Weekly Highlights: Bug Bounties, Encryption, And Security Tools

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

Mozilla is increasing the amount it pays security researchers for bugs from $500 up to $3,000. I personally think that's a very good thing.There has long been a debate about whether or not vendors should pay for security flaws. In my view, the flaws are going to be discovered whether or not a vendor is paying for them. The question is how they will be disclosed and whether or not those flaws will end up putting millions of users at risk - or not.By paying for flaws, what Mozilla is doing is providing an economic model for both security researchers and for itself. For security researchers, a $3,000 payment is not an unreasonable sum in my view and it's more than the $1,337 that Google pays. HP's TippingPoint also pays for security flaws as well though they seem to have a floating scale on payments as far as I can tell.

In a corner of a Panera Bread store, amid the clatter of dinner plates and orders recited over a warbling sound system, a group of men and a woman gathered last week, laptops open.They threw around terms like "botnets" and "onion routers" with ease, talked about microcontrollers and how to crack into a computer database should the need arise to test their own computer defenses.

A Wikileaks editor, deciding not to risk a confrontation with federal agents, skipped a high-profile speaking engagement at a hacker conference here on Saturday.Instead, Jacob Appelbaum, a Seattle-based programmer for the Tor Project, who's involved in the Wikileaks Web site, took over the 1 p.m. ET keynote slot on behalf of co-founder Julian Assange.

Nearly nine years after the publication of FIPS 197, AES encryption remains the de facto standard today for symmetric encryption, and brute-force attacks remain infeasible, at least for the foreseeable future. To date, most attacks methods have focused on weaknesses or characteristics in specific implementations, called "side-channel attacks," not on the algorithm itself.

Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to $3,000.The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum $1,337 that Google pays for the most severe bugs.

Dell, through its Kace unit, is making available free Web browser security software that works by creating a protective "sandbox" on the desktop to isolate the user's desktop from malware or other harmful actions that might be encountered browsing the Web.

The Internet is set to get a whole lot safer, the security standard DNSSEC is set to be assigned to the Internet's 13 root servers from later today.

Security practitioners diving into cloud computing must make older security tools like IDS work in this new world. In a CSO podcast last week, Stu Wilson, CTO of IDS provider Endace, sought to explain how this older technology is still relevant in enterprise cloud security strategies.

A well-known cryptographic attack could be used by hackers to log into Web applications used by millions of users, according to two security experts who plan to discuss the issue at an upcoming security conference.