web applications

Whack-A-Bash: New Vulnerabilities add to Patch Confusion

The good news about the rapid industry response to the revelations about exploitable security holes in GNU Bash (the Bourne Again Shell), aka “Shellshock,” is that Linux users had a fix in hand almost as soon as they became aware of the problem those patches addressed. The bad news about the quick fixes for the two issues, CVE-2014-6271 and CVE-2014-7169, from the likes of Red Hat, Ubuntu, Debian and others is that, in being early, they fail to fix the problems we don’t yet know about. And that’s what we’re seeing in the wake of last week’s storm of patches: a steady drip-drip of disclosures that suggest that Bash may contain other problems worthy of new fixes. Within hours of the disclosure of the first holes, Red Hat Product Security researcher Todd Sabin found additional “off by one” errors in Bash that were assigned CVE-2014-7186 and CVE-2014-7187 and […]
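With several Bash patches landing in quick succession, the practical question is whether the bash actually installed on a host is still exposed to the two original bugs. The script below is an added example, not code from the article or from any of the vendors named above: it runs the widely published probe strings for CVE-2014-6271 and CVE-2014-7169 against a bash binary and reports “patched” or “vulnerable” for each. The command-line argument naming the binary, the output labels and the helper names are this example’s own conventions.

```shell
#!/bin/sh
# Added example (not from the article): probe a bash binary for the two
# original Shellshock bugs using the widely published test strings.
# Assumption: the binary to test is passed as $1 and defaults to "bash".

# CVE-2014-6271: bash imported exported functions from the environment and
# kept parsing past the function body, so trailing commands ran on startup.
check_6271() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c ':' 2>/dev/null) || true
    case $out in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug; the public probe makes a
# vulnerable bash treat the dangling '>' as a redirection, so "echo date"
# runs `date` with its output written to a file named "echo" in the cwd.
# The probe is run inside a throwaway directory so the side effect is contained.
check_7169() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    dir=$(mktemp -d) || { echo error; return 1; }
    ( cd "$dir" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# Run both probes against the bash on PATH (or the binary given as $1).
main() {
    echo "CVE-2014-6271: $(check_6271 "$1")"
    echo "CVE-2014-7169: $(check_7169 "$1")"
}

main "$@"
```

Run it as `sh shellshock-probe.sh /bin/bash` (or with no argument to test the bash on PATH). A “patched” result here says nothing about CVE-2014-7186 and CVE-2014-7187, which have no equally simple one-line probe; for those, rely on your distribution’s package version rather than on this script.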

Cisco Updates ASA Security Appliance To Tackle Zero Day Malware

We’re used to writing about all the things that are changing in the security field: the onslaught of mobile devices and connected ‘stuff,’ the advent of ‘advanced’ and ‘persistent’ adversaries, the destruction of the network perimeter. But all this talk about change can obscure the fact that so much has not changed. Companies still maintain perimeters, after all, and they rely on nuts-and-bolts technologies to defend them. But these days, those products need to do more – especially in the area of ‘advanced threats’ that are likely to slip past traditional antivirus and IDS products. Enter Cisco Systems, which on Tuesday announced a new version of its ‘next generation firewall’: the Cisco ASA (Adaptive Security Appliance) with FirePOWER Services. The appliance is the first to make full use of technology from Cisco’s acquisition of Sourcefire last year. Specifically, the latest ASA integrates Sourcefire’s Advanced Malware Protection (or AMP) technology, which gives the […]

Tesla Looks to Build Out Internal Hacking Team | Car and Driver Blog

Car and Driver has an interesting news item today on Tesla’s continuing efforts to build an internal team of software hackers to shore up the security of its connected cars. C&D reports that Tesla is looking to hire up to 30 full-time employees from the hacking community, and used the recent DEFCON hacking conference in Las Vegas to recruit talented software hackers, reverse engineers and the assorted polymaths who attend. Tesla gave out tokens that could be exchanged for a tour of the Tesla factory at the show. “Our security team is focused on advancing technology to secure connected cars, setting new standards for security, and creating new capabilities for connected cars that don’t currently exist in the automotive industry,” Tesla spokeswoman Liz Jarvis-Shean told C&D. California-based Tesla has already been making the rounds of security conferences. It also made headlines for hiring Kristin Paget, a well-respected hardware hacker […]

Micro Survey of Smart Home Devices Finds Much To Fault

Larry Dignan over at ZDNet is writing about a new survey by HP’s Fortify application security division that finds 70 percent of Internet of Things devices have exploitable software vulnerabilities. Some caveats: HP bases its conclusions on scans of “10 of the most popular Internet of Things devices.” That’s a very small sample size that could (greatly) skew the results one way or the other. So take this with a grain of salt. You can download the full survey here. (PDF) According to Dignan, HP found 25 vulnerabilities per device, on average. Audited devices included TVs, webcams, thermostats, remote power outlets, sprinklers, door locks, home alarms, scales and garage openers. One of each, from the sound of it. The findings, assessed against the OWASP Internet of Things Top 10 list and its vulnerability categories, account for the devices as well as cloud and […]

Researchers Warn Of Flaws In Popular Password Managers

Researchers from the University of California, Berkeley have published a paper describing security holes in five web-based password managers, including LastPass, My1login and RoboForm. According to the paper (PDF), four out of the five password managers inadvertently leaked a user’s credentials for stored web sites due to all-too-common web security flaws like Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). The researchers, Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song, all of the University of California, Berkeley, said that they disclosed the holes to the affected firms in August of last year and that all but one of them, NeedMyPassword, have since patched the vulnerabilities. Every password manager tested was found to contain at least one of a short list of security problems. Either it was vulnerable to classic web-based holes (like XSS), or it was found to be susceptible to user interface-focused attacks, like […]