We took the opportunity at RSA Conference last month to survey our booth visitors about their organizations’ application security programs. We’ve sponsored and conducted a number of surveys on topics ranging from DevSecOps to open source security to medical device security, but there’s something about collecting feedback from conference attendees in person that really hits home—a glimpse into security IRL, if you will.

Taking a look at security IRL

Most attendees (78%) reported direct roles in cybersecurity, risk management or software engineering, representing a wide range of industries. Some of the findings were far from unexpected. For example, 40% of respondents cited a lack of skilled security professionals as the biggest challenge in implementing their application security programs. We also found that a startling number of respondents didn’t even know whether their organizations were the target of a cyber attack in the last two years.
Security researcher Robert Wiggins recently uncovered a serious security issue in the TeenSafe “secure” monitoring product for Android and iOS platforms.
Maybe you could call it two-factor fakery.
Posted in Data Breach: Office 365 email protection gets blindsided
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Weekly Security Mashup episode.
The 2018 Verizon Data Breach Investigations Report (DBIR)—the 11th annual exhaustive collection of good advice and (mostly) bad news—which dropped a couple of weeks ago, doesn’t contain any major surprises about the state of online security.
It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from 7.ai. The 7.ai breach then expanded to include Kmart and Best Buy a few days later.
Facebook has extended their long-running bug bounty program to include data misuse by third-party application providers.
Posted in Data Breach: Data misuse is a first-class security concern
The city of Atlanta has become one of the latest victims of a ransomware attack. The attack is believed to be the result of the SamSam malware that has compromised various healthcare, government, and educational systems over the past several years.

Is SamSam malware responsible?

This malware initially targeted a remote code execution vulnerability in JBoss web servers, but it has also been known to target exposed RDP and FTP services. If we continue with the assumption that the SamSam malware is responsible for locking down Atlanta’s IT systems, what could have been done to prevent such an attack, and what are some of the hurdles an organization may encounter?

Is a simple patch the solution?

If the ransomware attack originated from the original flavor of SamSam, which targets vulnerable JBoss servers, the first solution is to patch to a nonvulnerable version of JBoss. While this may sound easy in theory, it often becomes difficult in practice.
Posted in Data Breach: What you should know about the recent Atlanta ransomware attack
Yet another cyber attack on a critical infrastructure installation ought to send yet another warning to operators of industrial control systems (ICS) that it is long past time to, as they say, harden their defenses.