Threatpost for B2B


Targeted Attack Uses Heartbleed to Hijack VPN Sessions

Fri, 04/18/2014 - 15:33

A targeted attack against an unnamed organization exploited the Heartbleed OpenSSL vulnerability to hijack web sessions conducted over a virtual private network connection.

Incident response and forensics firm Mandiant shared some details on a recent investigation of an incident that began April 8, one day after Heartbleed was publicly disclosed. Mandiant said the attackers exploited the security vulnerability in OpenSSL running in the client’s SSL VPN concentrator to remotely access active sessions.

This is just the latest in an escalating series of attacks leveraging Heartbleed, a flaw in OpenSSL’s heartbeat functionality that, when enabled, returns 64KB of memory in plaintext to any client or server that requests it. Already, there have been reports of attackers using Heartbleed to steal user names, session IDs, credentials and other data in plaintext. Late last week came the first reports of researchers piecing together enough information to successfully reproduce a private SSL key.

Earlier this week, researchers in Sweden were able to exploit Heartbleed to extract private keys over OpenVPN, an open source VPN software package.

Mandiant’s report today describes the first publicly known real-world attack in which Heartbleed was used against an organization’s remote-access infrastructure.

Mandiant said the attacker was able to steal active user session tokens in order to bypass the organization’s multifactor authentication and VPN client software used to validate the authenticity of systems connecting to network resources.

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” wrote Mandiant investigators Christopher Glyer and Chris DiGiamo. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”

Since Heartbleed exploits return only 64KB of memory for each heartbeat request, attackers would need to replay an attack over and over to steal any worthwhile data. In this case, Mandiant said an IDS signature specifically written for Heartbleed triggered more than 17,000 alerts during the attack.

While heartbeat requests don’t leave a trace, Mandiant said it was able to find evidence of the attacks not only from the IDS alerts, but also from the company’s VPN logs. Specifically, it said a malicious IP address triggered the IDS alerts as the attacker tried to reach the company’s SSL VPN. The key evidence was in the VPN logs, which showed active VPN connections changing rapidly—sometimes within seconds of each other—between the attacker’s IP address and the user’s legitimate one; geographically too, the IP addresses were distant, Mandiant said, and they belonged to different ISPs. Mandiant said it was also able to correlate those IDS alerts with the connection changes in the VPN logs.
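The correlation Mandiant describes (a session whose source IP flips back and forth within seconds, with one of those IPs also tripping a Heartbleed IDS signature) can be automated over the concentrator's logs. The script below is an added example, not Mandiant's or Threatpost's code; the VPN and IDS log formats, session IDs, user names, signature name and TEST-NET addresses are all constructed, so adapt the two regexes to your own devices' output.

```python
"""Detect rapid source-IP alternation on a VPN session and correlate it with IDS alerts.

Added example (not Mandiant's or Threatpost's code). Log line formats, session IDs,
user names, the IDS signature name and the TEST-NET addresses 203.0.113.x /
198.51.100.x are constructed; adapt VPN_RE and IDS_RE to your real formats.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN concentrator log: one line per session event (order not guaranteed).
VPN_LOG = """\
2014-04-08T10:01:30Z session=S1 user=alice src=203.0.113.45 event=connect
2014-04-08T10:00:30Z session=S2 user=bob src=203.0.113.90 event=connect
2014-04-08T10:02:11Z session=S1 user=alice src=198.51.100.77 event=resume
2014-04-08T10:02:14Z session=S1 user=alice src=203.0.113.45 event=resume
2014-04-08T10:02:20Z session=S1 user=alice src=198.51.100.77 event=resume
2014-04-08T10:02:23Z session=S1 user=alice src=203.0.113.45 event=resume
2014-04-08T10:40:00Z session=S2 user=bob src=203.0.113.91 event=resume
2014-04-08T11:00:00Z session=S1 user=alice src=203.0.113.45 event=disconnect
"""

# Constructed IDS alert log from a Heartbleed-specific signature (signature name made up).
IDS_LOG = """\
2014-04-08T10:01:50Z sig="OpenSSL TLS heartbeat over-read attempt" src=198.51.100.77 dst=192.0.2.10
2014-04-08T10:01:51Z sig="OpenSSL TLS heartbeat over-read attempt" src=198.51.100.77 dst=192.0.2.10
2014-04-08T10:02:05Z sig="OpenSSL TLS heartbeat over-read attempt" src=198.51.100.77 dst=192.0.2.10
"""

VPN_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) event=(?P<event>\S+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text, pattern):
    """Parse lines matching `pattern` into dicts with a datetime under 'ts'; skip the rest."""
    records = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            records.append(rec)
    return records


def find_flapping_sessions(events, window=timedelta(seconds=60), min_changes=2):
    """Sessions whose source IP changes at least `min_changes` times, each change
    arriving within `window` of the previous event. A single change minutes apart
    (a user roaming between networks) is ignored; rapid back-and-forth between two
    addresses is what a hijacked session token looks like in the concentrator's logs."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)
    flagged = {}
    for sid, evs in by_session.items():
        changes = [(cur["ts"], prev["src"], cur["src"])
                   for prev, cur in zip(evs, evs[1:])
                   if cur["src"] != prev["src"] and cur["ts"] - prev["ts"] <= window]
        if len(changes) >= min_changes:
            flagged[sid] = {"user": evs[0]["user"],
                            "ips": {e["src"] for e in evs},
                            "changes": changes}
    return flagged


def correlate_with_ids(flagged, alerts, lookback=timedelta(minutes=5)):
    """For each flagged session, the IPs seen on it that also triggered an IDS alert
    within `lookback` before the first rapid change. An IP that hammered the
    concentrator with heartbeat requests and then showed up on another user's
    session is the strongest indicator in the incident described above."""
    alert_times = defaultdict(list)
    for a in alerts:
        alert_times[a["src"]].append(a["ts"])
    hits = {}
    for sid, info in flagged.items():
        first_change = info["changes"][0][0]
        matched = {ip for ip in info["ips"]
                   if any(first_change - lookback <= t <= first_change
                          for t in alert_times.get(ip, []))}
        if matched:
            hits[sid] = matched
    return hits


def report(vpn_text, ids_text):
    """Return human-readable findings. Geo/ASN enrichment of the IPs (the 'different
    ISPs, far apart' check) would be the natural next step and is not done here."""
    flagged = find_flapping_sessions(parse_log(vpn_text, VPN_RE))
    hits = correlate_with_ids(flagged, parse_log(ids_text, IDS_RE))
    lines = []
    for sid, info in flagged.items():
        lines.append(f"session {sid} (user {info['user']}): {len(info['changes'])} rapid "
                     f"source changes between {sorted(info['ips'])}")
        for ip in sorted(hits.get(sid, ())):
            lines.append(f"  {ip} also triggered Heartbleed IDS alerts just before; likely hijack")
    return lines


if __name__ == "__main__":
    print("\n".join(report(VPN_LOG, IDS_LOG)))
```

Session S2's single address change 40 minutes after connecting is deliberately left unflagged, so ordinary roaming does not drown the real signal.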

“Once connected to the VPN, the attacker attempted to move laterally and escalate their privileges with the Heartbleed bug,” Glyer and DiGiamo wrote.

3 Million Cards Impacted in Michaels Breach

Fri, 04/18/2014 - 14:33

Nearly four months after it first reported it was investigating a data breach, the arts and crafts retail chain Michaels confirmed yesterday that most of its U.S. stores were compromised on and off for eight months and that payment card information of nearly three million of its customers may have been impacted.

The company operates more than 1000 stores across the United States and nearly all of them were breached, although the attack has been “fully contained” by now. According to a press release yesterday however, 2.6 million cards used at Michaels’ limited point-of-sale systems between May 8, 2013 and January 27, 2014, may have been compromised in the breach.

While some stores were only targeted once, others were targeted up to four different times, some for multiple months at a time, the longest stretch spanning from May to October last year.

A lengthy 45-page document (.PDF) posted by the company yesterday runs down each store that was affected – more than 1,000 are listed – and how long users were exposed at each one.

Michaels downplayed the issue by pointing out that the number of affected cards only translates to roughly seven percent of payment cards used at its stores over the course of that time period.

As the point of sale systems contained information like customers’ credit or debit card numbers and expiration dates, they are the primary bits of information considered to have been compromised in the breach. The company insists however that customers’ names, addresses or PINs do not appear to have been breached at this time.

As many as 400,000 additional cards also appear to have been implicated in a separate breach that affected one of the company’s subsidiaries, the specialty framing and art supply chain Aaron Brothers. The same malware plagued 53 different Aaron Brothers stores (.PDF) between June 26, 2013 and February 27, 2014, mostly in California but also in Arizona, Washington, Oregon, Nevada, Colorado and Texas.

The news comes four months after the Irving, Texas, company announced it was investigating a potential data breach. Since then the company says it hired two security firms who were able to work in tandem with law enforcement, banks and payment processors to look into the issue.

While officials noticed the attack and were able to contain it at Michaels in late January it appears the attack at Aaron Brothers slipped by them, as malware continued to plague systems at those stores for another month afterwards, deep into February.

While similar, the Michaels data breach pales in comparison to this past winter’s Target attack, which affected the sensitive credit card information of over 40 million users. Like the Michaels attack, the Target attack, which came to light shortly before the new year, relied on hackers infecting the retail giant’s point of sale terminals with RAM scraper malware for several weeks, from Thanksgiving to mid-December last year.

In a blog post earlier this month experts at HP pointed out that while there has been an influx of retail credit card breaches – Target, Michaels, Sally Beauty Supply, etc. – there’s still no easy way to counteract these types of attacks since there are limits to what you can do with magnetic stripe technology.

“Memory scraping has become the new trend, but there is no easy way to defend against this technique as the magnetic stripe information is decrypted at some point,” Matt Oh, a Senior Malware Researcher with HP, pointed out. “This limitation with magnetic stripe technology and the history of cat and mouse between the credit card industry and the criminals tells us that it is time to adopt a new technology.”


ICS-CERT Warns of Heartbleed Vulnerabilities in Siemens Gear

Fri, 04/18/2014 - 13:20

A number of ICS products from Siemens and Innominate are vulnerable to the OpenSSL heartbleed flaw, some of which do not have updates available yet.

The list of products affected by the heartbleed vulnerability continues to grow by the day, with OpenVPN being one of the latest. A researcher on Friday said that he was able to extract a private key from a vulnerable OpenVPN server after hitting it with a large volume of requests over the course of several hours.

Now, the ICS-CERT has issued an advisory warning that several products from Siemens and one from Innominate are vulnerable to the heartbleed attack. Versions 8.0.0 and 8.0.1 of Innominate’s mGuard firmware are vulnerable, but the company has issued an update that addresses the flaw.

Meanwhile, Siemens has identified a number of its products that contain the heartbleed vulnerability. The list of vulnerable products includes:

  • eLAN-8.2 eLAN prior to 8.3.3 (affected when RIP is used – update available)
  • WinCC OA only V3.12 (always affected)
  • S7-1500 V1.5 (affected when HTTPS active)
  • CP1543-1 V1.1 (affected when FTPS active)
  • APE 2.0 (affected when SSL/TLS component is used in customer implementation).

“A successful “HeartBleed” exploit of the affected products by an attacker with network access could allow attackers to read sensitive data (to include private keys and user credentials) from the process memory,” the advisory says.

By some estimates, OpenSSL is deployed on more than half of the SSL-protected Web servers worldwide, but that’s just one piece of the puzzle. The library also is used in embedded devices, industrial control systems and other systems, some of which are just coming to light now.

Heartbleed Used to Steal Private Keys from OpenVPN

Fri, 04/18/2014 - 12:27

You can add OpenVPN to the growing list of products and services vulnerable to the Heartbleed OpenSSL vulnerability. Worse, researchers have been able to chain together exploits to steal private keys from traffic moving through the open source virtual private network software package.

A Swedish VPN company called Mullvad reported its findings to OpenVPN this week, which quickly urged users to update their OpenSSL library, revoke old private keys, generate new ones and create new certificates for the new private keys.

This process is going on worldwide for companies and Web-based services vulnerable to the bug in the OpenSSL crypto library’s heartbeat functionality. The bug returns 64KB of memory to any client or server making a request; if the pings are made often enough, an attacker could see in plaintext anything from user credentials to enough data to piece together a private SSL key.

Fredrik Stromberg, cofounder of Mullvad, said his company was able to extract “private key material” using a known Heartbleed proof-of-concept exploit. Stromberg told Threatpost that attacks against OpenVPN are a little more complicated because TLS session traffic is wrapped inside the OpenVPN protocol. Stromberg had to write a script that cracked the OpenVPN protocol and then used a Heartbleed exploit to dump memory similar to other attacks against Web servers, for example.

“What I did was I left it continuously running overnight pounding on my test server,” Stromberg said. “When I woke up in the morning, let’s say I had more than 1GB and less than 10GB in memory dumps, and found enough key material to reproduce a key.”

Stromberg joins a growing list of security researchers who have been able to extract private keys via Heartbleed exploits—a worst-case scenario. Most of the previous success stories were achieved through the CloudFlare Challenge against a purpose-built Web server. This is the first successful attempt against VPN software.

“I can tell you the actual exploitation part is exactly the same as against TLS on a web server or email server,” Stromberg said.

“You need to know how the VPN works, but this specification is open. It’s a little more advanced than a normal Heartbleed exploit, but not very hard if you’re a competent programmer.”

OpenVPN acknowledged Stromberg’s findings and recommended replacing the keys for each peer that was active while linked against a vulnerable OpenSSL session, its advisory said. Mullvad offers a secure OpenVPN connection for its clients for a monthly fee. Stromberg said his Heartbleed test against OpenVPN was part of due diligence for his customer base.

As far as a fix goes, VPN providers must go a step beyond patching servers, revoking certificates and reissuing new ones: they must also manually send a certificate revocation list to users and browser makers so that the old certificates won’t be accepted going forward.

“If you do not do that, you will still be vulnerable to man-in-the-middle attacks if someone sets that up,” Stromberg said. “It would be easy to impersonate a server.”

Stromberg noted in an email to OpenVPN that the TLS-auth feature in the software marginally protects against Heartbleed to the extent that the HMAC key used to authenticate packets that are part of a TLS handshake is kept secret.

“This means that while a small business may benefit from using tls-auth because only the employees have access to the key, a public VPN service such as ours does not, because anyone who is a customer has access to the key.”

Experts Worry About Future of Critical Infrastructure Security

Fri, 04/18/2014 - 11:42

SAN FRANCISCO–The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It’s an issue that Eugene Kaspersky has been thinking about for a long time, and he isn’t sure that the organizations running these systems are any closer to addressing these threats than they were several years ago.

As with many other things in technology, there’s a lot of disagreement in the industry about critical infrastructure and SCADA security issues, even over what exactly qualifies as critical infrastructure. The term often is applied to the systems that run things such as utilities, power grids, transportation systems and the like, and the networks and systems they control typically use arcane software. Many of those software packages haven’t been subjected to the kind of security testing and scrutiny that typical commercial software has, and the process of patching and updating them is difficult and laborious.

The fragile nature of these systems has raised the concerns of security researchers, policymakers and others, and led to calls for regulation and standardization for security. What’s unclear in all of this is who or what entity should be involved in the creation of any standards. Should it be an international effort? Who should lead it?

Kaspersky, the CEO of Kaspersky Lab, said during an interview at the company’s Cyber Security Summit here, that he has little faith in any international push to develop such standards.

“I vote for less regulation in technology and innovation,” he said.

“The older I am, the less and less I believe in international projects. Let the nations do it themselves, and they can be an example for the rest of the world. I think the United States will be first and then the rest of the world can copy and paste.”

A big issue in the SCADA and critical infrastructure security world when it comes to regulation and standards is that in most countries, the government doesn’t own any of these systems; they’re all in the hands of private companies. Tom Ridge, the former secretary of the Department of Homeland Security and former governor of Pennsylvania, said during a keynote at the summit Tuesday that, at least in the United States, that presents a major obstacle.

“The government has no critical infrastructure of its own. It relies on the private sector for that, and when it goes down, the government goes down,” Ridge said. “National security and economic security are intertwined.”

The critical infrastructure networks in the U.S. are prime targets for attackers, as is the case in other countries, but Kaspersky said the U.S. likely is at the top of the target list for skilled attackers.

“It’s very difficult to compare who is better protected. The U.S. is the most developed IT country in the world,” he said. “It has many more SCADA systems than any other country, so the U.S. is the biggest target. But it also has the most resources. So which nation is better protected, the one with all of the systems and resources or the one with fewer systems and is a smaller target?”

The bad news is that attackers likely won’t discriminate. Attackers take what they can get, usually regardless of geographic location or ownership. But Kaspersky said he has confidence that the market ultimately will provide an answer to the problem of critical infrastructure security.

“If you have many competing companies there’s much more chance that one of these will come up with something innovative. I vote for competition. I believe in a world that has independent and competing businesses,” he said. “There’s a much better chance that the right answer will be found much faster.”

Like Apple’s TouchID, Galaxy S5 Vulnerable to Fingerprint Hack

Thu, 04/17/2014 - 15:03

Researchers published a video this week demonstrating how Samsung’s latest entry in the smartphone arena, the Galaxy S5, is vulnerable to a hack that involves lifting and copying fingerprints to trick the phone’s biometric sensor.

Much like the Apple iPhone 5S, the smartphone, which first hit the market last week, boasts a fingerprint scanner as an added layer of security.

Now the same research outfit that was able to hack the iPhone 5S’s Touch ID feature last year, Germany’s Security Research Labs (SRLabs), has managed to bypass a similar feature on the Galaxy S5. Like the iPhone hack, the Galaxy hack relies on the attackers using a mold of a fingerprint, in this case a lab-manufactured wood glue replica of a print, to carry out their attack.

In a video posted Tuesday the researchers claim their method allows for “seemingly unlimited authentication attempts without ever requiring a password.”

While this may sound like a pretty farfetched exploit vector – a user would have to have the Finger Scanner set up on this exact brand of phone and an attacker would have to go through the trouble of creating the fingerprint replica – as the folks from SRLabs note, it could have implications for those who use the new fingerprint scan feature on PayPal’s Android app.

That app allows users to transfer funds using their fingerprint as a biometric authenticator, meaning that if an attacker had access to your phone, and one of these fingerprint molds, they’d be able to make purchases and unsolicited money transfers from the account.

In the video the researchers demonstrate how an attacker could wire himself money via PayPal from a person’s debit account. Using the fingerprint replica it takes three swipes for PayPal to recognize the bogus fingerprint, but according to the researcher, attackers could be allowed “multiple attempts to make a successful swipe with this spoof.”

In a statement released this week, PayPal downplayed the issue, saying it was taking SRLabs’ findings seriously but was confident that its app is still “easier and more secure” than using passwords or credit cards. PayPal added that it could simply deactivate the cryptographic keys associated with fingerprints on accounts from lost or stolen devices and allow users to create new ones.

The company added that in the unlikely occurrence that one of its users gets duped by an attacker with one of these phony fingerprint scans, it will reimburse any losses they incur.

To use the S5’s fingerprint scanner, the phone requires users to swipe a finger eight times over the home button. The user can then use that fingerprint to lock their screen, verify their Samsung account or authenticate their PayPal account.

A number of critics have been vocal against using fingerprints as a biometric authentication measure for years now. Some of those voices, including researchers from the Chaos Computer Club (CCC) and SRLabs, have pointed out that whenever a fingerprint gets stolen, there’s no way to change it and that it’s easy to lift users’ fingerprints off of items, including their personal devices.

Still, fingerprint spoofs, known in some circles as ‘fake fingers’, are not easy to produce. CCC hacker Starbug, who was famously the first to break Apple’s TouchID last fall, used a high-resolution image of a fingerprint and latex to produce his.

“This demonstrates—again—that fingerprint biometrics is unsuitable as [an] access control method and should be avoided,” the CCC said in September.

Certificate Revocations Shoot Up in Wake of OpenSSL Heartbleed Bug

Thu, 04/17/2014 - 13:50

The aftereffects of the OpenSSL heartbleed vulnerability continue to spread through the technology industry, nearly two weeks after the details of the flaw were disclosed. One of the latest repercussions is a huge increase in the number of SSL certificates being revoked, as site owners and hosting providers go through the process of replacing vulnerable certificates.

Certificate authorities and other organizations maintain certificate revocation lists that browsers can use to determine whether a certificate on a given site has been revoked. Site owners will revoke certificates for a number of reasons, including security problems. Those revocations typically go unnoticed, unless a high-profile site is involved or there’s some event that causes a large number of sites to need to replace their certificates.

Enter heartbleed.

In the last few days, there has been a tremendous spike in the volume of certificate revocations.

A good portion of that increase–which saw revocations go from perhaps a few thousand a day to more than 70,000 earlier this month–can be attributed to CloudFlare replacing all of the certificates for sites that it manages. The company was one of the few organizations that got early warning about the OpenSSL bug before the software’s maintainers revealed the details.

“After learning the full extent of the bug and that it had been live on the Internet for two years, we started an investigation to see whether our private keys and those of our customers were at risk,” Nick Sullivan of CloudFlare wrote in a blog post.

“We started our investigation by attempting to see what sort of information we could get through Heartbleed. We set up a test server on a local machine and bombarded it with Heartbleed attacks, saving the blocks of memory it returned. We scanned that memory for copies of the private key and after extensive scanning, we could not find a trace of it.”

CloudFlare then issued a public challenge, asking researchers to see whether they could get the private key from a vulnerable server the company set up. Within a few hours, someone succeeded. And several other people later won the challenge, as well, retrieving the private key.

“A nagging question is why, when OpenSSL has functions to cleanse memory, are these chunks of keys being found in memory. We are continuing to investigate and if a bug is found will submit a patch for OpenSSL,” Sullivan wrote.

“The more HTTPS traffic the server serves, the more likely some of these intermediate values end up on the heap where Heartbleed can read them. Unfortunately for us, our test server was on our local machine and did not have a large amount of HTTPS traffic. This made it a lot less likely that we would find private keys in our experimental setting. The CloudFlare Challenge site was serving a lot of traffic, making key extraction more likely. There were some other tricks we learned from the winners about efficiently finding keys in memory.”

There’s been some discussion about whether it is practical for an attacker to retrieve the private key of a target server using the heartbleed attack, and Sullivan said he sees it as doable.

“Based on these findings, we believe that within two hours a dedicated attacker could retrieve a private key from a vulnerable server. Since the allocation of temporary key material is done by OpenSSL itself, and is not special to NGINX, we expect these attacks to work on different server software including non-web servers that use OpenSSL,” he wrote.


Tor Begins Blacklisting Exit Nodes Vulnerable to Heartbleed

Thu, 04/17/2014 - 11:40

The Tor Project has begun blacklisting exit nodes vulnerable to the Heartbleed vulnerability in OpenSSL.

Researcher Collin Mulliner, with the Systems Security Lab at Northeastern University in Boston, published the results of an experiment he conducted using a publicly disclosed Heartbleed proof-of-concept exploit against 5,000 Tor nodes. Mulliner said that 1,045 nodes, or a little more than 20 percent, were vulnerable to the bug.

Mulliner said only Tor exit nodes were leaking plaintext user traffic, including host names, credentials and web content. Mulliner conducted his experiment for three days last Friday through Sunday, and his results are a point-in-time snapshot. A post yesterday from Tor Project leader Roger Dingledine on the Tor mailing list said that 380 vulnerable exit keys were being rejected.

Heartbleed was publicly reported on April 7. The vulnerability lies in the heartbeat function in OpenSSL 1.0.1 to 1.0.1f which publicly leaks 64 KB of memory to any client or server pinging a web server running the vulnerable crypto library. The memory leaks can disclose in plaintext anything from user credentials to private server keys if the attack is repeated enough. Several researchers have already managed to retrieve private SSL keys in an online challenge from vendor CloudFlare. Speculation is that intelligence agencies and/or hackers may have been exploiting it since November. Mulliner said he did not try to extract private keys from Tor, nor did he think it was possible.

Tor promises anonymity to its users by using proxies to pass encrypted traffic from source to destination. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear.

“I found a significant amount of plaintext user traffic, complete Web traffic, session IDs; everything you would find if you ran Heartbleed against a normal Web server,” Mulliner said.

Heartbleed saves attackers the work of setting up their own exit node and waiting for traffic to pass through it. Using Heartbleed, all a hacker would have to do is query a vulnerable exit node to obtain traffic, Mulliner said.

Dingledine yesterday published the first list of rejected exit nodes and said those nodes will not be allowed back on the network.

“I thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they’ve upgraded their openssl), but on the other hand, if they were still vulnerable as of yesterday, I really don’t want this identity key on the Tor network even after they’ve upgraded their OpenSSL,” Dingledine wrote. He added that he hopes others will add to this list as other vulnerable relays are discovered.

Tor acknowledged some of its components were vulnerable to Heartbleed in a post to its blog on April 7.

Mulliner said it was a fairly straightforward process to write a script to run a Heartbleed proof of concept.

“Anybody who can get the Python script can play around with it,” Mulliner said, adding that there are likely fewer vulnerable Tor nodes now than when he ran his scans last week since some have likely been patched and Tor has begun blacklisting. “The data is dated, but it’s a good picture of that point in time.”

Kurt Baumgartner on APT Attacks in the Enterprise

Thu, 04/17/2014 - 10:59

Dennis Fisher talks with Kaspersky Lab security researcher Kurt Baumgartner about the specter of APT attacks in enterprises, what kind of tactics APT attackers are using now and the effect of the Heartbleed OpenSSL bug on the certificate authority system.

http://threatpost.com/files/2014/04/digital_underground_151.mp3

Federal Court Rejects Lavabit’s Contempt Appeal

Wed, 04/16/2014 - 15:33

A Federal court struck down Lavabit’s appeal today, affirming contempt of court sanctions against the now-shuttered secure email provider that was forced to release its SSL keys to the FBI last year.

Those keys could have decrypted emails belonging to the company’s founder Ladar Levison along with Lavabit’s entire user base, a collective of 400,000 that reportedly included former National Security Agency contractor turned whistleblower Edward Snowden. Levison ultimately shut Lavabit down in August 2013 before disclosing the keys.

According to the ruling (.PDF), issued today by the United States Court of Appeals for the Fourth Circuit, one of Lavabit’s biggest missteps was that it failed to raise its arguments before the District Court after it was initially held in contempt last year, something that “significantly alters the standard of review.”

Lavabit specifically argued against the Pen/Trap Statute, which authorizes an order allowing the placement of a pen register and a trap-and-trace device on its system. Pen/Trap orders are court-ordered surveillance mechanisms that give the government access to all “non-content dialing, routing, addressing and signaling information” on a real-time basis for 60 days.

Lavabit’s appeal contended that the government overstepped the bounds of the Pen/Trap order when the FBI asked the firm to release its SSL keys.

Apparently Levison only made one statement in his appeal that related to the order and that was back in July when he objected to turning over the private keys, insisting the move would “compromise all of the secure communications in and out of his network.”

Levison’s argument was not comprehensive enough, in the eyes of the court, which called the remark “vague,” and simply a reflection of his personal angst at the time over having to comply with the order.

“Lavabit never challenged the statutory validity of the Pen/Trap Order below or the court’s authority to act. To the contrary, Lavabit’s only point below alluded to the potential damage that compliance could cause to its chosen business model,” Judge G. Steven Agee, who authored the decision, wrote in the ruling today.

Agee’s opinion – joined by Judges Paul Niemeyer and Roger Gregory – was that the Pen/Trap Order levied on Lavabit always covered the encryption keys.

“If Lavabit truly believed the Pen/Trap Order to be an invalid request for the encryption keys, then the Government’s continuing reliance on that order should have spurred Lavabit to challenge it,” the decision reads, adding that the company should have acted after the district court issued the order on Aug. 1.

“Lavabit failed to make its most essential argument anywhere in its briefs or at oral argument,” Judge Agee said.

Lavabit brought up a handful of other arguments – that the case should be viewed as a matter of “immense public concern,” that the firm was unrepresented during some of its proceedings, etc. – but the court found no merit in these arguments, choosing not to rule on these claims.

“We reiterate that our review is circumscribed by the arguments that Lavabit raised below and in this Court. We take this narrow course because an appellate court is not a freestanding open forum for the discussion of esoteric hypothetical questions,” Agee wrote regarding Lavabit’s claims.

“The district court did not err, then, in finding Lavabit and Levison in contempt once they admittedly violated that order,” the ruling says of Lavabit’s actions, in closing.

The 10-year-old encrypted email service used a single set of SSL keys for all of its users that would unlock all traffic coming in and out of the company’s network.

Levison publicly maintained in an interview last fall that the FBI was exceeding its statutory authority in demanding Lavabit’s keys and claimed he was being forced by law to keep quiet about the case.

Refusing to become a “listening post” for the FBI Levison elected to shut down the service in August amid looming legal threats that would have given the government access.

After filing his appeal, Levison gave users a brief five-day window in October to download their email archives and account data.

As Snowden is clearly tangled up in an ongoing criminal investigation his name isn’t directly mentioned in today’s ruling, but it’s common knowledge that it’s his information the FBI was seeking when it initially imposed the Pen/Trap Statute on Lavabit last year.

In a talk at February’s TrustyCon conference, one of Levison’s lawyers, former Electronic Frontier Foundation attorney Marcia Hofmann, said that the Lavabit case could prove to be just the beginning and that the incident should help prompt other outfits to reconsider how to handle government requests.

“We need to update our threat models. Ladar was worried about data at rest, not data in transmission. The threats are different than we thought. Security and privacy enhancing services are really in the crosshairs. To the extent that you design a service like Lavabit, you should be thinking about how you’re going to deal with government requests,” Hofmann said.

Oracle Fixes 104 Security Vulnerabilities in Quarterly Patch Update

Wed, 04/16/2014 - 12:32

Software maker and database management company Oracle yesterday released its quarterly Critical Patch Update. The release resolves more than 100 security vulnerabilities, many of which received high Common Vulnerability Scoring System (CVSS) base scores and should be applied as soon as possible.

Products affected by the patch include but are not limited to Oracle Database, Fusion Middleware, Hyperion, Supply Chain Product Suite, iLearning, PeopleSoft Enterprise, Siebel CRM, Java SE, and Sun Microsystems Products Suite, including Oracle Linux and Virtualization, and Oracle MySQL.

Last week, Oracle released a list of products affected by the Heartbleed OpenSSL vulnerability, as well as their current status with respect to vulnerable versions of the encryption library.

Among the patches that should be prioritized are two bugs in Oracle’s database products. The more severe of these two issues could lead to a full compromise of impacted Windows systems, though exploitation would require that an attacker authenticate him or herself. Other platforms like Linux and Solaris are less affected because the database does not extend into the underlying operating system there.

The update also closes off 20 Fusion middleware vulnerabilities, the most critical of which is remotely exploitable without authentication and could lead to a wide compromise of the WebLogic Server.

Also included in its April release are 37 Java vulnerabilities. Four of those received the highest possible CVSS rating of 10.0. Oracle urges all users – home users in particular – to apply these patches immediately.

The patch update also fixes five vulnerabilities affecting Oracle Linux and Virtualization products. The most severe of these vulnerabilities could affect certain versions of Oracle Global Secure Desktop.

“Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible,” wrote Oracle security assurance manager, Eric Maurice.

Earlier this month, researchers from Security Explorations disclosed more than two dozen outstanding issues with the company’s Java Cloud Service platform. There is no mention of that line of products in the update, so it appears that the company did not resolve those bugs. At the beginning of March, researchers at the London-based computer security firm Portcullis claimed to have uncovered four bugs in Oracle’s Demantra Value Chain Planning suite of software. The update makes no mention of these vulnerabilities either.

Certificate Revocation Slow for Heartbleed Servers

Wed, 04/16/2014 - 12:05

The rush to revoke and replace digital certificates on Heartbleed-vulnerable Web servers seems to be no rush at all.

Internet research and security services firm Netcraft reports today that of the more than 500,000 servers it knows of that are running vulnerable versions of OpenSSL, only 80,000 certificates have been revoked so far. The urgency to do so was ramped up on Friday when four unrelated security researchers each were able to take advantage of the TLS heartbeat vulnerability to steal private SSL keys in a challenge set up by vendor CloudFlare.

Also, the first public reports of exploits against websites resulting in stolen data involved the Canada Revenue Agency and Mumsnet of the U.K.

“While some companies quickly recognized the need to issue new certificates in response to the Heartbleed bug, the number of revocations has not kept up,” wrote Paul Mutton. “This is a mistake, as there is little point issuing a new certificate if an attacker is still able to impersonate a website with the old one.”

Heartbleed is a dangerous Internet-wide bug that can be exploited to steal sensitive information such as user credentials, and also private encryption keys if the attack is replayed often enough. One researcher in the CloudFlare Challenge, Russian Fedor Indutny, replayed his attack 2.5 million times before he was able to steal a key from an nginx server running an unpatched instance of OpenSSL set up by CloudFlare.

Researchers had speculated it was incredibly difficult and unlikely to steal private keys by exploiting Heartbleed, but that was proven incorrect: by Saturday morning there were four reported winners of the challenge, including Indutny, who was the first. Making matters worse, Heartbleed attacks leave no log entry and are effectively undetectable after the fact.

The process of revoking old certificates and reissuing new ones involves working closely with a certificate authority, many of which offer self-service tools or APIs that help facilitate the process. The problem is that the wonky code was introduced into OpenSSL in December 2011 and there have been public reports that it has been exploited as far back as last November.

“You have to get your infrastructure patched so that any future damage will not be incurred because of the vulnerability, and the second priority is replacing or reissuing certificates to mitigate the risk from private keys stolen while the vulnerability existed in the wild,” said Marc Gaffan, cofounder of Incapsula. Users, for example, should make sure that sites on which they’re changing credentials have been patched, otherwise an attacker could continue to exploit an unpatched site stealing new credentials in the process.

Netcraft, meanwhile, estimates the cost of replacing compromised certs with new ones at more than $100 million; some CAs, however, are allowing customers to reissue and revoke certificates free of charge, Netcraft said. It points out also that many sites are buying new certificates rather than reissuing.

“Perhaps in the haste of resolving the problem, this seemed the easiest approach, making Heartbleed a bonanza for certificate authorities,” Mutton said.

Netcraft also points out that some companies—including large sites such as Yahoo’s mobile log-in page, the U.S. Senate large file transfer system, and GeoTrust’s SSL Toolbox—have deployed new certs but have yet to revoke old ones. Some of those not yet on a Certificate Revocation List are still sending OCSP responses that those certificates are “good,” Netcraft said.

Revocation may not help in some cases, Netcraft cautions, saying that four percent do not specify a URL for an OCSP responder and can only be revoked through a CRL.

“This makes the certificates effectively irrevocable in some browsers — for example, the latest version of Mozilla Firefox no longer uses CRLs at all (previously it would fall back to checking a CRL if an OCSP request failed, but only for Extended Validation certificates),” Mutton said.

There are still other certificates, Netcraft said, that may have been compromised and do not specify either an OCSP or a CRL address, and so cannot be revoked at all until they expire.

“These certificates are therefore completely irrevocable in all browsers and could be impersonated until their natural expiry dates if an attacker has already compromised the private keys,” Mutton said.
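Netcraft’s three cases above (OCSP responder present, CRL-only, neither) can be checked directly from a certificate’s extensions. The following is an added example, not Netcraft’s or any browser’s code; it assumes the `cryptography` Python package is installed and builds its own self-signed test certificates, so it runs offline.

```python
"""Classify whether an X.509 certificate can actually be revoked in practice.

Added illustration (not Netcraft's or any browser's logic). A certificate that
advertises an OCSP responder is revocable everywhere; one that lists only a CRL
distribution point is irrevocable in browsers that no longer consult CRLs; one
with neither is irrevocable in all browsers until it expires.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def revocation_channels(cert: x509.Certificate) -> dict:
    """Return the OCSP responder URLs and CRL distribution point URLs a cert advertises."""
    ocsp_urls, crl_urls = [], []
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        ocsp_urls = [d.access_location.value for d in aia
                     if d.access_method == AuthorityInformationAccessOID.OCSP]
    except x509.ExtensionNotFound:
        pass
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
        for dp in cdp:
            for name in (dp.full_name or []):
                if isinstance(name, x509.UniformResourceIdentifier):
                    crl_urls.append(name.value)
    except x509.ExtensionNotFound:
        pass
    return {"ocsp": ocsp_urls, "crl": crl_urls}


def classify(cert: x509.Certificate) -> str:
    """Map the advertised channels onto Netcraft's three cases."""
    channels = revocation_channels(cert)
    if channels["ocsp"]:
        return "revocable-ocsp"
    if channels["crl"]:
        return "crl-only"        # irrevocable in browsers that ignore CRLs
    return "irrevocable"         # irrevocable in every browser until expiry


def classify_pem(pem: bytes) -> str:
    """Convenience wrapper for a PEM-encoded certificate read from disk or a TLS handshake."""
    return classify(x509.load_pem_x509_certificate(pem))


def make_test_cert(ocsp_url: str = None, crl_url: str = None) -> x509.Certificate:
    """Build a self-signed certificate with the requested extensions (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "revocation-test.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if ocsp_url:
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    if crl_url:
        builder = builder.add_extension(x509.CRLDistributionPoints([
            x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_url)],
                                   relative_name=None, reasons=None, crl_issuer=None)]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # Hypothetical URLs; nothing is contacted.
    for label, cert in (
        ("ocsp+crl", make_test_cert("http://ocsp.example.test", "http://crl.example.test/ca.crl")),
        ("crl only", make_test_cert(crl_url="http://crl.example.test/ca.crl")),
        ("neither", make_test_cert()),
    ):
        print(f"{label:<9} -> {classify(cert)}  {revocation_channels(cert)}")
```

Run it against a real server certificate saved as PEM by calling `classify_pem()` on the file contents; anything reported as `irrevocable` should be replaced with a new certificate rather than merely reissued.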

Eugene Kaspersky on Critical Infrastructure Security

Wed, 04/16/2014 - 11:00

Dennis Fisher talks with Eugene Kaspersky about the need for better critical infrastructure security, the major threats facing enterprises today and the specter of cyberwar.

http://threatpost.com/files/2014/04/digital_underground_150.mp3

Download: digital_underground_150.mp3

Crypto Examination Awaits in Phase Two of TrueCrypt Audit

Wed, 04/16/2014 - 10:22

Phase two of the TrueCrypt audit figures to be a labor-intensive, largely manual cryptanalysis, according to the two experts behind the Open Crypto Audit Project (OCAP).

Matthew Green, crypto expert and professor at Johns Hopkins University, said a small team of experts will have to, by hand, examine the cipher suites, key algorithms and random number generators used in the open source encryption software.

Green said he hopes to crowdsource experts for the second phase of the audit, attracting people skilled in examining cryptography.

“We’re still flushing out the idea, but it will be a group of people who are well respected in the industry who have done this type of thing on a smaller scale,” Green said, adding he was not yet ready to publicly name them. “We would not be doing this if it were not for these people. We’ve created a series of challenges and we’re going to divide them up. I’m sure it will be fairly successful; we’re still in the planning stages.”

ISEC Partners, the consultants who were hired to conduct the first phase of the TrueCrypt audit that looked at the TrueCrypt bootloader and Windows kernel driver, will not be involved in phase two, Green said, adding that the results for the second half of the audit may not be available for a few months.

The movement to audit TrueCrypt began last fall, a few months after the Snowden leaks began going public. TrueCrypt, which provides full disk and file encryption capabilities, has been downloaded close to 30 million times, making it a tempting target for intelligence agencies that have been accused of subverting other commercial and open source software.

ISEC on Monday released its report on the first phase of the audit and said it found no backdoors in the portions of the software it looked at. There were, however, worrisome vulnerabilities around the quality of the code and build processes.

“The good news is that there is nothing devastating in the code,” Green said. “The auditors said there were problems in code quality and pointed out other legitimate issues. These are not reasons to stop using it.”

One of the first concerns leading to suspicions that the Windows binary version of TrueCrypt had been backdoored was a mysterious string of 65,024 encrypted bytes in the header. Experts wondered why these random bytes were there and whether they could be an encrypted password. Adding to the intrigue was that, aside from the fact the Windows package behaves differently than versions built from source code, no one really knew who the developers behind TrueCrypt are.

In October, however, some of those concerns were laid to rest when Green and OCAP co-organizer Kenneth White, senior security engineer at Social & Scientific Systems, were contacted by the anonymous developers who endorsed the audit. Also, an independent audit of TrueCrypt conducted by Xavier de Carne de Carnavalet of Concordia University in Canada, was able to reproduce a deterministic compilation process for the Windows version that matches the binaries. He concluded TrueCrypt was not backdoored.

“We’re not going to say the issue is closed, but we’re a lot less panicked about it,” Green said. “That doesn’t mean there isn’t something there, it’s just not on my list of things to worry about.”

The relief with the initial results is that there isn’t a widespread bug in the software; while TrueCrypt isn’t deployed on a scale of OpenSSL or Apple software, the recent Heartbleed and so-called gotofail iOS bugs have left some in the security community a little shell-shocked. White, for one, is hoping the cryptanalysis turns up equally positive results as in phase one.

“Our confidence in encryption software is driven by the level of expertise afforded proper peer-to-peer review, by deep experts in the field. And there is a very small group of people who are qualified to conduct this kind of analysis, particularly with the encryption components,” White said. “What they find might be gross errors or might be a trivial single character mistake.”

While very few of these types of public audits have been conducted—perhaps the most high-profile security tool subjected to a public audit was open source private chat application Cryptocat—Green and White see the potential for more of these in the future.

“It’s much harder to do than it seems. It’s not just about getting the money and paying people; you have to find people who are interested in doing it. Not every firm is interested in doing a public audit,” Green said, adding that the TrueCrypt audit is the first of its kind that was crowd funded. “We have a good technical advisory board who were willing to put in the time to make this happen. You need good organization with people whose job it is to do this; you can’t do this in your spare time.”

White said future projects are under consideration, but for now 100 percent of their efforts and funding is going toward the TrueCrypt audit.

“I think there is a subset of people who had their minds made up before we started, and have no intention of changing. For me, the appeal of this work has been to begin to establish a framework for conducting community-driven security audits and formal cryptanalysis on open source (or, in the case of TrueCrypt, source-available) software,” White said. “I think if after the final report we can say, ‘We marshaled some of the best minds in the field, and they looked at the code, the crypto, and the implementation and we found [X]’ then that’s a victory. As a privacy advocate, I’m obviously hoping for a clean verdict, but as a security engineer, I remain skeptical until the end.”

Financial Services Companies Facing Varied Threat Landscape

Wed, 04/16/2014 - 05:00

SAN FRANCISCO — Many of the stories about attacks on banks, payment processors and other portions of the financial services system around the world depict these intrusions as highly sophisticated operations conducted by top-level crews. However, the majority of the attacks these companies see aren’t much more advanced than a typical malware attack, experts say.

“About two thirds of the attacks on our merchant community are low to moderate complexity,” Ellen Richey, executive vice president and chief enterprise risk officer at Visa, said during a panel discussion on threats to the financial services industry at the Kaspersky Lab Cyber Security Summit here Tuesday.

The last couple of years have been tough on banks and other financial services companies when it comes to security. Many of the larger banks in the United States and elsewhere have been the targets of massive DDoS attacks for more than a year now, with many of these attacks being attributed to hacktivist groups. These banks, of course, always are targets for cybercrime gangs looking for some quick money. But Richey and the other panelists said that while they certainly see attacks against their networks from determined, skilled attackers, a great deal of what they see every day is pretty mundane.

Attackers looking for a nice pay day often won’t target a bank directly, but will hit a partner or supplier the bank uses and go from there.

That strategy isn’t new, but it’s proven to be effective.

“People aren’t going to go after hard targets, because it exposes them,” said Steve Adegbite, senior vice president of enterprise information security program oversight and strategy organization at Wells Fargo & Co. “They go after the lower level merchants and walk up the chain from there.”

While figuring out who is attacking an organization can be an intriguing exercise, Adegbite said that in a lot of cases it doesn’t matter much who is doing what. The end result of a successful attack is the same: a disruption to the business.

“Within financial services, it’s about customer service and keeping things running and keeping the lights on. When I go in there after the fact and strip everything down, whether it’s a nation state or a kid in his basement, it’s forcing us to deal with an incident.”

Richey said that Visa, with its massive network of merchants and huge profile around the globe, sees all shapes and sizes of attacks, but has seen a big jump in the number of DDoS attacks in recent years.

“The piece we’re seeing in the last two to three years is denial of service attacks. It’s primarily hacktivists,” she said. “The industry has amped up its defenses to deal with it.”

That increase in defenses has occurred across the financial services industry, but as well-funded and sophisticated as the security teams in these companies are, they can’t go it alone. Adegbite said that he and the Wells Fargo security team collaborate with as many people and organizations as they can when it comes to defending their networks.

“Cybersecurity is a team sport. The amount of things we’re dealing with, we can’t handle it all ourselves,” he said. “We form a community of defenders all the way through.”

Microsoft Releases Updated Threat Modeling Tool 2014

Tue, 04/15/2014 - 15:07

Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that’s at the core of Trustworthy Computing.

Today, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring the practice closer to not only large enterprises, but also smaller companies with a growing target on their back.

Four new features have been added to the tool: enhancements to its visualization capabilities, migration of older threat models, support for custom threat definitions, and a change to how it generates threats.

“More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,” said Tim Rains, a Trustworthy Computing manager. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.”

The first iteration of the Microsoft Threat Modeling Tool was issued in 2011, but Rains said customer feedback and suggestions for improvements since then have been rolled into this update. The improvements include a new drawing surface that no longer requires Microsoft Visio to build data flow diagrams. The update also includes the ability to migrate older, existing threat models built with version 3.1.8 to the new format. Users can also upload existing custom-built threat definitions into the tool, which also comes with its own definitions.

The biggest change in the new version is in its threat-generation logic. Where previous versions followed the STRIDE framework (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) per element, this one follows STRIDE per interaction of those elements. STRIDE helps users map threats to the properties guarding against them, for example, spoofing maps to authentication.

“We take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements,” Rains said.
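The difference between STRIDE per element and STRIDE per interaction is easiest to see on a small data flow diagram. The following is an added example and not the Threat Modeling Tool’s own rule set: the per-element chart is the conventional one, while the per-interaction rules are a simplified, hypothetical set chosen to show how element types and flow attributes change what gets generated.

```python
"""STRIDE per element versus STRIDE per interaction on a small data flow diagram.

Added illustration, not Microsoft's tool logic: the per-interaction rules below are a
simplified, hypothetical rule set chosen to show why the two approaches differ.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Each STRIDE category maps to the property that guards against it (spoofing -> authentication).
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

# STRIDE per element: the categories conventionally applied to each DFD element type.
PER_ELEMENT = {
    "external": ["Spoofing", "Repudiation"],
    "process": list(STRIDE_PROPERTY),
    "datastore": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "dataflow": ["Tampering", "Information disclosure", "Denial of service"],
}


@dataclass
class Flow:
    src: str
    dst: str
    label: str
    crosses_boundary: bool = False  # flow crosses a trust boundary on the diagram
    encrypted: bool = False
    logged: bool = False


@dataclass
class Threat:
    category: str
    guarding_property: str
    context: str   # element or interaction the threat is raised against
    rationale: str


@dataclass
class DFD:
    elements: Dict[str, str]          # element name -> element type
    flows: List[Flow] = field(default_factory=list)


def threats_per_element(dfd: DFD) -> List[Threat]:
    """Classic STRIDE per element: every element gets every category for its type."""
    out = []
    for name, etype in dfd.elements.items():
        for cat in PER_ELEMENT[etype]:
            out.append(Threat(cat, STRIDE_PROPERTY[cat], name, f"{etype} element"))
    for f in dfd.flows:
        for cat in PER_ELEMENT["dataflow"]:
            out.append(Threat(cat, STRIDE_PROPERTY[cat], f"{f.src}->{f.dst}", "data flow"))
    return out


def threats_per_interaction(dfd: DFD) -> List[Threat]:
    """STRIDE per interaction: threats depend on the element types at both ends of a flow
    and on the flow's attributes, so the list is shorter and tied to the actual design."""
    out = []
    for f in dfd.flows:
        src_t, dst_t = dfd.elements[f.src], dfd.elements[f.dst]
        ctx = f"{f.src}->{f.dst} ({f.label})"

        def add(cat, why, ctx=ctx):
            out.append(Threat(cat, STRIDE_PROPERTY[cat], ctx, why))

        if src_t == "external":
            add("Spoofing", f"{f.dst} must authenticate {f.src}")
        if f.crosses_boundary and not f.encrypted:
            add("Information disclosure", "cleartext flow crosses a trust boundary")
            add("Tampering", "unprotected flow crosses a trust boundary")
        if dst_t == "process":
            add("Denial of service", f"{f.dst} can be flooded from {f.src}")
            add("Elevation of privilege", f"{f.dst} acts on input from {f.src}")
        if dst_t == "datastore":
            add("Tampering", f"writes to {f.dst} must be authorized")
            if not f.logged:
                add("Repudiation", f"no audit trail for writes to {f.dst}")
    return out


def example_dfd() -> DFD:
    """Constructed three-element diagram: browser user -> web app -> database."""
    return DFD(
        elements={"user": "external", "web": "process", "db": "datastore"},
        flows=[
            Flow("user", "web", "HTTPS request", crosses_boundary=True, encrypted=True, logged=True),
            Flow("web", "db", "SQL over LAN", crosses_boundary=False, encrypted=False, logged=False),
        ],
    )


if __name__ == "__main__":
    dfd = example_dfd()
    for label, fn in (("per element", threats_per_element), ("per interaction", threats_per_interaction)):
        threats = fn(dfd)
        print(f"STRIDE {label}: {len(threats)} threats")
        for t in threats:
            print(f"  {t.category:<22} [{t.guarding_property}] {t.context}: {t.rationale}")
```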

At the RSA Conference in February, Trustworthy Computing program manager Adam Shostack said that there is no one defined way to model threats; that they must be specific to organizations and their particular risks.

“I now think of threat modeling like Legos. There are things you can snap together and use what you need,” Shostack said. “There’s no one way to threat model. The right way is the way that fixes good threats.”

Install April Windows 8.1 Update If You Want Security Patches

Tue, 04/15/2014 - 14:40

In a bizarre and somewhat befuddling move, Microsoft announced yesterday on its Technet blog that it would no longer provide security updates to users running out-of-date versions of Windows 8.1. In order to receive updates, customers will have to have updated their machines with the most recent Windows 8.1 Update, which the company pushed out in April.

Microsoft recently released a fairly large update for Windows 8.1. Users who installed the update (or have their updates installed automatically) and even users that never updated to 8.1 in the first place will continue to receive updates. However, users running older versions of Windows 8.1 will not receive any security updates moving forward. If they attempt to install an update, they will receive a message informing them that the update is “not applicable.”

Users running Windows 7 or Vista are not affected by this announcement. Users running Windows XP are no longer eligible for security updates either since Microsoft’s long-awaited cessation of support for the more-than-12-year-old operating system became official in April.

It’s not clear whether this decision is to become a precedent for future update cycles.

“Since Microsoft wants to ensure that customers benefit from the best support and servicing experience and to coordinate and simplify servicing across both Windows Server 2012 R2, Windows 8.1 RT and Windows 8.1, this update will be considered a new servicing/support baseline,” wrote Steve Thomas, a senior consultant at Microsoft.

Thomas goes on to explain that users who install updates manually will have 30 days to install the Windows 8.1 update from April. Beginning with the May Patch Tuesday, any Windows 8.1 devices that have not installed the update will no longer receive security updates.

The move is even more of a head-scratcher considering the trouble many users have reportedly faced while attempting to install that April update. Microsoft even references the troubles the patch has presented, saying:

“Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are delaying the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers.”

Despite its promise to cut off support for out-of-date versions of Windows 8.1, the company has little choice but to “recommend that you suspend deployment of this update in your organization until we release the update that resolves this issue.”

Threatpost has reached out to Microsoft for clarification and will update this story with any comment.

Government, Private Sector Must Have a ‘Need to Share’ Mindset on Threats

Tue, 04/15/2014 - 14:22

SAN FRANCISCO–The security of both government and private enterprise systems going forward relies on the ability of those two parties to share threat, attack and compromise information on a real-time basis, former Department of Homeland Security secretary Tom Ridge said. Without that cooperation, he said, the critical infrastructure of the United States will continue to be “a target-rich environment”.

The idea of information sharing is a well-worn one in the security industry. Private companies have been trying to get timely intelligence on attacks and threats from the federal government for years, without much success. On the other side of that coin, the government has been ingesting threat intelligence from the private sector for decades, while typically not reciprocating. Ridge, speaking at the Kaspersky Lab Cybersecurity Summit here Tuesday, said that the federal government needs to change that situation if it hopes to make any real improvement in security.

“We’ve been trying for three years to get the government to create a protected avenue to share information from the government down to the private sector and from the private sector up to the government,” he said. “We’ve been unsuccessful.”

Part of the reason for that failure, Ridge said, is that the federal government often defaults to over-classifying information, especially as it relates to attacks and threats. That information often could be valuable to organizations in the private sector that may be affected by the same kinds of threats, but is sitting dormant somewhere because it’s not cleared for release to private companies. That mindset must be changed, Ridge said.

“The knowledge in the hands of the federal government relating to critical infrastructure and the security of our economy shouldn’t be held and parceled out,” he said. “We need to go from a need-to-know basis to a need-to-share mindset.”

Private enterprises have their own set of challenges surrounding security, and Ridge said that one of the main issues he still sees in large organizations is a lack of awareness that attackers are targeting them specifically.

“This isn’t a preventable risk, it’s a manageable risk,” he said.

“Private enterprises are foolish to think it won’t happen to them. We’re a target rich environment.”

Ridge said one of the other key obstacles to improving critical infrastructure security is the fact that the federal government must rely on the private sector to do nearly all the work. The government itself doesn’t own much in the way of utilities, power grids, financial systems or other prime targets. That’s all in the hands of private companies. So there’s a clear incentive for the two parties to share information, he said.

“The government has no critical infrastructure of its own. It relies on the private sector for that, and when it goes down, the government goes down,” Ridge said. “National security and economic security are intertwined.”

Attackers, of course, are well aware of that fact, and know that going after a country’s power grid, utilities or other vital systems is a quick path to crippling the country’s economy. Those kinds of attacks, Ridge said, could be precursors to armed conflicts in the near future or part of an ongoing war.

“What if at some point someone infiltrates the power grid and plants malware? Is that a precursor to a larger attack? How do you respond, kinetically or electronically? What’s the threshold for response?” he said.

HD Manufacturer LaCie Admits Yearlong Data Breach

Tue, 04/15/2014 - 14:21

The French computer hardware company LaCie, perhaps best known for their external hard drives, announced this week it fell victim to a data breach that may have put at risk the sensitive information of anyone who has purchased a product off their website during the last year.

According to an incident notification posted today, an attacker used malware to infiltrate LaCie’s eCommerce website for almost a year, and in turn glean customer information. Attackers had access from March 27, 2013 to March 10, 2014, but it wasn’t until last Friday that LaCie began to inform customers at risk.

In addition to its ubiquitous rugged orange external hard drives, LaCie, which is headquartered in Paris, also manufactures RAID arrays, flash drives, and optical drives.

The announcement warns that anyone who purchased an external hard drive or any form of LaCie hardware off of the company’s website during that time period may have had their data stolen. That information includes customers’ names, addresses, email addresses, as well as payment card information and card expiration dates.

While the company has hired a “leading forensic investigation firm” to continue looking into the technicalities of the breach – how many are affected, etc. – for the time being LaCie has suspended all online sales until they can “transition to a provider that specializes in secure payment processing services.”

A report from KrebsonSecurity.com last month speculated that the company’s storefront may have been hijacked by hackers using security vulnerabilities in Adobe’s ColdFusion development platform.

According to Krebs, LaCie’s eCommerce site was one of nearly 50 eCommerce websites spotted ensnared in a nasty ColdFusion botnet that was leaking consumer credit card information. The security reporter previously surmised that the hackers behind the botnet are the same attackers behind last year’s Adobe breach that leaked source code for Reader and ColdFusion, not to mention the personal information of millions of its customers.

At the time, Clive Over, a spokesman for Seagate, which bought LaCie in 2012, told Krebs the company was not “aware that company or third party information was improperly accessed” when informed that one of its servers had been targeted and breached in 2013. Over went on to say that LaCie was “working with third party experts to do a deeper forensic analysis,” the same search that would eventually yield the breach’s discovery.


Programming Language Security Examined

Tue, 04/15/2014 - 12:08

When building an enterprise Web application, the most foundational decision your developers make will be the language in which the app is written. But is there a barometer that measures the security of the programming languages developers have at their disposal, or are comfortable with, versus other options?

WhiteHat Security, an application security vendor, released its 2014 Website Security Statistics Report today that measures the security of programming languages and development frameworks and examines not only what classes of vulnerabilities they’re most susceptible to, but also how long it takes to remediate bugs and whether there’s a real difference that would impact a business decision as to which language to use.

The report is based on vulnerability assessments conducted against 30,000 customer websites using a proprietary scanner, and the results point toward negligible differences in the relative security of languages such as .NET, Java, PHP, ASP, ColdFusion and Perl. Those six shared relatively similar mean numbers of vulnerabilities, and problems such as SQL injection and cross-site scripting vulnerabilities remain pervasive.

“Ultimately, what we found was that across the board there were no significant differences between languages,” said Gabriel Gumbs, lead researcher on White Hat’s Website Security Statistics Report. “There are some peaks and valleys with regard to vulnerability classes and remediation rates, but no one stood out as a clear winner as more secure.”

One conclusion, therefore, is that web application security woes, including the chronic existence of SQL injection and cross-site scripting vulnerabilities in code, are a human issue.

“A lot of it is the human factor,” Gumbs said. Static and dynamic testing controls are available to developers that test code as it is being developed as well as in production. But they have to be used throughout the development lifecycle, Gumbs said. “During the design phase of an app, security implications must be taken into account.”

As for the numbers compiled by WhiteHat, .NET and Java are the most widely used languages, accounting for a combined 53 percent, while the creaky ASP is next at 16 percent. SQL injection flaws were especially prevalent in ColdFusion sites, while Perl sites were found most vulnerable to cross-site scripting. ColdFusion sites, however, had the best overall remediation rates, while PHP sites had one of the lowest.

Cross-site scripting was the most prevalent vulnerability in five of the six languages, except for .NET where information leakage flaws were highest. It’s worse in Perl (67 percent of sites) and Java (57 percent). Content spoofing, SQL injection and cross-site request forgery round out the top five most prevalent vulnerabilities.

“The education is out there and the frameworks are out there [to address cross-site scripting]. My best guess is that it’s a combination of the speed at which companies are implementing new functionality and exposing it to the business that is driving that number,” Gumbs said. “We don’t know what it will take to tip the scales and make those numbers go down. It may be something we have to live with. If we can accept that and then approach how we address that based on risk assessments, it may drive down the number.”

Looking at specific industries, in particular heavily regulated ones such as financial services and health care, the report found no noticeable difference in either the number of vulnerabilities present or remediation rates. This is in spite of over-arching regulations such as PCI-DSS protecting credit cards and HIPAA protecting health care data, which mandate a certain minimum standard. The problem is that many regulated organizations do what it takes to reach that minimum standard, and not much else.

“What we found is that industries with more regulations are insecure because they fix vulnerabilities that the regulation only calls for,” Gumbs said. “If PCI says fix these five vulnerabilities, that’s all they fixed. It proved to me they were more insecure than the other industries because they put that effort into compliance, not security.”