In this Spotlight Podcast*, Philippe Courtot of the firm Qualys discusses being an early innovator in the software as a service space and how the market for cloud based security services has evolved since he launched his firm, Qualys, almost two decades ago.
In-brief: The security firm Qualys is warning of a serious and remotely exploitable vulnerability in a function of the GNU C Library (glibc) known as gethostbyname. The security hole raises more questions about dangers lurking in legacy, open source software.
On Thursday, I will chair an excellent discussion of security and the Internet of Things at the Qualys Security Conference (QSC) in Las Vegas. The discussion has the working title “Refrigerator Spam and Other Tall Tales: Assessing the Real Internet of Things Risk for Your Organization.“ As the title suggests, we’ll be disclaiming the FUD (fear, uncertainty and doubt) that surrounds much of the IoT and security space, while also highlighting the real risks that more and diverse connected devices pose to enterprises. I’ll be joined on stage by some truly exceptional minds. Among them: Danny McPherson, the Senior Vice President and Chief Security Officer at Verisign and Jonathan Trull, Chief Information Security Officer, Qualys. (Jon was our guest at the first Security Ledger/Invincea CISO hangout last week.). On stage with us will be Chris Rezendes, the President of INEX Advisors and one of our moderators at The Security of Things Forum. We’ll also be joined […]
A common time clock that is used by companies and government agencies, including the Transportation Security Administration (TSA) contains pre-programmed “back door” user accounts that could allow malicious attackers to gain access to sensitive networks, according to research by a security researcher at Qualys Inc. Speaking before an audience at the Black Hat Briefings in Las Vegas on Wednesday, Billy Rios, the Director of Threat Intelligence at Qualys Inc., revealed research on the Kronos 4500, a “time and attendance” product (aka time clock) that employees use to ‘punch in’ and ‘punch out’ from work. Rios said that an in-depth analysis of the Kronos equipment and the software that it runs revealed two types of backdoor accounts (user names and passwords) that will provide access to any deployed 4500 device. The accounts are particularly worrying because some vulnerable devices can be discovered using Internet searches, and because TSA is known to use Kronos attendance […]
The SANS Internet Storm Center dialed down the panic on Monday, resetting the Infocon to “Green” and citing the increased awareness of the critical OpenSSL vulnerability known as Heartbleed as the reason. Still, the drumbeat of news about a serious vulnerability in the OpenSSL encryption software continued this week. Among the large-font headlines: tens of millions of Android mobile devices running version 4.1 of that mobile operating system (or “Jelly Bean”) use a vulnerable version of the OpenSSL software. Also: more infrastructure and web application players announced patches to address the Heartbleed vulnerability. They include virtualization software vendor VMWare, as well as cloud-based file sharing service Box. If history is any guide: at some point in the next week or two, the drumbeat will soften and, eventually, go silent or nearly so. But that hardly means the Heartbleed problem has gone away. In fact, if Heartbleed follows the same […]
