STE WILLIAMS

Behind the Scenes at ICS Village

ICS Village co-founder Bryson Bort reveals plans for research-dedicated events that team independent researchers, critical infrastructure owners, and government specialists.

Independent researchers and critical infrastructure owners came together in a small village at the Ballys Convention Center last week to share their knowledge and test their skills. In a conversation with Bryson Bort, founder and CEO of Scythe and co-founder of the ICS Village, Dark Reading heard how the federal government hopes to leverage the combination of skills that were on display at DEF CON and why rapid changes in infrastructure control are having a big impact on industrial control system (ICS) security.

“Thirty years ago, power only went one way,” Bort said. “Now, with renewables, we have a two-way street of power.” Controlling this two-way flow requires that computers manage the edge of the electrical grid, he pointed out, adding that electric automobiles make the control more complicated and more dangerous.

“Electric car infrastructure is driving a completely different problem where we’re now talking voltages that you don’t see in residential,” he said. “These are really high voltages. I think Porsche’s Taycan is coming out next year, and they’re going for, like, 800 volts.”

Bort said changes in requirements were part of why he ended up at the Department of Homeland Security talking about bringing the knowledge and skills held by DEF CON attendees to government agencies and critical infrastructure owners. “We’re trying to bring those parties together to change the old perspective of, ‘Hey, it’s just a bunch of dirty hackers who are trying to break things for bad reasons,'” Bort said.

As a result of those conversations, the ICS Village is in the early stages of planning dedicated events at conferences next year to join independent researchers, critical infrastructure owners, and government specialists. The idea is that the assembled teams will do real research under guidelines for ethical disclosure to the benefit of the industry, Bort said.

Asked whether protecting critical infrastructure and manufacturing capabilities from enemy nation-states is the goal of the ICS Village, Bort demurred. “What we’ve seen so far is that there are no real direct attacks on our infrastructure,” he said. “Wildlife causes far more outages and disruptions than any intentional human being has done so far.”

Still, Bort said, many “operations” are going on in and around critical infrastructure every day. He described these as intelligence operations in which malicious actors get into a system, see how far they can go, and understand precisely what the defensive response is.

“I believe they are trying to establish those levers so that whenever things do rise to some tension level where we’re really talking ‘kinetic on kinetic,’ one of the other things they have in their quiver now is to pull some levers and cause some damage [to the US],” he said.

But the greatest deterrent to a proactive attack against US infrastructure can’t be found in any DEF CON village, Bort said. Should someone launch an attack, the former Army officer said, “The response that we’re going to have is not going to be wagging a finger or debating red lines. We’re going to go back and bomb you.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/iot/behind-the-scenes-at-ics-village/d/d-id/1335540?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Beat the Heat: Dark Reading Caption Contest Winners

Phishing, token codes, training, MFA, polluted data entry, and whales. And the winners are …

Michael Edwards, senior cybersecurity engineer at Raytheon, aka syekim13, earns the top honor and a $25 Amazon gift card for his clever caption contest entry penned below:

Coming in a close second is Cindy Hudson with “Attention! Whaling Alert! Whaling Alert! Whaling attempt spotted in the CEO’s email.” Cindy, aka camerobabe, is an IT security manager at Air Force Directory Services. Her second-place caption entry won her a $10 Amazon gift card.

Finally, many thanks to everyone who entered the contest and to our loyal readers who cheered the contestants on. Also, a shout out to our judges, John Klossner and the Dark Reading editorial team: Tim Wilson, Kelly Jackson Higgins, Sara Peters, Kelly Sheridan, Curtis Franklin, Jim Donahue, Gayle Kesten, and yours truly.

If you haven’t had a chance to read all the entries, be sure to check them out today.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: https://www.darkreading.com/endpoint/beat-the-heat-dark-reading-caption-contest-winners/a/d-id/1335510?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

European Central Bank Website Hit by Malware Attack

The website was infected with malware that stole information on subscribers to a bank newsletter.

A European Central Bank (ECB) website is offline after attackers inserted malicious code that could have stolen the names, titles, and email addresses of subscribers to one of its industry newsletters.

According to ECB officials, the website for the Banks’ Integrated Reporting Dictionary (BIRD), which publishes information useful to those preparing regulatory and statistical reports, was infected in December 2018. The infection was discovered this week during site maintenance.

The ECB reports that BIRD is hosted by a third party and that no market-sensitive data or internal ECB systems were affected. The bank is in the process of contacting all individuals whose information might have been stolen in the attack.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/european-central-bank-website-hit-by-malware-attack/d/d-id/1335544?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security? We’ve heard of it! But why be a party pooper when there’s printing to be done

On Call With the gateway to the weekend upon us, it is time to crack open the On Call files once again to enjoy a tale from one of those brave engineers at the front line of the tech world.

Today’s story is from a reader we’ll call “Sven” and, for a change, is almost an anti-on call since it concerns what can happen when the all-important company mobile is turned off.

Sven’s tale begins innocuously enough: “I was working for a contractor that was developing van-tracking software for a well-known cash delivery company.”

Unfortunately, “one of the base units being used for software development went missing”.

Naturally, a miscreant could get up to all manner of mischief with such a device and, since this all took place around 30 years ago, security was not quite what it is now.

There was, said Sven, “mass panic and new security measures were introduced”.

“Everybody had an expensive £300 lock fitted to their office door that required a five-digit code to open.

“We were all told to input a code for our office and not to write it down or tell anybody.”

So far, so good. We’ve all experienced the knee-jerk reaction when something bad happens and, to be fair, one would have expected a firm writing software for cash-delivery trucks to have already had things pretty well locked down.


Better late than never. However, this is not the end of the story.

The week after, the office manager, a chap we’ll call “Bill” (because we have watched Office Space far too many times) was hosting a birthday party for his daughter and, according to Sven, “he takes 100 pictures with his new company-supplied digital camera”.

Rashly, he “promises all the kids that he will print the pictures so they can have a copy”.

While digital cameras may have been rare back then, photo-quality printers were also expensive beasts. However, the manager had a plan. “He turns up at the office on Sunday morning to use company property to fulfill his extravagant promises…”

Alas, “the photo-grade printer which was on a wheeled cart has been wheeled into someone’s office”.

And, of course, all the offices now had those fancy new keypads.

Not to worry! On-call will come to the rescue! Except, in those halcyon days, people used to take weekends off and “our colleague used to turn his company-provided mobile off on weekends”.

If you’d thought that the manager would take the hint about the snaffling of company property, think again.

“Monday morning, we are all called to a meeting. ‘Bill’ decides he needs control of the equipment and anything else we have in our offices.”

And having learned from his locked-out experience and doubtless keen to avoid disappointing his princess a second time, the chap also demanded all employees change their code to be “2×12=24” or “21224”.

(That, of course, wasn’t the actual code, but you get the idea.)

“I still remember it,” said Sven, “after 30 years.”

Ever had a manager double down on brazen incompetence when a company mobile wasn’t answered? Or maybe you were the one who turned the thing off to enjoy a well-earned weekend? Drop an email into On Call and tell us all about it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/16/on_call/

Police costs for Gatwick drone fiasco double to nearly £900k – and still no one’s been charged

Sussex Police’s probe of the infamous London Gatwick airport drone fiasco of Christmas 2018 has doubled in cost to nearly £900,000 – and the bungling force still hasn’t arrested the person or persons responsible.

So far police in Sussex, where the “London” airport is situated, have splurged an eye-watering £886,210 on trying to track down whoever shut down the UK’s second busiest airport in December.

Reports dating back to March showed the force had spent £419,000 by that date, meaning the cost of the investigation has doubled over the past five months. At the time, local MP Henry Smith described the force’s spending as “shocking”.

The figure was revealed in a Freedom of Information response to Gary Mortimer, editor of drone industry news website sUAS News – along with the revelation that police still haven’t cuffed anyone over the disruption, other than an innocent local couple who were released after a public outcry. The husband, a drone enthusiast, had been at work when the first sightings were called in – yet police ignored multiple witnesses who knew he couldn’t have been flying his drones at the time.

Chief Constable Giles York later doubled down on his employees’ behaviour, refusing to apologise for the wrongful arrests and suggesting the two innocent people should have been grateful to police for not having them “released under investigation”* instead, thus branding them as suspects for potentially years.

Commenting on the cash spent on the Gatwick drone investigation, sUAS News’ Mortimer told The Register: “The police can’t be blamed for the Gatwick drone fiasco; the chain of command that called them out for an alleged incident with no evidence to support it needs to face scrutiny. I believe Gatwick Airport should pay the bill for a false alarm or tell the world what really happened.”

Detective Chief Superintendent Jason Tingley told the media that “it was a possibility that there may not have been any genuine drone activity in the first place” – to the evident horror of his bosses. This also fuelled a large number of theories about what had happened, hadn’t happened and might have happened but had been hushed up.

Between 19 and 21 December 2018, Gatwick Airport was closed to all flights after sightings of small drones being flown near the airport’s southern perimeter. As a precaution, all aircraft movements were halted in case the drones were part of a plot to bring down an airliner.

From those initial sightings the whole thing descended into farce very rapidly. Police eventually confessed that most of the drone sightings after the initial ones were probably caused by them flying their own drone around in a fruitless attempt to spot the rogue craft. Despite tens of thousands of people being stranded at Gatwick and thousands more searching the local area, not one managed to use a smartphone to video anything that looked like a drone flying near the airport.

Sussex Police has desperately wanted public scrutiny of its failings in the Gatwick fiasco to just go away, to the point where the force recently secured the deletion of a YouTube video interview with a senior manager who talked about it.

The Register has asked Sussex Police if it wants to comment on the investigation cost doubling. We’ll update this article if it responds but we’re not holding our breath. ®

Arrest note

* “Released under investigation” is a recent police tactic for evading laws that put them under independent judicial supervision. A few years ago it came to light that police workers were abusing their pre-charge bail powers to keep people under police control for years on end while making no effort to formally close investigations into them. Parliament passed the Policing and Crime Act 2017 to end this abuse, forcing police to answer to the courts for their use of bail.

Scoffing at the new Act, police managers simply created a new internal police procedure that looks and functions exactly like pre-charge bail did before the Policing and Crime Act 2017 – except without the external scrutiny of judges and without any obligation on police to do, well, anything at all.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/16/gatwick_drone_investigation_costs_double_no_arrests/

More Than 20 Data Breaches Reported Per Day in First Half of 2019

But incidents involving SSNs, addresses, birth dates were smaller than in previous years.

If data breach reports evoke a sense of déjà vu these days, it’s only because breaches have almost unfailingly kept increasing in number and becoming bigger in scope quarter after quarter, year in and year out. However, the raw numbers do not always tell the full story.

Risk Based Security’s just-released data breach report for the first six months of this year reveals a total of 3,813 breaches were reported from January 1 through June 30—or on average, more than 20 of them each day.

Combined, the breaches exposed over 4.1 billion records containing Social Security numbers, bank account and payment card information, full names, birthdates, addresses, and other sensitive information. The total number of breaches in the first half of 2019 was 54% higher than during the same period last year, while the number of exposed records was 52% more than 2018.

The data shows that organizations still face too many blind spots in their security operations, says Inga Goddijn, executive vice president at Risk Based Security. “Clearly despite the increased spending, resources are still spread too thin and there are too many holes going unfilled.”

While the broad breach numbers are consistent with patterns in almost every single quarter and six-month period for the past several years, Risk Based Security’s data showed that some things might be changing.

For instance, fewer records were exposed in data breaches involving Social Security numbers, names, birth dates, and addresses—all critical components for identity theft—this year compared to two years ago.

Only 11% of the exposed records during the first half of 2019 were SSNs compared to 22% last year and 27% in 2017. Similarly, just 8% and 11%, respectively, of the breached records involved birth dates and addresses, compared to 13% and 22% last year.

Similarly, for all the heightened concern around breaches caused by third parties, the data shows that in the first-half of this year there were fewer of them compared to the same period over the last five years.

In the first six months of 2019, a total of 137 breaches exposed sensitive third-party data. In comparison, there were 173 such incidents during the same period last year, 151 in 2017 and 169 in 2016. The number of records exposed in the breaches involving third-party data was also less than half of last year, and about one-third that of 2017.

Big Breaches, Big Exposures

The biggest breaches in the first six months of this year included one at Verifications.Io that exposed a mind-numbing 983 million records with all sorts of sensitive information; another at First American Financial Corp that impacted 885 million records; and one at an unknown organization that leaked personally identifiable information on some 275 million Indian citizens.

Just eight such mega-breaches accounted for 3.2 billion, or 78.6%, of the total number of records that were compromised in the first half of this year. More than seven in 10 (70.5%) of the breaches exposed email addresses, and 64.2% exposed passwords — a sign of the high level of attacker interest in obtaining credentials for use in future malicious activities such as credential stuffing.

There were far fewer Web breaches (162) than there were incidents of unauthorized access to systems and services by external hackers (3,128). Yet, Web breaches were responsible for more than 80%, or 3.3 billion, of the records that were exposed in the first half of 2019.

As has been the case for some time, organizations in the healthcare, retail, finance, and IT sectors reported significantly more data breaches than firms in almost every other industry.

“Perfect security is impossible,” Goddijn says. But taking a more risk-focused approach to cybersecurity can help organizations address critical gaps, she says. That includes having a good handle on your most critical assets and knowing where your sensitive data resides, Goddijn notes. “It also includes leveraging high-quality data in order to understand where the weak spots are in order to make more informed decisions about how to address those spots.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/more-than-20-data-breaches-reported-per-day-in-first-half-of-2019/d/d-id/1335538?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Firefox fixes “master password” security bypass bug

Firefox just pushed out an update to fix a security glitch…

…in its password manager.

Mozilla delivers a new major version every six weeks on what we jocularly call fortytwosday, given that it always comes out on a Tuesday (and that 6 × 7 = 42).

Point releases, mainly to fix security issues, often come out between the main fortytwosday versions, as in this case, taking the full version number of the current 68-flavoured release from 68.0.1 to 68.0.2.

What’s interesting in this release is the security fix it delivers:

CVE-2019-11733: Stored passwords in ‘Saved Logins’ can be copied without master password entry.

When a master password is set, it is required to be entered before stored passwords can be accessed in the ‘Saved Logins’ dialog. It was found that locally stored passwords can be copied to the clipboard through the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

Mozilla rates this fix as “moderate” – after all, it requires local access to an unlocked browser session, so it doesn’t let just anyone extract web passwords any time from anywhere – but if you are a Firefox user, it’s worth checking that you are up-to-date.

Even if you have automatic updating turned on, make sure you know how to verify manually that updating is working correctly. (By the way, that goes for all the updates you’re subscribed to, including those for your operating system and other apps.)

The easiest way is simply to choose the About Firefox menu item, which tells you the version number you’re running now, checks for any updates, and offers you any updates that you haven’t received yet.

On a Mac, the About box is accessed from the Firefox menu item; on Windows and Linux, it’s Help > About Firefox.

Many Windows and Linux users run with the Firefox menu bar turned off to save screen space. If you don’t have the File Edit View... menu visible, you can enable it by right clicking in the top bar of the Firefox window and turning on the Menu Bar option.

If there’s an update available, you’ll see a [Restart to update Firefox] button:

Click it and you’re done – Firefox will remember the tabs you have open and the session cookies you have set, exit, update, reload and open your tabs back up again.

If all goes well, you’ll be back where you were, still logged in to the same sites and ready to continue.

Go back to the About box and confirm that you’re up-to-date:

Two more controversies…

By the way, Firefox’s password manager raises two interesting controversies even in the absence of a security problem like the one mentioned here.

The password manager is turned on by default, but without a master password, as you can see by doing a fresh install and then going to the Privacy & Security section on the Preferences page:

In other words, a default Firefox setup essentially suffers from the bug described in this article all the time, because there’s no master password used by default, and therefore you never need to enter one.

We recommend never keeping unprotected password databases on your computer, so we suggest that you either:

  • Turn Firefox’s Ask to save logins and passwords for websites option OFF, or
  • Turn Firefox’s Use a master password ON.

If you’ve already got a standalone password manager app that you use for general password security, you probably want to forgo Firefox’s built-in password storage and use your chosen app instead.

Although there’s an adage that says you shouldn’t put all your eggs in one basket, there are disadvantages to using multiple password managers, namely that it’s much harder to keep everything in synch and backed up.

After all, there’s another cybersecurity adage that says, when it comes to passwords, you should put all your eggs in one basket, and watch that basket.

To get rid of any login information you’ve entrusted to Firefox, accidentally or otherwise, use the [Saved Logins...] button shown above, and then [Remove All] to empty Firefox’s password database.

Oh, and while you’re about it, turn on two-factor authentication (2FA) for any online accounts that support it – it’s a minor inconvenience for you but a significant additional barrier for cybercrooks.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SGS2jipuYaM/

68% of Companies Say Red Teaming Beats Blue Teaming

The majority of organizations surveyed find red team exercises more effective than blue team testing, research shows.

More than one-third of organizations surveyed say their defensive blue teams fail to catch offensive red teams, and 68% overall agree red team exercises have proved more effective.

A survey conducted by Exabeam at Black Hat USA 2019 found red teams, which are made up of internal or hired security experts who imitate cybercriminals’ behavior to test a business’ security defenses, are also more popular. Seventy-two percent of respondents conduct red team exercises, with 23% performing them monthly, 17% quarterly, 17% annually, and 15% biannually.

Sixty percent conduct blue team exercises, intended to test a defensive team’s ability to stop cyberattacks. Thirty-five percent of companies polled say the blue team never or rarely catches the red team; 62% say the red team is caught occasionally or often. They say communication and teamwork (27%) are skills that blue teams need to work on, followed by knowledge of attacks and tactics (23%), threat detection (20%), and incident response time (17%).

Nearly three-quarters of IT security professionals say their companies have increased security infrastructure investment as a result of red and blue team testing, and 18% say these budget changes have been significant. Only 25% say this testing has had no effect on budget.

Read more details here.


Article source: https://www.darkreading.com/endpoint/68--of-companies-say-red-teaming-beats-blue-teaming/d/d-id/1335529?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Flaw in Vulnerability Management: It’s Time to Get Real

Companies will never be 100% immune to cyberattacks. But by having a realistic view of the basics, starting with endpoint vulnerabilities, we can build for a safer future.

Today, the risk of cyberattack is simply part of the cost of doing business. Companies spend millions of dollars every year on the most advanced software in an attempt at defense. But it’s not enough.

The nature of attacks is persistently and rapidly changing, so preparing an adequate defense is like chasing smoke. Meanwhile, companies struggle to take care of their most vulnerable area, the endpoint. Routine software updates and maintaining current, compliant security configurations across all systems require significant resources and diligence, and security hygiene sometimes gets sacrificed on the long list of IT priorities with teams that are already stretched thin. As a result, companies can’t take full advantage of many of the features in their security software.

Though very different problems, both lead us to acknowledge that because of the ever-changing nature of attacks and the difficulty maintaining all endpoints at all times, organizations remain at least somewhat exposed on any given day. Even small risks carry tremendous burdens that can prove devastating to the companies and users that are ultimately affected.

Vulnerability Management to the Rescue?
To help organizations shore up their endpoints, a number of vendors have created software to automatically detect system vulnerabilities. These offerings typically fall under the “vulnerability management” category and provide a necessary first step. Proactively scanning endpoints and pinpointing vulnerabilities for teams alleviates a lot of the resource drain associated with endpoint management. But this is only a step, not a complete solution.

According to recent research that tracked more than 316 million security incidents, it takes companies an average of 38 days to patch a vulnerability. More than a month to fix a problem after it has been identified! This is unacceptable given the potential impact and the amount of money pouring into security today. We must be able to fix vulnerabilities much, much faster if companies are going to have a shot at protecting data and intellectual property in the future.
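The 38-day average is only useful if you can compute the same number for your own backlog and see which findings are already past their deadline. The script below is an added example, not something from the article or from any vendor: it computes mean time to remediate and flags SLA breaches over a constructed set of findings, and the per-severity SLA days are an assumed policy rather than any published standard.

```python
"""Measure time-to-remediate for vulnerability findings and flag SLA breaches.

Added example. The findings are CONSTRUCTED sample data, and SLA_DAYS is an
assumed policy, not a standard from the article or elsewhere.
"""
from datetime import date
from statistics import mean
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    finding_id: str
    host: str
    severity: str               # "critical" | "high" | "medium" | "low"
    detected: date
    remediated: Optional[date]  # None means the finding is still open


# Assumed remediation SLA in days per severity (a policy choice for this example).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Reporting date used by the stand-alone run and by any checks against it.
AS_OF = date(2019, 8, 16)

# Constructed sample findings, shaped like a scanner or ticket-system export.
FINDINGS: List[Finding] = [
    Finding("F-1", "web01", "critical", date(2019, 6, 1), date(2019, 6, 4)),
    Finding("F-2", "web02", "high", date(2019, 6, 1), date(2019, 6, 19)),
    Finding("F-3", "db01", "critical", date(2019, 6, 10), date(2019, 7, 25)),
    Finding("F-4", "app03", "medium", date(2019, 6, 15), None),
    Finding("F-5", "app04", "high", date(2019, 7, 10), None),
]


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding in days: to remediation if closed, otherwise to `as_of`."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.detected).days


def mean_time_to_remediate(findings: List[Finding], as_of: date) -> Optional[float]:
    """Mean detection-to-fix days over CLOSED findings only; None if nothing is closed.
    Open findings are excluded so a growing backlog cannot make MTTR look better."""
    closed = [days_open(f, as_of) for f in findings if f.remediated is not None]
    return mean(closed) if closed else None


def sla_breaches(findings: List[Finding], as_of: date, sla=SLA_DAYS) -> List[str]:
    """IDs of findings, open or closed, whose age exceeds the SLA for their severity."""
    return [f.finding_id for f in findings if days_open(f, as_of) > sla[f.severity]]


def open_overdue(findings: List[Finding], as_of: date, sla=SLA_DAYS) -> List[str]:
    """Still-open findings already past SLA, most overdue first: the work queue."""
    over = [
        (days_open(f, as_of) - sla[f.severity], f.finding_id)
        for f in findings
        if f.remediated is None and days_open(f, as_of) > sla[f.severity]
    ]
    return [fid for _, fid in sorted(over, reverse=True)]


if __name__ == "__main__":
    print("MTTR (days):   ", mean_time_to_remediate(FINDINGS, AS_OF))
    print("SLA breaches:  ", sla_breaches(FINDINGS, AS_OF))
    print("Open & overdue:", open_overdue(FINDINGS, AS_OF))
```

Note that MTTR is computed over closed findings only; reporting it alongside the open-and-overdue list is what stops a team from quietly improving the average by never closing the hard ones.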

Let’s Get Real
It’s time to be honest about what vulnerability management actually requires because it currently doesn’t cover remediation in any meaningful sense. Opening a ticket doesn’t count as resolving the vulnerability. That’s passing the buck along for someone else to handle when they can get to it. Vulnerability management as it stands today should really be considered vulnerability assessment — finding but not solving problems or managing against threats.

So, why does this happen? Why is it so hard to fix an issue once it is identified? Primarily because departments within the enterprise remain relatively siloed. Security teams find issues, and then IT teams are asked to fix them. There is little collaboration between groups.

Aside from making it more difficult to fix an issue because of the lack of coordination between teams, this creates dreaded lag time in rolling out a fix. For every minute the problem is not addressed, viruses and malware can penetrate further into an organization’s infrastructure as hackers actively try to weaponize vulnerabilities. Just look at all of the damage WannaCry caused simply because it kept spreading through systems that had not yet applied a patch that had already been released.

Addressing the Future
It’s time for vulnerability management to get an upgrade if companies want to effectively defend against malicious attacks over the long term. The solution is twofold. First, companies must rethink how teams are constructed so that security and IT groups can work together more efficiently. This is why the idea of SecOps is gaining traction. When these two groups — security and operations — collaborate, they can create and agree on at least some baseline remediations for their most common issues.

There also needs to be significant innovation coming from vulnerability management vendors to incorporate true remediation, whether this comes via their own advances or by strategic integrations with partners. Companies will require solutions that remediate vulnerabilities at scale; after all, fixes must be rapidly deployed enterprisewide or they are not true fixes. Modern remediation should take seconds to minutes, not days to weeks, and automation will be the key to making this level of efficiency possible.

Even with bold, aggressive innovation and organizational structure in vulnerability management, we may never be able to patch 100% of vulnerabilities within hours. But consider how much better off organizations would be if they could fix the majority of issues automatically, right as they occur. It would make a monumental difference in terms of costs and resources devoted to security. IT and security teams would then be much better equipped to deal with remaining issues in a timely manner.

It is unrealistic to believe that companies ever will be fully immune to a cyberattack. But by getting real about where we are with the basics, starting with vulnerabilities at the endpoint, we can build for a future that minimizes entry points for attacks and remedies issues as soon as they occur in order to mitigate damage. It’s time to embrace the challenge and take the next step forward in vulnerability management.


Jim Souders is CEO of Adaptiva. A global business executive with more than 20 years’ experience, Jim excels at leading teams in creating differentiated software solutions, penetrating markets, achieving revenue goals, and P/L management. Prior to Adaptiva, Jim led high-growth …

Article source: https://www.darkreading.com/endpoint/the-flaw-in-vulnerability-management-its-time-to-get-real/a/d-id/1335465?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Research Finds More Struts Vulnerabilities

Despite aggressive updating and patching, many organizations are still using versions of Apache Struts with known — and new — vulnerabilities.

Apache Struts continues to be a critical piece of software infrastructure for many organizations, and according to new research, it continues to be a deep well of vulnerabilities from which hackers can draw.

In a new report, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, writes that the team investigated 115 separate Apache Struts releases and compared them with 57 security advisories covering 64 vulnerabilities. They found 61 additional Struts versions affected by at least one already disclosed vulnerability.

In addition, Mackey points out that an earlier report, the “2019 Open Source Security and Risk Analysis,” showed that 43% of commercial software had vulnerabilities at least 10 years old — a reminder, he writes, that knowing about vulnerabilities is of little use if good patching and updating policies aren’t followed.
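The practical follow-up to this finding is to check your own builds against the advisory version ranges rather than against the handful of versions an advisory happens to name. The script below is an added example and is not from the Synopsys report or from Dark Reading: the advisory IDs and version ranges in it are constructed placeholders, not real Struts advisories, and the dependency lines are a constructed sample in the shape of Maven's `dependency:list` output. Substitute the affected ranges from the real Struts advisories before relying on it.

```python
"""Match declared Apache Struts dependencies against affected-version ranges.

Added example. ADVISORIES holds CONSTRUCTED placeholder ranges, NOT real Struts
advisories; SAMPLE_DEPENDENCIES is a constructed sample in Maven
dependency:list form (groupId:artifactId:type:version:scope).
"""
import re
from typing import Dict, List, Tuple

# Constructed, hypothetical advisory table: (advisory_id, lower_inclusive, upper_exclusive).
ADVISORIES = [
    ("EXAMPLE-ADV-001", "2.3.0", "2.3.35"),
    ("EXAMPLE-ADV-002", "2.5.0", "2.5.18"),
    ("EXAMPLE-ADV-003", "2.0.0", "2.3.37"),
]

# Constructed sample dependency report.
SAMPLE_DEPENDENCIES = """
org.apache.struts:struts2-core:jar:2.3.34:compile
org.apache.struts:struts2-core:jar:2.5.16:compile
org.apache.struts:struts2-rest-plugin:jar:2.5.20:compile
org.apache.commons:commons-lang3:jar:3.9:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.16' -> (2, 5, 16). Short versions are zero-padded ('2.3' -> (2, 3, 0)) so
    that '2.3' and '2.3.0' compare equal; a trailing tag such as '-RC1' is dropped,
    which treats a release candidate as its base version (an assumption here)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, lower: str, upper: str) -> bool:
    """True if lower <= version < upper, comparing component by component as integers
    (so 2.3.9 < 2.3.10, which a plain string comparison gets wrong)."""
    return parse_version(lower) <= parse_version(version) < parse_version(upper)


def affected_advisories(version: str, advisories=ADVISORIES) -> List[str]:
    """All advisory IDs whose affected range contains `version`."""
    return [adv for adv, lo, hi in advisories if in_range(version, lo, hi)]


def scan_dependencies(report: str, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Map each org.apache.struts artifact in the report to the advisories it falls under.
    Non-Struts lines are ignored; an empty list means no matching range."""
    results: Dict[str, List[str]] = {}
    for line in report.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0] != "org.apache.struts":
            continue
        group, artifact, _type, version = parts[:4]
        results[f"{group}:{artifact}:{version}"] = affected_advisories(version, advisories)
    return results


if __name__ == "__main__":
    for dep, advs in scan_dependencies(SAMPLE_DEPENDENCIES).items():
        status = "AFFECTED: " + ", ".join(advs) if advs else "ok"
        print(f"{dep:48} {status}")
```

The version tuple comparison is the part worth getting right: string comparison would rank 2.3.9 above 2.3.10 and quietly miss an affected release, which is the same class of mistake that leaves old versions in production.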

For more, read here.


Article source: https://www.darkreading.com/vulnerabilities---threats/new-research-finds-more-struts-vulnerabilities/d/d-id/1335530?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple