In our latest security news digest, we check out the Facebook hack heard ’round the world, a Twitter bug that rattled users but may not amount to much, and a pair of serious Linux kernel vulnerabilities.

Facebook scrambles to investigate major breach affecting tens of millions of users

The cyber security world shook on Friday upon learning that attackers exploited a software flaw on Facebook that allowed them to obtain access tokens for 50 million accounts, with another 40 million accounts possibly also affected.

Equally or even more concerning: The purloined tokens could have been used to access accounts in other websites into which their users log in with their Facebook credentials, such as Spotify and AirBnB.

Facebook inadvertently introduced the bug in July of last year. After investigating unusual activity detected in mid-September of this year, Facebook discovered the attack last week.

The attack has made global headlines since its disclosure on Sept. 28, and has naturally drawn scrutiny from security experts, government regulators, Facebook users, and industry observers.

“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team,” Paul Bischoff, privacy advocate with Comparitech, told Dark Reading.

Continue reading …

This release of the Qualys Cloud Platform version 2.34.1 includes updates and new features for Cloud Agent & AWS EC2 Connector, AssetView, CloudView, and Security Assessment Questionnaire, highlights as follows.

Continue reading …

Patch release of Qualys Cloud Platform, version 8.15.2, includes new support for Apache instance auto-discovery in Qualys Policy Compliance.

Policy Compliance

• Apache Instance Auto-Discovery – This new feature in Qualys PC enables automatic discovery of Apache during compliance scans.  Once one or more apache instances are discovered, the required authentication records are automatically created. We’ve also simplified authentication records for Apache allowing multiple instances to share a single authentication record.  In cases where multiple Apache instances are found, users no longer need to provide separate authentication records for each instance.

Continue reading …

With the newly available Qualys Consulting Edition, consultants and MSPs can now individually manage their mid-market client networks, keeping data separate and organized. This lets them offer their clients tailored, personalized services, with valuable insights and recommendations for threat prevention, detection, and response.

The solution’s flexibility allows consultants to customize the deployment and setup for each client’s unique environment. It’s all based on the highly-scalable Qualys Cloud Platform, which is trusted by many of the world’s largest businesses and service providers.

Continue reading …

In this month’s Patch Tuesday release there are 61 vulnerabilities patched with 17 Criticals. Out of the criticals, most are browser-related, with the rest including Windows, Hyper-V, and .net Framework. A vulnerability (CVE-2018-8475) in Windows’ image parsing has been publicly disclosed, in addition to a vulnerability (CVE-2018-8457) in the Scripting Engine.

Continue reading …

The annual Qualys user conference, QSC18, is quickly approaching, and we are looking for customer presentations showcasing how you use Qualys to enable security best practices and secure your digital transformation.

If you would like to be considered as a presenter, please send a session title and short abstract to David Conner at dconner@qualys.com. The CFP is open until October 11, 2018. Qualys will cover travel costs for approved customer presenters.

This year’s event will be held on November 14-15 at the Bellagio Hotel in Las Vegas. QSC is a unique forum to connect our customers and partners with our engineers and leading industry experts. To learn more about Qualys Security Conference, watch the QSC17 highlights video.

A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.

Could British Airways hit GDPR turbulence after data breach?

Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.

Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.

Continue reading …

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policies and updates:

• New CIS Benchmarks for MySQL and updates to latest versions of Windows, SUSE, and Ubuntu benchmarks
• New best practice and industry policies for NIST 800.53, Amazon Linux, and Juniper JunOS
• New DISA STIG Policies for Windows 8.1, Windows Server 2008/2012 Domain Controllers and several existing DISA STIGs updated to latest version
• Updates to several existing library policies

Qualys’ Certification Page at CIS has been updated. Continue reading …

This new patch release of the Qualys Cloud Platform, version 8.15.1, includes updates to Qualys Vulnerability Management.

Vulnerability Management

• IP Update Handling for Agents – External IP address for Agents will no longer overwrite previous internal IP address when an internal address is not available during inventory data collection. The previous internal IP will remain as the Agent’s IP until the Agent recollects inventory data.

For more details about the above feature – please review the release notes. Release notes will be posted as soon as they are available on the Qualys Cloud Platform Release Notes page.

Platform release dates will be published on the Qualys Status page when available.

Discussions about the EU’s General Data Protection Regulation (GDPR) reached a crescendo on May 25, the compliance deadline, but many companies continue seeking guidance.

The reason: A majority of companies missed the deadline, according to estimates from various sources, including Gartner, Crowd Research, IDC, Spiceworks, TrustArc, and Ponemon Institute, so it’s very likely that millions are still working on GDPR compliance.

Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.

To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.

White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.

It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.

“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.

The best way to achieve this is by leveraging a technical control framework, like the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute for Standards and Technology’s (NIST) 800-53 controls.

“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.

Continue reading …