Checkmarx Blog


One Vulnerability To Rule Them All: SQL Injection

Apr 07, 2014 By Sarah Vonnegut | They’re simple, highly exploitable, and when done ‘correctly’, can be deadly…or at least incredibly costly for an organization. They’ve been used in hundreds of thousands of attacks and have cost companies and organizations millions – at this point billions – in lost or stolen funds as well as other breach costs.
The nightmare exploit in question? SQL injection (SQLi) attacks. They’re one of the most common vulnerabilities found on the web; attacks are easy to carry out and can be highly valuable: one little piece of injected code and the organization’s entire database could be used to spoof identities, tamper with existing data, allow the complete disclosure – or complete deletion – of all system data, and give the hacker full administrative access to the server.
Hackers have grown more sophisticated over time, developing automation tools that scour the web for sites vulnerable to SQLi attacks, while organizations have put their focus – and resources – on defending against other types of attacks, leaving hackers free to concentrate on more easily exploited vulnerabilities.
When it comes to SQLi attacks, history has done a great job of repeating itself. In 2009, the Heartland Payment Systems breach that leaked 130 million credit card numbers was accomplished through SQL injection. The group of hackers responsible for the Heartland breach, led by Albert Gonzalez, also masterminded attacks on Dave & Busters, OfficeMax, Boston Market, Barnes & Noble, and several other businesses – all confronted by SQL injection attacks.

Mobile Sunday: New iOS 7 Vulnerability Exposed

Apr 06, 2014 By Sharon Solomon | Smartphones have become “man’s best friend” over the last few years. There is almost no daily task that doesn’t involve the use of apps and instant messaging. Unfortunately, this has also increased the number of mobile phone robberies and tampering incidents. Hacking is evolving, but the “traditional” thefts and mishaps are still a big threat. Phone manufacturers are implementing tools such as lockscreens and passwords to deny unwanted access to phones. The iPhone 5s even has a unique fingerprint scanner that must be swiped to unlock the phone. Apple phones also have “Find my iPhone” software. This feature allows the user to remotely lock the phone if it is lost in a public place or stolen. Unfortunately, a serious vulnerability has been exposed in this welcome feature.

All You Wanted to Know About Social Engineering

Apr 04, 2014 By Sharon Solomon | Social engineering is manipulating people into doing something, rather than using technical means. It is the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by using technical hacking techniques. For example, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees.

Internet of Fails: Serious Vulnerability Found in Philips Smart TVs

Apr 02, 2014 By Sharon Solomon | Just a couple of decades ago, the Internet of Things (IoT) idea was restricted to sci-fi movies and novels. But the internet revolution has changed everything. Millions of new home appliances are going online on a daily basis, enabling hackers to spread malware, create botnets and harvest sensitive information worldwide.  

Checkmarx Selected As Finalist For Red Herring Top 100 Europe Awards

Apr 01, 2014 By Sarah Vonnegut | We’re excited to announce that Checkmarx has been chosen as a Finalist for Red Herring’s Top 100 Europe award, a distinctive list that honors the year’s most promising private tech companies in Europe.
The Red Herring 100 Awards, started in 1996, are one of the most prestigious events for start-ups across the world. Red Herring’s editorial team analyzes hundreds of cutting-edge companies and technologies and selects those positioned to grow at an explosive rate. The Top 100 companies are assessed on 20 varying criteria, including disruptiveness of the solution in its respective markets, market maturity, quality of the management, financial performance, and technological advantage, among many others.

ATMs Raided With Ploutus as Windows XP Zero Day Approaches

Mar 31, 2014 By Sharon Solomon | Windows XP will be officially discontinued on 8 April, but the legendary platform is far from becoming extinct. 95% of the world’s ATMs are still powered by the 12-year-old operating system, opening the door for Ploutus attacks. More and more hackers are using SMS messages to steal money. As noted in our previous Windows XP Update, a worrying number of businesses and workplaces are still using the expiring platform. Surprisingly, such outdated systems and networks are not exclusive to poor countries. The biggest problems are expected in the banking industry, with thousands of ATMs still running Windows XP. Upgrading the systems to newer software is going to be a long and costly process. Cybercriminals are already exploiting this issue.

Top 5 in Security: Weekly Update

Mar 30, 2014 By Sarah Vonnegut | From snooping drones and leaky apps to more hijack-able connected devices, these are your week’s top 5 security stories. 
6 Months Later, Angry Birds Still Spilling Personal Info
Rovio, the gaming company behind the mobile hit Angry Birds, has apparently continued its relationship with the ad platform believed to have been hacked into repeatedly by the British intelligence agency. Worse still, the company continues to collect and share personal information with various third-party advertising services. 
Security researchers at FireEye found that the Android app continues to collect a massive amount of personal data about players who sign up for the app, including birthday, email, gender, name and country, before pairing it with the customer ID and storing it on the user’s phone. The researchers also discovered that the app sends most of that data in plaintext. Even if a player opts out of signing up, the game still collects and sends plenty of information about the device.

Mobile Friday: Google Waze Hacked By Technion Students

Mar 28, 2014 By Sharon Solomon | Waze has come a long way since its launch back in 2008. Winner of the Best Overall Mobile App award at the 2013 Mobile World Congress, the Israel-based startup was sold to Google last year for a whopping $1.3 billion. Unfortunately, two students from the Technion have revealed a huge security issue in the popular app. The revolutionary Israeli navigation software made waves by integrating social networking into its user interface and enabling commercial collaborations with strategic businesses. Even Google couldn’t afford to stay indifferent to the app’s massive potential. Everything was looking bright until Shir Yadid and Meital Ben-Sinai, software engineering students at the Technion Institute of Technology in Israel, found a glaring loophole in the application. Waze is aware of the POC, but has not released any security patches so far.

Malaysian Airlines Flight MH370: First Ever Cyber-Hijack?

Mar 24, 2014 By Sharon Solomon | Malaysian Airlines Flight MH370 probably crashed into the Indian Ocean, but what really went on inside the plane is yet to be revealed by investigators. Is it possible that MH370 was actually cyber-hijacked by a seasoned hacker? Interestingly, relevant proofs of concept have already been demonstrated by InfoSec experts.
