Critical RCE flaw in ATM security software found

Researchers from Positive Technologies have unearthed a critical vulnerability (CVE-2017-6968) in Checker ATM Security by Spanish corporate group GMV Innovating Solutions.

The software and the flaw

Checker ATM Security is a specialized security solution aimed at keeping ATMs safe from logical attacks. It does so by enforcing application whitelisting and full hard disk encryption, providing ACL-based control of process execution and resource access, enforcing security policies, restricting attempts to connect peripheral devices, and so on. The … More

Top-ranked programming Web tutorials introduce vulnerabilities into software

Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials.

The process

The researchers identified popular tutorials by inputting search terms such as “mysql tutorial”, “php search form”, “javascript echo user input”, etc. into Google Search. The first five results for each query were then manually reviewed and … More
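The kind of copy-pasted tutorial code this item is about, as an added PHP example that is not code from the study or from any tutorial it reviewed. The two patterns shown (a "search form" that builds its SQL by string concatenation, and a page that echoes the user's query back unencoded) are assumptions drawn from the quoted search terms, since the teaser does not itemise the 117 findings; the `products` table, the `$db` connection parameter and the two sample inputs are constructed for the illustration.

```php
<?php
// Added illustration, not code from the paper or from any reviewed tutorial.
// The tutorial-style patterns are ASSUMED from the teaser's search terms
// ("php search form", "javascript echo user input"); treat them as
// representative of tutorial code, not as the study's actual findings.

// Pattern 1: a "search form" tutorial that splices the request parameter
// straight into the SQL text. Returned as a string so it runs without a DB.
function unsafe_search_sql(string $term): string
{
    return "SELECT id, name FROM products WHERE name LIKE '%" . $term . "%'";
}

// The same query with a placeholder: the user value is sent separately from
// the SQL text, so quotes in it cannot change the query structure.
// $db is a live mysqli connection supplied by the caller (hypothetical table).
function safe_search(mysqli $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name LIKE ?');
    $pattern = '%' . $term . '%';        // wildcards belong in the bound value
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // needs mysqlnd
}

// Pattern 2: an "echo user input" tutorial reflecting the query into HTML.
function unsafe_echo(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// Encode for the HTML text context; ENT_QUOTES also covers attribute values,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function safe_echo(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $encoded . '</p>';
}

// Constructed inputs (not taken from the study) that break each pattern.
$sqli = "x%' OR '1'='1";              // the quote ends the LIKE literal, so
                                      // the OR becomes part of the WHERE clause
$xss  = '<script>alert(1)</script>';  // lands in the page as markup

echo unsafe_search_sql($sqli), PHP_EOL;
echo unsafe_echo($xss), PHP_EOL;
echo safe_echo($xss), PHP_EOL;
// safe_search() is not called here because it needs a live mysqli connection;
// with one, safe_search($db, $sqli) searches for the literal text "x%' OR '1'='1".
```

Run with `php example.php` to compare the three strings; the point of the pair of functions is that the fix is structural (placeholder and output encoding), not input filtering, which is exactly what a five-minute tutorial tends to leave out.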

Attacks exploiting software vulnerabilities are on the rise

Attacks conducted with the help of exploits are among the most effective as they generally do not require any user interaction, and can deliver dangerous code without arousing user suspicion. According to data gathered by Kaspersky Lab, there were 702 million attempts to launch an exploit in 2016 – an increase of 24.54 percent from 2015. During the same period, more than 297,000 users worldwide were attacked by unknown exploits (zero-day and heavily obfuscated known … More

Researchers to present new software and hardware vulnerabilities at HITB Amsterdam

Users assume the underlying hardware and software system, mobile antivirus, password managers and encryption technology will protect them from malicious attacks on their communications. Upcoming research at the HITB Security Conference in Amsterdam suggests thinking twice before blindly trusting mobile security, and shows that security is not a final product, but rather a bumpy process.

Auditing Femtocells

To secure communication via mobile devices, layered security includes secure mobile network devices. In Femtocell Hacking: From … More

Malware posing as Siemens PLC software is hitting industrial environments

What kind of malware is hitting industrial control systems, and how worried should we and the operators of these systems actually be? These are questions that Ben Miller, Director of the Dragos Threat Operations Center, took it upon himself to answer by sifting through data on ICS incidents collected over the last 13+ years and available from public datasets.

The results of the analysis

Miller’s analysis revealed that targeted ICS intrusions are rare. But, … More

Software development teams embrace DevSecOps automation

Mature development organizations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale, according to Sonatype. The adoption of DevOps around the world is evidenced by 67% of survey respondents describing their practices as very mature or of improving maturity. Where traditional development and operations teams see security teams and policies slowing them down (47%), DevOps teams have discovered new ways to integrate security at the speed of development. Only 28% … More

Week in review: WhatsApp flaw, lip motion passwords, reinventing software patching

Here’s an overview of some of last week’s most interesting news, podcasts and articles:

Vulnerability in WhatsApp and Telegram allowed complete account takeover

The vulnerability allows an attacker to send the victim malicious code, hidden within an innocent-looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim’s WhatsApp or Telegram storage data, thus giving full access to the victim’s account.

Leaked: Personal info on … More

Reinventing software patching, curing big security holes

Today’s security updates are too big, too risky and too late. It is common for enterprises to thoroughly test security updates and install them several months after they have been released, which leaves them open to inexpensive attacks. In this podcast recorded at BSidesLjubljana 0x7E1, Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, illustrates how this problem is getting a solution: micropatching – hot patching in a microsurgical manner, with patches so tiny … More

IoT goods, software and digital services to be evaluated for privacy and security

Consumer Reports, a US non-profit group whose extensive reviews of consumer goods have helped the public make informed and better choices for many decades, has announced that it will start evaluating products and services for privacy and data security. “We think it’s unfair and unrealistic to expect consumers to constantly play defense when the products and services they use aren’t engineered with basic privacy and security protections built in,” the group noted. Why an IoT … More

New macOS ransomware masquerades as software cracking tools

New crypto ransomware dubbed Filecoder (aka Findzip) is stalking macOS users, ESET researchers warn. Masquerading as an application for cracking/patching legal copies of Adobe Premiere Pro and Microsoft Office for Mac (and possibly other pricy software), the malware is distributed via BitTorrent distribution sites.

Not a masterpiece, but still destructive

Users who download a ZIP file (application bundle) containing the ransomware and run it will be faced with a window and a “Start” button which … More