Here’s a short story about a simple vulnerability that was easy to fix, but nonetheless could have had serious consequences.
Imagine an attacker, who doesn’t even have root access, being able to:
- Get source code from the community of Pebble watch developers
- Replace their binaries with malicious ones
- Deploy the malicious binaries to the developers’ watches when they click the ‘Remote Deployment’ button.
To help keep track of what happened at RSA Conference 2014, here’s a quick list of Qualys' activities over the week:
|
SSL Labs: Testing for Apple’s TLS Authentication Bug: Updates to SSL Labs let you test for this newly-discovered (and now patched) bug.
MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability: Deep-dive into only the third remote code execution vulnerability ever found to affect the MediaWiki platform.
QualysGuard Continuous Monitoring enables customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks.
QualysGuard Web Application Firewall offers rapid deployment of robust security for web applications with minimal cost of ownership, and is constantly updated with new rules to keep up with application updates and newly emerging threats.
Top 4 Security Controls helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks. The Top 4 Security Controls are released in collaboration with the SANS Institute and the Council on CyberSecurity.
2014 SC Magazine Awards
Partnerships
Earlier today I gave a presentation at RSA Conference 2014 in San Francisco about the 20 Critical Security Controls (CSC) and some ideas on how to implement them using QualysGuard. The document for the 20 CSC provides a number of suggestions for each control, called Quick Wins that point out aspects of the controls that are relatively easy to implement. One example is the detection of new machines, or how to report on machines that do not run an approved version of the operating system.
It’s time for the Top 13 of '13 — the most popular and most viewed blog posts, discussions, new product features, technical documents and videos that were contributed, read, updated, and commented on in 2013 by the Qualys Community of security professionals.
Many thanks to all the Qualys Community members and site visitors for building out the reference library and active conversations that comprise Qualys Community!
As 2013 comes to a close, enterprise partnerships and mergers and acquisitions in the tech sector have continued to occur at billion dollar levels. One can infer there is much to gain from adding the confidential intellectual properties of others. The true puzzle is understanding if the intellectual properties are, in fact, truly confidential. After all, what is the value in acquiring trade secrets if they are not secret?