August 04, 2022
LATEST SECURITY NEWS & COMMENTARY
[Why Bug-Bounty Programs Are Failing Everyone](
In a Black Hat USA talk, Katie Moussouris will discuss why bug-bounty programs are failing in their goals, and what needs to happen next to use bounties in a way that improves security outcomes.
[Massive New Phishing Campaign Targets Microsoft Email Service Users](
The campaign uses adversary-in-the-middle techniques to bypass multifactor authentication, evade detection.
[Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks](
SMBs should patch CVE-2022-32548 now to avoid a host of horrors, including complete network compromise, ransomware, state-sponsored attacks, and more.
[Thousands of Mobile Apps Leaking Twitter API Keys](
New finding comes amid report of overall surge in threats targeting mobile and IoT devices over the past year.
[APT-Like Phishing Threat Mirrors Landing Pages](
By dynamically mirroring an organization's login page, threat actors are propagating legitimate-looking phishing attacks that encourage victims to offer up access to the corporate crown jewels.
[School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project](
The malware packages had names that were common typosquats of a legitimate widely used Python library. One was downloaded hundreds of times.
[Malicious npm Packages Scarf Up Discord Tokens, Credit Card Info](
The campaign uses four malicious packages to spread "Volt Stealer" and "Lofy Stealer" malware in the open source npm software package repository.
[1,000s of Phishing Attacks Blast Off From InterPlanetary File System](
The peer-to-peer network IPFS offers an ingenious base for cyberattacks and is seeing a stratospheric increase in malicious hosting.
[5 Ways Chess Can Inspire Strategic Cybersecurity Thinking](
Rising interest in chess may feed the next generation of cybersecurity experts.
[What Women Should Know Before Joining the Cybersecurity Industry](
Three observations about our industry that might help demystify security for women entrants.
[Capital One Breach Conviction Exposes Scale of Cloud Entitlement Risk](
To protect against similar attacks, organizations should focus on bringing cloud entitlements and configurations under control.
[Patch Now: Atlassian Confluence Bug Under Active Exploit](
Attackers almost immediately leapt on a just-disclosed bug, CVE-2022-26138, affecting Atlassian Confluence, which allows remote, unauthenticated actors unfettered access to Confluence data.
[Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat](
Customers across several European countries are urged to update credentials in the wake of the attack that affected a gas-pipeline operator and power company.
HOT TOPICS
[ICYMI: Dark Web Happenings Edition With Evil Corp., MSP Targeting & More](
Dark Reading's digest of other "don't-miss" stories of the week - including a Microsoft alert connecting disparate cybercrime activity together, and an explosion of Luca Stealer variants after an unusual Dark Web move.
[3 Tips for Creating a Security Culture](
Trying to get the whole organization on board with better cybersecurity is much tougher than it may sound.
[For Big Tech, Neutrality Is Not an Option - and Never Really Was](
Tech companies play a vital role in global communication, which has profound effects on how politics, policies, and human rights issues play out.
EDITORS' CHOICE
[Chromium Browsers Allow Data Exfiltration via Bookmark Syncing](
"Bruggling" emerges as a novel technique for pilfering data out from a compromised environment - or for sneaking in malicious code and attack tools.
LATEST FROM THE EDGE
[Why Layer 8 Is Great](
To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.
LATEST FROM DR TECHNOLOGY
[Large Language AI Models Have Real Security Benefits](
Complex neural networks, including GPT-3, can deliver useful cybersecurity capabilities, such as explaining malware and quickly classifying websites, researchers find.
WEBINARS
- [Malicious Bots: What Enterprises Need to Know]( Bots are launching more complex and targeted attacks such as price scraping, credential stuffing, scalping, and credit card fraud, but many security defenders are still focused on only the most obvious attacks. Automated bot attacks are on the rise, but ...
- [Assessing Cyber Risk]( Top executives often ask, "how safe are we from a cyber breach?" But it can be difficult to quantitatively measure cyber risk, and even harder to assess your organization's attack surface. In this webinar, you'll learn how to evaluate your ...
WHITE PAPERS
- [Implementing Zero Trust In Your Enterprise: How to Get Started](
- [6 Elements of a Solid IoT Security Strategy](
- [Five Best Practices for AWS Security Monitoring](
- [Sumo Logic for Continuous Intelligence](
- [Gartner, Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?](
- [AppSec Considerations For Modern Application Development](
- [Endpoint Detection Net Suite Use Cases](
FEATURED REPORTS
- [Breaches Prompt Changes to Enterprise IR Plans and Processes](
- [6 Elements of a Solid IoT Security Strategy](
- [State of the Cloud: A Security Perspective]( Cloud computing has evolved over the years from a nice-to-have item on the IT wish list to a core technology driving business initiatives. But despite widespread adoption, cloud-based IT systems continue to be saddled with issues related to data security, ...
PRODUCTS & RELEASES
[ShiftLeft Appoints Prevention-First, Cybersecurity Visionary and AI/ML Pioneer Stuart McClure as CEO](
[Druva Introduces the Data Resiliency Guarantee of up to $10 Million](
[CompTIA CEO Outlines Initiative to Create the Pre-eminent Destination to Start, Build and "Supercharge" a Tech Career](
[Netskope Acquires Infiot, Will Deliver Fully Integrated, Single-Vendor SASE Platform](
[Manufacturing Sector in 2022 Is More Vulnerable to Account Compromise and Supply Chain Attacks in the Cloud than Other Verticals](
[CREST Defensible Penetration Test Released](
[From Babuk Source Code to Darkside Custom Listings - Exposing a Thriving Ransomware Marketplace on the Dark Web](
[BlackCloak Bolsters Malware Protection With QR Code Scanner and Malicious Calendar Detection Features](
Dark Reading Weekly
-- Published By [Dark Reading](
Informa Tech Holdings LLC | Registered in the United States
with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA