Software Integrity Blog

Author Archive

Robert Vamosi



Posts by Robert Vamosi:

 

US Congress investigates Juniper software flaw

On Wednesday, a tech-savvy member of the U.S. Congress criticized a no-show by Juniper Networks executives at a hearing exploring whether any government data was stolen as a result of a software flaw first disclosed last December.

Continue Reading...

Posted in General

 

FCC to investigate SS7 mobile phone vulnerabilities

On Wednesday, the Federal Communications Commission (FCC) announced it would investigate cellular carriers' continued use of legacy mobile phone signaling technology (SS7) that is vulnerable to attack.

Continue Reading...

Posted in Mobile Application Security

 

Podcast: Securing the supply chain through procurement language, Part 1

Procurement language for software: the concept of holding a vendor contractually liable for the statements it makes about the quality, reliability and, most of all, security of the software it provides. Many industries have specific hardware procurement requirements for parts introduced into their supply chains, but what about software? Until recently, there has not been real pressure to have supply chain software vendors attest to the validity of their wares. But with the introduction of software into automobiles, television sets, and medical devices, software integrity has taken on greater meaning.

Continue Reading...

Posted in Medical Device Security

 

PCI DSS v3.2 to require more software testing

The PCI Security Standards Council (SSC) will soon release version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS), and, based on a preview, it is expected to require more testing of payment system software.

Continue Reading...

Posted in Security Standards and Compliance

 

School libraries vulnerable to ransomware

Over 3 million Internet-accessible servers, including those used in school libraries, are vulnerable to a new strain of ransomware that encrypts data on servers until a fee, usually in bitcoin, is paid, according to a Talos blog post from Cisco.

Continue Reading...

Posted in Uncategorized

 

Connected trucks could pave the way for autonomous cars

On Thursday, representatives from the Netherlands will meet with the EU in Rotterdam to define potential changes to legislation to make self-driving cars a reality in Europe. This comes at the end of a successful trial where a platoon of trucks was connected over Wi-Fi, with the first vehicle determining the speed and route of the trucks.

Continue Reading...

Posted in Automotive Security

 

Report finds criminal use of zero days doubled in 2015

The latest edition of the Symantec Internet Security Threat Report finds that the use of zero days, software flaws previously unknown to the software vendor, more than doubled in 2015 over the previous year: a 125 percent increase. Or, as Symantec phrased it on its web site, that's a new zero-day vulnerability found every week (on average) in 2015.

Continue Reading...

Posted in Software Architecture and Design

 

Open Source Vulnerability Database suspends operation

The Open Source Vulnerability Database is no more.

Continue Reading...

Posted in Open Source Security, Software Architecture and Design

 

Podcast: Rauli Kaksonen on discovering Heartbleed

It’s been two years since a critical vulnerability, CVE-2014-0160, better known as Heartbleed, was first disclosed. The flaw, found in certain older versions of OpenSSL, was a missing bounds check in the handling of TLS Heartbeat Extension packets; the Heartbeat protocol exists to let one endpoint confirm that the other is still alive on an encrypted connection between a client and a server. Because the server copied as many bytes into its reply as the attacker's packet claimed, rather than as many as actually arrived, a single request could return up to 64 KB of adjacent process memory. It affected hundreds of thousands of popular websites, and the leaked memory could contain session data, passphrases and private encryption keys.
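The length mismatch described above, reduced to a few dozen lines. This is an added example written for this page, not OpenSSL's code and not from the podcast: the record layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding), and the two length checks in `heartbeat_fixed` mirror the ones the OpenSSL patch added, but the function names, the `struct record` type and the constructed `heap` buffer with a fake key next to the record are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3      /* 1-byte type + 2-byte payload_length */
#define HB_PADDING   16     /* RFC 6520 minimum padding */

/* A received TLS record: pointer into the receive buffer plus its real length. */
struct record { const unsigned char *data; size_t length; };

/* Vulnerable shape: trusts payload_length from the wire. Returns the number of
 * payload bytes echoed into `out`, or -1 if the request was rejected. */
static int heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];  /* attacker-controlled */
    p += 2;
    if (hbtype != HB_REQUEST || out_cap < HB_HDR + payload + HB_PADDING)
        return -1;                         /* keeps the *write* in bounds; the bug is the read */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, p, payload);      /* reads past rec->length when payload is a lie */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)payload;
}

/* Fixed shape: check the record length before and after reading payload_length. */
static int heartbeat_fixed(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype;
    unsigned int payload;
    if (rec->length < HB_HDR + HB_PADDING)
        return -1;                         /* too short to hold even an empty heartbeat */
    hbtype = *p++;
    payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (HB_HDR + payload + HB_PADDING > rec->length)
        return -1;                         /* the missing bounds check: discard silently */
    if (hbtype != HB_REQUEST || out_cap < HB_HDR + payload + HB_PADDING)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, p, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)payload;
}

/* Constructed process memory: a 20-byte heartbeat record (type, length, one real
 * payload byte, 16 bytes of padding) followed by a secret that happens to sit next to it. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";
static unsigned char heap[128];

static struct record make_request(unsigned int claimed_len)
{
    struct record rec;
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    heap[3] = 'A';                          /* the one real payload byte; heap[4..19] is padding */
    memcpy(heap + 20, SECRET, sizeof SECRET);   /* neighbour in memory, never sent */
    rec.data = heap;
    rec.length = 20;                        /* what actually arrived on the wire */
    return rec;
}

/* Returns 1 if the vulnerable handler's reply carries the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char reply[128];
    struct record rec = make_request(64);   /* claims 64 bytes, sends 1 */
    if (heartbeat_vulnerable(&rec, reply, sizeof reply) != 64)
        return 0;
    /* reply payload mirrors heap[3..67); SECRET starts at heap[20] = reply[3 + 17] */
    return memcmp(reply + HB_HDR + 17, SECRET, strlen(SECRET)) == 0;
}

/* Fixed handler on the same lying request: expect -1 (dropped). */
int fixed_rejects_oversized(void)
{
    unsigned char reply[128];
    struct record rec = make_request(64);
    return heartbeat_fixed(&rec, reply, sizeof reply);
}

/* Fixed handler on an honest 1-byte heartbeat: expect 1 (echoed). */
int fixed_accepts_honest(void)
{
    unsigned char reply[128];
    struct record rec = make_request(1);
    return heartbeat_fixed(&rec, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed accepts honest:    %d\n", fixed_accepts_honest());
    return 0;
}
```

The model keeps the over-read inside the constructed `heap` array so it runs deterministically; in the real bug the same `memcpy` walked off the end of the received record into whatever the OpenSSL heap held nearby, which is why a client could repeat the request until a key or session cookie came back. Note that the vulnerable path already bounds the write into its own reply buffer; the missing check is on the read side, against the length of the record that actually arrived.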

Continue Reading...

Posted in Open Source Security, Software Architecture and Design

 

2 years later, 200K+ IP addresses remain vulnerable to Heartbleed

The numbers aren’t impressive. In the first month after the Heartbleed vulnerability was disclosed in April 2014, nearly 300,000 IP addresses patched their systems. But over the course of the next 22 months, only one-third of the remaining vulnerable systems were patched. That means roughly 200,000 IP addresses remain vulnerable worldwide today.

Continue Reading...

Posted in Open Source Security, Web Application Security