In the News

The rise of IoT and the associated security risks

7 Jul 2016 | By Amit Ashbel

The proliferation of IoT devices in the workplace presents a huge security risk and if new research from ForeScout Technologies is anything to go by, organisations are ill-prepared to deal with this rise and the associated threat. Even worse, by the time some of the IoT devices reach businesses, they are already vulnerable due to the lack of industry regulations and current approach to development. In order to stem the security issues with IoT applications and devices, there needs to be a step change in the development process. It has simply never been more important that these devices and platforms be developed securely in the first instance.

Businesses are not ready to secure IoT

There is no doubt that IoT is on the rise; Gartner has estimated that there will be 6.4 billion connected things globally by the end of this year and projects that figure to reach 21 billion by 2020. So for every ten IoT devices today, there will be approximately thirty in just four years' time. But the poll from ForeScout clearly suggests that businesses are not prepared to deal with these devices, with 85 per cent of the 350 IT professionals surveyed saying that they weren’t sure if they could detect an IoT device as soon as it connects to the network. Of course, as soon as an infected device connects to the network, the security of the entire network is compromised.
Continue reading this article on ITProPortal.com


How To Stay Protected In A World Of Non-Stop Malware Threats

5 Jul 2016 | By Naomi Webb

Every day, almost one million malware threats are introduced in the ceaseless jungle that is the internet. And yet, software developers, security experts, and IT administrators are expected to stay up-to-date with these latest threats to ensure that network environments and software applications are secured against them. Sure thing, you might think. I’ll get to today’s million malware threats right after I finish counting raindrops. We’re here to offer our assistance by going through a few of the most common malware threats that organisations face today.

Malware threats continue to plague the internet and they aren’t going to stop. The right breach can bank an attacker millions in dark market money, so it’s financially beneficial for an attacker to create new and unexpected threats and use them to attack critical applications. While you’re never going to be able to keep up with every emerging threat, you do need to stay informed on the ones that become common. One way to do so is by checking out repositories such as Checkmarx’s vulnerability knowledge base. Another way is to read up on the five types of vulnerabilities that can be exploited by malware listed below.

Continue reading this article on Lifehacker Australia


7 Mobile App Dev Vulnerabilities That Can Cost You an Arm and a Leg

4 Jul 2016 | By Darryl K. Taft

Shark Week is upon us and making swimmers think twice before jumping in the ocean. The chances that a shark might attack are slim, but hidden dangers are always lurking beneath the waves. Similarly, most of us are relaxed by our trust that the powerful mobile OSes will keep attackers far from our personal data. After all, Apple built iOS with security in mind, and Google is synonymous with security, isn't it? Yes and no.

While our mobile devices are shipped with built-in protection, the shields securing our personal data are only as strong as the weakest links in the apps we use. These weak links are vulnerabilities that increasingly are similar to the threats faced by Web apps as more mobile apps are communicating with external servers over which mobile OSes have no control. We're swimming among vulnerabilities and cyber-criminals. And given how much personal data we store on our devices, it's important to be informed of the risks of not practicing secure mobile app development. Otherwise, the consequences could sink brand equity and revenue, costing your company an arm and a leg. Working with app security testing vendor Checkmarx, eWEEK created a list of vulnerabilities to help keep you on the alert.

Continue reading this article on eWeek.com


Necessity is the mother of the ‘Rugged DevOps’ movement

30 Jun 2016 | By Alexandra Weber Morales

No matter how good your perimeter security is, experts agree: Your system has been breached, whether you know it or not. The costs of security flaws—cybersecurity expert Joe Franscella calls them “The Five Horsemen of the Internet Apocalypse: Scam, Extortion, Embarrassment, Theft and Death”—are enormous. So why don’t we consider security a first-class citizen in DevOps?

What’s holding us back is cultural, but it’s also technical. “Part of the problem is that most security tools are too slow to work in a Continuous Integration model,” said Guckenheimer. “Checkmarx is probably the tool that’s cracked that first. Ideally, you want to be able to have your code scanned as part of the pull request in the Continuous Integration flow, and that’s just not practical with most tools that exist.

Continue reading this article on SDTimes.com.


June 2016: The month in hacks and breaches

30 Jun 2016 | By CSO Staff

News hit over Memorial Day weekend of a massive breach of the social network Myspace. Usernames and passwords of 360 past and present users were stolen. This may end up being the largest data breach of all time, according to Sophos researchers.

At mid-month, the GoToMyPC hack reminded us that old data breaches will continue to rear their ugly heads. This hack was one of several that can be blamed on the 2012 LinkedIn hack, says CSO's Steve Ragan. "The organizations that have been targeted operate in the manufacturing industry, retail industry, and a number of other verticals," Ragan said. "The common thread in each case is the LinkedIn list, generic password policies, a lack of two-factor authentication, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer."

The following infographic from application security provider Checkmarx offers a timeline view of some of this month's notable hacks and breaches:

Check out the infographic and continue reading on CIO.com


Leakedsource.com finds 45M leaked VerticalScope user records

15 Jun 2016 | By Doug Olenick

The outdoor and sports-centric website aggregator VerticalScope was hacked according to an industry watchdog with about 45 million records from more than 1,100 websites being taken and posted to the internet.

The compromised data was found by Leakedsource in February 2016 with the records discovered containing information such as email address, username, IP address and one or two passwords. Leakedsource.com is a search engine that scours a number of online sources looking for stolen or leaked records.

Giving website visitors more information regarding exactly what level of security is being used to protect their information was suggested by Amit Ashbel, cyber security evangelist at Checkmarx.

“Following the basic OWASP top 10 guidelines would have prevented a lot of headaches for both users and VerticalScope by making sure that the stolen data has much less value. Maybe it's time that websites are forced to indicate what security standards they follow to protect their user's data,” he said.

Continue reading the article on SCMagazine.com.


45 Million Potentially Impacted by VerticalScope Hack

15 Jun 2016 | By SecurityWeek News

VerticalScope, which hosts 1,100 websites and forums, was hacked earlier this year, with the details of around 45 million users later leaked online.

Some of the most popular online communities hosted by VerticalScope include Techsupportforum.com, MobileCampsites.com, Pbnation.com, and Motorcycle.com, all of which were impacted by the data leak. Apparently, the data was stolen during a breach in February this year, according to paid search engine LeakedSource, which broke the news on the incident.

Amit Ashbel, Cyber Security Evangelist at Checkmarx, told SecurityWeek that, regardless of how hackers managed to perform their attack, VerticalScope is to be held responsible if user passwords are cracked, mainly because they should have stored them as securely as possible.

“No matter how the attack was executed and how many layers of protection were implemented, VerticalScope, like others before them, are accountable for the simple fact that they did not comply with the most basic standard of using sophisticated encryption techniques to avoid decryption of passwords which were stolen. The passwords were hashed using MD5 which anyone (yes anyone) could revert to plain text within minutes,” Ashbel says.

“Following the basic OWASP top 10 guidelines would have prevented a lot of headaches for both users and VerticalScope by making sure that the stolen data has much less value. Maybe it’s time that websites are forced to indicate what security standards they follow to protect their user’s data.”

Continue reading on SecurityWeek.com


The Beginners Guide To Application Security, AKA The Beginners Guide To Hacking

9 Jun 2016 | By Ben Campbell

For software developers who quite understandably detest hackers, it probably doesn’t seem natural or appealing to think like a hacker in order to build better applications. But does the FBI not have to think like criminals in order to protect financial institutions? Does the DEA not have to think like meth manufacturers in order to locate those chemical-filled trailers? Do mothers not have to think like sugar-hungry sons in order to successfully hide a bag of chocolate chips in the vegetable crisper?

Continue reading this article at Business Computing World


Millions of Twitter Credentials Up for Sale for Less Than a Cent Each

9 Jun 2016 | By Tara Seals

A hacker, who has links to the recent MySpace, LinkedIn and Tumblr data breaches, is claiming another trophy: Millions upon millions of Twitter accounts.

The Russian hacker, going by the handle Tessa88, is selling a cache of 32 million records for 10 Bitcoin on the Dark Web. It’s another example of how little account credentials are going for these days: 10 Bitcoin is the equivalent of around $5,820, which works out to less than a cent each.

Amit Ashbel, director of product marketing and cybersecurity evangelist at Checkmarx, told us that the fact that this is a new leak of an old steal isn’t surprising.

"I would start by stressing that this is regular practice by criminals,” he said. “Once they manage a large hack they will always save something for a rainy day. The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder.”

Read the original article at InfoSecurity Magazine


OWASP Top 10 & Open Source Code: Why Watching Your Back Means Watching Everyone Else’s

6 Jun 2016 | By Admin

At times, being a developer can feel a little bit like being back in school and getting partnered up on projects. You would work your butt off, fastidiously checking and rechecking your part of the assignment until you’re sure it’s perfect only to show up at school on Monday and find that your partner hasn’t fulfilled his end of the deal. And there goes the project.

The open source components you can tap into as a developer are, for the most part, wonderful things. But while you’ve doubtlessly spent endless hours checking the security of your own code, you’re often put in a position where you have to trust that all of that third party code was checked as closely as yours was. Sometimes, those open source components that saved you all kinds of time and trouble may have glaring security issues. The good news is, there is a solution.

Continue reading this article on IT Briefcase
