In the News

Hacked US Security Clearances Are Giving Beijing Insanely Personal Information About American Citizens

14 Jun 2015 | By Jeff Stone

Hackers who broke into the U.S. Office of Personnel Management (OPM) database this week didn’t just steal birthdays, email addresses and health information. They obtained security clearance information that’s invasive enough to ruin potentially millions of American lives. 

The U.S. government is struggling to adapt because, well, governments are slow.

“There’s a lot of bureaucracy and steps you have to go through before you can adopt new technology,” said Amit Ashbel, a product manager at the code security company Checkmarx. “The U.S. is just more frequently attacked because it’s the U.S. It’s a global power and has disagreements with different regions.”

Continue reading at the International Business Times

An Analysis of the Starbucks Cyber-Attack and How To Stay Protected

14 Jun 2015 | By Amit Ashbel

How much is a cup of coffee really worth? Several weeks ago, many Starbucks customers began reporting their Starbucks card balance emptied and then topped again. On May 13th, Starbucks released a written statement denying the unauthorized activity was a result of a hack or an intrusion to its servers or mobile app. But the hard facts show that indeed customers had their accounts abused by hackers.

The question is, how were the credentials obtained? There are several plausible answers to this question and no answer can be proved or shot down completely. Some researchers say that there was an active phishing campaign targeting Starbucks customers, others say that the phishing campaign was targeting a wider range of users who are not necessarily Starbucks customers.

Continue reading at App Developer Magazine

Game of Hacks coming in white-labelled version after strong demand from security-challenged businesses

20 May 2015 | By David Braue

It may have started out as a way to build a brand and engage the curiosity of the Internet development community, but an Israeli development-tools company's Game of Hacks competition has proven so popular that it is developing a white-labelled solution to help organisations put their own developers through their security paces.

The online game – which pushes players to test their ability to spot security flaws in samples of actual code – was played by 35,000 people in its first 24 hours and hundreds of thousands more in the months since its launch in August 2014. Yet the most interesting part of the Game of Hacks, vice president of marketing Asaph Schulman told CSO Australia, was watching what happened as hackers tired of the game itself and began looking for ways to hack it.

“At the end of the day,” Schulman said, “if we can actually replicate this phenomenon – posing questions about finding vulnerabilities and gamifying that – we can create something that is fun, educational, and resolves a certain pain point for our target audience.”

Continue reading this article at CSO Australia. 

9 Security Mistakes Every Java Developer Must Avoid

18 May 2015 | By Sharon Solomon

Java has come a long way since it was introduced in mid-1995. Its cross-platform characteristics have made it the benchmark when it comes to client-side web programming. But with cybercrime and hacking reaching epidemic levels due to its widespread usage and distribution, the need for secure Java development has become the call of the hour.

A recent Kaspersky lab report mentions Java as the most attacked programming language, with more and more hacking incidents being reported worldwide. Java’s susceptibility is largely due to its segmentation problem. Not all developers are using the latest version (Java 9), which basically means that the latest security updates are not always applied.

Read the full article here

Starbucks customers’ mobile accounts breached by thieves

17 May 2015 | By Elizabeth Weise

Some Starbucks customers have had money siphoned out of their Starbucks mobile app by thieves using a clever new attack, but Starbucks itself hasn't been hacked, the company said Friday.

It works like this: First, the thieves buy stolen passwords and IDs on the underground market.

They then use an automated program to try the stolen combinations one after another on the Starbucks mobile app until one works, according to application security firm Checkmarx. This is what's called a "brute force" attack. These programs can "process" hundreds of ID-password combinations a second.

If the user has set the app up to automatically reload from their credit card or PayPal account, the thieves can immediately steal again as soon as the app has more money in it, according to application security firm Checkmarx.

Read the full article here.

The Anonymous Inoculation

4 May 2015 | By Niv Elis

In its third year of coordinating cyber attacks against Israel, the online “hacktivist” group Anonymous decided to up its rhetoric. On April 7, the group promised in a video, it would unleash “an electronic Holocaust” on the Jewish state, threatening to wipe Israel from the cyber-security map.

Though Anonymous garnered plenty of media attention, the question is whether it did any lasting damage. Most analysts saw it as a childish nuisance; one pro-Israeli hacktivist even broke into an OpIsrael website and posted messages defending the Jewish state. “As long as it’s a dispersed effort [comprised of] ad-hoc teams getting together for activist causes, I don’t see that as a major threat. We should be more concerned about Russia or China, which have real cyber armies,” said Asaph Schulman, vice president of marketing at Checkmarx. “It’s not like the Chinese trying to hack Lockheed Martin for the latest IP in aerodynamics.”

This article was originally featured in the Jerusalem Post. Read the rest of the article here (PDF).

Checkmarx: Turning Hackers Into Unwitting Product Developers

21 Apr 2015 | By Steve Bowcut

Brilliance Security Magazine had the good fortune of sitting down with Maty Siman, Founder and CTO of Checkmarx, at the RSA Conference in San Francisco. Mr. Siman’s obvious intelligence yet humble demeanor enables him to stand out as a notable leader in the security industry. Founded in 2006 and headquartered in Tel Aviv, Checkmarx develops Static Code Analysis solutions which enable organizations to introduce security into their Software Development Lifecycle.

Read the full article here.

Virtual Forge and Checkmarx seal unique partnership for Static Application Security Testing

15 Mar 2015 | By Virtual Forge & Checkmarx

The new partnership between Virtual Forge and Checkmarx offers companies a powerful platform for testing and ensuring the application security of business applications, including those that are developed in SAP ABAP.

Many data breaches still take place through the exploitation of vulnerabilities and security holes in software. Many companies therefore see the need to identify application vulnerabilities as early as possible and to fix them. For this very purpose, Static Application Security Testing (SAST) solutions have proven to be an effective means.

Read the full article here.

 

Securing Business Applications in Real-Time

29 Jan 2015 | By Ian Barker

As demand to access company information on the move and from mobile devices increases, it places extra strain on security resources.

Existing web application firewalls (WAFs) monitor traffic but don’t have an understanding of the logic of data flows and the behavior of applications. This can make it hard for them to distinguish between legitimate traffic and attacks on apps such as SQL injection and cross-site scripting.

Israel-based security company Checkmarx is launching a run-time application self-protection (RASP) tool called CxRASP which will monitor an app’s bidirectional data flow, enabling the detection of and defense against real-time attacks.

Checkmarx’s technology ‘listens’ at each interaction junction of the app, covering access points between the application and the user, the database, the network, and the file system. With complete visibility into the app’s input and output, CxRASP tailors the protection mechanism to the specific flow within the application to achieve high detection accuracy in real-time. Suspicious activity is flagged when it enters the app, and then verified to see if it is actually malicious at the output to minimize false positives and false negatives. If an attack is identified, the organization is alerted and instructions are sent on how to fix the vulnerability.

“The fast increasing number of applications and the resulting vast amounts of insecure code written and released into production means that we need a more intelligent way to ensure software security,” says Emmanuel Benzaquen, CEO of Checkmarx. “CxRASP is the ultimate way to protect applications as it lets applications do the work of protecting themselves so that security vulnerabilities are revealed and blocked in real-time”.

The product can be integrated with static application security testing tools from Checkmarx and elsewhere to ensure application protection throughout the development process.

This article originally appeared on BetaNews

The unsung achiever: Pakistani tops lists of ethical hackers of 2014

3 Jan 2015 | By Farooq Baloch

The world’s leading information security publications have featured Pakistani security researcher, Rafay Baloch, as one of the top ethical hackers in 2014, putting the 21-year-old Karachiite on top of their lists, The Express Tribune learnt on Thursday.

“Ethical hacking, which makes the information world more secure, is one way we [Pakistanis] can change our country’s negative perception in the world,” said Baloch.

Checkmarx, a source code analysis company based out of Tel Aviv, Israel, recognized Baloch as one of the world’s top five ethical hackers who made the headlines in 2014 for exposing a serious vulnerability – a Same-Origin Policy (SOP) bypass – in Android’s Open Source Platform browser (versions older than 4.4).

The recognition comes from a company that has, arguably, the best tool for Static Application Security Testing. Checkmarx was ranked number one for static analysis in “Critical Capabilities for Application Security Testing”, a 2014 report by the world’s leading information technology research and advisory company, Gartner.

Read the rest of this article here.
