In this month’s Patch Tuesday release there are 63 vulnerabilities patched with 20 Criticals. Out of the criticals, over half are browser-related, with the rest including Windows, SQL, and Exchange. Active exploits have been detected against CVE-2018-8373, one of the scripting engine vulnerabilities.
WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.
WannaCry hits Taiwan Semi
The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.
Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.
According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.
Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.
That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.
The digital transformation revolution waits for — and spares — no one. It forces all businesses to adopt tech innovations, like cloud, IoT and mobility, and to protect the resulting IT environments as they become hybrid, distributed and elastic.
With traditional network perimeters dissolved, securing digital transformation efforts gets more challenging by the day, especially for smaller organizations. That’s why Qualys is putting its Qualys Cloud Platform at the disposal of this underserved small-business market — for free.
With the new Qualys Community Edition, smaller organizations will now have access — at no charge — to the cloud-based security that many of the world’s largest companies rely upon to protect their global IT environments.
By tapping the robust, massively scalable Qualys Cloud Platform, they’ll be able to discover IT assets and their vulnerabilities, identify compliance gaps and get detailed, customizable reports.
The Qualys Community Edition is not only aimed at organizations that’ll use it internally. It’s also intended for smaller security practitioners that want to provide exceptional assessments to clients, outclass their competitors and boost revenues.
When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.
“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.
It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said.
Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.
Read on to learn more.
To provide the level of data protection required by the EU’s General Data Protection Regulation (GDPR), your organization must continuously detect vulnerabilities, and prioritize their remediation.
Why? An InfoSec team that’s chronically overwhelmed by its IT environment’s vulnerabilities and unable to pinpoint the critical ones that must be remediated immediately is at a high risk for data breaches, and, consequently, for GDPR non-compliance.
The Center for Internet Security (CIS) ranks “Continuous Vulnerability Assessment and Remediation” as the fourth most important practice in its 20 Critical Security Controls. “Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,” CIS states.
In fact, hackers constantly exploit common vulnerabilities and exposures (CVEs) for which patches have been available for weeks, months and even years. The reason: Many organizations fail to detect and remediate critical bugs on a timely basis, leaving them like low-hanging fruit for cyber data thieves to feast on.
In this second installment of our GDPR compliance blog series, we’ll explain the importance of vulnerability management and threat prioritization, and how Qualys can help you solidify these practices so you can slash your risk of data breaches.
To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.
Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.
If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings.
“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.
In a memorable scene from “Jumpin’ Jack Flash,” Whoopi Goldberg struggles to understand the lyrics of the eponymous song from the Rolling Stones, as she pleads: “Mick, Mick, Mick, speak English!”
It appears that multiple operating system vendors had similar trouble interpreting Intel and AMD debugging documentation, which led the OS vendors to independently create the same critical security flaw in their respective kernel software.
The issue came to light last week when US-CERT (United States Computer Emergency Readiness Team) warned that under certain circumstances “some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception.”
“The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS,” the CERT alert reads.
The list of OS vendors affected reads like an industry “who’s who.” It includes Apple, Microsoft, Red Hat, VMware, Ubuntu, Xen and SUSE Linux. The problem was discovered by researcher Nick Peterson of Everdox Tech, who has detailed the flaw in a paper titled “POP SS/MOV SS Vulnerability.”
The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.
Twitter picks a good day for password-change call
As “change your password” calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz pointed out in Barron’s, Twitter’s alert went out on Thursday, which happened to be World Password Day.
The social media juggernaut reached out to all of its 330 million users and advised them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter’s two-step verification feature, a move strongly endorsed by Forbes’ Thomas Fox-Brewster. In addition, Twitter recommended that users change their password on any other online services where they used their Twitter password. (It bears repeating: It’s a bad idea to re-use passwords.)
The reason for the brouhaha: An IT slip-up caused user passwords to be stored in plain text in an internal Twitter log. Twitter’s security policy is to instead mask passwords using the “bcrypt” hashing technique. That way, passwords are stored on Twitter systems as a string of random characters.
It’s happening more and more.
High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.
Even if the vulnerabilities aren’t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.
Often, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.
“Should I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I’m going to argue that that’s not always the case,” Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.
Today’s Patch Tuesday is smaller than last month, but there are more critical updates this time. Out of the 63 vulnerabilities covered by the Microsoft patches, 22 of them are critical. Adobe has released 6 bulletins covering 19 vulnerabilities. According to Microsoft and Adobe, there are no active attacks against these vulnerabilities.
The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.