With Black Hat USA 2019 fast approaching, we continue our blog series highlighting training sessions and research briefings that we think Qualys customers will find relevant and valuable. Our pick this week is the training session An Introduction To IoT Pentesting With Linux.

The course offers “a hands-on, example-driven introduction to IoT hacking” and focuses on tactics for assessing and exploiting devices. Participants will learn why perimeter security falls short for securing private LANs from Internet attackers, and how vulnerability assessment techniques can be implemented using the Bash Unix shell and command language. Such skills are critical today due to the booming popularity and weak security of Internet of Things systems.

The two-day course is aimed at anyone wanting a hands-on introduction on using Linux to perform software-based security analysis of embedded Linux devices. The instructor, Craig Young, is a Tripwire computer security researcher who has used the course’s techniques to identify over 100 CVEs on embedded IoT devices. He has discovered dozens of vulnerabilities in products from Google, Amazon, Apple and others.

Continue reading …

Enterprises are moving full steam ahead when it comes to their digital transformation efforts. They’ve aggressively adopted cloud infrastructure and other cloud services, IoT, application containers, serverless functionality, and other technologies that are helping their organization to drive forward.

Those organizations that are way down the road in their digital transformation efforts say that they’ve witnessed improved business decision-making – both when it comes to making better decisions and when it comes to making those decisions more rapidly. They also say that they’ve improved their customer relationships by delivering an improved customer digital experience.

So it’s time to celebrate and declare digital victory, right?

Hold off before we book the band and order the champagne for the big party. In fact, those who want to move forward securely and confidently in their risk and regulatory compliance postures have some challenges ahead.

Continue reading …

This last week or so of May has been busy with security news and incidents, as the FBI put out an unprecedented call to do a massive wave of reboots of home and small office routers, while Intel confirmed the existence of yet another Spectre / Meltdown variant. And, yes, we had yet another high-profile instance of an unprotected AWS storage bucket exposing data, as well as more IoT security bad news.

Unplug and reset that router pronto!

As you may have heard by now, THE FBI WANTS YOU TO REBOOT YOUR ROUTERS!

Sorry, we didn’t mean to use our outside voice and startle you, but the urgent and extraordinary plea from the feds has been ubiquitous in recent days and we wouldn’t want you to be out of the loop.

The reason: It takes a village to dismantle a botnet that has infected 500,000 home and small office routers, as well as other networked devices, with the VPNFilter malware.

The FBI discovered the botnet, which it says was assembled by Russian hacker group Sofacy. Also known as Fancy Bear, the group has targeted government, military, security and intelligence organizations since 2007. It’s credited with the hack of the Democratic National Committee in 2016.

By rebooting their home and small business routers, people won’t get rid of the malware, but the move will prevent it from escalating to more destructive stages, and allow the FBI to deepen its intervention.

As Cnet explained: “Rebooting your router will destroy the part of the malware that can do nasty things like spy on your activities, while leaving the install package intact. And when that install package phones home to download the nasty part, the FBI will be able to trace that.”

Continue reading …

End users and their devices are right smack in the center of the battle between enterprise InfoSec teams and malicious hackers, and it’s not hard to see why.

When compromised, connected endpoints — desktops, laptops, smartphones, tablets — offer intruders major entry points into corporate networks. However, end users are also their organizations’ best threat detection tools.

That’s a key takeaway from SANS Institute’s “2017 Threat Landscape Survey: Users on the Front Line,” a report published in August and co-sponsored by Qualys.

The study, conducted in May and June, polled 263 IT and InfoSec pros from companies of all sizes and major industries such as finance, government, technology and education.

It found that most of the top intrusion methods reported by respondents sought to directly or indirectly compromise end users or their devices. Hackers’ preferred threat vectors included:

• Email attachment or link (flagged by 74 percent of respondents)
• Web-based drive by or download (48 percent)
• App vulnerabilities on endpoints (30 percent)
• Web server / web app vulnerabilities (26 percent)
• Removable storage devices (26 percent)

Continue reading …

After speaking at Qualys’ recent webinar  “Aligning Web Application Security with DevOps and IoT Trends,” Forrester’s Amy DeMartine granted us this Q&A, where she revisits and offers keen insights on issues including IoT security challenges and DevOps’ benefits for secure app dev. DeMartine, a Principal Analyst focused on security and risk professionals, also discusses “red teaming” for cloud products, and identifies signs you need a new automated security analysis tool.

Continue reading …

First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.

That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”

“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”

The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.

Continue reading …

Enterprises are having a challenging time securing their data and systems. But it doesn’t have to be that way. We recently reached out to Tyler Shields, principal analyst at Forrester to discuss his presentation at Qualys Security Conference 2015, and what it means to be able to secure enterprises at “cloud scale.” And what it’s going to take for enterprises to succeed in security in the years ahead.

Continue reading …

There’s a connected device tsunami coming. Everything from light bulbs to refrigerators to cars to industrial control systems are increasingly becoming Internet connected. Many are under the impression that this “Internet of Things” is primarily a consumer security and privacy issue. Turns out, it’s not. But what precisely will the Internet of Things mean to enterprise security managers and CISOs and how they protect their organization’s infrastructure and information?

Continue reading …

Black Hat USA 2014 is one of the most widely attended security conferences of the year and this year there were a number of interesting briefings on a variety of topics such as automotive attack surfaces, POS malware, cloudbots and more. Qualys presented two pieces of research surrounding TSA vulnerabilities as well as hacking physical devices such as keyless cars and home alarm systems.

Continue reading …