The image below shows what you saw if you searched the National Vulnerability Database (NVD) on February 16. As you can see, vulnerabilities are being added on a daily basis. The far right column, however, is blank: none of the vulnerabilities are being scored using NIST’s Common Vulnerability Scoring System (CVSS).
Posted in Software Architecture and Design | Comments Off on What’s happening with the National Vulnerability Database?
Was Equifax first hit with a non-targeted attack?
The details of the Equifax breach will unfold slowly over the next several weeks and months. One interesting detail came out recently when the company reported that “an actor interacted with our server on March 10, 2017.” That’s four days after the vulnerability was reported and three days after a researcher released an exploit to the public. So far, it doesn’t look like this was the attack that resulted in the breach. So what happened? Why would a hacker start an attack on Equifax, but not complete it? In this post, I’ll explore some hacking lessons we can take away from the movies.
Think of hacking the way Paul Newman and Jackie Gleason approach pool hustling in the classic film, The Hustler (or Newman and Tom Cruise in the film’s sequel, The Color of Money). The hustler can’t spend every day looking for the richest individual in each town he visits. Instead, he picks a pool hall, loses a couple of games, and sees if he can find a “mark.” In this case, a mark is anyone who appears to have a combination of money and unearned confidence in their pool skills. In other words, someone who is vulnerable to the hustle and worth the hustler’s time in terms of a financial return. The hustler doesn’t care if the mark is a doctor, lawyer, or sanitation engineer. He only wants their money.
Finding a mark in the cyber world
In the cyber world, finding a mark is a little different. One way is to use a known exploit for a known vulnerability — like the Struts exploit — and simply “point it” at a range of IP addresses to see which, if any, are vulnerable to the exploit. These are non-targeted attacks; no specific victim is in mind, and those vulnerable servers are the hacker’s marks. He’ll then investigate those and learn more about them. Low value marks — such as schools or libraries — may be ignored, exploited to serve malware, or perhaps incorporated into a botnet. If the mark has high value, like a bank or retailer, the attacker invests more time to exploit the target or sells information about the mark to others.
Hustlers are rational
We often think of attackers selecting high-value targets and focusing their efforts on defeating the target’s defenses. This is undoubtedly true — in many cases. It’s unlikely, for instance, that the Office of Personnel Management breach in 2015 was an accident (the FBI recently arrested a Chinese national in relation to the malware used in the attack) or that Operation Aurora stumbled upon the source code and design documents of leading defense contractors and IT infrastructure providers. In both of these cases, the attacks appear to be directed by nation states for intelligence and industrial/defense espionage. This may be the case with Equifax as well, either through nation states or organized crime.
Posted in Open Source Security | Comments Off on Hustling and hacking lessons from Paul Newman
You’ve probably heard that personal information, including social security numbers, was stolen from Equifax. Here’s what you need to know.
Posted in Data Breach, Open Source Security, Software Architecture and Design | Comments Off on Now it’s personal—4 takeaways from the Equifax breach
Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit this critical vulnerability (CVE-2017-5638), a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting the vulnerability on Struts installations that don’t have the update installed yet. There are (at least) two working exploits publicly available, making it relatively simple to take control of web servers in a wide variety of industries.
Posted in Software Architecture and Design | Comments Off on Critical vulnerability CVE-2017-5638 attacks escalating
“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises.” Oege de Moor, CEO and founder of Semmle.
Posted in Open Source Security, Software Architecture and Design | Comments Off on “Easy” to hack Apache Struts vulnerability CVE-2017-9805
Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.
Posted in Healthcare Security, Medical Device Security | Comments Off on 6 recommendations for healthcare cybersecurity
Black Duck (now Synopsys) held its inaugural European user conference this month in Amsterdam. Turnout was great, with almost 100 representatives from European businesses attending our training and presentations. I was privileged to lead a panel discussion on the security implications of open source in connected cars. Gordon Haff, Technology Evangelist at Red Hat, and Simon Gutteridge, Global Information Security Manager at TomTom, joined me to explore the topic.
Posted in Automotive Security, General | Comments Off on 4 risks in connected cars
Many people know Black Duck from our security and software license compliance business. However, we also have a very strong On-Demand business. Our On-Demand business performs one-time audits of software, typically as part of due diligence in an M&A transaction. In these engagements, the entities acquiring a software company will “Black Duck” the codebase of the target company to confirm that the code is not hampered by restrictive licenses or unacceptable security risk.
Posted in Open Source Security, Webinars | Comments Off on Commercial application security: 6 facts you didn’t know
In my previous post, I wrote about a simple process for triaging vulnerabilities across applications. Once you have the issues prioritized, the vulnerability remediation process is pretty straightforward. You don’t have a lot of options; either remediate the issue, ignore it, or apply other measures (compensating controls) to mitigate the risk posed by the vulnerability.
Posted in Developer Enablement, Open Source Security | Comments Off on Vulnerability remediation: You only have 4 options
Security testing tools can help organizations build better software by identifying vulnerabilities early in the SDLC. For security professionals and developers, however, the hard work begins when the testing is complete. Once you have a list of vulnerabilities across multiple applications, what’s your next step in vulnerability management and triage? And how do you ensure that you maximize your remediation efforts?
Posted in Open Source Security, Software Architecture and Design | Comments Off on Vulnerability management and triage in 3 steps