In the News

Leakedsource.com finds 45M leaked VerticalScope user records

15 Jun 2016 | By Doug Olenick

According to an industry watchdog, the outdoor and sports-centric website aggregator VerticalScope was hacked, with about 45 million records from more than 1,100 websites taken and posted to the internet.

Leakedsource found the compromised data in February 2016; the records contain information such as email address, username, IP address and one or two passwords. Leakedsource.com is a search engine that scours a number of online sources for stolen or leaked records.

Giving website visitors more information regarding exactly what level of security is being used to protect their information was suggested by Amit Ashbel, cyber security evangelist at Checkmarx.

“Following the basic OWASP top 10 guidelines would have prevented a lot of headaches for both users and VerticalScope by making sure that the stolen data has much less value. Maybe it’s time that websites are forced to indicate what security standards they follow to protect their user’s data,” he said.

Continue reading the article on SCMagazine.com.


45 Million Potentially Impacted by VerticalScope Hack

15 Jun 2016 | By SecurityWeek News

VerticalScope, which hosts 1,100 websites and forums, was hacked earlier this year, with the details of around 45 million users later leaked online.

Some of the most popular online communities hosted by VerticalScope include Techsupportforum.com, MobileCampsites.com, Pbnation.com, and Motorcycle.com, all of which were affected by the data leak. Apparently, the data was stolen during a breach in February this year, according to paid search engine LeakedSource, which broke the news on the incident.

Amit Ashbel, Cyber Security Evangelist at Checkmarx, told SecurityWeek that, regardless of how hackers managed to perform their attack, VerticalScope is to be held responsible if user passwords are cracked, mainly because they should have stored them as securely as possible.

“No matter how the attack was executed and how many layers of protection were implemented, VerticalScope, like others before them, are accountable for the simple fact that they did not comply with the most basic standard of using sophisticated encryption techniques to avoid decryption of passwords which were stolen. The passwords were hashed using MD5 which anyone (yes anyone) could revert to plain text within minutes,” Ashbel says.

“Following the basic OWASP top 10 guidelines would have prevented a lot of headaches for both users and VerticalScope by making sure that the stolen data has much less value. Maybe it’s time that websites are forced to indicate what security standards they follow to protect their user’s data.”

Continue reading on SecurityWeek.com
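The MD5 point in Ashbel’s quote is easy to show in code. The following is an added example written for this page, not code from the SecurityWeek article or from Checkmarx; it uses Python’s standard hashlib and hmac modules, and the account names, passwords and the three-entry word list are constructed. It contrasts an unsalted MD5 digest, which is identical for every user who picks the same password and can be matched against a table computed once in advance, with a salted, iterated PBKDF2-HMAC-SHA256 record, where the per-user salt makes a shared table useless and the iteration count makes every guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (not from the article). Two users chose the
# same password, which is exactly the case that exposes unsalted hashing.
ACCOUNTS = [("alice", "sunshine"), ("bob", "sunshine"), ("carol", "correct horse")]

# Constructed three-word list standing in for the large tables attackers keep.
COMMON_WORDS = ["123456", "password", "sunshine"]


def md5_record(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as algo$iters$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_schemes() -> dict:
    """Return the observations a reviewer would make about each storage scheme."""
    md5_by_user = {name: md5_record(pw) for name, pw in ACCOUNTS}
    pbkdf2_by_user = {name: pbkdf2_record(pw) for name, pw in ACCOUNTS}

    # A table computed once from the word list maps every unsalted MD5 digest
    # straight back to its password, for every user in every breach.
    precomputed = {md5_record(w): w for w in COMMON_WORDS}

    return {
        # Same password, same digest: one table entry covers both users.
        "md5_same_for_same_password": md5_by_user["alice"] == md5_by_user["bob"],
        "md5_in_precomputed_table": precomputed.get(md5_by_user["alice"]),
        # Different random salts: same password, two unrelated records.
        "pbkdf2_differs_for_same_password": pbkdf2_by_user["alice"] != pbkdf2_by_user["bob"],
        "pbkdf2_verify_right": pbkdf2_verify(pbkdf2_by_user["carol"], "correct horse"),
        "pbkdf2_verify_wrong": pbkdf2_verify(pbkdf2_by_user["carol"], "sunshine"),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The record format (algorithm, iteration count, salt, hash in one string) is a common convention, not a standard; it lets the verifier recompute exactly what was stored and lets the iteration count be raised for new records without breaking old ones. A dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice; PBKDF2 is used here only because it ships with the standard library.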


The Beginners Guide To Application Security, AKA The Beginners Guide To Hacking

9 Jun 2016 | By Ben Campbell

For software developers who quite understandably detest hackers, it probably doesn’t seem natural or appealing to think like a hacker in order to build better applications. But does the FBI not have to think like criminals in order to protect financial institutions? Does the DEA not have to think like meth manufacturers in order to locate those chemical-filled trailers? Do mothers not have to think like sugar-hungry sons in order to successfully hide a bag of chocolate chips in the vegetable crisper?

Continue reading this article at Business Computing World

 


Millions of Twitter Credentials Up for Sale for Less Than a Cent Each

9 Jun 2016 | By Tara Seals

A hacker, who has links to the recent MySpace, LinkedIn and Tumblr data breaches, is claiming another trophy: Millions upon millions of Twitter accounts.

The Russian hacker, going by the handle Tessa88, is selling a cache of 32 million records for 10 Bitcoin on the Dark Web. It’s another example of how little account credentials are going for these days: 10 Bitcoin is the equivalent of around $5,820, which works out to less than a cent each.

Amit Ashbel, director of product marketing and cybersecurity evangelist at Checkmarx, told us that the fact that this is a new leak of an old steal isn’t surprising.

“I would start by stressing that this is regular practice by criminals,” he said. “Once they manage a large hack they will always save something for a rainy day. The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder.”

Read the original article at InfoSecurity Magazine


OWASP Top 10 & Open Source Code: Why Watching Your Back Means Watching Everyone Else’s

6 Jun 2016 | By Admin

At times, being a developer can feel a little bit like being back in school and getting partnered up on projects. You would work your butt off, fastidiously checking and rechecking your part of the assignment until you’re sure it’s perfect only to show up at school on Monday and find that your partner hasn’t fulfilled his end of the deal. And there goes the project.

The open source components you can tap into as a developer are, for the most part, wonderful things. But while you’ve doubtlessly spent endless hours checking the security of your own code, you’re often put in a position where you have to trust that all of that third party code was checked as closely as yours was. Sometimes, those open source components that saved you all kinds of time and trouble may have glaring security issues. The good news is, there is a solution.

Continue reading this article on IT Briefcase

 


Don’t wait for the police: plugging holes in your website forms to avoid SQL injection

6 Jun 2016 | By Naomi Webb

It’s been a while since the last major Florida election controversy but at long last the sunshine state has delivered. A cybersecurity researcher exposed serious vulnerabilities in the Lee County Supervisor of Elections Office website…and was promptly arrested after detailing those vulnerabilities in a YouTube video that bizarrely featured a man running for the supervisor of elections position.

SQL injection is the number one threat in the OWASP Top 10 and has been a favored tool of hackers for over 15 years: tried, true, effective, and easy to automate with third-party tools. What more could a hacker want? When your application is attacked using SQLi, the attacker sends malformed SQL statements through form fields or even query-string values, hoping that you don’t validate and check them before executing them on the server. SQLi differs from attacks such as XSS in that the injected statements run on the database server, not in the user’s browser.

Continue reading this article on Tech Guru Daily.
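To make the mechanism described in the excerpt concrete, here is an added example written for this page, not code from the Tech Guru Daily article or from Checkmarx. It uses Python’s standard sqlite3 module with a constructed in-memory users table; the function names and sample rows are assumptions. The vulnerable lookup concatenates the submitted username into the SQL text, so the database server parses and runs whatever arrived in the form field; the parameterised lookup binds the value after the statement is parsed, so it can only ever be treated as data.

```python
import sqlite3

# Constructed sample table (not data from the article): three accounts, one of
# whose names legitimately contains an apostrophe.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("o'brien", "hash-c")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the form value becomes part of the SQL text, so the
    # database server executes whatever the client sent.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the statement is parsed first and the value is bound
    # afterwards, so it is compared as data and never interpreted as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups against an honest value and a crafted one."""
    conn = make_db()
    out = {}

    # 1. An honest value containing a quote malforms the concatenated
    #    statement; the database rejects it while the bound query just works.
    try:
        out["vulnerable_apostrophe"] = find_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        out["vulnerable_apostrophe"] = "syntax error"
    out["safe_apostrophe"] = find_user_safe(conn, "o'brien")

    # 2. A crafted value closes the string literal and rewrites the WHERE
    #    clause, so the concatenated query matches every row; the bound query
    #    looks for a user literally named that and finds nothing.
    crafted = "x' OR '1'='1"
    out["vulnerable_crafted"] = find_user_vulnerable(conn, crafted)
    out["safe_crafted"] = find_user_safe(conn, crafted)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameterised queries (or an ORM that generates them) are the primary control; the validation the excerpt calls for remains worthwhile as defence in depth, since it rejects malformed input before it reaches the database at all. The placeholder syntax differs between drivers (`?` here, `%s` or `:name` elsewhere), but the separation of statement and data is the same.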


5 Ways to Create a Secure Software Development Life Cycle (sSDLC)

5 Jun 2016 | By Kamn

Enterprise-level software needs a tightly bound software development life cycle (SDLC) to ensure deployed applications follow business requirements and stay bug-free. In the Hollywood blockbuster version of this high-stakes process, that secure SDLC would require exactly five things: lasers, a group of witty nerds, a security program that features fast-moving green type on a black screen, a large digital clock and Jason Statham.

Unfortunately, securing an SDLC isn’t so simple in real life. Standard SDLC guidelines often don’t include all-important security, and this oversight can leave the resultant software vulnerable to a variety of common attacks. Like in the Hollywood version, however, these costly data breaches and devastating cyber-attacks can be combated with five things. Keep reading to find out the details on SDLCs and the ways to ensure your organization’s software is secure.

Building software requires structure

Smaller individual apps can be built without much structure and it all tends to go fine. But once any application graduates from a simple app to enterprise level and the words “project management” enter the picture, it’s going to require structure in its development. This need for organization through the various stages of development is what gave rise to the standard SDLC template.

The basic steps are:

  1. Requirements: gather the requirements that define the way an application will function
  2. Design: design the application and a functional user experience and layout
  3. Coding: use the requirements to then code the application’s functionality
  4. Testing: test the application for any bugs
  5. Deployment: push the application from development or staging to the production server

Continue reading this article on DesignCanyon.com.


Easy and Cost-Effective Secure App Development

4 Jun 2016 | By Diogo Costa

Every year, we see a considerable increase in the number and severity of cybersecurity incidents from which companies suffer major financial losses, harm to their reputation, and irreparable damage to their customers. In 2015 alone, cybercriminals raked in billions of dollars from data breaches, as well as account information for hundreds of millions of users meant to be sold on the black market and used for further fraudulent activities.

There are several methods and tools that can help you adopt a secure application development process and better understand and fix security issues in your applications before release. One of the most effective is the use of Static Application Security Testing (SAST) tools, such as Checkmarx CxSAST.

In essence, SAST solutions are suites of tools that integrate into the Software Development Lifecycle (SDLC) and enable developers to vet and scan their code as they program. The most important benefit of SAST solutions is that bug detection and removal is streamlined and seamlessly integrated into the overall development process.

Continue reading this article on Tech.co


Hacking: The Case for Prevention Rather Than Cure

2 Jun 2016 | By Amit Ashbel

When the movie Sneakers came out in 1992, hacking wasn’t considered a real threat; it was almost something cool that really clever kids did just to prove they could. More than two decades later, hacking has taken on a far more sinister tone and become a much more profitable profession. With breaches continuing to happen at an alarming rate, the proliferation of cyber-crime is a huge threat to corporate organisations and individual consumers alike. In a bid to counter this current trend, and threat, we go back five centuries to the Dutch philosopher Desiderius Erasmus to borrow his idea that ‘prevention is better than cure’.

The pace of technology

One of the reasons there are so many breaches is the growing number of connected devices, a result of technological advances. We live in a world where new devices, platforms, applications or systems are launched every day, each of which presents a new attack surface, and without any regulation or industry standards, security has been less of a priority than getting these new products to market. Developers are still measured by how quickly they can write application code, and therein lies the problem: security is often an afterthought, and developers are usually involved in the process far too late.

Continue reading this article on SCMagazine.com.


The OSI model, your security, and giving special consideration to the application layer

2 Jun 2016 | By Patrick Vernon

There’s a certain poignant disappointment that occurs when your expectations do not align with reality. Especially when your expectations are both reasonable and logical. Take the topic of securing an application based on the Open Systems Interconnection (OSI) model, for instance. The OSI model is a way of thinking about computer networking that efficiently and effectively lays out the seven layers of computer networking, showing how they are neatly connected, each layer making use of the functions of the layer both above and below it. “Perfect,” you think. “If these seven layers are so tidily intertwined, surely there must be one security solution that takes care of them all.”

As security organization Checkmarx points out, for effective application layer security, static code analysis is a security solution that can be seamlessly integrated into the developer environment. It makes application layer security a component of the daily development schedule, allowing developers to receive nearly real-time scan results and fix vulnerabilities (as well as coding problems and other issues) as the application is being developed. Not only does this help create a secure software development life cycle, but it also saves untold time and effort by identifying problems as they appear instead of after a build is complete.

Continue reading this article on Digitalisation World.
