Checkmarx Blog


Checkmarx Heartbleed Vaccination Now Available

Apr 29, 2014 By Sharon Solomon | Checkmarx has now released an update that scans your application source code for the Heartbleed-vulnerable library code.  The Heartbleed vulnerability had affected almost half a million secure web servers, certified by trusted authorities, by the time it was exposed. The bad news is that the problem still exists. More than 2% of the Alexa world top 1,000,000 websites are still susceptible to attack.
Read More »

Hackers Already Exploiting Microsoft IE Zero Day ​in Federal, Financial Orgs.

Apr 28, 2014 By Sarah Vonnegut | Hackers are already busy at work exploiting a just-discovered zero-day security flaw in Microsoft’s Internet Explorer, posing a serious risk to up to 56% of the world browser market. The vulnerability was found in all versions of the browser and as of today, “limited, targeted attacks” have been leveraged against IE versions 9, 10, and 11, though all versions 6 through 11 are vulnerable. Security firm FireEye discovered the flaw and reported it to Microsoft on Saturday. Microsoft announced the vulnerability, CVE-2014-1776, on Saturday night and added that they are currently investigating the issue and will issue a security update as needed. The company says that by default, Microsoft Web Apps like Outlook, Outlook Express, and Windows Mail use Microsoft’s ‘restricted site zone’ that diminish risk of the exploit on those sites. However, many more sites accessed in Internet Explorer could still be used in an attack.
Read More »

Mobile Sunday: GoogolPlex Hack Takes Siri To Risky Levels

Apr 27, 2014 By Sharon Solomon | Imagine unlocking your car by simply talking to your iPhone. Or would you rather chat with your washing machine or dish-washer while at work? All these actions can soon become possible thanks to an innovative Siri hack called GoogolPlex, which was developed and implemented by a group of American youngsters. GoogolPlex was recently demonstrated by a group of freshmen from the University of Pennsylvania – Ajay Patel, Alex Sands, Ben Hsu and Gagan Gupta. They managed to manipulate the Siri feature, which is preinstalled in all Apple devices running the latest iOS 7 software. While very convenient and functional, this unofficial hack can potentially enable cybercriminals to infiltrate people’s homes and cars to achieve harmful results. Apple has refused to comment on the revelations and no security patch has been released so far.
Read More »

The Week in Security: Your Top 6 Stories

Apr 26, 2014 By Sarah Vonnegut | Apple Security Updates and Spoofing and Heartbleed …oh my. These are your weeks top security stories:
Aol Hit With Major Email Spoofing Hack
In a blast from the past security story, Aol email users have been suffering from spoofed accounts. Spoofed emails are pesky messages, in this case containing malicious links, that had their FROM field changed to make it look like it’s coming from the victim, but are just coming from the spammer/spoofer’s account, sent from their server. If there are bounce-backs from emails you didn’t send out, you’ve most likely been spoofed. Once your account has been spoofed, there’s not a whole lot you can do.
Read More »

Top-Selling WiFi DSL Modems Routing Hackers Your Way

Apr 24, 2014 By Sharon Solomon | WiFi DSL routers have become a staple part of all professional computing setups. Unfortunately, wireless communication also introduces numerous vulnerabilities. A massive backdoor was found in popular NetGear, Linksys/Cisco and SerComm WiFi DSL modems back in December 2013. Security patches released by the companies have not solved the problem. More than 20 popular models sold worldwide have been found to possess the vulnerability. Once remotely in control of the router via a compromised port, the hacker can gain “root shell” access and send malicious commands to the device. Thousands of customers were expecting to mitigate the problem with the patch, but the desired result was not achieved. Owners of the vulnerable routers will have to adopt a pro-active approach to safeguard their networks since the backdoor still exists.
Read More »

Web App Attacks: 7 Takeaways from the New Verizon DBIR

Apr 23, 2014 By Sarah Vonnegut | Hackers going after Web applications are getting smarter and faster by automating their malicious tools, and organizations are struggling to keep up. This was among the biggest revelations in Verizons’ 2014 Data Breach Investigations Report. The report analyzed over 63,000 security incidents over the past year, 1,367 of which resulted in a breach. It may come as a surprise to some that PoS intrusion attacks, the cause of the massive Target breach, and similar, subsequent incidents, was not the leading attack vector of the reports’ nine incident patterns. Alas, the award for the most exploited vulnerabilities went to Web applications, which hackers relentlessly went after this year – to the tune of 3,937 incidents and 490 confirmed breaches.
Read More »

Mind Your Fingers. Samsung Galaxy S5 Fingerprint Scanner Exploited

Apr 22, 2014 By Sharon Solomon | Fingerprint scanners are becoming the rage in the smartphone industry. Apple introduced its proprietary sensor in its flagship 5s device last year and Samsung has done it recently with its new Galaxy S5 model. But its not all good news. The Korean manufacturer’s latest security solution can be rendered useless with a simple home-made PCB mould.  
Read More »

5 Security Stories To Know Right Now

Apr 18, 2014 By Sarah Vonnegut | While the Heartbleed bug again dominated the news this week, a few other security stories deserve some love. Here are your top five of the week – get caught up for the weekend!
Michaels Credit Card Breach: 3 Million Customers At Risk
The arts and crafts chain Michaels Stores Inc. this week reported that they suffered two separate security breaches spanning eight months. The breach, which was first reported in January, exposed up to three million customers credit and debit card data. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period,” the statement on their website says. That number is probably less than they were expecting, having come so close to the massive Target breach. In addition to the Michaels breach, customers of Aaron Brothers, owned by Michaels, was victim to a separate breach, in which around 400,000 customers are at risk.
Read More »

The Honeypot Sting: Hacking the Hackers

Apr 16, 2014 By Sarah Vonnegut | How can you tell who’s up to no good when it comes to your networks and computer systems? Simon Bell, a computer science student in his last year at the University of Sussex, has set out to help answer that question. He’s created an SSH (Secure Shell) honeypot written in C with the aim of researching the techniques of malicious attackers trying to infiltrate the network. Dubbed Secure Honey, Bell designed his honeypot as a final project, which he tracks and writes about on his site. Hacking the Hackers: Honeypots, for the uninitiated, are decoy systems or servers designed to track and log the activities of attackers trying to intrude your system (SANS has a great FAQ for further reading).  Instead of the attackers gaining data, the honeypot collects the actions and attempts at intrusion for further analysis. The would-be hackers get nothing – and will quickly move on to the next possibly vulnerable server after a few fruitless tries. “Something really drew me to the idea of luring hackers into a honeypot to watch how they operate and to discover what sort of techniques they may deploy to infiltrate a system,” he says. Anyone can keep up with what Secure Honey attackers are up to on Bell’s live stats page, where hacking attempts, the most commonly used passwords and more are tracked in real time.
Read More »

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.