Black Hat attendees got a peek at Qualys Passive Network Sensor (PNS), a product that amplifies the already comprehensive IT asset visibility Qualys provides to its customers. By adding real-time network analysis to Qualys’ versatile set of sensors, PNS eliminates blind spots across IT environments through continuous traffic monitoring.
“Now you have instant visibility into every single asset that’s communicating on your network,” said Qualys’ Chief Product Officer Sumedh Thakar during a presentation on Passive Network Sensor at the conference.
The sensor extends the Qualys Cloud Platform’s broad spectrum of integrated security and compliance capabilities, further reducing Qualys customers’ needs for multi-vendor point products that are costly to manage and integrate.
Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability — but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.
New Struts Bug Should Be Patched Yesterday
Apache patched a serious remote code execution vulnerability (CVE-2018-11776) affecting all supported versions — 2.3 to 2.3.34 and 2.5 to 2.5.16 — of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.
In the Apache security bulletin, the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.
The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads.
Organizations should upgrade to the patched Struts versions even if their applications aren’t vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” stated Semmle, whose security researcher Man Yue Mo discovered this vulnerability.
WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.
WannaCry hits Taiwan Semi
The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.
Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.
According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.
Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.
That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.
Qualys Malware Research Labs recently released the Qualys BrowserCheck CoinBlocker Chrome Extension. We have seen enthusiastic adoption from users across the globe in the first week since its release, which has given us enough telemetry data to indicate success in protecting users from popular cryptojacking attacks. This blog post details these detection statistics and analyzes a few interesting cryptojacking campaigns uncovered by Qualys BrowserCheck CoinBlocker.
About Qualys BrowserCheck CoinBlocker
The world heat map below shows the geographical distribution of mining threats as a percentage of detections blocked by Qualys BrowserCheck CoinBlocker. The Top 5 countries where mining threats are detected and blocked are Bulgaria (33%) topped the list followed by India (18%), the United States (16%), Argentina (10%) and Thailand (9%).
This new release of the Qualys Cloud Platform (VM, SCA, PC), version 8.15, includes several new improvements across the VM, PC, and SCA Apps including new IPv6 configuration options for the scanner, improvements to several VM reports including ability to display EC2 metadata, a new Policy Compliance report, and expanded platform support for VM, PC, and SCA.
The digital transformation revolution waits for — and spares — no one. It forces all businesses to adopt tech innovations, like cloud, IoT and mobility, and to protect the resulting IT environments as they become hybrid, distributed and elastic.
With traditional network perimeters dissolved, securing digital transformation efforts gets more challenging by the day, especially for smaller organizations. That’s why Qualys is putting its Qualys Cloud Platform at the disposal of this underserved small-business market — for free.
With the new Qualys Community Edition, smaller organizations will now have access — at no charge — to the cloud-based security that many of the world’s largest companies rely upon to protect their global IT environments.
By tapping the robust, massively scalable Qualys Cloud Platform, they’ll be able to discover IT assets and their vulnerabilities, identify compliance gaps and get detailed, customizable reports.
The Qualys Community Edition is not only aimed at organizations that’ll use it internally. It’s also intended for smaller security practitioners that want to provide exceptional assessments to clients, outclass their competitors and boost revenues.
DevOps teams can’t get enough of containers — and for good reason. Faster and more efficient application development and deployment, as well as increased application portability, are some container technology benefits, which in turn help drive digital transformation efforts.
Container-based applications can be smaller, often focused on one or a few capabilities, and be more easily distributed across an IT environment. That’s why containers have facilitated the popularity of microservices, a type of architecture in which applications are structured as independent, small, modular services.
However, containers create their own set of security and compliance issues. These challenges include the use of un-validated software pulled from public repositories, which often contains unpatched vulnerabilities, and the deployment of containers with weak configurations. In addition, containers communicate directly with each other via exposed network ports in a way that bypasses host controls, and they’re hard to track because they’re so ephemeral.
In this webcast, Srinivasan will outline security use cases for containers at the build, registry, and runtime stages of DevOps pipelines. He will also explain the importance of having visibility into container assets, and of the need for container-native vulnerability analysis. Srinivasan will also address strategies to detect and address drifting runtimes.
Register for Thursday’s webcast, which begins at 10 am PT / 1 pm ET.
A scary Bluetooth bug. A crippling ransomware attack. A cyber threat to the U.S. electrical grid. A data leak of trade secrets from major car makers such as Tesla and GM. These were some of the security industry news that caught our eye last week.
Bluetooth vulnerability rattles vendors, end users
The disclosure of a major flaw in Bluetooth last week has sent vendors of all shapes and sizes scrambling to patch their products, including cell phones and computers.
The bug, found by researchers at the Israel Institute of Technology, affects the elliptic curve Diffie-Hellman key exchange mechanism employed by Bluetooth. “The authentication provided by the Bluetooth pairing protocols is insufficient,” they wrote.
The CERT advisory explains that an unauthenticated, remote attacker within range could use a “man-in-the-middle” network position to find out the cryptographic keys used by the device. “The attacker can then intercept and decrypt and/or forge and inject device messages,” it reads.
DevOps teams have embraced Docker container technology because it boosts speed, agility, and flexibility in app development and delivery. But it also creates security and compliance challenges.
“Containers are revolutionizing the IT landscape,” Hari Srinivasan, a Qualys Director of Product Management, said during QSC18 Virtual Edition. As the next big thing in IT, containers are seeing tremendous growth in adoption.
Containers are lighter than virtual machines because they can be spun up without provisioning a guest operating system for each one. For that reason, they also churn much more frequently.
With containers, applications can be smaller, focused on one or a few capabilities, and more portable, because they can be easily distributed across an IT environment, he said. That’s why containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services.