We wind up the month of August with stories on the latest Apache Struts hack—bad news, if you remember Equifax—and what you need to do now to protect yourself. Plus news on plane, ATM, and even water heater hacks, and a primer on what to look for in SAST, DAST, IAST, and RASP tools.
Stay aware of the latest software security news at the Synopsys Software Integrity blog.
via The Hacker News: The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. … Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible.
via Help Net Security: A critical remote code execution vulnerability (CVE-2018-11776) in Apache Struts, the popular open source framework for developing Java-based web apps, could allow remote attackers to run malicious code on the affected servers. … Tim Mackey, technology evangelist at Synopsys, noted that in identifying CVE-2018-11776, the researcher looked at prior remote code execution vulnerabilities within Struts to determine if there was a coding pattern which lead to them.
via Synopsys: Application security tools can complement one another and help you secure your applications in each stage of the software development life cycle (SDLC) and beyond. Here’s a quick overview of SAST, IAST, DAST, and RASP and what you should look for when choosing these application security testing tools.
via Forbes: Hacking an aircraft is easier than you might think. Last year, a Department of Homeland Security (DHS) official admitted that he and his team of experts remotely hacked into a Boeing 757. … According to Nitha Suresh, a cybersecurity consultant at Synopsys, the surveillance signal used to broadcast the position of aircraft can potentially be eavesdropped or spoofed by highly skilled attackers.
via Computer Weekly: Cyber criminals are planning to withdraw millions in cash from automatic teller machines (ATMs) around the world in a coordinated campaign, the FBI has said in a confidential alert to banks.
via The Washington Post: “Def Con hackers easily burst into voting machines.” “An 11-year-old changed election results on a Florida state website in under 10 minutes.” “Hacking the U.S. midterms? It’s child’s play.” Those were some of the headlines from this year’s Def Con computer security conference in Las Vegas, where youth and adult hackers had little trouble rooting out flaws in voting equipment and cracking into mock state election websites. But there was one exercise that stumped them: They couldn’t seem to break into a replica of a heavily protected voter registration database.
via The Irish Sun: Reddit has announced a major security breach that’s left user details exposed—but what exactly was lost? We reveal the inner workings of the hack, and explain how you might be at risk, and what you should do next. … “Attackers use this information in a few ways,” said Travis Biehn, technical strategist at Synopsys. “First up, they’ll try account name and password pairs on other websites, exchanges, banks and so on.”
via Electronics Weekly: Synopsys has announced availability of a new Seeker release, an interactive application security testing (IAST) solution redesigned to enable DevSecOps and continuous delivery of secure web applications. Seeker integrates into CI/CD pipelines and monitors web applications during preproduction testing cycles. It claims to be the only application security solution that detects and automatically verifies whether vulnerabilities are exploitable, providing developers with accurate, actionable information in real time.
via WIRED: One group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters. Lots of them.