sure that their software is up to snuff and as airtight as possible. Bug bounty programs are taking that a step further. “We should have that higher level of responsibility, and a public bounty program adds to everything we’ve been doing internally,” said Naraine. “This puts our software in front of a lot more eyes and it just makes sense to have a bounty program, and reward researchers for finding bugs.”
That sense of responsibility and attention to detail certainly applies to all security vendors. However, according to HackerOne cofounder and chief technology officer Alex Rice, while bug bounties are growing in popularity among an increasing number of organizations, security vendors are proving a bit slow on the uptake. “Kaspersky Lab is one of the first to go public ahead of others, and it’s an indication of the maturity of their program,” said Rice.
After the first phase of Kaspersky Lab’s bug bounty program is complete, the company will analyze the results to determine next steps and what rewards and additional products should be included in the second phase of the program. In the meantime, Ryan Naraine wants hackers to get busy. “The more bugs we get, the better we are and the better our software is. If you find a bug we want it,” said Naraine.
Now, we turn our attention to a hacking story involving one of the best-known and common forms of sharing news – the press release. This week, Leonid Momotok, a stock trader from Suwanee, Georgia, pleaded guilty to conspiracy to commit wire fraud for his part in a worldwide hacking and trading scheme that took place between February 2010 and August 2015.
The attack, led by a Ukrainian-based hacking ring, involved breaking into and infiltrating the systems of major newswire companies, specifically Business Wire, Marketwired and PR Newswire, and stealing sensitive financial information from roughly 300,000 not-yet-published press releases. The hackers then passed the stolen financial information to investor partners in the U.S., such as Momotok, who were then able to make trades based on the information before the announcements were even made public. A portion of those ill-gotten profits went to the hackers, a handsome payday to the tune of $30 million, which, according to an article by The Register, makes it the single largest insider trading scam to date.
"Using non-public press releases stolen by overseas hackers, Momotok and his group of traders engaged in a brazen scheme that was unprecedented in its scope, impact and sophistication," said Robert Capers, US Attorney for the Eastern District of New York, in a statement. "Today's guilty plea demonstrates our steadfast commitment and preparedness to combating the ever-evolving threat of cybercrime and to protecting the integrity of our financial markets."
Momotok will be sentenced in early December to a maximum of nine years behind bars. Even though the book is now closed on this saga and chalks one up for the ‘good guys’, we still have a long road ahead of us in terms of cybersecurity getting where it needs to be. This was made even clearer by a report recently released by Intel Security in partnership with the Center for Strategic and International Studies (CSIS). The global report, entitled Hacking the Skills Shortage, highlights the talent shortage crisis impacting the cybersecurity industry.
According to the press release, 82 percent of respondents admit to a shortage of cybersecurity skills, with 71 percent of those saying that this shortage is “responsible for direct and measurable damage to organizations whose lack of talent makes them more desirable hacking targets.” Yikes.
The report examines four areas that make up the cybersecurity talent shortage, which include cybersecurity spending, education and training, employer dynamics and government policies. Despite these concrete examples and statistics pointing to massive gaps, flaws or lack of action leading to attacks and/or damages, one of the primary gripes that the report surfaces is the maddeningly sluggish move toward tangible improvement.
“The security industry has talked at length about how to address the storm of hacks and breaches, but government and the private sector haven’t brought enough urgency to solving the cybersecurity talent shortage,” said Chris Young, senior vice president and general manager of Intel Security Group. “To address this workforce crisis, we need to foster new education models, accelerate the availability of training opportunities, and we need to deliver deeper automation so that talent is put to its best use on the front line. Finally, we absolutely must diversify our ranks.”
The steps Young outlines are vital starting points for truly attaining better security tactics and systems. The growing number of attacks and the increased severity of their impacts demands concrete action. For the nitty-gritty details, here is the full report.