Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that the buckets have been abandoned, and still ping them for patches, updates, and so on.

The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines—and then abandoned.

Naturally, we registered them, just to see what would happen—“how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?”, we naively thought to ourselves.

Turns out they got eight million requests over two months.

Had this been an actual attack, they would have modified the code in those buckets to contain malware and watched as it was incorporated into different software builds around the internet. This is basically the SolarWinds attack, but much more extensive.

But there’s a second dimension to this attack. Because these update buckets are abandoned, the developers who are using them also no longer have the power to patch them automatically to protect them. The mechanism they would use to do so is now in the hands of adversaries. Moreover, often—but not always—losing the bucket that they’d use for it also removes the original vendor’s ability to identify the vulnerable software in the first place. That hampers their ability to communicate with vulnerable installations.

Software supply-chain security is an absolute mess. And it’s not going to be easy, or cheap, to fix. Which means that it won’t be fixed. Which is an even worse mess.
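As an added example (not code from this post or from the researchers it quotes), the following Python script does the inventory check a defender would want after reading the above: it pulls every S3 bucket name out of build and update configuration and reports the ones that no longer exist, since a non-existent bucket name is one anyone can register. The file contents, bucket names and the `bucket_exists` probe are constructed stand-ins.

```python
"""Find dangling S3 bucket references in build/update configuration.

Added example. Extracts bucket names from the three URL shapes in which S3
buckets commonly appear and asks a caller-supplied probe whether each bucket
still exists. A bucket that does not exist is the "abandoned" case: the name
is free for anyone to claim, yet pipelines may still request files from it.
"""
import re
from typing import Callable, Dict, List, Set

_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_PATTERNS = [
    # virtual-hosted style: https://my-bucket.s3.amazonaws.com/path
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    # path style: https://s3.us-east-1.amazonaws.com/my-bucket/path
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME),
    # s3:// URIs used by the AWS CLI and SDK tooling
    re.compile(r"s3://" + _NAME),
]


def extract_buckets(text: str) -> Set[str]:
    """Return every bucket name referenced in `text`."""
    found: Set[str] = set()
    for pattern in _PATTERNS:
        found.update(match.group(1) for match in pattern.finditer(text))
    return found


def audit(files: Dict[str, str],
          bucket_exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Map each dangling bucket to the files that still reference it.

    `bucket_exists` is injected so the audit runs offline in tests; in
    production it would be a HEAD request to the bucket endpoint, where a
    NoSuchBucket response means the name is currently unclaimed.
    """
    dangling: Dict[str, List[str]] = {}
    for path, content in files.items():
        for bucket in extract_buckets(content):
            if not bucket_exists(bucket):
                dangling.setdefault(bucket, []).append(path)
    return dangling


# Constructed sample inputs: an installer script and a CI config that still
# point at buckets, one of which no longer exists.
SAMPLE_FILES = {
    "install.sh":
        "curl -sSL https://acme-releases.s3.amazonaws.com/v2/agent.tar.gz | tar xz\n",
    ".ci/deploy.yml": (
        "  - aws s3 cp s3://acme-legacy-updates/manifest.json .\n"
        "  - curl https://s3.us-east-1.amazonaws.com/acme-releases/latest\n"
    ),
}
LIVE_BUCKETS = {"acme-releases"}  # constructed: the only bucket that still exists

if __name__ == "__main__":
    for bucket, refs in audit(SAMPLE_FILES, LIVE_BUCKETS.__contains__).items():
        print(f"DANGLING {bucket}: referenced by {', '.join(refs)}")
```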

In today’s digital landscape, cyber threats are becoming more sophisticated and frequent, requiring organizations to adopt advanced security measures to protect sensitive information and critical infrastructure. Cyber Threat Intelligence (CTI) software plays a pivotal role in detecting, analyzing, and responding to potential threats, helping organizations stay one step ahead of cybercriminals. However, not all CTI software is created equal. To ensure the best protection, organizations must carefully evaluate the features and traits of the software they choose.

Here are some key traits to look out for when selecting cyber threat intelligence software:

1. Real-Time Threat Detection and Alerts: One of the most critical features of CTI software is its ability to provide real-time threat detection. Cybercriminals often use time-sensitive tactics, so the software must be capable of detecting threats as they emerge and sending instant alerts to security teams. Real-time analysis allows for quick response times and more effective mitigation, reducing the chances of a successful attack.

2. Comprehensive Threat Data Collection: Effective CTI software should have access to a broad range of data sources, such as open-source intelligence (OSINT), proprietary threat feeds, dark web monitoring, and internal network data. The more sources the software can pull from, the more accurate and actionable the threat intelligence becomes. Comprehensive data collection ensures a well-rounded view of potential threats, covering everything from known malware signatures to emerging tactics, techniques, and procedures (TTPs) used by attackers.

3. Contextualization of Threat Data: Cyber threats can be complex and involve large amounts of raw data. What sets high-quality CTI software apart is its ability to contextualize and prioritize the data. Rather than just providing a list of alerts, the software should offer detailed context about the threat, including its severity, attack vectors, potential impact, and recommended response actions. Contextualization helps security teams assess the risk posed by each threat and take appropriate action swiftly.

4. Automated Threat Analysis and Response: Manual analysis of threat data can be time-consuming and prone to human error. Modern CTI software often incorporates automation and machine learning to streamline the analysis process. Automated threat analysis tools can identify patterns, flag anomalies, and even suggest or execute responses to mitigate threats. By automating routine tasks, security teams can focus on more complex problems, and the organization can respond more quickly to emerging threats.

5. Integration with Existing Security Tools: Effective cyber defense requires a cohesive approach, and CTI software should seamlessly integrate with an organization’s existing security infrastructure. This includes firewalls, intrusion detection systems (IDS), endpoint protection platforms (EPP), security information and event management (SIEM) systems, and more. Integration ensures that threat intelligence feeds into broader security workflows, allowing for better coordination between tools and faster threat remediation.

6. Scalability: As organizations grow and expand their digital footprint, their security needs evolve as well. Scalable CTI software can accommodate these growing demands, whether that means handling more data, expanding coverage to new threat vectors, or providing support for more users. When selecting CTI software, it’s essential to ensure it can scale with the business and adapt to future challenges.

7. Threat Intelligence Sharing and Collaboration: Cybersecurity is rarely an isolated effort. Many organizations participate in information sharing and collaboration initiatives, such as Information Sharing and Analysis Centers (ISACs), to enhance collective defense against cyber threats. CTI software should support threat intelligence sharing, allowing users to contribute to and benefit from a broader community of threat data. Collaboration tools within the software can improve cross-team coordination and accelerate response times to emerging threats.

8. User-Friendly Interface and Reporting: Threat intelligence software can generate vast amounts of data, which can be overwhelming without proper visualization and reporting features. A user-friendly interface helps security teams navigate complex data sets and quickly identify critical threats. Clear, customizable dashboards, as well as automated reporting tools, can provide valuable insights to both technical and non-technical stakeholders, ensuring that the organization remains well-informed and ready to act.

9. Historical Data Analysis and Threat Hunting: While real-time detection is essential, it’s also valuable for CTI software to have historical data analysis capabilities. The ability to analyze past security incidents and detect patterns or recurring threats helps organizations fine-tune their defense strategies. Additionally, threat hunting features allow security teams to proactively search for potential vulnerabilities or threats that have not yet been detected by automated systems.

10. Compliance and Regulatory Support: Many industries are subject to strict data protection and cybersecurity regulations, such as GDPR, HIPAA, or PCI-DSS. CTI software should be designed to support compliance with these regulations, ensuring that threat intelligence is managed in a way that aligns with legal and industry standards. Features like data anonymization, secure storage, and detailed audit trails are important for maintaining compliance and protecting sensitive information.

11. Customization and Flexibility: Each organization faces unique threats depending on its industry, geographical location, and infrastructure. High-quality CTI software should be customizable to meet the specific needs of the organization. Whether adjusting threat feeds, setting up custom alert thresholds, or creating tailored reports, flexibility in configuration ensures that the software can be adapted to provide the most relevant intelligence for each organization’s specific environment.

12. Vendor Reputation and Support: Lastly, it’s essential to consider the reputation of the CTI software vendor. The vendor should be well-established in the cybersecurity space, with a proven track record of delivering reliable and effective threat intelligence solutions. Moreover, responsive customer support and ongoing software updates are critical for ensuring that the system remains current and capable of dealing with emerging threats.

Conclusion

As cyber threats continue to grow in complexity and frequency, having robust Cyber Threat Intelligence software is essential for organizations seeking to defend themselves against malicious actors. By evaluating the traits outlined above—real-time detection, comprehensive data collection, automation, integration with existing tools, scalability, and more—organizations can choose a CTI solution that aligns with their security needs and enhances their overall cyber defense posture. With the right software, organizations can better understand, prevent, and respond to cyber threats, minimizing the risks of data breaches and other security incidents.

The post Traits to look out for in Cyber threat intelligence software appeared first on Cybersecurity Insiders.

The Linux Foundation and OpenSSF released a report on the state of education in secure software development.

…many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment (system operations, software developers, committers, and maintainers) self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

Auto manufacturers are just starting to realize the problems of supporting the software in older models:

Today’s phones are able to receive updates six to eight years after their purchase date. Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servicing products seven years after they stop selling them.

That might not cut it in the auto world, where the average age of cars on US roads is only going up. A recent report found that cars and trucks just reached a new record average age of 12.6 years, up two months from 2023. That means the car software hitting the road today needs to work—and maybe even improve—beyond 2036. The average length of smartphone ownership is just 2.8 years.

I wrote about this in 2018, in Click Here to Kill Everything, talking about patching as a security mechanism:

This won’t work with more durable goods. We might buy a new DVR every 5 or 10 years, and a refrigerator every 25 years. We drive a car we buy today for a decade, sell it to someone else who drives it for another decade, and that person sells it to someone who ships it to a Third World country, where it’s resold yet again and driven for yet another decade or two. Go try to boot up a 1978 Commodore PET computer, or try to run that year’s VisiCalc, and see what happens; we simply don’t know how to maintain 40-year-old [consumer] software.

Consider a car company. It might sell a dozen different types of cars with a dozen different software builds each year. Even assuming that the software gets updated only every two years and the company supports the cars for only two decades, the company needs to maintain the capability to update 20 to 30 different software versions. (For a company like Bosch that supplies automotive parts for many different manufacturers, the number would be more like 200.) The expense and warehouse size for the test vehicles and associated equipment would be enormous. Alternatively, imagine if car companies announced that they would no longer support vehicles older than five, or ten, years. There would be serious environmental consequences.

We really don’t have a good solution here. Agile updates are how we maintain security in a world where new vulnerabilities arise all the time, and we don’t have the economic incentive to secure things properly from the start.

In the world of cybersecurity, software updates are a double-edged sword. On one hand, they are crucial for patching vulnerabilities, enhancing features, and improving overall system performance. On the other hand, if not managed properly, software updates can inadvertently create opportunities for cyber attacks. Here’s how software updates can sometimes lead to security risks and what can be done to mitigate these threats.

1. Unintended Vulnerabilities: When software developers release updates, they often introduce new features or modifications to existing code. While these changes are designed to improve functionality, they can also introduce new vulnerabilities. If a newly introduced vulnerability is not quickly identified and patched, it can be exploited by cybercriminals. Example: In 2024, a software update from a major cybersecurity firm inadvertently introduced a vulnerability that was exploited to launch widespread phishing attacks. The flaw allowed attackers to bypass security measures and gain unauthorized access to sensitive data.

2. Incomplete Patches: Sometimes, updates are released under tight deadlines or due to pressure from recent security incidents. This can lead to incomplete or rushed patches. An incomplete update may fix one vulnerability but leave others unaddressed, creating a false sense of security. Example: In a notable incident, a rushed patch for a critical security flaw in a popular operating system inadvertently left other parts of the system vulnerable. This oversight was exploited by attackers to gain elevated privileges on affected machines.

3. Supply Chain Attacks: Software updates often come from third-party vendors or through complex supply chains. If an attacker compromises a software provider or the update distribution mechanism, they can insert malicious code into legitimate updates. This type of attack can affect countless users if the compromised update is widely distributed. Example: The 2020 SolarWinds attack demonstrated how attackers infiltrated a widely used network management tool through a compromised update. The malicious code was pushed to thousands of organizations, including government agencies, enabling extensive data breaches and espionage.

4. User Behavior: User behavior plays a significant role in how software updates are handled. Many users delay or ignore updates, leaving their systems exposed to known vulnerabilities. Even when updates are applied, users may inadvertently disable security features or misconfigure settings during the update process. Example: A study revealed that users who frequently postponed updates were more likely to encounter malware infections. This is because the updates included patches for vulnerabilities that were actively being exploited by attackers.

5. Compatibility Issues: Software updates can sometimes cause compatibility issues with other applications or systems. When updates lead to system instability or functional problems, users may be tempted to disable security features or revert to older, less secure versions of the software. Example: An update to a widely used antivirus program caused conflicts with several other applications, leading users to disable certain security settings to restore functionality. This compromise exposed their systems to additional threats.

Mitigating Risks

To minimize the risks associated with software updates, organizations and individuals should adopt the following best practices:

a.) Test Updates: Before deploying updates broadly, test them in a controlled environment to identify potential issues or vulnerabilities.

b.) Monitor for Vulnerabilities: Stay informed about vulnerabilities and security advisories related to the software in use. Promptly apply patches and updates released by vendors.

c.) Educate Users: Provide training on the importance of software updates and secure update practices. Encourage users to apply updates promptly and avoid disabling security features.

d.) Secure Update Channels: Ensure that updates are obtained from trusted sources and that the update mechanism itself is secure to prevent supply chain attacks.

e.) Backup Data: Regularly back up critical data to ensure that it can be recovered in the event of an attack or update-related issue.
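The "secure update channels" and "revert to older versions" points above translate into concrete checks an installer can make before applying anything. The following Python is an added example, not code from the article; it assumes a constructed manifest format (expected version and artifact SHA-256 per package), a constructed host allowlist, and that the manifest itself has already been authenticated (for instance a signature checked with a library such as `cryptography`, which is not shown).

```python
"""Pre-install checks for a software update (added example, not from the article).

The update is accepted only if it came over HTTPS from an allowlisted host,
its version matches the authenticated manifest, it is newer than what is
installed (no rollback to a vulnerable build), and its SHA-256 matches the
manifest. Manifest format, hosts and artifacts below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Mapping, Tuple
from urllib.parse import urlparse

# Constructed allowlist: the only host this installer may fetch updates from.
ALLOWED_HOSTS = {"updates.example-vendor.test"}


@dataclass(frozen=True)
class ManifestEntry:
    version: Tuple[int, ...]
    sha256: str  # hex digest of the artifact bytes


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1), so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def check_source(url: str) -> str:
    """Reject plaintext transport and any host outside the allowlist."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "insecure transport"
    if parsed.hostname not in ALLOWED_HOSTS:
        return f"untrusted host {parsed.hostname!r}"
    return "ok"


def verify_update(url: str, artifact: bytes, offered_version: str,
                  installed_version: str, package: str,
                  manifest: Mapping[str, ManifestEntry]) -> str:
    """Return 'ok' or the first reason the update must not be applied."""
    source = check_source(url)
    if source != "ok":
        return source
    entry = manifest.get(package)
    if entry is None:
        return "package not in manifest"
    offered = parse_version(offered_version)
    if offered != entry.version:
        return "version does not match manifest"
    # Anti-rollback: a channel that can still serve old builds must not be
    # able to downgrade an already patched install.
    if offered <= parse_version(installed_version):
        return "rollback"
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, entry.sha256):
        return "digest mismatch"
    return "ok"


# Constructed sample data: a good artifact and the manifest entry describing it.
GOOD_ARTIFACT = b"constructed agent build 2.1.0"
MANIFEST = {
    "agent": ManifestEntry((2, 1, 0), hashlib.sha256(GOOD_ARTIFACT).hexdigest()),
}

if __name__ == "__main__":
    url = "https://updates.example-vendor.test/agent-2.1.0.bin"
    print(verify_update(url, GOOD_ARTIFACT, "2.1.0", "2.0.3", "agent", MANIFEST))
    print(verify_update(url, GOOD_ARTIFACT + b"x", "2.1.0", "2.0.3", "agent", MANIFEST))
```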

Conclusion

Software updates are a vital component of modern cybersecurity, but they are not without risks. By understanding how updates can lead to cyber attacks and implementing best practices, organizations and individuals can better protect themselves from potential threats. The key is to strike a balance between embracing the benefits of updates and managing the associated risks effectively.


The post How Software Updates Can Lead to Cyber Attacks appeared first on Cybersecurity Insiders.

[By Ross Bryant, Chief of Research at Phylum]

If there is one safe prediction that I can make in 2024, it is that software supply chain attacks will continue to grow at an alarming rate. My team’s job is to track bad actors across the open-source software ecosystem, and there was a lot to see in 2023. Our Q4 2023 research report revealed that the software supply chain is one of the easier and more popular attack vectors. This vector is an easy target since open source is used in 97% of projects and included in more than 70% of code bases.  The research discovered a significant increase in targeted organizations and attack sophistication, especially within financial and cryptocurrency organizations, with monetary gain as a top motivator. 

As 2024 evolves, popular attack methods such as theft of production system credentials and of financial resources (e.g., personally identifiable information (PII), cryptocurrency, etc.) will remain top threats. Attackers will also continue to execute ransomware-style campaigns – leveraging access to customer data and assets and using the threat of stolen information to coerce organizations into paying the ransom.

A Surprise in the Numbers

This quarterly research report showed a slight decrease in published packages compared to the previous quarter. However, the number of targeted organizations increased substantially—262.63% more targeted attacks compared to Q3 2023, which had risen 47% from Q2 2023. This showed a clear trend across 2023 of increased direct, targeted attacks.

While the number of published packages was lower than in previous reports, a larger portion focused on specific organizations and indicated specific methods associated with software supply chain threats. 

Mistaken identity 

One such attack method, dependency confusion, is a software supply chain attack that exploits how some package managers resolve names: they check a public registry for a named package before searching a private registry. An attacker can register an identically named, malicious package on the public registry, intending for the package manager to download it in place of the legitimate package.

Another method that exploits public registries is brandsquatting. In this method, threat actors use popular brand names to mask their malicious code and lure, mislead, and trick the developer into downloading the malicious package.
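To make the dependency-confusion mechanism above concrete from the defender's side, here is an added Python example (not code from Phylum or the article) that checks a pip-based project: it flags the resolver setting that makes confusion possible (a public index added with `extra-index-url` next to the private one, so pip considers both and takes the highest version), shows the private-only configuration beside it, and reports which internal package names are either unclaimed on the public index or already shadowed there. The requirements, pip configurations, internal-package set and `public_index_has` lookup are constructed.

```python
"""Dependency-confusion exposure check for a pip-based project (added example).

Names, configs and the public-index lookup below are constructed so the
check runs offline.
"""
import configparser
import re
from typing import Callable, Dict, List, Set

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(requirements: str) -> List[str]:
    """Extract normalized package names from requirements.txt content."""
    names: List[str] = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as -r / --index-url
        match = _REQ_NAME.match(line)
        if match:
            names.append(match.group(1).lower().replace("_", "-"))
    return names


def resolver_is_confusable(pip_conf: str) -> bool:
    """True when the [global] section adds an index alongside index-url.

    With extra-index-url pip treats every index as a peer and installs the
    highest version it finds in any of them, so a public package carrying an
    internal name (and a higher version number) wins the resolution.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf)
    return cfg.has_option("global", "extra-index-url")


def exposure(requirements: str, internal_packages: Set[str], pip_conf: str,
             public_index_has: Callable[[str], bool]) -> Dict[str, str]:
    """Per internal package: 'claimable' (name free on the public index, so a
    squatter could register it) or 'shadowed' (a public package already
    exists under that name and must be investigated). Empty when the resolver
    only consults the private index, since public names then cannot win."""
    if not resolver_is_confusable(pip_conf):
        return {}
    report: Dict[str, str] = {}
    for name in requirement_names(requirements):
        if name in internal_packages:
            report[name] = "shadowed" if public_index_has(name) else "claimable"
    return report


# Constructed inputs.
REQUIREMENTS = """
requests==2.31.0
acme-billing-core>=1.4   # internal
acme_auth_client==0.9.1  # internal
"""
INTERNAL = {"acme-billing-core", "acme-auth-client"}
PUBLIC_INDEX = {"requests", "acme-auth-client"}  # names present on the public index

# Weak: the private index is merely added next to the public one.
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pkgs.internal.example/simple
"""
# Corrected: a single private index (one that proxies public packages itself)
# is the only source, so name resolution never reaches the public index directly.
SAFE_PIP_CONF = """
[global]
index-url = https://pkgs.internal.example/simple
"""

if __name__ == "__main__":
    for conf_name, conf in (("weak", WEAK_PIP_CONF), ("safe", SAFE_PIP_CONF)):
        print(conf_name, exposure(REQUIREMENTS, INTERNAL, conf, PUBLIC_INDEX.__contains__))
```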

Attacker Subtlety = Greater Gains

In this recent research, two common approaches emerged for targeting the software supply chain: production system credential theft and stealing financial resources (e.g., bank account information, cryptocurrency, etc.). 

In one attack, a threat actor targeted a select group of widely used cloud provider SDKs. A review of the code revealed that the attacker was specifically interested in sensitive credentials to cloud infrastructure.

Exploiting developers’ trust in these packages, the attacker slightly modified a vital part of the code responsible for managing and handling credentials. This triggered a stealthy HTTP POST request for the users’ access and secret keys to a remote URL under the attacker’s control. By making subtle changes and republishing these altered packages on PyPI with similar names, the attacker blended in to remain undetected while maintaining the packages’ expected functionality.

This method, used in at least five packages, involved a simple and effective technique to obscure the remote URL, demonstrating a calculated approach to infiltrating trusted software components on developer workstations and production infrastructure.

Some Organizations Take Proactive Security Steps 

In Dec 2023, an article was published outlining the discovery of an additional set of oddly sophisticated packages. Unlike some of the other campaigns, this one was highly targeted.

These packages contained an encrypted component that could only be unlocked with data from the environment of a machine in a specific network: the decryption key was the hostname of a particular organization. Once decrypted, the payload executed and forwarded user credentials from inside the network to a Microsoft Teams webhook. This left few options: a threat actor had gained a deep foothold in the network, this was a security audit, or this was the work of an insider threat.

Realizing these packages’ specific focus, the targeted organization was contacted to warn and mitigate an attack. If this were an external threat actor, the organization needed to be notified of it before the attacker could do considerable damage.

The analysis continued to explore a very advanced and sophisticated attack comparable with other APT (Advanced Persistent Threat) campaigns.

However, once contact was established with the targeted company, it was discovered that this was part of a broad internal security assessment aimed at mimicking pressing real-world threats. The mimicked attack looked to replicate behaviors the organization was seeing from attackers leveraging the software supply chain as a conduit into their network.

Why Organizations Should Prioritize Software Supply Chain Security

In 2024, attackers will become even more sophisticated, finding new ways to access an organization’s valuable customer and corporate data by exploiting the software supply chain. Methods such as dependency confusion and brandsquatting are the beginning, easily fooling package managers and developers alike. 

Heightened focus on the software supply chain should be a critical component of an organization’s security portfolio, especially those in the financial and cryptocurrency arenas.

The post Software supply chain attacks are escalating at an alarming rate appeared first on Cybersecurity Insiders.

Quest Software, a systems management, data protection and security software company, has announced what it calls its latest breakthrough in data management with the launch of erwin Data Modeler by Quest 12.5. Boasting cutting-edge features that enhance data quality, governance, and stakeholder collaboration, erwin Data Modeler 12.5 drives organisations towards data democratisation, facilitating strategic efforts such as AI Large Language Model (LLM) development, data intelligence and data platform modernisation.


Driving Innovation

Organisations that maintain mature data practices in support of their modernisation initiatives consistently realise better business outcomes. As enterprises increasingly adopt cloud-based data lakehouses, erwin Data Modeler 12.5 rises to the occasion with enhanced capabilities to support seamless data deployment. The solution meticulously documents existing data sets, facilitating accurate and efficient migration to new cloud environments, thereby optimising data operations and fostering data-driven innovation.

“While it has always been important, proven by erwin Data Modeler’s 30 years in the market, data modeling is now experiencing a resurgence in its role in ensuring unwavering data integrity and governance, making it a crucial aspect for precision-driven AI and other enterprise applications,” said Heath Thompson, General Manager at Quest Software. “In today’s data-driven landscape, where information can be a powerful advantage or a liability, organisations are increasingly embracing erwin solutions to democratise data access across their entire organisation, unlocking a myriad of untapped benefits.”

In the era of AI advancement, organisations are rapidly embracing AI Large Language Models (LLMs) for transformative applications. LLMs, however, are only as effective as the data underpinning them. erwin Data Modeler emerges as a pivotal tool to navigate the challenges of deploying LLMs effectively by creating a foundation of data accuracy, democratising access to data and increasing literacy and efficient communication among stakeholders. By empowering business analysts to define precise data requirements for AI model training, erwin Data Modeler creates accurate and well-formatted data sets that power reliable AI results.


Key Enhancements in erwin Data Modeler by Quest 12.5:

1. Stakeholder Collaboration with ER360 Integration: erwin Data Modeler fosters seamless communication among business, IT, and data teams with its integration with ER360, an online collaboration platform. This encourages data-driven decisions, enabling business users to grasp data models and align them with the right intelligence. Enterprise glossaries facilitate effective communication by describing business language associated with specific data sets.

2. Enhanced Governance with Databricks Unity Catalog Integration: erwin Data Modeler seamlessly integrates with Databricks Unity Catalog, amplifying its governance capabilities across diverse data lakehouse environments. Customers can effortlessly classify structured and unstructured data, define permissions, and identify performance issues, ensuring meticulous data governance.

3. Boosted Data Visibility and Literacy with erwin Data Intelligence Integration: Close collaboration between erwin Data Modeler and erwin Data Intelligence offers comprehensive visibility of data assets and guidelines for their usage. Consistent data policies and best practices are implemented, elevating model quality and data operations efficiency.

4. Ensuring Data Model Quality with Enterprise Modeling Compliance Feature: erwin Data Modeler users can build and customise policies designed to standardize and review documentation, verify data compliance and monitor metadata quality, helping data stewards increase the accuracy of, and reduce the time it takes to maintain, high-quality data models.


To explore what’s possible with erwin Data Modeler by Quest 12.5:

● Visit the erwin Data Modeler product page https://www.erwin.com/products/erwin-data-modeler/.

● Watch the “What’s New in erwin Data Modeler 12.5” video https://www.erwin.com/video/introducing-erwin-data-modeler-125/

● Register for the webinar on September 27, 2023 to experience erwin Data Modeler 12.5 and other major enhancements https://www.erwin.com/event/driving-data-maturity-through-governance-quality-and-collaboration-with-erwin-data-modeler-125-by-quest/.

● Visit the erwin website to learn more about the full data intelligence offering www.erwin.com

The post Quest Software Update appeared first on IT Security Guru.

Follies

The Broadway Tower in Worcestershire, England is a famous structure. It’s inspiring, beautiful, and at 62 feet high, like other similar buildings, it’s a folly. While it looks grand inside and out, it serves no purpose other than to be a decoration. It’s all too easy to buy a set of policies and procedures, change […]

The post Foundational Activities for Secure Software Development appeared first on The State of Security.

Cato Networks recently announced that it was named as a “Leader” and “Outperformer” by GigaOm in the analyst firm’s Radar Report for Secure Service Access (SSA), GigaOm’s term for SASE/SSE. The report’s comprehensive review evaluates the degree to which suppliers converge security and networking into a single, global platform. Cato is the only SASE provider to be ranked an SSA “Leader” and an “Outperformer” with perfect delivery of SD-WAN as well as the core network-based security capabilities – Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero-Trust Network Access (ZTNA).

“Since publishing the 2021 Radar for Service Access Solutions [GigaOm’s prior term for SSA], Cato Networks has moved from being a Challenger to a Leader and an Outperformer due to its innovation and execution against its roadmap,” writes GigaOm analyst and report author, Ivan McPhee.

“In the world of networking and securing the enterprise, the platform is critical. It’s the convergence of capabilities into a global platform that allows for the radical simplicity and operational efficiency promised by SASE and SSA. GigaOm’s thorough research underscores this architectural prerequisite, and we’re honored to be named a Leader and Outperformer in the SSA Radar Report,” says Yishay Yovel, Chief Marketing Officer at Cato Networks.

Cato Networks: The Prototypical SASE/SSA Platform

The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs of large enterprises, MSPs, and SMEs.

The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications — on-premises and in the cloud — and across all ports and protocols, protecting users against threats and preventing sensitive data loss.

Of GigaOm’s key SSA Criteria, the Cato SASE Cloud was the only Leader to be ranked Exceptional in seven of eight categories:

  • Defense in Depth
  • Identity-Based Access
  • Dynamic Segmentation
  • Unified Threat Management
  • ML-Powered Security
  • Autonomous Network Security
  • Integrated Solution

And the company achieved a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.

“Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service,” says the report. “Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone”

Delivering a Converged Networking and Security Platform Challenges the Industry

Since SASE’s inception, analysts have pointed to the importance of having one, converged cloud platform connecting and securing the complete enterprise — sites, users, and cloud resources. It’s this radical simplicity that enables the agility, cost savings, visibility, improved security, and operational improvements associated with SASE/SSA.

But the complexity of converging networking and security capabilities to form such a platform has long challenged legacy technology and service providers. As GigaOm notes, “The SSA landscape is becoming increasingly blurred with incumbent vendors repackaging and repositioning legacy products as integrated platforms, acquiring new technologies, or making strategic alliances to fill the gaps in their portfolios.”

Enterprises need not only consider functionality claimed by SSA vendors but the convergence of those capabilities. Says GigaOm, “When talking to vendors, verify the level of integration between individual SSA capabilities. Ensure that their vision is aligned with yours and their roadmap includes the features and integration you need.”


The post Cato Networks SASE Cloud: “leader” and “OutPerformer” in GigaOm SSA Radar appeared first on IT Security Guru.

The lack of healthcare cybersecurity is one of the most significant threats to the sanctity of the global healthcare industry. This is made evident by the fact that in 2020 more than 18 million patient records were affected by successful cyber-attacks on the U.S. healthcare system. Health professionals should not take this issue lightly, as […]

The post ICS Security in Healthcare: Why Software Vulnerabilities Pose a Threat to Patient Safety appeared first on The State of Security.