Beware of browser hijacker that comes bundled with legitimate software

Lavians, a “small software vendor team,” is packaging its offerings with a variant of browser-hijacking malware The company sells and offers for free different types of software (drivers and other kinds of utilities) on their own website, but also on popular download sites. Unfortunately, most of them come bundled with the aforementioned malware, which installs itself into Internet Explorer, Firefox, and Chrome without the user’s consent. Ad-injectors and browser hijackers are definitely a nuisance, … More

ThreadFix: Software vulnerability aggregation and management system

ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. A view of the application portfolio Application security programs tend to involve a number of technologies and activities, and application security teams struggle managing these testing activities and all the data they are generating. “We built ThreadFix so that application security teams can create a consolidated view of their applications … More

Global security software market up 3.7% in 2015

Worldwide security software revenue totaled $22.1 billion in 2015, a 3.7 percent increase in from 2014, according to Gartner. SIEM remained the fastest-growing segment in 2015, with 15.8 percent growth, while consumer security software showed the sharpest decline at 5.9 percent year on year. In 2015, the top five vendors together accounted for 37.6 percent of the security software revenue market share, down 3.1 percentage points from 2014. These vendors also displayed a collective decline … More

How MDM software exposes your personal data

Bitglass tracked the personal mobile devices of several willing employee volunteers with mobile device management (MDM) software to understand how MDM could be misused and to assess the true extent of access employers have to personal data and user behavior. Researchers configured the MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on employee devices to decrypt SSL traffic. This, a common configuration in enterprise MDM deployments for inspecting … More

Mozilla will fund code audits for open source software

The Mozilla Foundation has set up the Secure Open Source (SOS) Fund, whose aim is to help open source software projects get rid their code of vulnerabilities. “The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs,” Chris Riley, Mozilla’s Head of Public Policy, explained. “But we hope this is only the beginning. … More

It takes 248 days for IT businesses to fix their software vulnerabilities

Compiled using data collected from tens of thousands of websites, a new WhiteHat Security report reveals that the majority of web applications exhibit, on average, two or more serious vulnerabilities per application for every industry at any given point in time. The report’s findings are based on the aggregated vulnerability scanning and remediation data from web applications that use the WhiteHat Sentinel service for application security testing. The research shows that no industry has mastered … More

Improving software security through a data-driven security model

The current software security models, policies, mechanisms, and means of assurance are a relic of the times when software began being developed, and have not evolved along with it, says Google researcher Úlfar Erlingsson. Practical security of computer users has, therefore, worsened, even as a plethora of computer security mechanisms have been introduced time and time again. Erlingsson proposes a new data-driven software security model to improve user and system security. “When deciding whether software … More

Free badge program helps determine the security of open source software

The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that aims to improve the security of critical open source projects, issued its first round of CII Best Practices Badges. Early badge earners include Curl, GitLab, the Linux kernel, OpenBlox, OpenSSL, Node.js and Zephyr. This is a free program that seeks to determine security, quality and stability of open source software. The CII Best Practices online app enables developers to quickly determine whether … More

Bangladesh Bank hackers compromised SWIFT software with bespoke malware

Bit by bit, indications about how the attackers who targeted Bangladesh’s central bank managed to take off with some $80 milllion (of the nearly $1 billion they aimed for) via fraudulent transfers are coming to light. First it was established that second-hand, cheap networking equipment that collects next to no network data, and the lack of a firewall between the bank’s SWIFT facility and the rest of the network, helped the attackers pull off the … More

Over 3 million servers running outdated JBoss software open to attack

Spurred by the recent discovery that the Samas (aka SamSam) ransomware is being spread via compromised servers running out-of-date versions of Red Hat’s JBoss server software, Cisco Talos researchers have begun scanning the Internet for machines that might be at risk. They found approximately 3.2 million vulnerable machines, but also a considerable number of those that are already compromised: 2,100 backdoors have been already been installed across nearly 1600 IP addresses. Another way into the … More