Checkmarx Blog


Learning from the Experts – How JavaScript and HTML5 Vulnerabilities Affect Application Security

May 20, 2014 By Sharon Solomon | Checkmarx recently sponsored an educational webinar to raise Application Security awareness amongst developers and IT professionals. JavaScript and HTML5 were given special attention in the online event hosted by SecureWorld. The aim was to shed some light on the vulnerabilities created by the integration of new features and functionality into the programming languages. Maty Siman from Checkmarx and LivePerson’s Yair Rovek shared their InfoSec Industry experiences backed by real-time demonstrations. Sam Masiello, Head of Application Security at Groupon, was the moderator. “Insecure code is all around us,” Masiello explained at the beginning of the webinar. “It doesn’t matter if you are running Windows, iOS, Android or Java. These loopholes, if left unpatched, leave your company data vulnerable.”

7 Tips For Choosing The Right Tool To Secure Your Application

May 14, 2014 By Sharon Solomon | With more and more leading applications and websites being hacked, internet users are thinking twice before sharing personal information online. With hacktivism, commercial espionage and criminal hacking on the rise, it has become crucial to safeguard databases and make sure that adequate application-layer security is in place. Unfortunately, the responsibility for providing this security often falls on the narrow shoulders of the QA teams. Operating under tight deadlines, they already have their hands full and eventually fail to address the glaring security issues. Not all companies have the resources needed to enjoy the services of staff trained to tackle vulnerabilities. Even hiring skilled security professionals is not always “pocket-friendly”. But there is good news. Healthy coding practices and smart vulnerability tool selection can help boost your product’s “immunity” and minimize the need for post-production maintenance.

IoT-Hacking Horror Stories: Screaming at Babies & Jamming the Roads

May 05, 2014 By Sarah Vonnegut | In the ‘wonderful world’ of the Internet of Things, two interesting stories – one about hacking traffic systems and another about attackers screaming at babies in their cribs – have recently popped up that should make us stop and think about its current state of security.

Taking It To The Streets

In the first story, a researcher at IoActive spoke to Wired about a recent vulnerability he found in traffic control systems throughout the U.S.’s biggest cities that could be manipulated “to snarl traffic or force cars onto different streets,” the article says. Instead of hitting the traffic lights directly, an attack using the flaw would target the street sensors that wirelessly send unencrypted data to the systems which control traffic lights. Hackers would be able to send haphazard commands and data to mess with the system, Cesar Cerrudo, the IoActive researcher, says. There are 50,000+ vulnerable wireless detection systems installed in metropolitan areas across the U.S., UK, France and more. A coordinated attack could truly wreak havoc.

Mobile Sunday: Viber Encryption Troubles Putting Millions at Risk

May 04, 2014 By Sharon Solomon | The Viber instant messaging app has become a household name, with over 200 million downloads worldwide. This cross-platform software is also compatible with desktops and provides unique functionality. But researchers at the University of New Haven have now exposed the lack of data encryption in the popular mobile app, a serious security problem. This is the second IM vulnerability exposed by the UNH experts this month, with the previous one being found in the WhatsApp messenger. The Facebook-owned service was found to give away user location in an unencrypted and open form. Viber is now feeling the heat. Hackers can easily perform man-in-the-middle attacks to harvest sensitive user data. It’s even possible to retrieve messages, including photos, videos and location-related data, from the Viber servers.

Chrome Eavesdropping Bug Exposed; Researcher Endorses SCA

May 01, 2014 By Sharon Solomon | Google Chrome has come a long way since its initial release back in 2008. Almost 60% of users today prefer the Google-made browser. But even this fast and responsive browser has its vulnerabilities. Hackers can now eavesdrop on unsuspecting users and convert their voice to text without prior consent.

Checkmarx Heartbleed Vaccination Now Available

Apr 29, 2014 By Sharon Solomon | Checkmarx has now released an update that scans your application source code for the Heartbleed-vulnerable library code. The Heartbleed vulnerability had affected almost half a million secure web servers, certified by trusted authorities, by the time it was exposed. The bad news is that the problem still exists. More than 2% of the Alexa world top 1,000,000 websites are still susceptible to attack.

Hackers Already Exploiting Microsoft IE Zero Day in Federal, Financial Orgs.

Apr 28, 2014 By Sarah Vonnegut | Hackers are already busy at work exploiting a just-discovered zero-day security flaw in Microsoft’s Internet Explorer, posing a serious risk to up to 56% of the world’s browser market. The vulnerability was found in all versions of the browser and as of today, “limited, targeted attacks” have been leveraged against IE versions 9, 10, and 11, though all versions 6 through 11 are vulnerable. Security firm FireEye discovered the flaw and reported it to Microsoft on Saturday. Microsoft announced the vulnerability, CVE-2014-1776, on Saturday night and added that they are currently investigating the issue and will issue a security update as needed. The company says that by default, Microsoft web apps like Outlook, Outlook Express, and Windows Mail use Microsoft’s ‘restricted site zone’, which diminishes the risk of the exploit on those sites. However, many more sites accessed in Internet Explorer could still be used in an attack.

Mobile Sunday: GoogolPlex Hack Takes Siri To Risky Levels

Apr 27, 2014 By Sharon Solomon | Imagine unlocking your car by simply talking to your iPhone. Or would you rather chat with your washing machine or dishwasher while at work? All these actions can soon become possible thanks to an innovative Siri hack called GoogolPlex, which was developed and implemented by a group of American youngsters. GoogolPlex was recently demonstrated by a group of freshmen from the University of Pennsylvania – Ajay Patel, Alex Sands, Ben Hsu and Gagan Gupta. They managed to manipulate the Siri feature, which is preinstalled in all Apple devices running the latest iOS 7 software. While very convenient and functional, this unofficial hack can potentially enable cybercriminals to infiltrate people’s homes and cars to achieve harmful results. Apple has refused to comment on the revelations and no security patch has been released so far.

The Week in Security: Your Top 6 Stories

Apr 26, 2014 By Sarah Vonnegut | Apple security updates and spoofing and Heartbleed... oh my. These are your week’s top security stories:
Aol Hit With Major Email Spoofing Hack
In a blast-from-the-past security story, Aol email users have been suffering from spoofed accounts. Spoofed emails are pesky messages, in this case containing malicious links, that have had their FROM field changed to make it look like they are coming from the victim, but are really coming from the spammer/spoofer’s account, sent from their server. If there are bounce-backs from emails you didn’t send out, you’ve most likely been spoofed. Once your account has been spoofed, there’s not a whole lot you can do.