Open-Source Bugs Affect to Web Applications

An average of eight severe security flaws from open-source and third-party code can be found in each web application, according to new findings from Veracode.

If the Heartbleed and Shellshock vulnerability scares didn't drive home the increasing risk that open-source software poses to today's applications, consider this: Open-source and third-party code brings an average of 24 known security bugs to every web application, according to new data.

Open-source and third-party software components also introduced an average of eight "very high severity" or "high severity" security flaws to applications, according to Veracode, which today released findings from an analysis it conducted of more than 5,300 enterprise web applications uploaded to its code-scanning service over the past two months.

"The use of open source has increased heavily over time. Enterprises have become more comfortable using it," says Chris Wysopal, CTO at Veracode. "At the same time, the researcher community and attacker communities have woken up to this, too… That's why you're seeing Heartbleed and Shellshock, because people are looking at it and scrutinizing it. In the last year or two, all that code has been reviewed and made better. But it's probably only going to get worse" as researchers find more bugs and attackers start using them.

Dennis Chu, senior product manager at Coverity, which discovered 688 OWASP Top 10 security issues in 37 open-source projects it recently studied, says open-source bugs are often the cause of stealthy attacks. "A lot of times open-source bugs manifest themselves in very invisible security breaches."

It's not that open-source and third-party code is necessarily inherently more or less secure than commercial software, security experts say. Some open-source projects have been strapped for resources to keep the code clean -- leading to problems like Heartbleed, for instance -- but the real issue now is that more enterprises use open-source code, and researchers, as well as attackers, are taking notice.


Read More: http://www.darkreading.com/application-security/open-source-software-brings-bugs-to-web-applications/d/d-id/1316878?_mc=NL_DR_EDT_DR_weekly_20141023&cid=NL_DR_EDT_DR_weekly_20141023&elq=39da7f9fc52a4cd6ada82d9d5e34a2e9&elqCampaignId=9872 

Malvertising campaigns hit US military industry to steal secrets and intellectual property

A new wave of malvertising attacks finalized to cyber espionage is targeting military contractors to military secrets and intellectual property.

Security experts at security company Invincea have uncovered a new malvertisingcampaign used as a attack vector for highly-targeted cyber espionage operations against at least three firms in the US military industry.

The malvertising is becoming even more popular in the criminal underground, many cases were spotted recently which exploited the ad network of IT giants like Googleand Yahoo.

According the experts at Invincea, malvertising campaign allowed threat actors to steal military secrets or intellectual property rather than click-fraud or financial frauds( e.g. Phishing). The circumstance is alarming because many of the targeted companies are providing technology for use in combat zones.

“In the past, we have seen organized cyber crime learn attack techniques from advanced nation state actors,” Invincea Chief Executive Anup Ghosh said, using industry parlance for cyber spies. “This is a case where advanced state actors would be learning from cyber crime in terms of methods and tactics.”

The researchers discovered that using high targeted online advertising threat actors hit major U.S. military contractors in the past few weeks, Invincea declined to name the victims of the malvertising campaigns.

Data security breaches now regularly hit high-profile businesses such asbanks and retailers, leaving millions of consumers vulnerable to identity theft and financial fraud. But research into malvertising has revealed how cyber-criminals and spies can use the marketing industry’s latest tools to pinpoint high-value targets.” reports the Reuters Agency.

The experts at Invincea spotted up to six malvertising attacks that targeted one aerospace contractor and other military contractors in the last weeks of September.

The experts haven’t provided any information on the alleged source of the malvertising attacks, instead they confirmed that attackers used demographic targeting toolsavailable to any online marketer to exploit advertising bidding networks.


“Perpetrators can set up a corporate front to deliver normal ads, then swap landing pages from time to time for malicious code. They place these ads on advertising exchanges and bid up prices for placement on sites that its targets are known to visit, based on what they glean from these intended victims’ advertising profiles.” states the Reuters.

Malvertising website are difficult to be localized, the majority of them belong to the category of One Day Wonders, so the stay online just for the time of the attack, typically for less than four hours. A study conducted by Blue Coat on 660 million unique hostnames reports that 470 Million websites are One Day Wonders and 22 Percent are malicious.

The analysis conducted by experts at Invincea firm confirms the presence of serious flaw in most online advertising networks that could be easily exploited by threat actors.

“Any real-time ad bidding service that allows for automatic redirection is inherently insecure,” said Pat Belcher, who heads Invincea’s security analytics team, which conducted the forensic research. “It is across the board.”

Unfortunately, cyber criminals are winning the fight against the online advertising industry, recent cases demonstrate that the web ad industry is still vulnerable to malvertising campaigns.

Ad networks are too easy to compromise and unaware users haven’t necessary skills and tools to protect their machines.

The major advertising organizations in the US will collaborate to monitor and prevent illegal activities.

“Criminal activity threatens to erode trust in the digital ecosystem,” Randall Rothenberg, chief executive of the Interactive Advertising Bureau said. “It is time that publishers, marketers and agencies stand together to combat these dangerous forces as a unified entity.”

Unfortunately as explained by Invincea malversting is a common practice that is not properly addressed by Advertising industry, it’s time to consider security an indispensable investment and not a cost to reduce.

Hackers Steal Millions In Cash From ATMs, Using Tyupkin Malware

Attackers add in fail safes to prevent innocents from triggering attack and money mules from going rogue.

Attackers are infecting ATMs in Asia, Europe, and Latin America with malware, and walking off with stacks of cash, Kaspersky has found. Using the malware, called Tyupkin, and a team of money mules, the attackers have stolen what amounts to millions of dollars in cash.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. "Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

The good news is that the infection and theft require physical access to the ATM. The bad news is that it's easy to come by, since ATMs are intended to be physically accessible by the general public 24/7. That said, the attackers only went after machines that did not have security alarms installed.

Once access is gained, the attackers reboot the machine using a bootable CD that installs Tyupkin. The malware then runs in a loop, waiting for a command. It only accepts commands on Sunday and Monday nights, when the mules' suspicious withdrawals are less likely to be noticed.

During those hours, a unique key, based on a random set of numbers displayed by the ATM machine, is generated for each session. Video evidence shows that the mule collecting the cash calls another gang member on the phone and gives them that random combination. The person on the other side of the call then runs those digits through an algorithm to generate the session key, and gives the key to the mule. Once the key is entered, the machine displays the amount of cash located in each cassette, and dispenses 40 banknotes from whichever cassette the attacker chooses.

The process prevents both regular customers from accidentally triggering the attack and money mules from trying to steal the money themselves without the rest of the gang knowing about it.

Watch video at: http://www.darkreading.com/hackers-steal-millions-in-cash-from-atms-using-tyupkin-malware/d/d-id/1316421?_mc=sm_dr