The FBI has reportedly told election officials in Arizona and Illinois that Russian hackers are pursuing their voter lists. Federal officials have sent a warning to all state election officials that there could be attempts to hack any election-related networks. Veracode Co-Founder Chris Wysopal (@WeldPond) and Harvard Cyber Security Project Postdoctoral Fellow Ben Buchanan (@BuchananBen) joined Jim to discuss potential election hacking.
Delivering key tech infrastructure and software through the cloud is one of the biggest technology trends today, driving billions in new revenue—and also much of the tech industry’s recent M&A activity.
The campaign of Republican presidential candidate Ted Cruz updated its mobile app after an independent review found security flaws that could have allowed hackers to access personal data from users. The computer-security firm Veracode performed audits of the "Cruz Crew" app and those released by other 2016 presidential contenders at the request of The Associated Press.
Who’s going to decide when you have negligent security or good security? There are certain common sense things you need to do. The thing is codifying those common sense things – like application security best practices. I think the cyber insurance industry will help do that because they don’t want to pay out, which in turn will create a baseline for security best practices.
Whenever you have a supply chain and the more complicated it is, and the more individual pieces it has, the more difficult it is to do security. There are so many different parties involved: infotainment, connectivity, and they’re going with someone else to do the OS, like Apple Car Play, for example. Ford and Toyota are going with their own OSes. Who’s building the apps? [Likely] a third party. For at least three years they are going to have to deal with in-bound vulns at a rate higher than today and have to respond to them.
Services like Veracode can help because their remediation services include consultation with coding experts so that developers see where mistakes are being made. "You need to start before you get to that point," Wysopal said. "You need to understand your application's threat model up-front, how you could be attacked, what data they might go after. Then test before you get hacked versus the threat model."
Chris Eng, VP of research at Veracode, points out DROWN is the most recent, but far from the only example of intentionally crippled encryption (or backdoors) that have come back to haunt security professionals. “In the security industry there are a number of examples. That’s happened over and over again. The most recent is the Juniper backdoor and Dual EC DRBG. These (backdoors) were meant to be secrets that maybe only the maintenance staff or only a few knew about. But once that secret gets out then the good guys know it and the bad guys know it. It then takes a lot of effort to go back and patch the long tail of deployed products.”
“When you think about the plans to allow customers to download apps for infotainment systems to control different environments, the risk is only going to increase,” Wysopal said. “What’s going to happen when something goes wrong?” Eighty-seven percent of drivers polled said car manufacturers should be liable for the safety of the car, including third-party app reliability, manufacturer apps and protection from hackers. “We have answered a lot of these questions in the smartphone world with iOS and Android,” Wysopal said. “But when it comes to automobile safety it gets much trickier.”
Like Heartbleed and Shellshock before it, the glibc vulnerability reinforces the reality that using components in the application development lifecycle introduces risk. ...our software is constructed like Legos, relying on components rather than coding. This is why it's important to have complete visibility into all of the components development teams are using, as well as the versions being used, to ensure they can quickly patch and/or update the component version when a new vulnerability is disclosed.
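The inventory-and-version check described above, as an added example that is not part of the original article or Veracode's tooling: it parses a pinned component manifest, compares each version against an advisory list with proper numeric (not lexical) ordering and OpenSSL-style letter suffixes, and reports which components need a patch. The manifest and the advisory entries are constructed sample data; the version bounds for the two advisories follow the public Heartbleed and glibc getaddrinfo disclosures but should be taken from the real advisories before being relied on.

```python
"""Component inventory vs. advisory check (added example, constructed data)."""
import re

# Constructed pinned manifest in requirements.txt style; not from the article.
MANIFEST = """\
# third-party components in the build (constructed sample)
openssl==1.0.1f
glibc==2.17
requests==2.9.1
zlib==1.2.8
"""

# Constructed advisory list. A component is affected when
# introduced <= version < fixed_in. Bounds follow the public advisories
# (Heartbleed: OpenSSL 1.0.1 up to 1.0.1f, fixed in 1.0.1g; glibc
# getaddrinfo: 2.9 up to 2.22, fixed in 2.23) but verify against the
# real advisory before use.
ADVISORIES = [
    {"id": "heartbleed-example", "component": "openssl",
     "introduced": "1.0.1", "fixed_in": "1.0.1g"},
    {"id": "glibc-getaddrinfo-example", "component": "glibc",
     "introduced": "2.9", "fixed_in": "2.23"},
]


def version_key(version):
    """Turn '1.0.1f' into a comparable tuple.

    Numeric chunks compare as integers (so 2.9 < 2.17) and letter chunks
    compare as strings (so 1.0.1f < 1.0.1g); a bare '1.0.1' sorts before
    '1.0.1f', matching OpenSSL's lettered patch releases.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_manifest(text):
    """Yield (component, version) for each 'name==version' line; skip comments."""
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Za-z0-9_.-]+)==([^\s#]+)", line)
        if match:
            yield match.group(1).lower(), match.group(2)


def is_affected(version, introduced, fixed_in):
    """True when introduced <= version < fixed_in under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed_in)


def find_vulnerable(manifest_text, advisories):
    """Return sorted (component, version, advisory_id, fixed_in) for each hit."""
    hits = []
    for component, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv["component"] == component and is_affected(
                version, adv["introduced"], adv["fixed_in"]
            ):
                hits.append((component, version, adv["id"], adv["fixed_in"]))
    return sorted(hits)


if __name__ == "__main__":
    for component, version, adv_id, fixed_in in find_vulnerable(MANIFEST, ADVISORIES):
        print(f"{component}=={version}: {adv_id}, upgrade to >= {fixed_in}")
```

The point of keeping the manifest pinned (`==`) is that the check is deterministic: a floating range hides which version actually shipped, which is exactly the visibility the article says teams lack when a disclosure lands.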
For decades, cities were built and developed with functionality and convenience in mind. It wasn’t until the Great Chicago Fire destroyed an entire city and cost the lives of hundreds of people that cities began creating fire codes. They realized there were diminishing returns on building more fire stations. The buildings themselves needed to become more fireproof. Like a rapidly growing city, we’ve built our applications quickly and without regard for the fact that they exist in a hostile environment. Every application that holds valuable data will be attacked, just like every car will drive on a slippery road and every person will be exposed to pathogens. We have to stop pretending we can keep the bad guys from attacking the code that protects our data.
Fortunately, the path to writing and deploying secure applications is not as hard as it’s made out to be. Any company can go from having an ad-hoc approach to having an advanced program, regardless of the number of applications that need securing.
Veracode’s Sam King comments that the strategic benefits of cloud and mobile adoption within organizations mean that security professionals no longer have to fight to be heard in their firms. "They don't have to convince anybody that there's something they have to be concerned about when you've got an application and you're retailing it through another person, like Apple iTunes or Google Play or what have you.”
Any vendor should be able to show proof that they conduct code reviews on any applications that touch your applications. “If they say, 'No, we don't do that,' or 'We don't share results on our internal security,' they probably do, and they're just trying to make you go away," said Chris Wysopal, CTO for Veracode. "One of the things we've learned is that if you push hard enough, they say, 'Yeah, you're right. We have had a third-party audit, and we can show you the results.'"
The rise in healthcare mobile applications could cause headaches for the government. That's why it's vital that all applications which access confidential data are fully tested and protected from vulnerabilities which could be an easy target for cyber-criminals wishing to damage the NHS or profit from the wealth of sensitive data it holds.
Healthcare organizations need to carefully scrutinize the security of electronic health record and other applications they use because encryption and other features often have shortcomings.
The fear of cyberthugs exploiting vulnerabilities in web, mobile, and cloud-based apps is more worrying to healthcare organizations than user error like employee negligence, malicious insiders, and phishing attacks.
Veracode’s Chris Wysopal said that 80 percent of healthcare applications contain easily avoidable cryptographic issues such as weak algorithms, which is why keeping security a priority as software is being built is essential for the industry.
One thing insecure applications have accomplished is to increase healthcare’s fear of liability. 57% of those surveyed are increasing spending on external security assessments; 56% are adding liability clauses into contracts with commercial-software vendors in their supply chain; 54% are implementing frameworks like the SANS Institute Security Controls.
It is highly concerning that potentially millions of sites have been left vulnerable to attack through issues with Drupal's update process. Applying security patches to software in a timely fashion is an essential part of any good security management process and when this becomes unreliable it leaves users with an unknown and unmanaged risk in their environment.
Based on code analyses and scans of 50,000 different applications written within the past 18 months, cloud security firm Veracode has compiled a list of the most and least secure programming languages. Software engineers won't find it especially surprising, with PHP, venue for many a popular and ready-made hack, blowing away the competition.
The wave of WordPress and Drupal vulnerability warnings and patches over the past couple of years, as well as the never-ending discovery of SQL injection bugs in Web applications, can actually be traced back to their underlying scripting language – PHP.
When it comes to mobile development, the single biggest security issue was weak or ineffective cryptography, the Veracode report said. Specifically, 87 percent of Android applications and 80 percent of iOS applications had cryptographic issues.
While it is encouraging that the largest software vendors in the world are beginning to consider the need for communicating about the security of the software products they produce, a focus on only the most-mature vendors sets the wrong expectation for buyers about the overall level of maturity in the market.
Coding vulnerabilities in web applications remain one of the most frequent patterns in confirmed breaches and account for up to 35 per cent of breaches in some industries. Understanding these threats and the security measures that developers must take to ensure they aren’t using exploitable or malicious code is essential to our global cyber hygiene. This was demonstrated earlier this Autumn when the XcodeGhost malware infiltrated the Chinese Apple App Store after developers used a local, bootlegged version of Xcode that contained the malicious code, rather than the original Apple version.
The devices that make up what we call the IoT are subject to the same software mistakes as you'd find in any computer program. We know how to protect against them, we know how to code against them and yet the same mistakes still crop up.