All Posts

6 posts

New Features in Qualys Vulnerability Management and Policy Compliance

Today we are excited to announce several new features, workflows, and new technology support in Qualys Vulnerability Management and Policy Compliance.

These new features will be deployed as a part of QWEB 10.0 and Portal 3.0 release versions.

Continue reading …

OpenBSD Local Privilege Escalation Vulnerability (CVE-2019-19726)

Qualys Research Labs discovered a local privilege escalation vulnerability in OpenBSD’s dynamic loader. The vulnerability could allow local users or malicious software to gain full root privileges. OpenBSD developers have confirmed the vulnerability and released security patches in less than 3 hours.

Qualys Research Labs also provided proof-of-concept exploits in the security advisory.

Continue reading …

OpenBSD Multiple Authentication Vulnerabilities

Multiple authentication vulnerabilities in OpenBSD have been disclosed by Qualys Research Labs. The vulnerabilities are assigned following CVEs: CVE-2019-19522, CVE-2019-19521, CVE-2019-19520, CVE-2019-19519. OpenBSD developers have confirmed the vulnerabilities and also provided a quick response with patches published in less than 40 hours.

Continue reading …

Security News: WannaCry Surfaces in Taiwan, as Reddit Breach Puts 2FA in the Spotlight

WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.

WannaCry hits Taiwan Semi

The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.

Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.

According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.

Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.

That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.

Continue reading …

How to Avoid Account Lockouts When Scanning Web Applications

Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently.  Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).

Continue reading …

QualysGuard adds VeriSign Identity Protection

Hi!  My name is Corey, I have a dog named Sparky, and I really like chocolate.   You now have everything you need to guess my password.

This isn’t a surprise, of course.  Over the last several years research has shown that passwords are often easily compromised:

One good solution to these password issues is to use two-factor authentication, where a user is required to both know something (i.e. your username and password) and have something (such as a generated code from a key fob).  Your debit card is a good example of this:  You need to both know your PIN code and have the physical card in order to access the bank account it protects.   Two-factor authentication has become more readily available over the last few years, and is now a capability that many security-oriented companies are actively pursuing.

Consequently, I’m thrilled to announce that Qualys is now making VeriSign Identity Protection (VIP) two-factor authentication available to all QualysGuard users at no charge, providing an additional layer of protection to keep your data secure.

Subscription Managers can require VIP for all accounts, or individuals can opt-in as desired.  Enabling it for an account is simple with just three steps:

  1. Obtain a credential from VeriSign.  Like QualysGuard, VeriSign VIP is a software-as-a-service offering with no server software to deploy or hardware to manage.  I prefer using their phone-based credential, but their toolbar is also a good choice (as are key fobs for those who like having a physical token); see the complete list of supported devices.
  2. Login to QualysGuard and edit your user settings.  Click “Advanced” and you’ll see the following under the “Options” tab:VIP Activation
  3. Click “Register Credential” and provide the codes requested.Credential Registration

You’re now ready to use VIP Authentication for logging in to QualysGuard.  You’ll still use your username and password (what you know) but will be prompted to provide the code from your credential (what you have) to complete the login process:

VIP Login

Don’t worry if you can’t access your token (who hasn’t left their phone on the kitchen table?); you can request a one-time password that will grant access within the next hour.

We’re excited to help lead the effort to replace passwords with better authentication methods, and look forward to hearing from you on how we can continue to improve our service.  In the meantime, feel free to take that chocolate bar without any guilt!