Tag: application security

Security Experts call for Action on Connected Auto Safety

A non-profit group that represents prominent computer security researchers has issued an open letter to the automotive industry calling for more collaboration on cyber security issues. The group, I Am The Cavalry said the automotive industry needs to elevate cyber security to put it on par with other vehicle safety issues. The announcement, on Friday at DEF CON 22 in Las Vegas – an annual hacker conference – included a letter to CEOs in the automotive industry, calling for the adoption of “five key capabilities that create a baseline for safety relating to the computer systems in cars.” The letter asks for safety to be built into the design of computer systems in vehicles. “Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood,” the group said. “Modern cars are computers […]

FAKEID Logo

Old Apache Code at Root of Android FakeID Mess

A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security. The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.

Core Infrastructure Initiative Logo

Heartbleed Prompts Fiscal Lifeline For Open Source

One of the most powerful (and substantive) realizations to come out of the news about the ‘Heartbleed’ OpenSSL vulnerability was that open source projects need help and attention from the tech community that relies on their fruits. I’ve written about this before – noting Apple’s reluctance to put some of its considerable cash hoard towards supporting open source projects it relies on (like the Apache Software Foundation), as have others. [Read Security Ledger’s coverage of the Heartbleed vulnerability here.]   Now that idea appears to have taken root. On Thursday, the Linux Foundation announced the creation of the Core Infrastructure Initiative, a multi-million dollar project to fund open source projects that are in the critical path for core computing functions. The CII group has some substantial backing. Google, Cisco, Microsoft, Facebook, Amazon, IBM, Intel, Samsung, Fujitsu and VMWare all signed on to the CII Steering Committee. (Surprising (or not): Apple was not one of the firms supporting […]

google_Parametron

Google Will Use Cash To Clean Up Open Source

The widespread use of vulnerable or buggy third party code is serious problem facing public and private sector organizations, alike. Just this week, for example, The Wall Street Journal reported that an independent audit of Healthcare.gov, the star-crossed Federal Government website that is the primary health exchange in more than 30 states, is choking on poorly integrated or extraneous code that “served no purpose they could identify.” But what happens when the third-party code in question is open source code? Things get more complex. For one thing: open source is the salt and pepper of the software world: a common ingredient in applications of all sorts. And, as security researchers have noted: many of the so-called “smart devices” that are populating the physical world run variants of Linux, the open source operating system. But because those source code repositories are managed cooperatively and collectively by volunteers, security often takes a […]

healthcare dot gov

Health Exchanges Need A Fail Whale

In a blog post on Veracode’s blog today, I write about the problems encountered at government-run online health exchanges that were intended to connect millions to private insurance plans under the Affordable Care Act. The exchanges opened to the public on Tuesday, and they got off to a rocky start, with reports of web sites paralyzed as millions of uninsured Americans logged on to sign up for subsidized health insurance. In some cases, the problems appear to have been caused by “external factors.” New York State’s online health exchange was felled by the weight of more than 10 million requests of dubious origin, The New York Post reported. But other exchanges, including Healthcare.gov the federal government’s main health insurance storefront, which is used by residents or more than half of the states, were victims of their own success: overwhelmed when the doors swung open and millions of eager customers poured […]