hack Archives - CISO MAG | Cyber Security Magazine

Mr. White Hat Controls Poly Network’s User Assets for Fun!
https://staging-cisomagcom.kinsta.cloud/poly-network/
Sat, 14 Aug 2021 12:55:14 +0000

Reported as the largest Decentralized Finance (DeFi) platform hack, Poly Network is the most recent addition to the list of high-value victims of crypto attacks. It was robbed of around $600 million in crypto tokens.

Poly Network is a blockchain system that provides a platform for cross-chain interactive services. It allows authorized homogeneous and heterogeneous public blockchains to connect to Poly Network through an open, transparent admission mechanism and communicate with other blockchains.

Going by the name Mr. White Hat, the hacker stole approximately $600 million in bitcoins from the Poly platform and took control of the user assets. According to Twitter updates shared by the company, the stolen tokens were being returned less than 48 hours into the hack.

The company first announced the breach on 10th August on its official Twitter handle, @PolyNetwork2.

The post read:

Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s address.

These are the Common Attack Vectors in Endpoint Security
https://staging-cisomagcom.kinsta.cloud/these-are-the-common-attack-vectors-in-endpoint-security/
Sun, 01 Nov 2020 04:21:10 +0000

With remote work becoming the new normal, organizations globally are getting used to connecting and securing their remote employees virtually. The demand for advanced endpoint security solutions has increased, as end-user devices like laptops, smartphones, and other Internet of Things (IoT) devices become a necessity in the current working conditions. Here’s how securing these four endpoints can enhance your endpoint security.

By Rudra Srinivas, Feature Writer, CISO MAG

In tandem with technology and deployment, the growth of end-user devices also created multiple attack vectors for cybercriminals. With remote employees accessing corporate networks via multiple devices (both personal and official), attackers are targeting various endpoints to exploit and access enterprise networks.

Let us first examine some attack vectors that hackers commonly target:

1. Shadow IoT

The surge in shadow IoT devices is a growing concern to enterprise network security. According to a survey from Zscaler, most of the enterprise IT teams are not aware of their organization’s IoT traffic, which is creating new IoT-based attack vectors for cybercriminals. Shadow IoT devices are internet-connected devices or sensors used inside an organization without the knowledge of the company’s IT team. A shadow IoT device can be any smart device like personal laptops, smartphones, fitness trackers, and smart home gadgets.

The number of non-business IoT devices connecting to corporate networks increased over the last year. The devices that regularly connect to corporate networks include smart teddy bears (34%), medical devices (44%), electric vehicles (27%), and connected kitchen appliances (43%), Palo Alto’s survey claimed.

2. BYOD/Mobile Devices

The surge in remote work encouraged businesses globally to embrace the BYOD (Bring Your Own Device) concept. Some organizations even allowed their employees to use personal devices for office work. BYOD or mobile devices are the most common attack vectors for hackers and can easily become vulnerable when they are unprotected or unmonitored. An increase in such devices only heightens the possibility of cyberthreats.

According to a 2020 BYOD Report, 69% of businesses allowed their employees to use personal devices for work. It is found that the surge of personal devices in the work environment resulted in varied security incidents. 63% of respondents said they encountered data breach incidents, 53% reported unauthorized access to data and systems, and 52% experienced malware infections.

3. Insider Threat

Insiders are not just the present employees, but also former staff, contractors, or business associates, who could potentially breach your endpoint security infrastructure, either by negligence or malicious intent. Insiders have access to the computer systems and intellectual property or data to perform their on-the-job duties. Hence, organizations need to ensure that all the employees are aware of the company’s endpoint security and privacy policies.

According to Bitglass research, mitigating insider attacks is challenging for an organization’s IT or cybersecurity team since access to legitimate credentials can put the entire enterprise network in danger. Nearly 61% of respondents reported at least one insider attack in the last 12 months. Several organizations admitted that they cannot detect insider threats from personal devices (82%) or the cloud (50%), and 81% of them find it difficult to assess the impact of insider attacks.

4. Unsecure Applications

Employees often download unsecure applications on their work devices without the knowledge of the IT team. With current working conditions, sensitive corporate data is accessed via multiple devices (both personal and professional), which can be exploited by hackers to break into office network systems.

Cloud and threat research from Netskope reported a surge in the use of risky apps and websites by the remote workforce globally, with a 161% increase in visits to high-risk apps and sites by a 64% remote workforce. It also observed that the personal use of managed devices increased by 97%. Organizations need to maintain a proper application control system for better visibility over applications and enforce rules about what employees can and cannot download on office networks and devices.

Final Note

The global endpoint security market is estimated to register a CAGR of 11.20% and reach a value of $27.83 billion by the end of 2025. Organizations need to implement efficient security solutions in order to maximize their endpoint security across all layers of the network system to defend against evolving endpoint threats.


About the Author

Rudra Srinivas is a Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.

 


10 IoT Security Incidents That Make You Feel Less Secure
https://staging-cisomagcom.kinsta.cloud/10-iot-security-incidents-that-make-you-feel-less-secure/
Fri, 10 Jan 2020 09:04:54 +0000

Internet of Things (IoT) has become a primary target for cybercriminals. The repeated security incidents on IoT devices represent a rising trend for IoT attacks.

By Rudra Srinivas, Feature Writer, CISO MAG

The proliferation of connected devices in consumer, enterprise, and healthcare organizations, and their internal vulnerabilities, have created a security blind spot where cybercriminals can launch a zero-day attack to compromise devices like webcams, smart TVs, routers, printers, and even a smart home.

Here’s a list of 10 severe threats created by connected devices:

1. Smart Security Cameras

It seems cybersecurity issues with smart security cameras alarmed customers after Xiaomi Mijia’s vulnerabilities were exposed. The incident came to light after Dio-V, who owns a Google Nest Hub and several other Xiaomi Mijia cameras around his home, claimed that he received images from other people’s homes, randomly, when he streamed content from his camera to a Google Nest Hub.

“When I load the Xiaomi camera in my Google Home hub, I get stills from other people’s homes,” Dio-V said.

This isn’t the first incident where smart security cameras posed an issue.

Ring, a home security products provider owned by Amazon, was hit by a class-action lawsuit in the U.S. for reports of multiple hacking incidents on its security cameras that left victims traumatized.

Security researchers from cybersecurity firm Bitdefender discovered and reported a flaw in Amazon’s Ring Video Doorbell Pro, which could have given hackers unauthorized access to the user’s Wi-Fi network and potentially to other connected devices on it. At present, all the Ring Doorbell cameras have received a security patch from Amazon to mitigate the issue.

Also, researchers from vulnerability detection firm Tenable discovered seven critical vulnerabilities in Amazon-owned Blink XT2 security camera systems. If exploited, the vulnerabilities could allow hackers to remotely view the camera footage, listen to audio output, and use the infected device to launch distributed denial of service (DDoS) attacks.

In response, Amazon rolled out patches for the vulnerabilities and urged its users to update their devices to firmware version 2.13.11 or later.

2. Hackers can “Faxploit” Connected Fax Machines

Yaniv Balmas and Eyal Itkin, security researchers from Check Point, discovered that fax machines have security vulnerabilities that could possibly allow a hacker to steal data through a company’s network using just a phone line and a fax number. The researchers also demonstrated how they were able to exploit security flaws in a Hewlett Packard all-in-one printer at the DEFCON 26 conference.

Describing the potential threat, the researchers said attackers can send specially created, malware-coded image files via fax to the targeted networks. The vulnerabilities in the fax machine enable the malware to decode the files and upload these to its memory, which can breach sensitive information or cause disruption across connected networks.

3. Smart TVs

According to the FBI, smart TVs have several overlooked and neglected security issues. It stated that security is an afterthought for several smart TV manufacturers, which makes them vulnerable to different kinds of threats. Hackers can not only control your unsecured TV for changing channels or volume controls, but also stalk your everyday movements and conversations using the integrated camera and microphone.

4. Smart Bulbs can be Hacked

Multiple reports disclosed security vulnerabilities in smart bulbs. According to Murtuza Jadliwala, a research expert at the University of Texas at San Antonio (UTSA), hackers can compromise infrared-enabled smart bulbs by sending commands via an infrared invisible light emitted from the bulbs to exploit other connected IoT devices existing on the home network.

5. Smart Home is Vulnerable

A Milwaukee-based couple suffered a horrifying incident after their Smart Home setup was hacked by unknown intruders, Fox 6 News reported.

The couple, Samantha and Lamont Westmoreland, stated that hackers took over their smart home by compromising the connected devices. The attacker played disturbing music from the video system at high volume while talking to them via a camera in the kitchen, and also changed the room temperature to 90 degrees Fahrenheit by exploiting the thermostat.

Initially, the couple thought it was a technical glitch and changed their passwords, but the issue continued. The duo later changed their network ID, after realizing that someone hacked their Wi-Fi or Nest system.

6. Smartphone’s Microphone Can be Used to Launch Acoustic Side-Channel Attack

Academic researchers from England and Sweden designed a malware that can exploit a smartphone’s microphone to steal the device’s passwords and codes. In their report, “Hearing Your Touch: A New Acoustic Side-Channel on Smartphones,” the researchers claimed that they’ve found the first acoustic side-channel attack that presents what users type on their touch-screen devices.

7. Hackers can Steal Your Identity and Bank Details from a Coffee Machine

Smart coffee machines that are connected to the internet using special apps could be targeted by hackers to steal their owner’s bank or card details.

Vince Steckler, chief executive of security giant Avast, said smart coffee machines allow owners to control them remotely using their phones. Users can even give the machines vocal commands if they are connected to virtual assistant software such as Amazon’s Alexa.

“Coffee machines are not designed for security. They are additional vectors to get into your network. And you can’t protect them,” Steckler said in a media statement.

8. Connected Printers

According to security research firm Quocirca, printers that are connected to an organization’s network are a potential vector for cyberattacks. In its report, “Global Print Security Landscape, 2019,” Quocirca addressed the potential security vulnerabilities posed by connected printers.

The report highlighted that 60 percent of businesses in the U.K., U.S., France, and Germany suffered a print-related data breach in 2019, which resulted in a data loss that cost companies an average of more than US$ 400,000.

9. Smart Speakers Can be Hacked

Wu HuiYu and Qian Wenxiang, security researchers from Tencent Blade, exposed vulnerabilities around smart speakers in a live demonstration at the DEFCON security conference on how to hack a smart speaker. The team used Amazon Echo smart speakers to present their attack program.

The researchers hacked the speaker by adding a malicious device embedded with an attack program. They also reported their findings to Amazon before the presentation, and Amazon pushed a security patch to fix the issues.

10. Even Internet-Connected Gas Stations are Vulnerable

Researchers at Trend Micro discovered that hackers are targeting internet-connected gas stations to launch IoT-based cyberattacks.

In its report, “The Internet of Things in the Cybercrime Underground,” Trend Micro described how Russian hackers have benefited from the Russian government’s new directive, which mandates replacing all electricity meters in the country with smart meters. Trend Micro stated that hackers in Russian dark web forums requested information on how to exploit smart meters. Some hackers are even selling altered smart meters in the underground market forums. Researchers also revealed that they’ve seen tutorials on gas pump hacking, including step-by-step procedures on how to hack connected meters.

Data Breach Affects Around 50,000 Patients at Minnesota Hospital
https://staging-cisomagcom.kinsta.cloud/data-breach-affects-around-50000-patients-at-minnesota-hospital/
Wed, 08 Jan 2020 07:46:10 +0000

Alomere Health, a Minnesota-based hospital operator, is the latest victim of a data breach that affected 49,351 individuals, scmagazine reported.

In an official report, the health care provider revealed that an unknown intruder gained access to two employee email accounts multiple times between October 31, 2019, and November 1, 2019, and also on November 6, 2019.

The compromised data includes names, dates of birth, addresses, medical record numbers, health insurance information, and diagnosis information. Alomere Health stated that a small number of patients had their social security numbers and driver’s license numbers exposed in the incident. It’s unclear if attackers actually misused any of the compromised data.

“The investigation was unable to determine whether the unauthorized person actually viewed any email or attachment in either account. In an abundance of caution, we reviewed the emails and attachments in the accounts to identify patients whose information may have been accessible to the unauthorized person,” Alomere Health said in a statement.

The company notified the patients whose information was left vulnerable and offered them free credit monitoring and identity protection services.

“Even though we have no confirmation that patient information was actually viewed by the unauthorized person, or that it has been misused, we mailed letters to patients whose information was found in the accounts,” the statement added.

Cybersecurity experts said hackers are increasingly targeting the health care industry to steal sensitive medical information and sell it on the black market. A survey from cybersecurity company Carbon Black revealed the rate of cyber-attacks on the health care industry appears to be increasing exponentially.

In its survey report, Healthcare Cyber Heists in 2019, Carbon Black disclosed what is happening to Personal Health Information (PHI) that was stolen by cybercriminals. The survey, which involved 20 of the health care industry’s Chief Information Security Officers (CISOs), found the health care sector is being targeted because of how lucrative PHI is when compared to other personal data like credit card numbers. It’s said that PHI is worth three times more than other personal information since the health information never changes and can be used by cybercriminal groups for extortion or compromise.

Data Breach Reports Increase in Canada after Privacy Law
https://staging-cisomagcom.kinsta.cloud/data-breach-reports-increase-in-canada-after-privacy-law/
Tue, 05 Nov 2019 13:50:10 +0000

The number of reported data breaches in Canada increased by six times after the country implemented a new breach-reporting regulation.

The new regulation, the Personal Information Protection and Electronic Documents Act (PIPEDA), went into effect on November 01, 2018. As per the regulation, Canadian companies are required to report all the details of data breaches that occurred within the organization. They also need to notify affected individuals and keep records of all data breaches.

According to the Office of the Privacy Commissioner of Canada’s report, around 680 security breach reports have been received since November 01, 2018, which is six times the volume received during the same period one year earlier. It’s said that more than 28 million Canadians have been affected by a data breach, and 58 percent of reported breaches involved unauthorized access.

“Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket. Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses,” the report stated. “We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack.  This is the correct approach to reporting: there can be a risk of significant harm even when only one person is affected by an incident.”

Cybersecurity experts have opined the Canadian government isn’t doing enough to protect businesses and consumers from data breaches.

A recent survey from Keyfactor, a provider of secure digital identity management solutions, revealed that 87 percent of surveyed cybersecurity pros think that more privacy and security legislation is required to better protect Canada’s businesses and consumers.

According to the survey, 58 percent of respondents think regulators and Canadian officials are not trying to regulate the security guidance on measures like data encryption. The survey also highlighted that 50 percent of respondents cited manual and complex processes as their greatest challenge in managing Public Key Infrastructure (PKI), while 43 percent of respondents were concerned about their ability to securely adopt DevOps, cloud, and IoT.

Domain Registrar Web.com Hacked!
https://staging-cisomagcom.kinsta.cloud/domain-registrar-web-com-hacked/
Thu, 31 Oct 2019 11:30:10 +0000

Popular domain registrar Web.com and its subsidiaries Network Solutions and Register.com are the latest victims of a hacker attack that resulted in the theft of customers’ sensitive information.

According to the official report, unknown intruders accessed the company’s computer systems, which gave them access to the account information of current and ex-customers. The intrusion occurred in late August 2019, but the companies said they became aware of the breach on October 16, 2019.

After its investigation, Web.com stated that attackers accessed nearly 22 million records of current and former users of Network Solutions, Register.com, and Web.com accounts. The exposed information included name, address, phone number, email address, and other details of customer accounts. However, Web.com clarified that no financial information was exposed in the incident.

“We store credit card numbers in a PCI (Payment Card Industry) compliant encryption standard and do not believe your credit card information is vulnerable as a specific result of this incident. That said, it is good practice to monitor your credit card account and we encourage you to notify your credit card provider if you see any suspicious charges,” the statement added.

“We encrypt account passwords and do not believe this information is vulnerable as a specific result of this incident. As an added precautionary measure, customers will be required to reset passwords the next time they log in to their accounts. As with any online service or platform, it is also a good security practice to change passwords often and use a unique password for each service,” a spokesperson of Web.com said.

The companies, Network Solutions, Web.com, and Register.com, stated they’re notifying the affected users via email and their websites, and have also reported the incident to federal authorities for further investigation.

Hackers Using Steganography in WAV Audio Files to Hide Malware
https://staging-cisomagcom.kinsta.cloud/hackers-using-steganography-in-wav-audio-files-to-hide-malware/
Mon, 21 Oct 2019 09:53:56 +0000

Steganography, an ancient practice of hiding secret content and text messages inside non-suspicious messages, is being increasingly used by cybercriminals to attack businesses around the world.

Security researchers found a new malware campaign using WAV audio files to hide their malware. It’s said the attackers are using steganography to embed the malicious code within the WAV audio files. According to BlackBerry threat researchers’ analysis, each WAV file contains a loader component to decode and execute malicious content embedded in audio files.

Attackers use steganography to hide malicious code within image, audio, or text files; the technique is mainly employed by exploit kits to hide their malvertising traffic.

The researchers also revealed that some of the WAV files contain the “XMRig Monero CPU” crypto miner and “Metasploit” code to establish a reverse shell, which is used to gain remote access over the victim networks.

“Attackers deploy CPU miners to steal processing resources and generate revenue from mining cryptocurrency. Cryptocurrency miners are a popular malware payload since they provide financial benefits and aim to operate in the background without the user’s knowledge. An effective cryptocurrency botnet can yield thousands of dollars per month for an attacker,” BlackBerry said in a statement.

“This approach allows the attacker to execute code from an otherwise benign file format. These techniques demonstrate that executable content could theoretically be hidden within any file type, provided the attacker does not corrupt the structure and processing of the container format. Adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging,” the statement added.

Cybercriminals are continuously using innovative methods to carry out their malicious activities. Recently, Trend Micro stated that cybercriminals are using steganography to infect targeted systems. It’s believed that the Powload campaign has been distributing malicious code since 2018 through fileless methods, steganography techniques, and hijacked email accounts to deliver information-stealing malware such as Emotet, Bebloh, and Ursnif.

In similar research, Matthew Rowen, a security researcher from Bromium, discovered ransomware embedded in a downloadable Super Mario image using steganography. The attackers send emails with an attached spreadsheet that contains embedded malware and a macro. The attachment prompts the user to click on and enable a content link to deploy the malware.

The Krack on Amazon’s Kindle and Echo https://staging-cisomagcom.kinsta.cloud/the-krack-on-amazons-kindle-and-echo/ Fri, 18 Oct 2019 12:46:10 +0000

The post The Krack on Amazon’s Kindle and Echo appeared first on CISO MAG | Cyber Security Magazine.

From creepy laughs to spy bugs, Amazon’s Echo devices have been in the limelight for more than a dozen or two reasons, and it seems like Alexa is going to hog maybe a bit more of your attention due to a “Krack” on the wall.

Reports have emerged stating that millions of first-generation Amazon Echo devices and even the eighth-generation Kindle are susceptible to a Krack Wi-Fi vulnerability. The vulnerability allows hackers to execute a man-in-the-middle attack against a WPA2-protected network.

Krack, a jazzy abbreviation of Key Reinstallation Attack, was first revealed by researchers Mathy Vanhoef and Frank Piessens in 2017. The vulnerability existed in the four-way handshake of the WPA2 protocol, which secured almost all modern Wi-Fi networks at that time.

According to researchers, attackers could have easily exploited the vulnerability by using a key reinstallation attack if the victim was within the network. The attack would enable access to details like passwords, email, and photos, and even financial data like credit card numbers, among other personal and sensitive data that was vulnerable.

After the vulnerability was discovered, Amazon released a patch for affected devices early this year, once researchers from ESET had informed Amazon about it. But “Krack” has cracked its way open to the surface, and researchers from ESET have discovered and again confirmed that the first-generation Amazon Echo and the eighth generation of Kindle are still affected by the “Krack” vulnerability.

“The Echo 1st generation and Amazon Kindle 8th generation devices were found to be vulnerable to two KRACK vulnerabilities,” ESET researchers stated in their report. “Using Vanhoef’s scripts, we were able to replicate the reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake (CVE-2017-13077) and reinstallation of the group key (GTK) in the four-way handshake (CVE-2017-13078).”

Even though Amazon has patched the vulnerability, Krack still looms in the air because several users may not have updated their devices. ESET has urged users to go to the settings of these devices to make sure they are running the latest firmware.

Vulnerabilities in Amazon Echo devices are not new; they have echoed before. At the last edition of the DEFCON security conference, researchers Wu HuiYu and Qian Wenxiang gave a live demonstration of how to hack a smart speaker. The team used Amazon Echo smart speakers to present their attack program.

The researchers hacked the speaker by adding a malicious device embedded with an attack program. “After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and achieve remote eavesdropping,” the researchers said in a media report. “When the attack succeeds, we can control Amazon Echo for eavesdropping and send the voice data through a network to the attacker.”

Attackers used “Cutlet Maker” Malware in Jackpotting Attacks on ATMs in Germany https://staging-cisomagcom.kinsta.cloud/attackers-used-cutlet-maker-malware-in-jackpotting-attacks-on-atms-in-germany/ Fri, 18 Oct 2019 06:06:51 +0000

The post Attackers used “Cutlet Maker” Malware in Jackpotting Attacks on ATMs in Germany appeared first on CISO MAG | Cyber Security Magazine.

Cybersecurity experts found a new trace of an ATM jackpotting attack carried out with the infamous ATM malware named Cutlet Maker. The researchers opined that attackers’ use of this malware is now growing rapidly across the globe.

Cutlet Maker malware was designed in 2017 to spit cash out of ATMs in Germany. In ATM jackpotting, attackers use malware like Cutlet Maker to exploit a vulnerability in the ATM and trick it into ejecting cash.

A joint investigation by Motherboard and the German broadcaster Bayerischer Rundfunk revealed some new details about a series of jackpotting attacks. The malware was used to attack multiple ATMs in Germany to steal around US$1.5 million during 2017. It’s said that a total of 10 different jackpotting incidents involving Cutlet Maker malware took place between February and November 2017.

According to the investigation findings, the attacked regions include the U.S., Latin America, and Southeast Asia. The Spanish commercial bank Santander was one of the highly impacted banks in the 2017 attacks, as it used outdated Windows systems.

“Protecting our customers’ information and the integrity of our physical network is at the core of what we do. Our experts are involved in every stage of product development and operations to protect customers and the bank from fraud and cyber-threats. This focus on protecting our data and operations prevents us from commenting on specific security issues,” a Santander spokesperson said in a statement.

In January 2018, National Cash Register (NCR) Corporation and Diebold Nixdorf, two leading financial self-service providers in the United States, issued warnings against jackpotting attacks that make ATMs gush out cash incessantly. The self-service kiosk makers confirmed that they had informed their clients about the vulnerability. Although there is no available data on the losses due to these incidents, the ATM manufacturers have admitted to the rising cases of jackpotting across the world.

These ATM cyberattacks took off in 2015 in Asia, Europe and Mexico; now, however, their new target is the U.S., raising concerns for the U.S. Secret Service, which has advised financial institutions to be cautious. “This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” NCR cautioned.

Singapore Government Patches 31 vulnerabilities found by Ethical Hackers https://staging-cisomagcom.kinsta.cloud/singapore-government-patches-31-vulnerabilities-found-by-ethical-hackers/ Tue, 01 Oct 2019 13:10:20 +0000

The post Singapore Government Patches 31 vulnerabilities found by Ethical Hackers appeared first on CISO MAG | Cyber Security Magazine.

The Government of Singapore announced that it has rectified 31 vulnerabilities in its network systems that were found by ethical hackers in the Government Bug Bounty Program (BBP). The bug bounty program was organized by the Government Technology Agency (GovTech) and Cyber Security Agency (CSA) in partnership with HackerOne, a popular bug bounty platform.

HackerOne helps organizations find and fix potential vulnerabilities before they can be exploited by cybercriminals. The new bug bounty program is part of the Singapore government’s ongoing commitment to protect its citizens and secure government network systems. The hacking challenge will offer a monetary reward to hackers for discovering and reporting potential vulnerabilities.

The Government has paid out S$25,950 in bounties for the discovery of 31 vulnerabilities, of which four were considered high severity and the remaining 27 medium or low severity.

Also, GovTech launched its new Vulnerability Disclosure Program (VDP) on the HackerOne platform, inviting security pros to identify and report vulnerabilities. The Singapore government stated the bug bounty program will run over a period to find security flaws in public-facing government network systems and websites.

The VDP is a part of the Singapore Government’s ongoing commitment to collaborate with the cybersecurity community to build a secure and resilient Smart Nation. In addition to the VDP, GovTech will conduct a third government BBP in November 2019 to continue to strengthen and enhance the cybersecurity of government systems and applications.

“The Singapore Government has been a leader in their adoption of hacker-powered security solutions within the Asia Pacific region, and we are honored to be a part of this journey,” said Fifi Handayani, GovTech’s Program Manager at HackerOne. “Their implementation of both ongoing and time-bound hacker-powered security initiatives demonstrate the maturity of their cybersecurity program and the value they have seen from maximizing hacker engagement to reduce risk.”

In related news, the Monetary Authority of Singapore (MAS) announced the launch of a S$30 million (US$22 million) cybersecurity capabilities grant. The new allocation helps Singapore’s financial institutions strengthen their cyber resilience and upskill local talent through cybersecurity-related training programs in areas like security operations, cyber threat surveillance, computer forensics, malware analysis, and cyberthreat hunting.
