Category Archives: Software Security

The Journey to Data Integrity

In 2017, ‘Fake News’ was crowned word of the year thanks in part to a deteriorating relationship between politicians and the media. Claims and counterclaims could be challenged without the

The post The Journey to Data Integrity appeared first on The Cyber Security Place.

Phishing, Humans Root of Most Healthcare Attacks

Across healthcare organizations in the US, malicious actors are successfully leveraging phishing attacks to initially gain access to networks, according to findings from the 2019 HIMSS Cybersecurity Survey published by the Healthcare Information

Adobe Releases February 2019 Patch Updates For 75 Vulnerabilities

Welcome back! Adobe has today released its monthly security updates to address a total of 75 security vulnerabilities across its various products, 71 of which reside in Adobe Acrobat and Reader alone. The February 2019 Patch Tuesday updates address several critical and important vulnerabilities in Adobe Acrobat Reader DC, Adobe ColdFusion, Creative Cloud Desktop Application, and Adobe Flash

New cryptomining malware removes other malware from Linux, then latches onto systems

A script capable of deleting known Linux malware and coin-mining software from infected systems has been discovered by Trend Micro. It then downloads cryptocurrency-mining malware as well as install

Don’t Leave Your Doors Open – Secure Your APIs Now

APIs are the glue that enable two systems to share data or functionality and work together to create new business opportunities, drive integrations, and speed overall development in the process.

Cybercriminals leverage Google Translate to hide their phishing sites

Attackers are using a new technique that abuses Google Translate to hide the real domain of their phishing sites. The technique works more effectively on mobile devices when compared
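
As an added illustration (not code from the original post), the check below unwraps a Google Translate proxy link to expose the destination that the user-visible translate.google.com address hides. It assumes, as its own premise, that the proxied page is carried in the `u` query parameter of a translate.google.com or translate.googleusercontent.com URL; the sample links are constructed for the example and the `.invalid` domains are placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Hosts that serve Google Translate's proxied pages (assumption for this example).
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}


def unwrap_translate_url(url, max_depth=5):
    """Return the real destination behind a Google Translate proxy link.

    Assumes the proxied page is passed in the `u` query parameter. One proxy
    link can be nested inside another, so unwrapping repeats until a
    non-translate host is reached. Returns None for URLs that are not
    translate-proxy links at all.
    """
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if host not in TRANSLATE_HOSTS:
            return None if current == url else current
        target = parse_qs(parsed.query).get("u")
        if not target:
            return None          # translate host but no proxied page: nothing hidden
        current = target[0]      # parse_qs already percent-decodes the value
    return current               # nesting limit reached; report what we got to


def hidden_hosts(urls):
    """Map each translate-proxy link to the hostname it really lands on."""
    result = {}
    for url in urls:
        real = unwrap_translate_url(url)
        if real is not None:
            result[url] = (urlparse(real).hostname or "").lower()
    return result


# Constructed sample links (not real campaign data); .invalid is a reserved TLD.
SAMPLE_URLS = [
    "https://translate.googleusercontent.com/translate_c?sl=es&tl=en"
    "&u=https://secure-login-example.invalid/account/verify",
    "https://translate.google.com/translate?sl=auto&tl=en"
    "&u=https://translate.googleusercontent.com/translate_c?u=https://mail-reset.invalid/login",
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for link, host in hidden_hosts(SAMPLE_URLS).items():
        print(f"{host:35s} <- {link}")
```

Run over a mail gateway's extracted URLs, the mapping gives a reviewer the domain a recipient would actually land on, which is what the translate.google.com address bar conceals on a phone.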

Ransomware Sees Further Decline, Banking Trojan Use Steps Up

Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint. Its Q4 threat report found that banking trojans accounted

The Benefits of Correctly Deploying a PKI Solution

With new threats to data emerging every day, public key infrastructure (PKI) has become an increasingly larger part of enterprises’ information security and risk management strategies. Research has found that 43% of

Addressing UK Security Concerns in Huawei Products May Take 5 Years, Exec Says

Huawei’s been having a rough time recently. After the US, New Zealand and Australia prevented the telecom company from working on their 5G mobile networks for fear it would spy for the Chinese government, the European Commission expressed concern over potential backdoors that could threaten national security and lead to a ban. Then, Huawei’s CFO was arrested in Canada over alleged Iran sanctions violations.

Huawei may now face another blow: even though the company committed to invest some $2 billion to assuage UK government security concerns over issues with Huawei products, it may take the company years to get everything in place, writes The Guardian.

Ryan Ding, Huawei’s carrier business group president, said measures needed to ease the concerns, raised in a 2018 Huawei Cyber Security Evaluation Centre Oversight Board annual report mandated by the UK, constitute “a complicated and involved process and will take at least three to five years to see tangible results. We hope the UK government can understand this.”

“Modern communications networks are complex systems that keep evolving in new and innovative ways,” Ding wrote in a letter to UK MP Norman Lamb, the chairman of the House of Commons Science and Technology Committee. “Enhancing our software engineering capabilities is like replacing components on a high-speed train in motion.”

The report by the oversight board stated that a technical and security evaluation of Huawei products on the UK market revealed a number of issues “leading to new risks in the UK telecommunications networks.”

MI6 chief Alex Younger has also voiced his concern about integrating Chinese companies into the country’s telecom infrastructure.

“We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a very definite position,” Younger said.

Huawei further denied accusations of misappropriating data collected in the UK by handing it over to foreign intelligence agencies.

“Were Huawei ever to engage in malicious behavior, it would not go unnoticed – and it would certainly destroy our business,” Ding said. “For us, it is a matter of security or nothing; there is no third option. We choose to ensure security.”

Best Practices for Choosing Good Security Questions

Security questions can add an extra layer of certainty to your authentication process. Security questions are an alternative way of identifying your customers when they have forgotten their password, entered

Speak Up Malware Targets Linux, Mac in New Campaign

Linux servers are the target of a new crypto-mining campaign in which a malware dubbed “Speak Up” implants a backdoor Trojan by exploiting known vulnerabilities in six different Linux distributions, according

Phishing has become the root of most cyber-evil

Phishing has become the top cause of data breaches. But with employee education and the right tools, such breaches can be prevented. Companies spend a huge amount of time and billions

A Hacker's Take On Blockchain Security

One of the main selling points of blockchain, aside from the obvious decentralization, is the high level of security behind it. It's not uncommon to hear people claim that it is “unhackable.”

Execs Remain Weak Link in Cybersecurity Chain

Despite their high-ranking positions, senior executives are reportedly the weak link in the corporate cybersecurity chain, according to a new report from The Bunker, which finds that cyber-criminals often target this known

Can AI Become Our New Cybersecurity Sheriff?

Two hospitals in Ohio and West Virginia turned patients away due to a ransomware attack that led to a system failure. The hospitals could not process any emergency patient requests. Hence,

Healthcare Cybersecurity Preparedness Tops HHS Priority List

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices. As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task

Data security being left behind in digital transformation

Some companies looking to digitally transform are trying to run before walking, putting themselves and their customers at grave cybersecurity risk.

Most IT Pros Share and Reuse Passwords: Report

Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according

Web-Based Phishing Threats Pose New Risks to an Organization’s Security

By Atif Mustaq, Chief Executive Officer at SlashNext. Thanks to international coverage of large-scale attacks against enterprises and political campaigns, phishing has become a common fear within organizations of

Zero-day vulnerability in ‘Total Donations’ plugin could allow attackers to take over WordPress sites

The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations. The plugin’s code contains several design flaws that inherently expose

WordPress’ WSOD protection feature appears half-baked, garners security doubts

Experts suggest that WordPress’ new ‘White Screen Of Death (WSOD) Protection’ feature can be abused to block security plugins from functioning. The feature is expected to ship with WordPress 5.1

The Story of Manuel’s Java RAT

Over the last few weeks, Cybaze-Yoroi ZLab researchers identified infection attempts aimed at installing RAT malware, directed at the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant

New Ransomware strain ‘hAnt’ targets Bitcoin mining rigs

The infected mining rigs include Antminer S9 and T9 devices used for Bitcoin mining and Antminer L3 rigs used for Litecoin mining. Security experts noted that hAnt comes hidden inside

Unpatched Vulnerabilities Expose Businesses To Hackers

Are organizations keeping software up to date and maintaining security patches on a scheduled basis? The answer may shock you. According to Veracode’s latest research, most businesses will not patch critical security

Code vulnerabilities mean banks are leaving customers open to more outages

Outages at TSB and HSBC illustrate the problem: any bank attempting to simultaneously update and preserve its current IT infrastructure, without downtime or service disruption, faces a monumental task. Now, Veracode’s

Two Elasticsearch Databases Found Unprotected

After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database, this one belonging to AIESEC, a global, youth-run nonprofit.

What sets visionary businesses apart? Running multiple digital initiatives at scale

Organisations can take a giant leap by partnering within their ecosystems to gain access to complementary skills and resources. What does it take to succeed in digital transformation?

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Just in time… Some cybersecurity experts spent this week arguing on Twitter against using HTTPS for software distribution, suggesting that developers rely only on signature-based package verification, because APT on Linux does the same. Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a

New requirements for the secure design and development of modern payment software

The PCI Security Standards Council (PCI SSC) published new requirements for the secure design and development of modern payment software. The PCI Secure Software Standard and the PCI Secure Lifecycle (Secure SLC)

Mining malware evades agent-based cloud security solutions

Cloud infrastructures are a growing target for threat actors looking to mine cryptocurrency, as their vast computational power allows them to multiply the mining malware’s effect. Keeping its presence from being noticed

6 Best Practices For Increasing Security In AWS In A Zero Trust World

Enterprises are rapidly accelerating the pace at which they’re moving workloads to Amazon Web Services (AWS) for greater cost, scale and speed advantages. And while AWS leads all others as

Encryption is key to protecting information as it travels outside the network

A new Vera report reveals stark numbers behind the mounting toll of data breaches triggered by cybercrime and accidents. One of the most recognized and mandated security controls, installed encryption tools protect

SWAMP, the Software Assurance Marketplace

I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace- it is a great idea and a valuable resource.  The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment- and it is available to software developers, software tool developers, and researchers- for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of  open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python- with JavaScript and PHP in development.  SWAMP will support eight languages by the end of the year.  There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating- including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology, the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign.  In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real-world, it is not an academic exercise- this is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth.  Stay tuned for more on that.

Jack

Software Security – Hackable Even When It’s Secure

On a recent call, one of the smartest technical folks I can name said something that made me reach for a notepad, to take the idea down for further development later. He was talking about why some of the systems enterprises believe are secure really aren't, even if they've managed to avoid some of the key issues.

Let me explain this a little deeper, because this thought merits such a discussion.

Think about what you go through if you're testing a web application. I can speak to this type of activity since it was something I focused on for a significant portion of my professional career. Essentially the whole of the problem breaks down to being able to define what the word secure means. Many of the organizations I've watched stand up a software security program over the years build it on the OWASP Top 10. It's relatively easy to understand, it's fairly well maintained, and it's relatively easy to test software against. It's hard to argue against the notion that the OWASP Top 10 is the standard for determining whether a piece of software is secure or not.

Herein lies the problem. As many of you who do software security testing can testify, without at least a structured framework (aka a checklist) to test against, the testing process becomes never-ending. I don't know about you, but I've never had the luxury of taking all the time I needed; everything always needed to go live yesterday, and I or my team was always the speed bump on the way to production readiness. So we first settled on making sure none of the OWASP Top 10 were present in the software/applications we tested. Since this created an unreal number of bugs, we narrowed the scope down to just the OWASP Top 2. If we could eliminate injection and cross-site scripting the applications would be significantly more secure, and everything would be better.

Then another issue arose. After all that testing and box-checking, when we were fairly sure the application didn't have remote file includes, cross-site scripting (XSS), SQL injection or any of that other critical stuff, we allowed the app to go live and it quickly got hacked. The issue this caused for us was not only one of credibility, but also of confusion. How could the app not have any of those critical vulnerabilities but still get easily hacked?!

Now back to the issue at hand.

The fact is that even when you've managed to avoid all the common programming mistakes and well-known vulnerabilities, you can still produce a vulnerable application. Look at what eBay is going through right now. The fact is, even though there may not be any XSS or SQLi in their code, they still have issues allowing people to take over accounts. Why? Because there is more to securing an application than making sure there aren't any coding mistakes. Fully removing the OWASP Top 10 (good luck with that!) from all your code bases may make your applications safer than they are now, but it won't make them secure. And therein lies the problem.

When you hand your application over to someone who is going to test it for code issues like the OWASP Top 10, and only that, you're going to miss massive bugs that may still lurk in your code. Heartbleed anyone? Maybe there is a logic flaw in your code. Maybe there is a procedural mistake that allows for someone to bypass a critical security mechanism. Maybe you've forgotten to remove your QA testing user from your production code. Thing is, you may not actually know if you just test it for app security issues with traditional or even emerging tools. Static analysis? Nope. Dynamic analysis? Nope. Manual code review? Maybe.

The ugly truth is that unless you have someone who not only understands what the code should do under normal conditions - but also what it should never do, you will continue to have applications with security issues. This is why automated scanners fail. This is why static analysis tools fail. This is why penetration testers can still fail - unless they're thinking outside the code and thinking in terms of application functionality and performance.
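
As an added example (constructed for this page, not code from the original post), here is the kind of bug the two paragraphs above describe: a password-reset flow in which every step is free of injection and XSS, yet the server never checks that the account being changed is the one whose token was verified. The flow, the account names and the session dictionary are all assumptions made for the illustration; the two check functions are the negative and positive tests the text calls for, what the code must never do and what it must still do.

```python
import hmac
import secrets


class Account:
    """Minimal user record for the hypothetical reset flow."""

    def __init__(self, username, password):
        self.username = username
        self.password = password
        self.reset_token = None      # one-time token "e-mailed" to the owner


class VulnerableResetFlow:
    """Three-step password reset: request -> verify token -> set password.

    Every input is a plain string, nothing is rendered, nothing touches a
    database, so an OWASP Top 10 scan finds no injection and no XSS.  The
    flaw is procedural: step 2 records in the session only *that* some token
    was verified, and step 3 takes the target username from the request
    without checking that it is the account the token belonged to.
    """

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def request_reset(self, username):
        token = secrets.token_urlsafe(16)
        self.accounts[username].reset_token = token
        return token                                   # delivered out of band

    def verify_token(self, session, username, token):
        acct = self.accounts[username]
        if acct.reset_token and hmac.compare_digest(acct.reset_token, token):
            session["reset_verified"] = True           # BUG: not bound to username
            return True
        return False

    def set_password(self, session, username, new_password):
        if not session.get("reset_verified"):
            return False
        self.accounts[username].password = new_password   # BUG: trusts the request
        return True


class HardenedResetFlow(VulnerableResetFlow):
    """Same flow with the state machine enforced server-side."""

    def verify_token(self, session, username, token):
        acct = self.accounts[username]
        if acct.reset_token and hmac.compare_digest(acct.reset_token, token):
            acct.reset_token = None                    # single use
            session["reset_verified_for"] = username   # bind the verified identity
            return True
        return False

    def set_password(self, session, username, new_password):
        bound = session.pop("reset_verified_for", None)   # consumed on first use
        if bound is None or bound != username:
            return False                               # fail closed
        self.accounts[username].password = new_password
        return True


def takeover_succeeds(flow_cls):
    """Negative test: an attacker who owns 'mallory' must never be able to
    change 'alice's password.  Returns True if the takeover worked."""
    alice, mallory = Account("alice", "correct horse"), Account("mallory", "hunter2")
    flow = flow_cls([alice, mallory])
    session = {}                                       # attacker's own session
    token = flow.request_reset("mallory")              # legitimately obtained
    flow.verify_token(session, "mallory", token)       # attacker's own token
    flow.set_password(session, "alice", "pwned")       # username swapped in step 3
    return alice.password == "pwned"


def legitimate_reset_works(flow_cls):
    """Positive test: the real owner can still reset their own password."""
    alice = Account("alice", "correct horse")
    flow = flow_cls([alice])
    session = {}
    token = flow.request_reset("alice")
    ok = flow.verify_token(session, "alice", token) and \
        flow.set_password(session, "alice", "new pass")
    return ok and alice.password == "new pass"
```

No scanner rule fires on the vulnerable class because there is no sink to match; the bug only shows up when someone writes down what the flow must never permit and tries it, which is exactly the negative test above.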

The reality is that for those applications that simply can't easily fail - you not only need to get it tested by some brilliant security and development minds, but also by someone who understands that beautiful combination of software development, security, and application business processes and design. Someone who looks at your application and says: "You know what would be interesting?"...

In my mind this goes a long way toward explaining why there are so many failing software security programs out there in the enterprise. We seem to be checking all the right boxes, testing for all the right things, and still coming up short. Maybe it's because the structural integrity hasn't been validated by the demolitions expert.

Test your applications and software. Go beyond what everyone tells you to check and look deep into the business processes to understand how entire mechanisms can be abused or entirely bypassed. That's how we're going to get a step closer to having better, more safe and secure code.