
UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those

'Better late than never' opines industry bod


The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script.

The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's sprawling digital estate.

New guidance published on the GOV.UK pages for the MoD exhorts bug-hunters to submit only "benign, non-destructive, proof of concepts".

"The MOD affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on a MOD service or system, where the researcher has acted in good faith and in accordance with this disclosure policy," it stated.

Lest anyone gets the idea that running Nessus across MoD websites is going to lead to a bumper payday, the guidance also says that reporting folk should not "use high-intensity invasive or destructive scanning tools to find vulnerabilities." Phishing MoD staff is also out of bounds.

Oddly enough, the ministry is explicitly uninterested in hearing about "TLS configuration weaknesses", including the "presence of TLS1.0 support" or "weak cipher suite support". Microsoft, among many others, recommends retiring TLS 1.0 in favour of 1.2, and the IETF formally deprecated TLS 1.0 and 1.1 in RFC 8996 in March 2021, though the MoD runs a large number of legacy systems only capable of speaking legacy protocols. An exclusion like this usually signals that a finding is already known and cheap to detect with any scanner, not that it is harmless, so researchers should treat it as a triage decision rather than a security judgement.
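To make concrete what the MoD is declining to hear about, here is an added example (not code from The Register, HackerOne or the MoD guidance) of the probe-side logic a scanner uses for exactly this check: it builds a ClientHello that offers only TLS 1.0 and a handful of legacy cipher suites, then classifies the first record the server sends back as either an accepted TLS 1.0 handshake (noting the cipher suite chosen, and whether it is a weak one) or a refusal alert. The two sample responses at the bottom are constructed by hand for the test, not captured from any real host; the `probe()` helper is the only part that touches the network and should only be pointed at systems you are authorised to test.

```python
"""Probe-side logic for the 'TLS 1.0 support' and 'weak cipher suite' checks.

Added example. Builds a TLS 1.0-only ClientHello and classifies the server's
first record. Sample records are constructed, not captured.
"""
import os
import socket
import struct

RECORD_ALERT, RECORD_HANDSHAKE = 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security"}

# IANA cipher suite values a scanner flags as weak if the server selects one.
WEAK_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_tls10_client_hello(cipher_suites=(0x002F, 0x000A, 0x0005)) -> bytes:
    """ClientHello with record and handshake version both 0x0301 and no
    supported_versions extension: a conformant server either negotiates
    TLS 1.0 or refuses."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x01"                                  # client_version = TLS 1.0
        + os.urandom(32)                             # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # compression_methods: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data: bytes) -> dict:
    """Interpret the first TLS record a server returned to the probe."""
    if len(data) < 5:
        return {"result": "no_tls_record"}          # closed without a record
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if len(payload) < rec_len:
        return {"result": "truncated_record"}
    if content_type == RECORD_ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        return {"result": "refused",
                "alert": ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}"),
                "fatal": level == 2}
    if content_type == RECORD_HANDSHAKE and len(payload) >= 4 and payload[0] == HS_SERVER_HELLO:
        hs_len = int.from_bytes(payload[1:4], "big")
        body = payload[4:4 + hs_len]
        if len(body) < 35:                          # version + random + sid_len
            return {"result": "truncated_record"}
        # With no supported_versions extension offered, the server_version
        # field is authoritative (TLS 1.3 would otherwise hide 0x0304 in it).
        version = struct.unpack("!H", body[0:2])[0]
        off = 35 + body[34]                          # skip session_id
        if len(body) < off + 2:
            return {"result": "truncated_record"}
        suite = struct.unpack("!H", body[off:off + 2])[0]
        return {"result": "accepted",
                "version": TLS_VERSIONS.get(version, hex(version)),
                "cipher_suite": suite,
                "weak_suite": WEAK_SUITES.get(suite)}
    return {"result": "unexpected", "content_type": content_type}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the TLS 1.0-only ClientHello to a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_tls10_client_hello())
        return classify_response(sock.recv(4096))


# Constructed sample responses (not captured from any real server).
SAMPLE_ACCEPT_TLS10 = (
    b"\x16\x03\x01\x00\x2a"            # handshake record, 42 bytes
    + b"\x02\x00\x00\x26"              # ServerHello, 38-byte body
    + b"\x03\x01" + b"\x00" * 32       # server_version TLS 1.0, random
    + b"\x00"                          # empty session_id
    + b"\x00\x0a"                      # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    + b"\x00"                          # null compression
)
SAMPLE_REFUSE = b"\x15\x03\x03\x00\x02\x02\x46"   # fatal alert protocol_version
```

A server that still speaks TLS 1.0 answers the probe with a ServerHello whose version field reads 0x0301; one that has retired it sends a `protocol_version` or `handshake_failure` alert, or simply drops the connection. Either way the result is a one-line, low-intensity check, which is precisely why a programme excludes it from scope.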

The MoD is rather far behind its governmental peers, with France having run a similar scheme through the YesWeHack platform last year. Singapore's and America's defence ministries, meanwhile, have been running bug bounties for years.

Jake Moore of infosec biz Eset mused to El Reg: "Bug bounties are an essential way of testing security and can save organisations a huge financial strain in the long run. Having an internal department constantly test the security of an organisation is of course a necessity but bounties allow it so the whole technology community can effectively become your distributed dedicated full time CISO, offering better protection."

"To my surprise," he continued, echoing El Reg's feelings, "I previously would have assumed the MOD would already have had a vulnerability disclosure policy in place as such schemes are vital in modern day threat hunting. However, better late than never, even if it does mean they had to swallow their pride and offer it out."

Neither Microsoft nor HackerOne responded to The Register's invitations to comment. Hopefully they'll be a bit more forthcoming when actual white hats start tinkering and testing. ®


<i>Battlefield 2042</i>: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

Another terrible launch, but DICE is already working on improvements

The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.


American diplomats' iPhones reportedly compromised by NSO Group intrusion software

Reuters claims nine State Department employees outside the US had their devices hacked

The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

NSO Group in an email to The Register said it has blocked unnamed customers' access to its system upon receiving an inquiry about the incident, but has yet to confirm whether its software was involved.

"Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."


Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack

All together now - R, A, N, S, O...

A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest.

The attack was detailed by the Delta-Montrose Electric Association (DMEA) in a post on its website explaining that current customers won't be penalised for being unable to pay their bills because of the incident.

"We are a victim of a malicious cyber security attack. In the middle of an investigation, that is as far as I’m willing to go," DMEA chief exec Alyssa Clemsen Roberts told a public board meeting, as reported by a local paper.


Feds charge two men with claiming ownership of others' songs to steal YouTube royalty payments

Alleged scheme said to have netted $20m since 2017

The US Attorney's Office of Arizona on Wednesday announced the indictment of two men on charges that they defrauded musicians and associated companies by claiming more than $20m in royalty payments for songs played on YouTube.

The 30-count indictment against Jose Teran, 36, of Scottsdale, Arizona, and Webster Batista, 38, of Doral, Florida, was returned by a grand jury on November 16, 2021. It accuses the two men of conspiracy, wire fraud, transactional money laundering, and aggravated identity theft in connection with a scheme to steal YouTube payments.

"In short, Batista and Teran, as individuals and through various entities that they operate and control, fraudulently claimed to have the legal rights to monetize a music library of more than 50,000 songs," the indictment [PDF] alleges.


Hot not-Spot-bot spot: The code behind Xiaomi's CyberDog? Ubuntu

Your four-legged open-source friend? CIMON says 'Maybe'

Linux fans rejoice: the smarts running behind Xiaomi's Not-Spot, CyberDog, emanate from none other than Ubuntu 18.04.

The Register asked Canonical why not something a little fresher, such as 20.04, and was told by robotics product manager Gabriel Aguiar Noury that "the operating system is running 18.04 rather than 20.04 because they are using Jetson, and 18.04 is more compatible for the approach the team had in mind."

The CyberDog bounded onto the global stage in August and represented the company's first foray into the world of quadruped robotics.


What will life in orbit look like after the ISS? NASA hands out new space station contracts

The end is coming, and nobody wants a homeless 'naut

NASA has splashed the cash on design contracts for space stations and a multibillion-dollar job for more Artemis boosters.

With the days of the International Space Station (ISS) numbered, NASA is looking to maintain an uninterrupted US presence in low-Earth orbit. Although Axiom Space has plans to build from the ISS, the $415.6m award is about developing space station designs and "other commercial destinations in space."

Blue Origin, which has partnered with Sierra Space to develop the Orbital Reef, received $130m. Nanoracks, which is working on a commercial low-Earth orbit destination called "Starlab" (with Voyager Space and Lockheed Martin), received $160m, and Northrop Grumman's Cygnus-based station received $125.6m. The Cygnus currently does duty as a freighter for the ISS.


Why your external monitor looks awful on Arm-based Macs, the open source fix – and the guy who wrote it

Q&A with the developer of BetterDummy: from macOS secrets to his motivations

Interview Folks who use Apple Silicon-powered Macs with some third-party monitors are disappointed with the results: text and icons can appear too tiny or blurry, or the available resolutions are lower than what the displays are capable of.

It took an open source programmer working in his spare time to come up with a workaround that doesn't involve purchasing a hardware dongle to fix what is a macOS limitation.

István Tóth lives in Hungary, and called his fix BetterDummy. It works by creating a virtual display in software and then mirroring that virtual display to the real one, to coax macOS into playing ball. The latest version, 1.0.12, was released just a few days ago, and the code is free and MIT licensed.


Chill out to the sounds of an expert typing on a variety of mechanical keyboards

A truly rare groove

Discerning writers and programmers know that keyboards matter. It's mostly the feel, but the best feel tends to come from mechanical key switches and they make a noise as they activate.

That feeling goes hand in hand with a chorus of soft clicks… and thanks to custom keyboard guru Taeha "Nathan" Kim and weirdo label Trunk Records, you can relax to 43 minutes and 24 seconds of soothing sounds from 13 rare and limited-edition mechanical keyboards.

Your correspondent is a bit of a fan of devices like this (this piece was typed on a 1991 IBM Model M; accept no substitute) – but no such brash, commonplace kit features on the album. Instead you can luxuriate to the Alps switches of a 1987 Apple Standard (why, yes, I do happen to have one of those too, but the linear cursor keys hinder daily use), and an M0110A from a Mac Plus, as well as more exotic kit.


Netgear router flaws exploitable with authentication ... like the default creds on Netgear's website

Don't just install the patch, change your router passwords too

Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs.

The vulns rely on authenticated access to affected devices so aren't an immediate threat. They do, however, allow someone with remote access to the router to pwn the device's underlying OS, threatening the security of data passing through the router.

Helpfully, Netgear itself publishes default login credentials for "most" of its products on its website. If you haven't been into your Netgear router's admin panel and changed these default creds, you're at increased risk.


Not only was the UK Financial Ombudsman Service's Workday system months late, 38 IT workers' jobs are at risk

Questions remain over data warehouse dependencies and redundancies

The UK's Financial Ombudsman Service (FOS) has gone live on Workday finance and HR systems around three months later than planned, drawing questions over an interdependent data warehouse project.

At the same time, the process has seen IT roles marked for redundancy and set to be transferred to a service supplier.

The watchdog was set up by Parliament in 2001 to resolve complaints between financial businesses and their customers. This week, Workday published a statement boasting that the implementation of its software at the FOS had gone live.


AWS previews SDKs for Rust, Kotlin, Swift, and Amplify Studio for rapid web apps

Plus: Why company foresees growth of Rust, already widely used internally

Re:invent AWS previewed new developer resources at its Re:invent conference, including new SDKs for Rust, Swift, and Kotlin, as well as Amplify Studio for rapid web applications, integrated with the Figma design tool.

The SDKs provide a language wrapper for the APIs of AWS services. Existing SDKs target JavaScript, Python, PHP, .NET (C#), Ruby, Java, Go, Node.js, and C++; three more were added this week. Kotlin is the official language for Android and runs primarily on the JVM (Java Virtual Machine). Swift is Apple's language for iOS and macOS, and can also be used on a server. Rust is the language originally developed at Mozilla to be nearly as fast as C but with memory safety and other modern features.

"Rust has a lot of use internally as well, we've seen it become adopted quite rapidly within AWS and within Amazon," Ken Exner, GM for AWS Developer Tools, told The Register. "EC2 uses it, S3 uses it, CloudFront, DynamoDB."
