Tag Archive for: loopholes

EU Commission pitches double reporting of open security loopholes in cybersecurity law – EURACTIV.com


The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission proposed a middle ground that would double the receivers.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations of product manufacturers, there is one to report not only cybersecurity incidents, as has been the case in previous legislation, but also actively exploited vulnerabilities.

An actively exploited vulnerability is one that attackers are already using against deployed products, typically before a fix is available or widely applied. Details of such a flaw are therefore highly dangerous if they fall into the wrong hands, and who should handle them is a politically sensitive question.

In the original Commission text, ENISA, the EU cybersecurity agency, was assigned this complex work – an approach that found support in the Parliament. By contrast, European governments want to move this task to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported that a possible landing zone could be to accept the role of the CSIRTs with a stronger involvement of ENISA, and that the EU executive had proposed that both bodies receive the reports simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black-and-white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would, therefore, be in the driving seat of the reporting process, for instance by requesting that the manufacturer provide an intermediate report. Notifications would be submitted via a pan-European platform to the end-point of the CSIRT of the country where the manufacturer has its main establishment.

“A manufacturer shall…


Computer security experts warn against loopholes in Zoom app


HYDERABAD: The Indian Computer Emergency Response Team (CERT-In) said it had found multiple vulnerabilities in the online meeting platform Zoom. These vulnerabilities could allow a remote user to bypass security restrictions, CERT-In said.

Attackers could join Zoom meetings without being visible to other participants, obtain audio and video feeds and even disrupt meetings, CERT-In said, advising users to upgrade to the latest versions.

CERT-In rated the severity of the vulnerabilities as medium and said the software supporting the Zoom On-Premise Meeting Connector MMR could be affected. The vulnerabilities exist due to improper access control implementation, it said.

CERT-In works under the Union Ministry of Electronics and Information Technology and is the nodal agency for dealing with cyber security threats such as hacking and phishing.


UIDAI Invites 20 Top Hackers To Expose Loopholes In Aadhaar’s System



The Unique Identification Authority of India (UIDAI) has announced a ‘Bug Bounty’ programme to figure out vulnerabilities in Aadhaar’s data security system.

In a circular, the government arm called for empanelment of 20 top white hat hackers to expose any vulnerabilities in its Central Identities Data Repository (CIDR). 

“In its endeavour to secure Aadhaar data hosted in UIDAI’s CIDR, UIDAI intends to conduct a ‘Bug Bounty’ program along with responsible disclosure of vulnerabilities,” the circular said.

Such initiatives are common: large multinational companies offer monetary rewards to hackers who disclose vulnerabilities in their systems. They enable companies to close loopholes before a malicious actor exploits the weakness.

The circular, which was issued on July 13, did not mention any financial remuneration for the services.

Elaborating on the eligibility criteria, the UIDAI said that candidates listed among the top 100 bug bounty leaders on platforms such as HackerOne and Bugcrowd would be allowed to participate. Additionally, candidates listed in the bounty programmes run by companies such as Microsoft, Google, Facebook and Apple can also participate.

Apart from that, applicants who have submitted valid bugs or received a bounty in the last year will also be eligible to take part.

The UIDAI has capped the number of participants at 20 to report vulnerabilities in the system. The body will form a panel to evaluate the applicants, verify their credentials and select candidates accordingly.

The selected candidates will sign non-disclosure agreements…


German export loopholes help autocratic regimes – Deutsche Welle


As a member of the Freedom Online Coalition, Wong says Germany has made "a very public commitment to promoting human rights online," and should not be allowing technology such as FinSpy to be shipped to countries that might misuse it. One wrong …
