In-brief: Carnegie Mellon’s CERT issued a warning that many certificate authorities continue to issue domain certificates with no more proof than the right e-mail address. Updated to include comment from GlobalSign. Paul 3/27/2015
application
Ghost Vulnerability Replays Third Party Code Woes
In-brief: The security firm Qualys is warning of a serious and remotely exploitable vulnerability in a function of the GNU C Library (glibc) known as gethostbyname. The security hole raises more questions about dangers lurking in legacy, open source software.
Cat and Mouse: Web Attacks Increasingly Sidestep WAF Protections
Recently, the Akamai Threat Research Team unveiled a unique distributed brute force attack campaign targeting nearly five hundred WordPress applications. What’s interesting about this campaign? It clearly demonstrates how Web attackers are becoming more sophisticated, attempting to evade security controls – specifically Web Application Firewalls (WAFs) and rate control protections. A Short Primer to Brute-Force Attacks Brute force Web attackers attempt to gain privileged access to a Web application by sending a very large set of login attempts, within a short period of time. Using volumetric single source of attack is easily mitigated by blacklisting. Today’s brute force attacks are typically characterized by volumetric attacks coming from distributed IPs. In this way, if the attacker’s source IP is detected, they can still continue with the attack campaign by switching a source IP. As part of this cat-and-mouse evolution, WAFs are enhanced with several rate control measures that detect and block […]
Please Apply Our 10 Year-Old Patch: The Dismal State of Embedded Device Security
On Friday, the firm Allegro Software of Boxborough, Massachusetts, released an odd-sounding statement encouraging all its customers to “maintain firmware for highest level of embedded device security.” Specifically, Allegro wanted to warn customers about the need to apply a software update to address two recently discovered vulnerabilities affecting its Rom Pager embedded web server: CVE-2014-9222 and CVE-2014-9223, collectively known as the “Misfortune Cookie” vulnerabilities. That patch in question was released almost ten years ago – in 2005. As reported widely last week, the vulnerabilities affecting the Rom Pager software can be found in some 12 million broadband routers by manufacturers including Linksys, D-Link, Huawei, TP-Link, ZTE and Edimax. In short: some of the most common sellers of broadband routers in the world. The security firm CheckPoint discovered the vulnerabilities and issued a report about them. (The report web site is here and a PDF format report is here.) According to CheckPoint, the Misfortune Cookie vulnerability has to […]
Strategies for Securing Agile Development: An Online Conversation
There’s no question that agile development methods, which emphasize collaboration and shorter, iterative development cycles, are ascendant. Many factors contribute to agile’s growing popularity, from constrained budgets to increased user demands for features and accountability. Though traditionally associated with small and nimble software and services startups, agile methodology has been embraced by organizations across industry verticals – many (like John Deere) whose name doesn’t scream “app store” or “Silicon Valley Startup.” But if agile is here to stay, a nagging question is how to pivot to agile’s fast-paced and iterative release schedules without skimping on important areas like code security. After all, the conventional wisdom is that security slows things down: imposing time- and labor intensive code audits and testing on the otherwise results-driven development cycle. Fortunately, agile and secure development aren’t mutually exclusive. Tomorrow (Thursday), the Security Ledger and Veracode will collaborate on a Hangout and discussion of how to build, automate and deliver secure software using the agile […]
