Google bets on Alphabet rebrand; ICANN accounts compromised; Microsoft boosts bug bounty to US$100K

Google has announced a large-scale corporate restructure that will see the organisation become a subsidiary of a newly created parent company, Alphabet Inc.

Google co-founder Larry Page detailed the restructure on the Google company blog.

“Our company is operating well today, but we think we can make it cleaner and more accountable. So we are creating a new company, called Alphabet,” Page wrote.

Page described Alphabet as “mostly a collection of companies”. Google will become a wholly owned subsidiary of Alphabet.

Page said that existing Google companies that “are pretty far afield of our main internet products” — giving the example of subsidiary Calico — will be moved out from under Google and sit directly under Alphabet.

“Fundamentally, we believe this allows us more management scale, as we can run things independently that aren’t very related,” Page wrote.

Page will be the CEO of the newly created Alphabet, while Google’s other co-founder, Sergey Brin, will be Alphabet’s president.

“Alphabet is about businesses prospering through strong leaders and independence. In general, our model is to have a strong CEO who runs each business, with Sergey and me in service to them as needed,” Page wrote.

ICANN accounts compromised

Usernames and encrypted passwords for ICANN’s public website have been stolen, the organisation has revealed.

A statement posted on the ICANN website last week said: “ICANN has reason to believe that within the last week, usernames/email addresses and encrypted passwords for profile accounts created on the ICANN.org public website were obtained by an unauthorized person.”

The profile accounts in question contain “user preferences for the website, public bios, interests, newsletter subscriptions”.

“There is no evidence that any profile accounts were accessed or that any internal ICANN systems were accessed without authorization,” the statement said.

“While investigations are ongoing, the encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider,” it said.

The organisation claimed that the stolen encrypted passwords are “not easy to reverse”, but said as a precaution it was requiring all users reset their passwords.

“Most importantly, if you have used the same password on other websites or services, you should change it immediately on those other websites or services,” the ICANN statement said.

ICANN also said, “No operational information, financial data or IANA [Internet Assigned Numbers Authority] systems were involved.”

In other online security news, Fairfax reported that a British software engineer discovered he could harvest Facebook users’ data on a mass scale by abusing a Facebook function that allows anyone to find a person’s account by typing that person’s mobile phone number into Facebook’s search box.

The software engineer — Reza Moaiandin — reportedly used an algorithm to generate thousands of possible mobile numbers, ran them through Facebook’s API to discover any accounts those numbers were associated with and was then able to harvest more information on the resultant users from their profiles.

According to Fairfax, Facebook denied this constituted a “security loophole”, as the data that was accessed was designated to be public.

Microsoft doubles Defense Bounty to US$100K

Microsoft has made several changes to its vulnerability and exploit bounty programs, in one case doubling the reward to US$100,000.

As part of its bounty programs, Microsoft offers direct payments for reports of certain types of vulnerabilities and exploitation techniques. These programs provide a way to harness the collective intelligence and capabilities of security researchers to help further protect customers, Microsoft said.

As of 5 August, Microsoft has expanded its ‘Online Services Bug Bounty’ program to include Microsoft Account. And for a short while, the company is offering bonus rewards under this particular bounty program.

“To kick off the addition of Microsoft Account in the Online Services Bug Bounty program, between August 5 and October 5 2015, qualified submissions of authentication vulnerabilities are eligible ‘double bounties’, for a maximum of $30,000 USD,” the company said on its Technet site.

The company has also decoupled its ‘Mitigation Bypass Bounty’ and ‘Bounty for Defense’ programs, and raised the potential reward for the ‘Bounty for Defense’ from US$50,000 to US$100,000.

The bounty programs carry a bunch of conditions, so aspiring vulnerability researchers should read up on those before they get hacking.

Image courtesy Google