Vulnerabilities


Code Tutorials Spread Application Flaws Far and Wide

In-brief: Researchers at universities in Germany, working with the security firm Trend Micro, discovered more than 100 vulnerabilities in GitHub code repositories simply by looking for re-used code from tutorials and other free code samples. The same method could be harnessed by cyber criminals or other sophisticated attackers to find and exploit vulnerabilities in software applications, the researchers warned.

A warning letter from the FDA to St. Jude Medical said the firm ignored warnings that its implantable medical devices and related software were vulnerable to hacking or unexpected failure.

Update: FDA says St. Jude Medical knew about Device Flaws 2 Years Before Muddy Waters Report

In-brief: In a damning report, the FDA said that St. Jude Medical* knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices. (Editor’s note: updated to include a statement from Abbott and comment from Dr. Kevin Fu. – PFR April 14, 2017)

A flaw in Broadcom WiFi system on chip (SOC) components affects many different types of phones.

WiFi Chip Flaw in iPhone is Really Bad News for IoT

In-brief: A remotely exploitable flaw in a common hardware component used in phones by Apple, Samsung and others underscores the risk posed by software embedded in system on chip components that are found in almost every connected device, experts warn.

Insecure network attached storage devices are the common thread in a string of data breaches, including the recent leak of US Air Force personnel files, security experts say.

NAS Holes: Air Force Data Leak the Tip of Very Large Iceberg

In-brief: The recently disclosed trove of personnel files leaked by a US Air Force officer is one piece of a much larger phenomenon: exposed, vulnerable and Internet-connected network attached storage (or NAS) devices chock full of gigabytes of sensitive data.

The tactics of cyber criminal hacking crews are indistinguishable from those of sophisticated, state sponsored "advanced persistent threat" groups, the firm FireEye said in its most recent M-Trends report.

Report: Hacking Crews are all APT now

In-brief: The tactics of cyber criminal hacking crews are indistinguishable from those of sophisticated, state sponsored "advanced persistent threat" groups, the firm FireEye said in its most recent M-Trends report.