
British Airways Hack Triggers GDPR Concerns, as World Awaits Windows 0-Day Patch

A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news items that have recently caught our eye.

Could British Airways hit GDPR turbulence after data breach?

Hackers breached British Airways’ website and mobile app over a recent two-week period, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.

Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.


GDPR 101: Monitoring & Maintaining Compliance After the Deadline

Discussions about the EU’s General Data Protection Regulation (GDPR) reached a crescendo on May 25, the compliance deadline, but many companies continue seeking guidance.

The reason: A majority of companies missed the deadline, according to estimates from various sources, including Gartner, Crowd Research, IDC, Spiceworks, TrustArc, and Ponemon Institute, so it’s very likely that millions are still working on GDPR compliance.

Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.

To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.

Tim White is Qualys’ Director of Product Management for Policy Compliance

White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.

It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.

“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.

The best way to achieve this is by leveraging a technical control framework, like the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute of Standards and Technology’s (NIST) 800-53 controls.

“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.


Securing Container Deployments with Qualys

With container adoption booming, security teams must protect the applications that DevOps teams create and deploy using this method of OS virtualization. The security must be comprehensive across the entire container lifecycle, and built into the DevOps pipeline in a way that is seamless and unobtrusive.

Accomplishing this requires an understanding of Docker container technology and the adoption of processes and tools tailored for these environments. In a recent webcast, Qualys Director of Product Management Hari Srinivasan, an expert on cloud and container security, outlined container security risks, use cases, and best practices.

Read on to learn about Srinivasan’s recommendations for gaining visibility into container assets, doing vulnerability analysis, and detecting drifting runtimes across your DevOps pipeline.


How New Passive Network Sensor Boosts Platform Capabilities

Black Hat attendees got a peek at Qualys Passive Network Sensor (PNS), a product that amplifies the already comprehensive IT asset visibility Qualys provides to its customers. By adding real-time network analysis to Qualys’ versatile set of sensors, PNS eliminates blind spots across IT environments through continuous traffic monitoring.

“Now you have instant visibility into every single asset that’s communicating on your network,” said Qualys’ Chief Product Officer Sumedh Thakar during a presentation on Passive Network Sensor at the conference.

The sensor extends the Qualys Cloud Platform’s broad spectrum of integrated security and compliance capabilities, further reducing Qualys customers’ needs for multi-vendor point products that are costly to manage and integrate.


Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug

Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability — but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security news items that have caught our attention.

New Struts Bug Should Be Patched Yesterday

Apache patched a serious remote code execution vulnerability (CVE-2018-11776) affecting all supported versions — 2.3 to 2.3.34 and 2.5 to 2.5.16 — of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.

In the Apache security bulletin, the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.

The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads.

Organizations should upgrade to the patched Struts versions even if their applications aren’t vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” stated Semmle, whose security researcher Man Yue Mo discovered this vulnerability.


Security News: WannaCry Surfaces in Taiwan, as Reddit Breach Puts 2FA in the Spotlight

WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news items that have caught our attention.

WannaCry hits Taiwan Semi

The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.

Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.

According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.

Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.

That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.


Eager to Boost your Container Security? Don’t Miss this Webcast

DevOps teams can’t get enough of containers — and for good reason. Faster and more efficient application development and deployment, as well as increased application portability, are some container technology benefits, which in turn help drive digital transformation efforts.

Container-based applications can be smaller, often focused on one or a few capabilities, and be more easily distributed across an IT environment. That’s why containers have facilitated the popularity of microservices, a type of architecture in which applications are structured as independent, small, modular services.

However, containers create their own set of security and compliance issues. These challenges include the use of un-validated software pulled from public repositories, which often contains unpatched vulnerabilities, and the deployment of containers with weak configurations. In addition, containers communicate directly with each other via exposed network ports in a way that bypasses host controls, and they’re hard to track because they’re so ephemeral.

Hari Srinivasan, Director of Product Management for Qualys’ public cloud infrastructure platform integrations

This Thursday, Qualys will host a webcast, “Building Security into the 3 Phases of Container Deployment,” led by Hari Srinivasan, Director of Product Management, who’s our resident expert on container security.

In this webcast, Srinivasan will outline security use cases for containers at the build, registry, and runtime stages of DevOps pipelines. He will also explain the importance of having visibility into container assets, and of the need for container-native vulnerability analysis. Srinivasan will also address strategies to detect and address drifting runtimes.

Register for Thursday’s webcast, which begins at 10 am PT / 1 pm ET.

Security News: Bluetooth Bug Triggers Patch Frenzy, as Ransomware Attack Hits Global Shipper

A scary Bluetooth bug. A crippling ransomware attack. A cyber threat to the U.S. electrical grid. A data leak of trade secrets from major car makers such as Tesla and GM. These were some of the security industry news items that caught our eye last week.

Bluetooth vulnerability rattles vendors, end users

The disclosure of a major flaw in Bluetooth last week has sent vendors of all shapes and sizes scrambling to patch their products, including cell phones and computers.

The bug, found by researchers at the Israel Institute of Technology, affects the elliptic curve Diffie-Hellman key exchange mechanism employed by Bluetooth. “The authentication provided by the Bluetooth pairing protocols is insufficient,” they wrote.

The CERT advisory explains that an unauthenticated, remote attacker within range could use a “man-in-the-middle” network position to find out the cryptographic keys used by the device. “The attacker can then intercept and decrypt and/or forge and inject device messages,” it reads.


QSC18 Virtual Edition: Securing Containers – From Build to Deployments

DevOps teams have embraced Docker container technology because it boosts speed, agility, and flexibility in app development and delivery. But it also creates security and compliance challenges.

“Containers are revolutionizing the IT landscape,” Hari Srinivasan, a Qualys Director of Product Management, said during QSC18 Virtual Edition. As the next big thing in IT, containers are seeing tremendous growth in adoption.

“Containers are lightweight, efficient, portable, and they boot faster, making it highly efficient and easy for developers to deploy their applications,” he said during his presentation “Securing Containers — From Build to Deployments.”

Containers are lighter than virtual machines because they can be spun up without provisioning a guest operating system for each one. For that reason, they also churn much more frequently.

With containers, applications can be smaller, focused on one or a few capabilities, and more portable, because they can be easily distributed across an IT environment, he said. That’s why containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services.


QSC18 Virtual Edition: Vulnerability Risk Management

When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.

“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said.

Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.

Read on to learn more.
