Daily Archives: September 7, 2018

NBlog Sept 8 – chew before swallowing

The Global State of Online Digital Trust is a typical vendor-sponsored piece, a white paper (= marketing promotion in the guise of a 'survey') prepared by Frost & Sullivan for CA Technologies.

I say 'typical' in that they have disclosed hardly any information about the survey method and sample. The press release instructs us to see the report for "Full survey methodology details" but, unless I'm blind, it looks to me as if someone either 'forgot' to write the materials-and-methods section or casually neglected to incorporate it in the published report. Oh dear.

A CA marketing VP called it "a survey of 1,000 consumers, 350 cybersecurity professionals and 325 business executives from all over the world" whereas the press release referred to it as "The global online survey of 990 consumers, 336 security professionals and 324 business executives across 10 countries". 

We can only guess at how they might have assigned respondents between the three categories, e.g. who would not qualify as a 'consumer'? Wouldn't a CISO fall into all three groups? In the report, numbers next to the graphs appear to indicate sample sizes of up to about 990.

Last time I checked, there were rather more than 10 countries in the world aside from USA BRA UK FRA GER ITA AUS IND JPN and CHN as listed in the report. If I'm interpreting those abbreviations correctly, that's well short of "all over the world".

If indeed the survey was online, that rather suggests the sample only consisted of people from the ten countries who were happy to answer an online survey - which itself implies a degree of trust in online security as well as a willingness to respond to a vendor-sponsored survey. 

It is unclear whether or how the report's conclusions relate to the survey findings ... and they are somewhat predictable given the report sponsor's commercial interests:
"CULTIVATE A CULTURE OF SECURITY Implement data protection policies that are in accordance with the world’s strictest data privacy regulations. Ensure company-wide familiarity with security policies, including among non-technical staff to reduce the risk of data breaches. 
START AT THE TOP Too many business executives see security initiatives as a negative return on investment. Alert the C-Suite to the tangible business impacts of a breach and a loss of consumer trust. 
COVER YOUR BASES Consumers consider both social and technical factors when determining whether to trust an organization; be sure that your organization has the technical foundation in place to mitigate attacks and have a response team ready to minimize damage to consumer trust in the event of a breach. 
KEEP IT SIMPLE Clear communication from organizations around policies and data handling practices is critical for building trust. Far too many organizations overestimate the degree to which consumers can easily manage their personal data online. Present your policies in simple language, and provide important details without overwhelming the consumer."
So they evidently equate "a culture of security" with data protection, data privacy and data breaches. Spot the common factor. A similar bias towards privacy law compliance and the protection of "customer data" is evident in all four paragraphs. That is an important issue, I agree, along with "cybersecurity" (an undefined term ... but I guess they mean IT security) but what about all the rest of information security: trade secrets, intellectual property, business continuity, physical and procedural security, information integrity, blah blah blah?

I freely admit to being heavily prejudiced in favour of both cultural development and management-level security awareness but their emphasis on breach impacts and consumer trust once again betrays a myopic focus on privacy breach incidents, while the conclusion about return on investment seems very suspect to me. I wonder if the survey question/s in that area were unambiguous enough to be interpreted in the same way by all the respondents? Or are the reported differences between the groups of respondents merely indicative of their distinct perspectives and assumptions? Did they even face the same questions? We can't tell since they choose not to disclose the survey questions.

The report introduces the term "Digital trust index". Sounds great, right? A metric concerning trust in, errr, digits? A percentage value relative to, um, what exactly? Oh let me guess, relative to the score conjured out of the air for this, the first report. And unfortunately for the sponsors, the term "Digital Trust Index" is already in use elsewhere.

Overall, a disappointing and essentially pointless read, like most other commercially-sponsored and heavily-promoted "surveys" I have read in my career, with few exceptions.

Clearly, I'm a slow learner, stubborn as an old boot. Venting my spleen through this blog is immensely helpful though, along with the vain hope that you might perhaps be persuaded to take a more critical look at the next "survey" that plops onto your screen. Chew it over rather than swallowing whole.

CVE-2018-15552 (theethereumlottery)

The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value from the publicly readable variable "maxTickets" (which is declared private, yet is predictable and readable via the eth.getStorageAt function). Therefore, it allows attackers to always win and get rewards.
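The defensive lesson in this entry is that a Solidity `private` variable is still on-chain state that anyone can read with eth.getStorageAt, so a draw derived from it is predictable. The block below is an added illustration, not the lottery contract and not code from the advisory: it simulates off-chain, in Python, the usual mitigation, a commit-reveal draw. Each participant commits to a secret before the round closes, reveals it afterwards, and the winner is derived from every revealed secret, so nothing that sat in readable state before the round closed determines the outcome. The class and function names, the domain-separation tag and the policy of refusing to draw while a reveal is missing are assumptions.

```python
import hashlib
import hmac
import secrets

DOMAIN = b"lottery-draw-v1"   # assumed domain-separation tag for the hash

def commitment(secret: bytes, salt: bytes) -> bytes:
    """H(domain || salt || secret) binds a participant to a secret without revealing it."""
    return hashlib.sha256(DOMAIN + salt + secret).digest()

def new_player_secret():
    """Generated locally by the player; nothing here is published until the reveal phase."""
    return secrets.token_bytes(32), secrets.token_bytes(16)

class CommitRevealDraw:
    """Simulated draw state (the role a contract would play), with three phases."""

    def __init__(self, ticket_count: int):
        if ticket_count <= 0:
            raise ValueError("ticket_count must be positive")
        self.ticket_count = ticket_count
        self.commits = {}      # player -> 32-byte commitment
        self.reveals = {}      # player -> revealed secret
        self.phase = "commit"

    def commit(self, player: str, digest: bytes) -> None:
        if self.phase != "commit":
            raise RuntimeError("commit phase is closed")
        if player in self.commits:
            raise RuntimeError("player already committed")
        if len(digest) != 32:
            raise ValueError("commitment must be a 32-byte digest")
        self.commits[player] = digest

    def close_commits(self) -> None:
        """Once closed, no commitment can be added or changed; only then are secrets revealed."""
        self.phase = "reveal"

    def reveal(self, player: str, secret: bytes, salt: bytes) -> None:
        if self.phase != "reveal":
            raise RuntimeError("not in reveal phase")
        expected = self.commits.get(player)
        if expected is None:
            raise RuntimeError("no commitment on record for this player")
        # A reveal that does not reproduce the committed digest is rejected
        if not hmac.compare_digest(commitment(secret, salt), expected):
            raise ValueError("reveal does not match commitment")
        self.reveals[player] = secret

    def draw(self) -> int:
        """Winner index in [0, ticket_count). Refuses to run while any commitment is unrevealed."""
        if self.phase != "reveal":
            raise RuntimeError("draw requires the reveal phase")
        missing = sorted(set(self.commits) - set(self.reveals))
        if missing:
            raise RuntimeError(f"unrevealed commitments: {missing}")
        # Canonical order so the result does not depend on who revealed first
        material = b"".join(self.reveals[p] for p in sorted(self.reveals))
        seed = hashlib.sha256(DOMAIN + b"draw" + material).digest()
        self.phase = "done"
        return int.from_bytes(seed, "big") % self.ticket_count

if __name__ == "__main__":
    draw = CommitRevealDraw(ticket_count=100)
    players = {name: new_player_secret() for name in ("alice", "bob", "carol")}
    for name, (secret, salt) in players.items():
        draw.commit(name, commitment(secret, salt))
    draw.close_commits()
    for name, (secret, salt) in players.items():
        draw.reveal(name, secret, salt)
    print("winning ticket:", draw.draw())
```

The known weak spot of commit-reveal is the last participant to reveal, who can see every other secret and decide whether to reveal at all; the simulation simply refuses to draw in that case, and an on-chain version would back that refusal with a deposit that a non-revealer forfeits.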

That’s What Hackers Do – Enterprise Security Weekly #105

This week, Paul and John talk BitSight, SentinelOne, Swimlane, Fortinet, and more! After the Enterprise News, we air some pre-recorded interviews from Black Hat and DEF CON with Mimecast CTO Marc French, Director of Solutions of Synopsys Ofer Maor, CEO of ThreatX Bret Settle, and Willy Leichter of Virsec!


Full Show Notes: https://wiki.securityweekly.com/ES_Episode105


Visit https://www.securityweekly.com/esw for all the latest episodes!


Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!


→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Join us in fighting back against powerful corporations trying to silence news and advocacy organizations

Protest the Protest

This week, Greenpeace—along with Freedom of the Press Foundation and dozens of other advocacy groups—is launching an important campaign called Protect the Protest, which aims to draw attention to a dangerous tactic that corporations use all too often to chill the free speech of Americans.

SLAPP suits, or “strategic lawsuits against public participation,” are brought by wealthy individuals or organizations in an attempt to silence critical speech. Powerful people bring these types of libel lawsuits knowing they won’t win on the merits, but they hope they can silence critics by bleeding them dry of resources or bankrupting them altogether.

Greenpeace is the defendant in two particularly egregious lawsuits that we wrote about earlier this year that actually accuse Greenpeace of violating the RICO statute—a law used to go after organized crime—for engaging in routine advocacy. These types of lawsuits chill the speech of non-profit organizations and protesters, and prevent public transparency and accountability of those in power. The suits also directly impact press freedom.

SLAPP suits are particularly dangerous when used against journalists and news organizations. In the past few years, we’ve seen several high-profile cases of extremely wealthy individuals and corporations threatening to sue, or actually suing, public interest news organizations for libel over stories they didn’t like.

The non-profit news organization Mother Jones had to fend off an incredibly expensive lawsuit brought by a billionaire political fundraiser a few years ago, one they worried might ultimately bankrupt the organization. The civil liberties news website Techdirt faced a similar lawsuit last year that had it contemplating shutting its doors. (Both eventually won their cases.)

And of course, billionaire Peter Thiel infamously funded a series of lawsuits that ultimately destroyed Gawker.

The billionaire with the most prolific history of bringing lawsuits against journalists who report critically on him currently occupies the White House. Donald Trump brought over half a dozen SLAPP lawsuits against journalists over his decades in public life and has threatened over a dozen more.

It’s important to emphasize that in almost all of these cases, the lawsuits were never going to win. Anyone who glanced at the stories in question could tell the defendants’ speech was protected by the First Amendment. The problem is that these powerful people often don’t care about winning; they care about inflicting damage. Maybe they will be able to decimate the news outlet by forcing it to spend millions in legal fees. Even if the plaintiff loses, the next time the news outlet will think twice before going forward with an investigation. Or maybe they’ll scare the countless other news organizations that may be planning similar stories.

(Note: while Gawker did lose an invasion of privacy case that eventually bankrupted the company, it had several other libel suits funded by Thiel that were pending, all of which were standard SLAPP suits. The invasion of privacy case would’ve likely been overturned by an appeals court if Gawker had the funding to continue fighting.)

Ultimately, the Protect the Protest campaign is not just about Greenpeace. Luckily, they have an excellent team of lawyers and have decided to very publicly fight back against these dangerous threats. I have no doubt they will prevail. This campaign is about protecting all of the smaller non-profits and the smaller news organizations that will think twice about reporting on people in power because they know they may be subject to millions of dollars of litigation for speaking out. And we are proud to stand with them as they expand this fight.

You can find more information about the campaign here, and here’s how you can join the fight.

CVE-2018-16709 (apeosport-v_5070_firmware, apeosport-v_c3375_firmware, apeosport-v_c4475_firmware, apeosport-v_c5576_firmware, apeosport-vi_c3371_firmware, docucentre-iv_c2263_firmware, docucentre-v_3065_firmware, docucentre-v_c2263_firmware, docucentre-vi_c2271_firmware)

Fuji Xerox DocuCentre-V 3065, ApeosPort-VI C3371, ApeosPort-V C4475, ApeosPort-V C3375, DocuCentre-VI C2271, ApeosPort-V C5576, DocuCentre-IV C2263, DocuCentre-V C2263, and ApeosPort-V 5070 devices allow remote attackers to read or write to files via crafted PJL commands.

CVE-2018-16710 (octoprint)

** DISPUTED ** OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with "blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough."

CVE-2018-16704 (gleezcms)

An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged-in users) to view the profile pages of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org.

CVE-2018-16703 (gleez_cms)

A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI.
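The two Gleez entries above (CVE-2018-16704 and CVE-2018-16703) describe the same pair of gaps from a defender's view: a `user/<id>` route that serves any profile to any logged-in user, and a login form whose responses and client-side attempt limit let a remote client tell existing accounts from non-existent ones and keep guessing. The block below is an added example, not Gleez CMS code: an in-memory portal whose profile handler returns the identical response for "forbidden" and "no such user", and whose login handler enforces the attempt limit server side and answers every failure with the same message after doing the same amount of work. The user records, limits, lockout window and PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 10_000        # assumed; kept low so the example runs quickly
MAX_FAILURES = 5              # assumed per-account failure limit
LOCKOUT_SECONDS = 900         # assumed lockout window
GENERIC_FAILURE = "Invalid username or password"   # one message for every failure cause
DUMMY_SALT = os.urandom(16)   # so an unknown username costs the same work as a real one
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"", DUMMY_SALT, PBKDF2_ROUNDS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class User:
    id: int
    username: str
    salt: bytes
    pw_hash: bytes
    email: str
    is_admin: bool = False
    failures: int = 0
    locked_until: float = 0.0

class Portal:
    def __init__(self):
        self.users = {}      # id -> User
        self.by_name = {}    # username -> User

    def add_user(self, uid, username, password, email, is_admin=False):
        salt = os.urandom(16)
        user = User(uid, username, salt, hash_password(password, salt), email, is_admin)
        self.users[uid] = user
        self.by_name[username] = user
        return user

    def view_profile(self, requester_id: int, target_id: int):
        """user/<id>: only the owner or an admin sees the record. A missing id and a
        forbidden id get the identical response, so the route cannot be used to
        enumerate which user ids exist."""
        requester = self.users.get(requester_id)
        target = self.users.get(target_id)
        if requester is None or target is None:
            return (403, None)
        if requester.id != target.id and not requester.is_admin:
            return (403, None)
        return (200, {"id": target.id, "username": target.username, "email": target.email})

    def login(self, username: str, password: str, now: float):
        """Server-side attempt limiting with a single failure response: unknown user,
        wrong password and locked account are indistinguishable to the client."""
        user = self.by_name.get(username)
        salt = user.salt if user else DUMMY_SALT
        expected = user.pw_hash if user else DUMMY_HASH
        # Always derive and compare, so response time does not reveal whether the user exists
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if user is None or user.locked_until > now:
            return (False, GENERIC_FAILURE)
        if matches:
            user.failures = 0
            return (True, "ok")
        user.failures += 1
        if user.failures >= MAX_FAILURES:
            user.locked_until = now + LOCKOUT_SECONDS
            user.failures = 0
        return (False, GENERIC_FAILURE)

def build_demo_portal() -> Portal:
    """Constructed sample users; passwords are demo values only."""
    portal = Portal()
    portal.add_user(1, "alice", "correct horse", "alice@example.com")
    portal.add_user(2, "bob", "battery staple", "bob@example.com")
    portal.add_user(3, "carol", "admin-demo-pass", "carol@example.com", is_admin=True)
    return portal

if __name__ == "__main__":
    p = build_demo_portal()
    print(p.view_profile(1, 2), p.view_profile(1, 999))      # both (403, None)
    print(p.login("alice", "wrong", now=0.0), p.login("nobody", "wrong", now=0.0))
```

A per-account lock on its own lets a remote client lock real users out, so production deployments pair it with a per-source limit and a delay that rises with failures; the essential point the Gleez report makes is that whatever limit exists must live on the server, not in the form.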

CVE-2016-9044 (webfocus)

An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1. A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability.

CVE-2017-2795 (marklogic)

An exploitable heap corruption vulnerability exists in the Txo functionality of Antenna House DMC HTMLFilter as used by MarkLogic 8.0-6. A specially crafted xls file can cause a heap corruption resulting in arbitrary code execution. An attacker can send or provide a malicious XLS file to trigger this vulnerability.

CVE-2017-2792 (marklogic)

An exploitable heap corruption vulnerability exists in the iBldDirInfo functionality of Antenna House DMC HTMLFilter used by MarkLogic 8.0-6. A specially crafted xls file can cause a heap corruption resulting in arbitrary code execution. An attacker can provide a malicious xls file to trigger this vulnerability.

“Shifting Left” Requires Remediation Guidance

Shifting security “left” is about more than simply changing the timing of testing. When security shifts to earlier phases of the development lifecycle, it also changes who is responsible for conducting the testing and addressing the results. In the not-so-distant past, the security team would conduct most security testing late in the software development process, pass the results back “over the wall” to developers, and consider their work done. But with the rise of DevOps and DevSecOps, finding and fixing security-related defects is a shared responsibility between security and development.

In addition, security testing has shifted further left, into the realm of the developer. The development team now has primary responsibility for security in the development phase and is responsible for making sure its code gets both scanned and fixed. The security team has more of an oversight role in the development phase, focusing on goals and policy. This is a significant change that requires entirely new tasks, skills, priorities, and mindset.

But there is one big blocker to this change: most developers don’t have secure coding skills. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers are on the job, employers aren’t advancing their security training options either: approximately 68 percent of developers and IT pros say their organizations don’t provide them adequate training in application security. The bottom line is that most developers won’t know what to do with a long list of security flaws.

It follows that if you shift security left, into developer workflows, without adequate training and guidance, you will not create more secure code; you will instead delay developer timelines and still produce vulnerable code. Shift left only works when developers get the tools and assistance they need to succeed, and a key part of that is remediation guidance. This adds another new task to the security team’s plate: developer training and coaching.

In their recent report, CISO Playbook: Embedding AST in the Software Development Lifecycle, Gartner notes that “organizations can better support AST early in development by prioritizing AST tools and services that integrate into IDEs and produce actionable findings, with an emphasis on the type and quality of information provided to developers. Tools that are fast but contain little guidance on remediation may not achieve the time savings desired, if developers struggle to understand why a vulnerability was introduced and how to fix it.”*

Ultimately, the speed at which you receive security-testing results is meaningless without the guidance needed to address those results.

We have research that supports this idea as well. Each year for our State of Software Security report, we analyze the data accumulated from all the security assessments we have performed the previous year. In our most recent report, we found that organizations that pick up consulting services that offer analysis and advice to developers alongside the scan results show tremendous improvement in fix rates. We looked at the flaws per MB among the organizations that took advantage of remediation coaching, and those that didn’t – both on their first and last scans of the year. The numbers revealed that remediation consulting can contribute to a whopping 88 percent improvement in an organization’s fix rate. Clearly, if developers are given extra resources to accomplish their security goals, they will make progress on the flaw density in their software.

The bottom line is that application security success is about more than finding security flaws; it’s about fixing them. And in a DevOps world, security and development have to work together to ensure that what gets found gets fixed. Make sure your developers are equipped to fix what they find and truly reduce your application security risk.

To get more best practices on embedding security into the development lifecycle, read the entire Gartner report, CISO Playbook: Embedding AST in the Software Development Lifecycle, mentioned above.


*Gartner CISO Playbook: Embedding AST in the Software Development Lifecycle, Ayal Tirosh, Prateek Bhajanka, 13 July 2018

CVE-2018-16657 (debian_linux, kamailio)

In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with an invalid Via header causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the crcitt_string_array core function for calculating a CRC hash for To tags. (An additional error is present in the check_via_address core function: this function also misses input validation.) This could result in denial of service and potentially the execution of arbitrary code.

CVE-2018-0657 (ec-cube_payment_module, gmo-pg_payment_module)

Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allows an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.

CVE-2018-0658 (ec-cube_payment_module, gmo-pg_payment_module)

Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.

CVE-2018-0649 (compusec, deslock+_pro, internet_security, nod32_antivirus, smart_security, smart_security_premium)

Untrusted search path vulnerability in the installers of multiple Canon IT Solutions Inc. software programs (ESET Smart Security Premium, ESET Internet Security, ESET Smart Security, ESET NOD32 Antivirus, DESlock+ Pro, and CompuSec (all programs except packaged ones)) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2018-0644 (ubuntu_linux)

Buffer overflow in Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-client2) 1:1.4.9+p41-u4jma1 and earlier, Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u4jma1 and earlier, and Ubuntu16.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u5jma1 and earlier allows authenticated attackers to cause a denial-of-service (DoS) condition via unspecified vectors.

IDG Contributor Network: Visibility is key for devops and the hybrid cloud

Cloud has undoubtedly become a key component of successful business in recent years, especially given the race to digitally transform. Across the globe, companies are moving their applications and services to the cloud and are consequently reaping the benefits of lower capex and opex.

However, cloud migration is only the beginning of any organization’s digital transformation (DX) journey. If harnessed correctly, cloud is a pillar of innovation for DX and can be a driving force for new business models and use cases that, even a few years ago, weren’t possible. No one knows this better than devops teams; they hold the line when it comes to continuous delivery and deployment, so it stands to reason that devops plays a crucial role in the digital transformation journey. In practice, however, the decision makers in charge of cloud strategies are rarely those in the bowels of the ship.
