On a Friday afternoon before a long holiday weekend, a company’s security operations center receives a potentially serious alert: It appears that a domain controller has been tampered with. After examining event logs and overlaying network traffic, a SOC analyst confirms that a suspicious system did in fact connect to the controller, extracted credentials, and performed other actions. 

Worried this could be a hacker, the SOC team spends hours doing network analysis. Eventually they determine it’s a false alarm: An administrator had logged into the network to check his email with his personal laptop, whose use the company had authorized a month before.

Why did it take the SOC team so long to solve this mystery? They lacked a comprehensive IT asset inventory that would have allowed them to either quickly find that laptop on a list of devices owned by employees and approved for work use, or else determine it was a rogue device.

This hypothetical incident shows the importance of a continuously updated IT asset inventory, which would have slashed the SOC’s investigation time, and made a big difference if instead there had been an attack, according to security experts from SANS Institute and from Qualys.

Continue reading …

In our latest security news digest, we check out the Facebook hack heard ’round the world, a Twitter bug that rattled users but may not amount to much, and a pair of serious Linux kernel vulnerabilities.

Facebook scrambles to investigate major breach affecting tens of millions of users

The cyber security world shook on Friday upon learning that attackers exploited a software flaw on Facebook that allowed them to obtain access tokens for 50 million accounts, with another 40 million accounts possibly also affected.

Equally or even more concerning: The purloined tokens could have been used to access accounts in other websites into which their users log in with their Facebook credentials, such as Spotify and AirBnB.

Facebook inadvertently introduced the bug in July of last year. After investigating unusual activity detected in mid-September of this year, Facebook discovered the attack last week.

The attack has made global headlines since its disclosure on Sept. 28, and has naturally drawn scrutiny from security experts, government regulators, Facebook users, and industry observers.

“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team,” Paul Bischoff, privacy advocate with Comparitech, told Dark Reading.

Continue reading …

A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.

Could British Airways hit GDPR turbulence after data breach?

Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.

Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.

Continue reading …

Discussions about the EU’s General Data Protection Regulation (GDPR) reached a crescendo on May 25, the compliance deadline, but many companies continue seeking guidance.

The reason: A majority of companies missed the deadline, according to estimates from various sources, including Gartner, Crowd Research, IDC, Spiceworks, TrustArc, and Ponemon Institute, so it’s very likely that millions are still working on GDPR compliance.

Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.

To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.

White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.

It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.

“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.

The best way to achieve this is by leveraging a technical control framework, like the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute for Standards and Technology’s (NIST) 800-53 controls.

“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.

Continue reading …

With container adoption booming, security teams must protect the applications that DevOps teams create and deploy using this method of OS virtualization. The security must be comprehensive across the entire container lifecycle, and built into the DevOps pipeline in a way that is seamless and unobtrusive.

Accomplishing this requires an understanding of Docker container technology and the adoption of processes and tools tailored for these environments. In a recent webcast, Qualys Director of Product Management Hari Srinivasan, an expert on cloud and container security, outlined container security risks, use cases, and best practices.

Read on to learn about Srinivasan’s recommendations for gaining visibility into container assets, doing vulnerability analysis, and detecting drifting runtimes across your DevOps pipeline.

Continue reading …

Black Hat attendees got a peek at Qualys Passive Network Sensor (PNS), a product that amplifies the already comprehensive IT asset visibility Qualys provides to its customers. By adding real-time network analysis to Qualys’ versatile set of sensors, PNS eliminates blind spots across IT environments through continuous traffic monitoring.

“Now you have instant visibility into every single asset that’s communicating on your network,” said Qualys’ Chief Product Officer Sumedh Thakar during a presentation on Passive Network Sensor at the conference.

The sensor extends the Qualys Cloud Platform’s broad spectrum of integrated security and compliance capabilities, further reducing Qualys customers’ needs for multi-vendor point products that are costly to manage and integrate.

Continue reading …

Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability — but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.

New Struts Bug Should Be Patched Yesterday

Apache patched a serious remote code execution vulnerability (CVE-2018-11776) affecting all supported versions — 2.3 to 2.3.34 and 2.5 to 2.5.16 — of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.

In the Apache security bulletin, the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.

The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads.

Organizations should upgrade to the patched Struts versions even if their applications aren’t  vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” stated Semmle, whose security researcher Man Yue Mo discovered this vulnerability.

Continue reading …

WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.

WannaCry hits Taiwan Semi

The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.

Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.

According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.

Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.

That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.

Continue reading …

DevOps teams can’t get enough of containers — and for good reason. Faster and more efficient application development and deployment, as well as increased application portability, are some container technology benefits, which in turn help drive digital transformation efforts.

Container-based applications can be smaller, often focused on one or a few capabilities, and be more easily distributed across an IT environment. That’s why containers have facilitated the popularity of microservices, a type of architecture in which applications are structured as independent, small, modular services.

However, containers create their own set of security and compliance issues. These challenges include the use of un-validated software pulled from public repositories, which often contains unpatched vulnerabilities, and the deployment of containers with weak configurations. In addition, containers communicate directly with each other via exposed network ports in a way that bypasses host controls, and they’re hard to track because they’re so ephemeral.

This Thursday, Qualys will host a webcast, “Building Security into the 3 Phases of Container Deployment,” led by Hari Srinivasan, Director of Product Management, who’s our resident expert on container security.

In this webcast, Srinivasan will outline security use cases for containers at the build, registry, and runtime stages of DevOps pipelines. He will also explain the importance of having visibility into container assets, and of the need for container-native vulnerability analysis. Srinivasan will also address strategies to detect and address drifting runtimes.

Register for Thursday’s webcast, which begins at 10 am PT / 1 pm ET.

A scary Bluetooth bug. A crippling ransomware attack. A cyber threat to the U.S. electrical grid. A data leak of trade secrets from major car makers such as Tesla and GM. These were some of the security industry news that caught our eye last week.

Bluetooth vulnerability rattles vendors, end users

The disclosure of a major flaw in Bluetooth last week has sent vendors of all shapes and sizes scrambling to patch their products, including cell phones and computers.

The bug, found by researchers at the Israel Institute of Technology, affects the elliptic curve Diffie-Hellman key exchange mechanism employed by Bluetooth. “The authentication provided by the Bluetooth pairing protocols is insufficient,” they wrote.

The CERT advisory explains that an unauthenticated, remote attacker within range could use a “man-in-the-middle” network position to find out the cryptographic keys used by the device. “The attacker can then intercept and decrypt and/or forge and inject device messages,” it reads.

Continue reading …