Software-Defined Perimeter enables application-specific access control

Back in the early 1990s enterprises migrated away from proprietary protocols such as DECnet, SNA, and Novell IPX to common standards such as IP. The motivation was the open nature of IP and access to all of the investment and innovation in and around IP. But enterprises still wanted complete control over their network. To achieve that, the concept of IP Firewalls was introduced so that enterprises could create a unique IP network—such as internal …

US Library of Congress makes tinkering with your car software legal

The US Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works. But there are exceptions to the rule, and they are decided by the Librarian of Congress every three years. The latest decision was published on Wednesday, and contains very good news for security researchers. They will be able to safely break DRM protection while looking under the hood of motorized land vehicles, medical devices …

Vulnerabilities in security software leave users open to attacks

In most people’s minds, antivirus and security software equals better security. But thanks to security researchers who have taken it upon themselves to analyze some of those offerings, we are discovering that that belief is not necessarily true. AV and security software is not immune to exploitable bugs, and can provide a way into a target’s system. What’s more, the fact that this type of software has to have privileged access to the system in order …

Cisco squashes DoS bug in its unified infrastructure software

Cisco has released a patch for a serious remotely exploitable vulnerability affecting its Integrated Management Controller (IMC) Supervisor and Cisco UCS Director offerings. “A vulnerability in JavaServer Pages (JSP) input validation routines of the Cisco IMC Supervisor and Cisco UCS Director could allow an unauthenticated, remote attacker to overwrite arbitrary files on the system,” the company explained in an advisory. “The vulnerability is due to incomplete input sanitization on specific JSP pages. An attacker could exploit this …

Five years of hardware and software threat evolution

McAfee Labs commemorates the five-year anniversary of the Intel-McAfee union by comparing what researchers thought would happen beginning in 2010 with what actually happened in the realm of hardware and software security threats. Researchers and executives reviewed their predictions on the security capabilities of silicon, the challenges of emerging hard-to-detect attacks, and their 2010 expectations for new device types versus the reality of the marketplace. The five-year threat landscape analysis suggests: Intel Security foresaw threats targeting …

Evaluating the security of open source software

The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software. The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses (IDA) and …

MatrixSSL Tiny: A TLS software implementation for IoT devices

INSIDE Secure announced the availability of MatrixSSL Tiny, the world’s smallest Transport Layer Security (TLS) software implementation, to allow companies to affordably secure IoT devices with stringent memory requirements. The solution will be featured at Black Hat USA 2015 in Las Vegas. For example, MatrixSSL Tiny has been deployed on IoT devices with less than 10 kilobytes of flash and 600 bytes of RAM. Moreover, with MatrixSSL Tiny, device manufacturers can reduce their overall design costs …

What’s the state of your software?

Cybercrime is felt by businesses up and down the country, with the Information Security Breaches Survey (ISBS) reporting that 81 per cent of large and 60 per cent of small businesses in the UK suffered a cyber-breach in 2014. Web application attacks remain one of the most common patterns in confirmed breaches, and account for up to 35 per cent of breaches in some industries according to the 2015 Verizon Data Breach Investigations Report. Yet …

Rowhammer.js: The first remote software-induced hardware-fault attack

A group of Austrian and French researchers have devised a relatively simple way to remotely exploit the Rowhammer bug present in some computer chips. Their version of the attack is JavaScript-based, doesn’t require physical access to the machine or the execution of native code or access to special instructions, and can be performed on millions of users simultaneously. The existence of the Rowhammer (or Row Hammer) bug is not news: since 2012, chip makers have been …

How gamers can help improve critical software security

There’s now a game where sophisticated gamers can help improve security of the country’s critical software. SRI International, in partnership with the University of California, Santa Cruz (UCSC), the Air Force Research Laboratory, and the U.S. Defense Advanced Research Projects Agency (DARPA) Crowd-Sourced Formal Verification (CSFV) program, has created Binary Fission, a fun and accessible way for “citizen scientists” to help increase the reliability and security of mission critical software by verifying that it is …