Introducing Checkmarx Software Composition Analysis (CxSCA)

Need-to-Know AppSec News Stories, April 2016

We’re starting something new today: An AppSec news story roundup that you can either read or watch via our Whiteboard Roundup below! We look forward to helping our readers stay up-to-date with all they need to know about AppSec – so please let us know what you think below and if we’ve missed any good security stories. 

Whiteboard Roundup for April: All the Top AppSec News in April in Under 5 Minutes

‘Hacking Your Phone’


A 60 Minutes piece on mobile hacking has brought light to a little-known global network used by phone carriers around the world – and the many serious security issues connected to it. The gist is that the protocol allows anyone (or at least knowledgeable hackers) to eavesdrop on and monitor the movements of someone – using nothing more than their cell number. Scary, indeed.


The report, which aired Sunday night, centered on the Signalling System No. 7 – or  SS7 for short. It’s a network protocol at the heart of the mobile network system – and it’s got a vulnerability that allows hackers (both the white-hat and black-hat varieties) to track a cell phone’s use just by knowing the victim’s number.  


The big deal behind the issues highlighted in the 60 Minutes piece is that every cellular network and mobile device can be affected by vulnerabilities in the SS7 protocol, so nobody is safe from being hacked. It’s up to the mobile carriers to secure the network, and while some carriers appear to have more security protocols in place, all carriers can get hacked.


The second half of the program focused on another major mobile security issue: Spoofing Wi-Fi. Lookout Mobile Security founder John Hering hacked the iPhone of Sharyn Alfonsi, the shows’ host – by spoofing a public hotel Wi-Fi network. The hack allowed Herring and his team to track Sharyn Alfonsi’s whereabouts, listen to her calls, and after tricking her into downloading malware on her iPhone, they could even watch her through her phone camera.


Dig Deeper:


Fallout from the Panama Papers

Since the release of the Panama Papers on April 3rd, the fallout from the trove of documents has been pretty massive, with twelve former and current heads of state having been implicated in scandals. In addition, hundreds of other celebrities and politicians have had their offshore activities brought to light.


But the real story for the AppSec is how an organization with as many high-profile clients – and the sensitive financial and corporate secrets they were using the company to keep – could have had such poor security as was discovered in the case of Mossack Fonseca, the law firm at the center of the Panama Papers Scandal.


While the cause of the breach is still undetermined, initial investigations uncovered old, out of date platforms and applications that could have easily been the source of the breach. The Drupal CMS running the firm’s’ client-side portal hadn’t been updated for over three years and included a deadly SQL injection that would have allowed anyone to execute commands remotely. In addition, their webmail system was 6 years out of date, didn’t encrypt their emails and their backend was vulnerable to the DROWN attack. Their main WordPress site hadn’t been updated in three months, either.


The irony of the whole story is that if only Mossack Fonseca had used the kind of secure, encrypted communications the journalists working on the Panama Papers and the whistle-blower used, along with keeping their systems and platforms up to date, the chances of such a huge leak would have been made much more difficult.


Dig Deeper:


U.S. Government ‘Worse Than All Major Industries’ on Cybersecurity


A scathing report was released this week, giving various U.S. Government agencies poor grades on their cybersecurity effectiveness. The analysis, released by SecurityScorecard, measured various industries in terms of their cyber security health across ten categories, from social engineering and vulnerabilities to network security and exposure of passwords. U.S. Government agencies were found to be especially lacking in network security and software patches.


The Office of Personnel Management data breach, discovered in June of last year, saw nearly 22 million records of government employees leaked, with others believing the hack also exposed highly sensitive documents. The records included full names, addresses, social security numbers and most likely confidential security-clearance background info, as well. The OPM hack put the U.S. Government in the spotlight in terms of increasing their cybersecurity defenses. Yet it appears there’s still a long way to go.


Dig Deeper:


Apple OS Messages App Fixed Bug That Allowed XSS Attacks to Steal Message Contents


An application layer-bug that was fixed by apple in March would have allowed remote disclosure of the contents and attachments contained within the Messages for OS X application.


The attack could have allowed a simple JavaScript URI that, when clicked, would initiate an XSS attack, allowing the attacker to feed all message content to a remote server. All the victim would need to do is click the malicious URL/URI sent by the attacker. If the victim also had SMS forwarding enabled, the attacker would also be able to see the messages sent and received by the victim’s phone, as well.


The takeaway for security folks here is that JavaScript remains a very misunderstood language in terms of how it interacts with client-side content and the security implications associated with it.


Dig Deeper:


WordPress opens up SSL availability for all


With nearly 27% of all content management systems running on WordPress, security is a major concern. And while many security vulnerabilities on WordPress sites can be traced back to vulnerable or out-of-date plugins, there are plenty of security issues that continue to plague the CMS itself. HTTPS has been supported on sub-domains for the last two years, but custom domains still needed to purchase and install the certificates themselves – if they even knew to do it.


Now, custom domains will automatically be fitted with an SSL certificate, and HTTPS will be activated by WordPress in the coming days. WordPress parent company Automattic systems engineer Barry Abrahamson announced on the WordPress blog that the SSL certificates will be given by the Let’s Encrypt Initiative. The project of adding SSL certificates to each WordPress hosted site began in January. Soon, all WordPress CMS owners will be able to see the green icon in their site’s address bar!


Dig Deeper:


Open Source Vulnerability Database shut down permanently

The Open-Sourced Vulnerability Database or the OSVDB, a project dedicated to providing information on the biggest security flaws, was shut down last week after years of issues between the site founders, owner and security vendors.


The database was created in response to Symantec acquiring the company that ran the famous Bugtraq database. In an interview with Network World, OSVDB co-founder HD Moore (@hdmoore), said “the irony is that Bugtraq under Symantec has now outlived OSVDB.”


Since many organizations reference OSVDB vulnerabilities, some of which have no identifier besides the one created by the OSVDB, businesses are left in the dark for now as to when a replacement for OSVDB will emerge – if ever.


Dig Deeper:


Apple Quicktime for Windows Discontinues Support, Uninstall ASAP


US-CERT announced this week that Apple is reportedly ending support for Quicktime on the Microsoft Windows platform. The announcement follows a report from Trend Micro that two new security vulnerabilities found in the Quicktime platform will most likely not be fixed in upcoming versions. Any Window user with Apple Quicktime on their computers is advised to uninstall as soon as possible.


Dig Deeper:

Don’t use URL Shorteners to share your sensitive documents


Last week, researchers at Cornell released a report detailing their findings – that the URL shortening services offered by Microsoft, Google and are susceptible to brute force attacks that can uncover documents that are supposed to be private. The random six-letter characters can be parsed to determine the original URL of sensitive documents that were shared with the shortened URLs, enabling hackers to get their hands on information they weren’t supposed to be able to get. Convenience over security at it’s best.


The attack would even allow malicious actors to upload malware to the cloud drives they’ve accessed, meaning that the next time one of the original owners visits the URL they can be forced into downloading malware, and maybe not even know it.


Google took immediate action by lengthening the shortened URLs from six characters to 11 or 12 for sharing documents. Microsoft initially denied the issue and then later removed the URL shortener, though all the OneDrive document links created before then are still vulnerable.


Dig Deeper:


Samsung Galaxy USB Hacks Continue to Pop-Up

For Android, the story of the week is that many Samsung Galaxy devices were found vulnerable to hacking via USB. USB attacks have been around for years – see USB Rubber Ducky and BadUSB attacks for previous USB vulnerabilities – but the problem persists. In the newest USB attack, discovered by Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick) older models of Samsung can be plugged into a Linux host via USB to connect to the modem. Once connection occurs, the device can then be hacked into making calls and sending messages, without the victim’s knowledge, even when the phone is locked.


Dig Deeper:


Nothing Found on Syed Farook’s iPhone

The FBI is getting significant pushback after nothing significant was found on the iPhone owned by Syed Farook, one of the San Bernadino terrorists. Following a heated legal battle between the FBI and Apple and a worldwide debate on how many , the FBI eventually hired hackers to break into the terrorists phone.


While they’re saying the investigation is still ongoing, it’s become obvious to many that the investigation was fruitless, as an investigation like this wouldn’t take more than a few days at most. Now, security and privacy experts are accusing the FBI of using the incident to set a precedent for requiring tech companies to comply with similar requests. The fact that Apple didn’t bend to the FBI’s demands hopefully set a precedent against those kinds of requests.


But if the government can get hackers for hire to help them in such situations, willful participation from the tech companies will be of little help for incidents like this in the future.


Dig Deeper:



Jump to Category