Category Archives: Software

July 2020 Patch Tuesday forecast: Will the CVE trend continue?

Microsoft has averaged roughly 90 common vulnerabilities and exposures (CVE) fixes per month over the past five months. With everyone working from home and apparently focused on bug fixes, I expect this large CVE fixing trend to continue. Despite these record CVE numbers, the actual number of updates have been down; we haven’t seen Exchange or SQL Server updates in a while. The hot topic of conversation over the last two weeks has been the … More

The post July 2020 Patch Tuesday forecast: Will the CVE trend continue? appeared first on Help Net Security.

Microsoft adds OpenText’s information governance, secure collaboration at scale, and content management

Waterloo-based information management software company OpenText today announced that it is extending its content services technology for Microsoft Teams, enabling the use of its content services for information governance and control.  Addition of the information governance tools and systems to Teams will make available an expanded set of compliance, records management, and archiving options available…

Vulnerability disclosure program needed to ensure confidence in COVID apps, says expert

With Ontario still delaying the release of the beta version of the federal-endorsed COVID-19 exposure notification mobile app, an executive of a bug bounty platform warns that confidence in any app will depend on the ability of the public to analyze and report holes in the software.

“The big thing we’ve been advocating for is making sure at the very least there is a vulnerability disclosure program in place,” Casey Willis, CTO and founder of Bugcrowd, said in an interview. “Security researchers are interested in their own safety as probable users of this app,” he said, so for that reason alone, they want to be able to feedback any issues to app developers.

“That needs to be backed up with a fairly robust intake method and a robust ability to make changes and issue security fixes should they be necessary.”

He acknowledged that’s true for any application, but Willis believes it’s particularly important for COVID contact tracing/exposure notification apps because they are being developed quickly “and speed is the natural enemy of security.”

Vulnerability reporting will also help improve public confidence, he added, because they will see that bugs are being fixed.

The importance of issuing security updates was underscored in a recently-published study of security and privacy issues of 34 Android COVID-19 contact tracing applications by five university researchers (four from Australia) and a researcher from Australia’s national science research agency.

None of the apps were built around the decentralized Apple-Google framework on which the federally-endorsed app that Ontario is about to test is constructed upon. It doesn’t collect any location data, nor send any data to a centralized server. Most of the apps studied by these researchers used a centralized model. So does Alberta’s ABTraceTogether app, which uses code from Singapore’s TraceTogether app.

The researchers from about 70 per cent of the apps studied posed potential security risks either because they use cryptographic algorithms that are insecure or not part of best practice; or because they stored sensitive information in clear text that could be potentially read by attackers.

Over 60 per cent of apps posed vulnerabilities through what they called manifest weaknesses such as allowing permissions for backup which would result in the copying of potentially unencrypted application data. Three-quarters of the apps contained at least one tracker, potentially causing serious privacy data leakage.

“The results demonstrate that there is no solution that is able to protect users’ privacy against all of the attacks investigated,” the researchers concluded.

However, they also said that “generally, Bluetooth-based decentralized solutions that avoid direct location tracking outperform centralized systems” on privacy issues. Both the Alberta and Canadian apps use Bluetooth.

The study’s findings were reported to app developers May 23rd. Between then and the release of the study some app developers had responded. For example, all potential privacy leakage in apps from Singapore, Vietnam and Spain had been fixed. The trackers in the app from Malaysia had been removed. One U.S. app was been taken out of the Google Play store.

On the other hand, new vulnerabilities were found in updated apps in India and Spain.

The study suggests COVID-19 contact tracing and exposure notification apps inevitably come with security and privacy issues. Still, the researchers found that the majority of security patches are straightforward. For example, over 70 per cent of the studied apps use insecure hash functions such as SHA-1 and MD5 or store sensitive information in cleartext.

Solving privacy issues, the researchers admitted will be harder. “To the best of our knowledge, there are no solutions that can protect users’ privacy against all potential attacks.”

One key conclusion: “To ensure security and remove potential vulnerabilities, code should be released for public review.”

On June 18 Prime Minister Justin Trudeau announced a COVID-19 notification app developed by the government’s Canadian Digital Service, Ontario’s Digital Service and volunteers from online retail platform Shopify. Built on the Apple-Google framework the app is getting a security review from BlackBerry.

The app was supposed to be released in Ontario on July 2nd for beta testing. Asked this week why it hasn’t been launched an Ontario official referred to a statement that day from Premier Doug Ford, who said he’s ready to release the app but suggested Ottawa is holding back until it gets more provinces to agree to adopt it.

The official said when released the app will support most phones released in the last five years, including iPhone 6S or newer and Android phones running Android 6.0 or later. “We estimate that this includes at least 95 per cent of iPhones currently in use and over 85 per cent of Android devices.”

Attackers are bypassing F5 BIG-IP RCE mitigation – you might want to patch after all

Attackers are bypassing a mitigation for the BIG-IP TMUI RCE vulnerability (CVE-2020-5902) originally provided by F5 Networks, NCC Group’s Research and Intelligence Fusion Team has discovered. On CVE-2020-5902 (K52145254) @TeamAresSec reported publicly at 18:24 the mitigation could be bypassed, we saw it used in the wild at 12:39 for the first time – upgrade don't mitigate – https://t.co/sSr4JIZwu3 pic.twitter.com/PMfG0rCpyQ — NCC Group Infosec (@NCCGroupInfosec) July 7, 2020 “Early data made available to us, as of … More

The post Attackers are bypassing F5 BIG-IP RCE mitigation – you might want to patch after all appeared first on Help Net Security.

Attackers are breaching F5 BIG-IP devices, check whether you’ve been hit

Attackers are actively trying to exploit CVE-2020-5902, a critical vulnerability affecting F5 Networks‘ BIG-IP multi-purpose networking devices, to install coin-miners, IoT malware, or to scrape administrator credentials from the hacked devices. About CVE-2020-5902 CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (aka Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s biggest companies. It was unearthed along with CVE-2020-5903, a less critical XSS vulnerability that … More

The post Attackers are breaching F5 BIG-IP devices, check whether you’ve been hit appeared first on Help Net Security.

Cybersecurity software sales and training in a no-touch world

The pandemic has led to an outbreak of cybercriminal activity focused on remote workers and enterprises that needed to quickly migrate to the cloud to maintain business continuity. More than 3,100 phishing and counterfeit websites were created each day in January. By March, that figure exceeded 8,300. Communication and collaboration phishing sites also grew by 50% from January to March. For enterprises caught off guard, security vulnerabilities were further exposed and the need to protect … More

The post Cybersecurity software sales and training in a no-touch world appeared first on Help Net Security.

Difficulty scaling software development? Time to master scaling

Software development success unleashes an insatiable demand for more complex software to be developed even faster and preferably cheaper. Completing more ambitious software goals requires scaling up software development. At the recent Collision from Home virtual conference, Stephen Deasy, the Head of Engineering at Atlassian, explored the issues that affect scaling software development. Atlassian is…

Google scoops up North’s Focals smart glasses

Google has officially completed the acquisition of North, a Canadian company renowned for its fashionable smart glasses.

With the acquisition, North’s development team joins Google to develop its future projects. North says its team will be staying in Waterloo, Ontario.

North, the Waterloo-based company founded by Stephen Lake, Matthew Bailey and Aaron Grant, originally started as Thalmic Labs that created the Myo armband. Following its first venture, Thalmic Labs relaunched as North in October 2018, with the Focals smart glasses as its key product.

Focals had three main features that catered to the masses. Instead of unsightly modules protruding from the glass frame, Focals functional components are tucked away inside the frame’s legs. Second, its design closely matched a regular pair of glasses. Finally, at CA$1,299, it’s relatively affordable and can be tested and purchased from North’s Toronto or New York showrooms. In addition, The company also announced in 2018 that Focals would come with prescription lenses in 2019 for around US$200 (around CA$270) extra.

The idea of fashionable, functional, and widely-available smartglasses received broad media coverage and attention from both consumers and the government. In November 2018, North was given a 24 million investment from the Canadian government. 

But public interest in Focals waned in the subsequent months after its initial launch. In February 2019, North slashed Focals cost by CA$500, dropping it from $1299 to $799. In a statement to The Verge, North reassured the publication that the price cut wasn’t due to poor sales. In the same month, The Canadian government retracted its funding offer and demanded North pay back the CA$7 million it had already received.

Whilst the company didn’t overtly exhibit signs of decline–even announcing the second-generation Focals in December 2019–the Globe and Mail reported that North had been suffering from poor sales prior to its acquisition by Google. North’s showroom staff told the Globe that the company would go for days without a sale. Another source informed the Globe that it’s unlikely that North has sold less than 1,000 pairs of Focals since launch, many of them given to influencers and press.

It’s unclear what Google’s plans on doing with Focals, but the acquisition is definitely pertinent given its company’s aptitude for smart glasses.

A Boxcryptor audit shows no critical weaknesses in the software

More and more companies, self-employed and private customers are using Boxcryptor to protect sensitive data – primarily in the cloud. Boxcryptor ensures that nobody but authorized persons have access to the data. Cloud providers and their staff, as well as potential hackers are reliably excluded. The audit verified whether this protection is guaranteed. During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation. “All these … More

The post A Boxcryptor audit shows no critical weaknesses in the software appeared first on Help Net Security.

New vulnerabilities in open source packages down 20% compared to last year

New vulnerabilities in open source packages were down 20% compared to last year suggesting security of open source packages and containers are heading in a positive direction, according to Snyk. Well known vulnerabilities, such as cross-site scripting, continue to be reported but aren’t impacting as many projects as they have in previous years. This is further encouraged as organizations start to drive a culture shift that embodies open source and container security as a core … More

The post New vulnerabilities in open source packages down 20% compared to last year appeared first on Help Net Security.

AWS announces a no-code mobile and web app builder

Amazon Web Services (AWS) has launched a no-code mobile and web app development tool Amazon Honeycode. A fully managed service, Amazon Honeycode is a visual application builder that can be used by customers to create applications backed by an AWS-built database, which the company says allows customers to easily filter, sort, and link data together…

Fixing all vulnerabilities is unrealistic, you need to zero in on what matters

As technology constantly advances, software development teams are bombarded with security alerts at an increasing rate. This has made it nearly impossible to remediate every vulnerability, rendering the ability to properly prioritize remediation all the more critical, according to WhiteSource and CYR3CON. This research examines the most common methods software development teams use to prioritize software vulnerabilities for remediation, and compares those practices to data gathered from the discussions of hacker communities, including the dark … More

The post Fixing all vulnerabilities is unrealistic, you need to zero in on what matters appeared first on Help Net Security.

Need technology help to maintain social distancing?

Social distancing is a new phrase that’s entered our vocabulary in the era of the COVID-19 pandemic. It’s become important to flattening the curve of COVID-19 infections and exiting the lockdown. How can organizations encourage or even enforce social distancing? Having assigned staff run around your offices, stores, warehouses, and manufacturing facilities admonishing employees, customers,…

How to secure software in a DevOps world

The COVID-19 pandemic and its impact on the world has made a growing number of people realize how many of our everyday activities depend on software. We increasingly work, educate ourselves, play, communicate with others, consume entertainment, go shopping and do many other things in the digital world, and we depend on software and online services/apps to make that possible. Software is now everywhere and embedded within just about everything we touch. The pandemic has … More

The post How to secure software in a DevOps world appeared first on Help Net Security.

Keep remote workers and their devices secure with one click

In this interview for Help Net Security, Shailesh Athalye, VP Compliance at Qualys, discusses cloud-based Remote Endpoint Protection and illustrates how security teams can leverage its numerous features. Qualys recently added malware detection to its cloud-based Remote Endpoint Protection offering. How does it work? As you know because of the recent surge in the remote workforce, the security of the remote hosts is on top of the mind for the security teams. It became immediately … More

The post Keep remote workers and their devices secure with one click appeared first on Help Net Security.

End-to-end encryption will be offered to all Zoom users

Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well. The decision was reached after much public outcry by privacy-minded users and privacy advocates. As famed cryptographer and privacy specialist Bruce Schneier noted, “we are learning – in so many areas – the power of continued public pressure to change corporate behavior.” Zoom does an about-face on … More

The post End-to-end encryption will be offered to all Zoom users appeared first on Help Net Security.

2019 was a record year for OSS vulnerabilities

Total vulnerabilities in OSS more than doubled in 2019 from 421 Common Vulnerabilities and Exposures (CVEs) in 2018 to 968 last year, according to the RiskSense report. Top 10 weaponized CWEs The study also revealed that it takes a very long time for OSS vulnerabilities to be added to the National Vulnerability Database (NVD), averaging 54 days between public disclosure and inclusion in the NVD. This delay can cause organizations to remain exposed to serious … More

The post 2019 was a record year for OSS vulnerabilities appeared first on Help Net Security.

Slack and Amazon link arms to fight against Microsoft Teams

Slack and Amazon announced a new partnership last Friday to try and improve their chances of winning the war for enterprise communication supremacy.

The partnership sees Amazon deploying Slack as its internal communication tool across the company. In addition, Slack has migrated its voice and video call functions over to the infrastructure of Amazon Chime, Amazon’s communication service.

By migrating its video and calling features to Amazon’s infrastructure, Slack can eliminate the cost of maintaining them in its systems. In addition, Slack integrates Amazon’s cryptographic key management and AWS chatbot functionalities.

In an interview with CNBC, Matt Garman, vice-president of sales and marketing at Amazon, attributed Slack’s rich experience and higher functionality as the reasons for adopting Slack for Amazon’s internal teams.

Slack, which has been running on AWS since 2015, saw its usage rise sharply during the pandemic. The Verge reported that on March 10, Slack’s concurrent user count exceeded 10 million, and reached 12.5 million on March 25. The company has yet to update its daily updated user count since October 2019.

It’s no mystery that the new partnership is a direct attack against Microsoft Teams, which has been gaining traction since its release in 2017, three years after Slack launched. In March 2020, Microsoft recorded 44 million active users on its chat platform. At the end of last month, the number increased to 75 million.

Slack will continue to choose AWS as its preferred cloud provider, according to the press release.

OPTIMUSCLOUD: Cost and performance efficiency for cloud-hosted databases

A Purdue University data science and machine learning innovator wants to help organizations and users get the most for their money when it comes to cloud-based databases. Her same technology may help self-driving vehicles operate more safely on the road when latency is the primary concern. Somali Chaterji, a Purdue assistant professor of agricultural and biological engineering who directs the Innovatory for Cells and Neural Machines [ICAN], and her team created a technology called OPTIMUSCLOUD. … More

The post OPTIMUSCLOUD: Cost and performance efficiency for cloud-hosted databases appeared first on Help Net Security.

Despite investing in DevOps tools and practices, teams still encounter customer-impacting errors

An overwhelming majority of organizations prioritize software quality over speed, yet still experience customer-impacting issues regularly, according to OverOps. The report, based on a survey of over 600 software development and delivery professionals, revealed that the current level of DevOps investment is not sufficient for ensuring software reliability. This year’s plans to invest in new tools like automated code analysis could be the key to solving this challenge. “The move to DevOps and the increasing … More

The post Despite investing in DevOps tools and practices, teams still encounter customer-impacting errors appeared first on Help Net Security.

Zoom to offer end-to-end encryption only to paying customers

As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option. “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday. Zoom encryption and … More

The post Zoom to offer end-to-end encryption only to paying customers appeared first on Help Net Security.

Cooking up secure code: A foolproof recipe for open source

The use of open source code in modern software has become nearly ubiquitous. It makes perfect sense: facing ever-increasing pressures to accelerate the rate at which new applications are delivered, developers value the ready-made aspect of open source components which they can plug in where needed, rather than building a feature from the ground up. Indeed, this practice has become so common that today the average application is composed mostly of open source libraries, with … More

The post Cooking up secure code: A foolproof recipe for open source appeared first on Help Net Security.

Agile security helps software teams deliver quicker and better software

Agile adoption improves key capabilities needed to respond to current business challenges, especially those resulting from the pandemic, according to Digital.ai. With 60 percent of survey respondents saying Agile has helped increase speed to market, 41 percent agreeing they are better able to manage distributed teams, and 58 percent saying they have improved team productivity it is clear these practices are invaluable during these challenging times. “Our all-in move to the cloud in recent years … More

The post Agile security helps software teams deliver quicker and better software appeared first on Help Net Security.

Microsoft Reunion makes Windows devwork a little easier

At the Build 2020 conference, Microsoft announced Project Reunion, rolling its Windows desktop API and the universal windows platform (UWP) into a single package.

In its developer blog post, Microsoft defined four focus areas for app development in the coming years:

  • Unify app development across the billion Windows 10 devices for all current and future apps;
  • Leaning into the cloud and enabling new scenarios for Windows apps;
  • Creating new opportunities for developers to build connected apps using Microsoft 365 integration in the Windows experience; and
  • Making Windows great for developer productivity.

Project Reunion plays into the first point. It combines desktop app libraries and UWP libraries, given them the ability to communicate and control elements within each other. This unification enables developers to more easily create apps with better interoperability across device types. In addition, it lets developers update existing applications with new functions.

Microsoft introduced the Universal Windows Platform (UWP) in 2016 to attract developers to the then-barren Windows Store. The main goal back then was to provide a common app platform on every device that runs Windows 10. To achieve this goal, Microsoft introduced a common UWP core API that’s identical with Windows 10 devices like desktop, Xbox, IoT, and so on. Cross API compatibility is achieved through API bridges that translate UWP API calls to apps built on Android and iOS.

Win32, on the other hand, is a Windows API that exposes Windows components –Windows shell, user interface, network services and so forth–to the developer. Nearly all Windows desktop applications use Win32 to some extent.

In recent years, Microsoft has been working to add UWP into platforms that were previously incompatible. That effort eventually led to Project Reunion, finally melding the two together into a decoupled API that can be acquired through platform-agnostic package managers like NuGet.

How secure are open source libraries?

Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, a Veracode research reveals. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code. According to Chris Eng, Chief Research Officer at Veracode, “Open source software … More

The post How secure are open source libraries? appeared first on Help Net Security.

COVID-19 accelerates telehealth adoption

The meteoric growth in telehealth adoption during the COVID-19 pandemic is a case study in how a crisis can trigger overcoming barriers to the adoption of technology and process improvements. The issues and solutions are applicable to most information technology implementation projects. Telehealth is the use of information and communications technology to deliver health care…

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of it’s popular Chrome web browser, which includes new security and privacy features and fixes for security issues. Chrome 83: New and improved security and privacy features The enhanced Safe Browsing mode will allow users to get a more personalized protection against malicious sites. “Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained. “Turning on Enhanced Safe Browsing will … More

The post Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check appeared first on Help Net Security.

New software enables existing sensors to detect ransomware

Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage. Ransomware is crippling cities and businesses all over the world, and the number of ransomware attacks have increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release sensitive data if ransom isn’t paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last … More

The post New software enables existing sensors to detect ransomware appeared first on Help Net Security.

I’m still on Windows 7 – what should I do?

Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves

I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy

Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?

Continue reading...