It’s happening more and more.

High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.

Even if the vulnerabilities aren’t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.

Often, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.

“Should I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I’m going to argue that that’s not always the case,” Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.

Continue reading …

Contact lenses that access the Internet literally at the blink of an eye. Toilets that detect cancer-indicating enzymes. Human settlements on Mars. Beaming one’s mind into outer space using lasers. Watching a video of your dreams after you wake up.

Those were just a few of the mind-blowing predictions made by Dr. Michio Kaku at RSA Conference 2018, where he transformed Qualys’ expo booth into a time-traveling vehicle.

For about 30 minutes on Tuesday, the famed physicist led his entranced audience on a spellbinding journey to a future he believes will become a reality in the decades to come.

A new golden age of space travel is upon us

Anchoring many of the advances he described is what he calls a second golden age of space travel, which will trigger and accelerate groundbreaking innovations in artificial intelligence, biotechnology and nanotechnology.

Continue reading …

What does the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar.

Whenever his 7-year old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu, picking Netflix, searching for “My Little Pony,” navigating the seasons and list of episodes, and finally clicking on the one she wanted to watch.

But that process became a thing of the past at Thakar’s house after he got a Google Home smart speaker and home assistant, and linked it up with his smart TV.  Now all his daughter needs to do is tell Google Home to play her favorite show on the living room TV, and all the steps are carried out in an automated, seamless way, without anyone even having to grab the TV remote control.

“That’s transparent,” Thakar said on Monday during his keynote speech at the Cloud Security Alliance (CSA) Summit being held at the RSA Conference in San Francisco.

Continue reading …

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, compromising an undetermined number of their customers’ payment card data.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

Continue reading …

In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news — this time involving Microsoft — and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.

Microsoft patches its Meltdown patch, then patches it again

In an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.

It took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability (CVE-2018-1038) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.

Security researcher Ulf Frisk, who discovered the vulnerability, called it “way worse” than Meltdown because it “allowed any process to read the complete memory contents at gigabytes per second” and made it possible to write to arbitrary memory as well.

“No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk wrote. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required — just standard read and write.”

Continue reading …

Web applications have become essential for business, as they simplify and automate key functions and processes for employees, customers and partners, making organizations more agile, innovative and efficient.

Unfortunately, many web applications are also unsafe due to latent vulnerabilities and insecure configurations. Web application attacks rank as the most likely to trigger a data breach, according to the 2016 and 2017 editions of the Verizon Data Breach Investigations Report.

Those findings are consistent with SANS Institute’s 2016 State of Application Security Report, which found that “public-facing web applications were the largest items involved in breaches and experienced the most widespread breaches.”

“Insecure web applications are a real problem today,” Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, said during a recent webcast. “Web apps are a foothold into your organization for potential attackers.”

Continue reading …

Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments.

Driving this growth in cloud computing adoption is its essential role in digital transformation initiatives, which help businesses be more efficient, effective, flexible and innovative in areas like e-business, supply chain management, customer support and employee collaboration.

Digital transformation projects are typically delivered using web and mobile apps created in DevOps pipelines, where developers and operations staff work collaboratively at every step of the software lifecycle, releasing apps or app updates frequently.

But security must be integrated throughout the DevOps process — planning, coding, testing, releasing, deploying, monitoring — in an automated way, organically building it into the software lifecycle instead of bolting it on at the end.

That way, vulnerabilities, misconfigurations, policy violations, malware and other safety issues can be addressed before code is released, reducing the risk of exposing your organization and your customers to cyber attacks.

In a recent webcast, Hari Srinivasan, Qualys’ Director of Product Management for Cloud and Virtualization Security, explained how Qualys can help you secure your cloud and container deployments across your DevOps pipeline.

Continue reading …

In this edition of Qualys’ infosec news digest, we look at Orbitz’s data breach, AMD’s vulnerabilities controversy, and recent actions by the U.S. government against alleged Russian and Iranian cyber spies.

Orbitz was (kinda, sorta, maybe) hacked

Orbitz disclosed last week that personal information linked to almost 900,000 payment cards may have been compromised, after it detected a “data security incident” in which “there was likely unauthorized access” to customer data.

The customer data at risk includes payment card details, full names, dates of birth, phone numbers and e-mail and home addresses.

Orbitz doesn’t think that passport numbers nor travel itineraries were compromised. It doesn’t collect Social Security numbers. Orbitz, which is owned by Expedia, isn’t sure if data was stolen, but a privacy rights experts recommends that customers not rest easy.

“I think consumers should assume that their personal information has been compromised even though they may not have been notified. There have been so many data breaches that you just can’t assume that you haven’t been affected,” Beth Givens, executive director of the Privacy Rights Clearinghouse, told Consumer Reports.

Continue reading …

With the EU’s General Data Protection Regulation (GDPR) going into effect in late May, organizations are hungry for clarifying information regarding its vaguely-worded requirements, in particular as they apply to cyber security and IT compliance. This interest in better understanding how to comply with GDPR was evident among participants of a recent Qualys webcast titled “The GDPR deadline readiness and impact to global organizations outside the EU.”

Here we’re providing an edited transcript of their questions and of the answers provided by webcast host and Qualys Director of Product Management Tim White. Darron Gibbard, Qualys’ Chief Technical Security Officer and Managing Director of the EMEA North region, contributed to some of the answers.

Are there any recommended frameworks for implementing controls and processes for information security that I could follow to ensure GDPR readiness?
There are a variety of different ways of implementing general security best practices. There are some specific recommendations and each member country is starting to post the requirements. The most advanced one is the U.K.’s ICO (Information Commissioner’s Office). They provided a lot more depth about what InfoSec requirements you should put in place, but even their recommendations are still very vague. This isn’t like PCI where they say you have to implement a change detection solution to monitor critical changes to configuration files, and you must monitor log files on a regular basis. GDPR doesn’t have prescriptive controls like that. GDPR indicates that you have to implement the controls that are appropriate for the level of risk and that you need to protect the data from breaches of confidentiality, integrity and availability. So they basically say: “Do a good job at security.”

Continue reading …

In this week’s InfoSec news review we’ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones.

I, me, mine

The freight train that’s cryptomining shows no sign of slowing down, and the cyber security implications are intensifying accordingly.

This week alone, Microsoft detected and disrupted a massive cryptomining malware campaign, a Tesla AWS account got hijacked, a new mining worm was discovered, and Kaspersky researchers warned about increased sophistication of infection methods.  

While there is a legitimate component to this business, malicious hackers eager to profit are aggressively breaching networks and infecting devices — PCs, IoT systems, smartphones, servers — to steal computing power for mining virtual currencies.

Continue reading …