Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade. Update 1/16/2020: The grade change is now live on the development server at dev.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade on the development server. Deployment [...]

This week Microsoft released a patch for a critical Silverlight issue, MS16-006, and since I worked on Silverlight signatures in the past it caught my eye. It's a Remote Code Execution vulnerability which allows attackers to run code of his or her choice on the victim machine. I had a hunch that something more was hiding. I started to analyze it as soon as I finished writing signatures for the existing patch. When I was working on the analysis Kaspersky Lab published a great blog post about the story of this vulnerability.In this blog, I'm presenting analysis of a different function that was also fixed in the same patch.Hide the remainder of this articleAnalysis of CVE-2016-0034 and the PatchSilverlight is powered by the .NET Framework. Microsoft bulletin mentions "malicious decoder that can return negative offsets". Since there were too many files that were changed in the patch, I decided to just google ".net framework decoder" from which I came across mscorlib.dll. I decided to analyze it and below is a screen capture of the diff between the unpatched and patched file:In the changed function list, most changes are related to the "GetChars()" function or related calls. The discoverer from Kaspersky had already reported that the vulnerability existed in “GetChars()“. But I decide to investigate further for any other vulnerable entry points. I found the System.IO.BinaryWrite_Write_15 function which takes a string as its parameter:

Open redirection is listed in the OWASP Top 10 for 2013 and 2010 (10th position in both lists) since it is still an active threat in modern web applications. Open redirection occurs when a vulnerable web page is redirected to an untrusted and malicious page that may compromise the user. Open redirection attacks usually come with a phishing attack because the modified vulnerable link is identical to the original site, which increases the likelihood of success for the phishing attack.While open redirection is not exactly common, my research was able to uncover several open source applications that were vulnerable. In this article, I describe the results of my research, and some recommendations for avoiding open redirection vulnerabilities in your code.Hide the remainder of this articleVulnerability Found and Fixed in MoodleSix months ago when I was evaluating the popular open source learning management software Moodle, I discovered an open redirect vulnerability caused by a lack of constraints on the referer parameter. This vulnerability could redirect users to a non-local website and launch a phishing attack. It has been fixed (by adding code to replace the referer with a local URI when the referer value was used as a redirection vector), and the detail has been listed in CVE-2015-3175 and MSA-15-0019.Here's how the vulnerability could be exploited:Proof of Concept

A number of security researchers recently discovered that Dell laptops come pre-installed with an additional root certificate call eDellRoot. Since the private key is also available on the machine this exposes their customers to the risk of a Man-in-the-Middle (MITM) attack. In a MITM attack, the attacker sits on the network between server and client […]

A number of security researchers recently discovered that Dell laptops come pre-installed with an additional root certificate call eDellRoot. Since the private key is also available on the machine this exposes their customers to the risk of a Man-in-the-Middle (MITM) attack. In a MITM attack, the attacker sits on the network between server and client and uses the eDellRoot certificate to intercept and manipulate HTTPS connections. This vulnerability leaves anyone using these Dell laptops at risk for sensitive data exposure and even infections with malicious payload, all under the cover of a trusted connection.Hide the remainder of this articleDell has released an automatic update to uninstall the certificate; however, we can’t assume that all affected machines will receive this update in a timely fashion. In the meantime, the crucial next step is to know immediately which machines have the eDellRoot certificate, so that they can be fixed. We’d recommend using the power of our Cloud Agent and AssetView query service to instantly determine which machines are at risk and automatically group and tag these assets for remediation.Find Affected Machines Instantly and ContinuouslyWith a simple query, you can instantly find all machines that have eDellRoot installed. You can also convert this query into a dynamic dashboard, to constantly monitor the scope and impact of this vulnerability. Continuous monitoring is essential, because if any of these Dell computers are ever set back to the factory default, the eDellRoot certificate will once again be restored and the vulnerability reinstated.Here’s the specific query syntax you can use to find systems with the eDellRoot certificate:manufacturer.name=dell and vulnerability.vulnerabilities.qid=1018Qualys Cloud Agent transmits installed Certificate Authorities to the Qualys platform and makes them available for reporting in AssetView. That way, you can continue to monitor the health and validity of all of your SSL certificates.

A few days ago, SpiderLabs researcher Osaf Orpani disclosed an important vulnerability targeting Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability targets the core of the CMS, all websites based on Joomla are vulnerable, whatever the modules used.Hide the remainder of this articleVulnerabilities discovered by Orpani are:

How boring would social networking websites, blogs, forums and other web applications with a social component be if they didn't allow their users to upload rich media like photos, videos and MP3s? The answer is easy: very, very boring! Thankfully, these social sites allow end-users to upload rich media and other files, and this makes communication on the world wide web more impactful and interesting.But user-uploaded files also give hackers a potential entry-point into the same web apps, making their safe handling an extremely important task for administrators and the security team. If these files are not validated properly, a remote attacker could upload a malicious file on the web server and cause a serious breach.Hide the remainder of this articleQualys Web Application Firewall protects against uploads of malicious files by providing automatic validation of uploaded files. Specifically, it inspects the contents of the HTTP request and response associated with the file upload, which allows it to identify specific indicators of whether the contents of the file upload are legitimate or not.This blog post describes how Qualys WAF does its magic.About Unrestricted File Upload VulnerabilitiesMalicious files uploads are the result of improper file validation: OWASP calls it Unrestricted File Upload, and Mitre calls it Unrestricted Upload of File with Dangerous Type. According to OWASP, unrestricted file upload vulnerabilities can allow two different types of attacks:1) Missing proper validation of file nameThis can allow an attacker to overwrite application files using a specially crafted request, for example “../../../index.php”. If not handled correctly, the request in this scenario may overwrite the default application home page, or worse, upload the file to a user-accessible location which is outside the file storage sandbox.2) Missing proper validation of file content and sizeAllowing attackers to upload a file of any size without restriction may allow consuming all storage space on the server, potentially causing a denial of service and even crashing the server in some cases.The allowed file content type is the most critical issue. This should be taken care of properly, otherwise it may result in arbitrary code execution on the server. Let’s discuss more about this second case. If we look at software affected by unrestricted file upload issues on exploit sharing sites such as exploit-db we can find hundreds of applications affected. Most of these are unauthenticated issues, meaning attackers don’t need to have valid credentials to exploit the issue. This gives us a rough idea of the scope of the issue; it is quite common.Common But Ineffective MitigationsAn examination of some common but ineffective mitigation techniques gives insight into how hackers can attack your web apps.File Extension VerificationBlacklisting and whitelisting of file extensions is the most common validation method implemented by developers.To implement blacklisting, the developer needs to gather all executable extensions disallowed by the server, which is obviously a tricky task, which can be defeated several ways in practice:

The X-Frame-Options HTTP response header is a common method to protect against the clickjacking vulnerability since it is easy to implement and configure, and all modern browsers support it. As awareness of clickjacking has grown in the past several years, I have seen more and more Qualys customers adopt X-Frame-Options to improve the security of their web applications.However, I have also noticed there is a common implementation mistake that causes some web applications to be vulnerable to clickjacking attack even though they have X-Frame-Options configured. In this article, I describe the implementation mistake and show how to check your web applications to ensure X-Frame-Options is implemented correctly.Hide the remainder of this articleAbout Clickjacking and X-Frame-OptionsAs I wrote in my previous article, clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn’t intend to click, typically by overlaying the web page with a (typically transparent) iframe. The user thinks he is clicking the link on the legitimate page, but actually clicks an unseen overlaid link or button. This malicious technique can potentially expose confidential information or, less commonly, take control of the user’s computer. For example, on Facebook, a clickjack can lead to an unauthorized user spamming your entire network of friends from your account. We’ve known about clickjacking, also called “UI redress attacks,” for years now, which Robert Hansen and Jeremiah Grossman originally described in 2008.So, how do X-Frame Options work? The X-Frame-Options HTTP response header can be used to specify whether or not the browser should be allowed to render content in a <frame> or <iframe>. If an iframe can’t be loaded in the browser and overlaid on the legitimate page, then a clickjacking attack is not possible.Multiple X-Frame-Options in the Response HeaderI have seen claims by Qualys customers that Qualys Web Application Scanning (WAS) flagged false positives of the Clickjacking vulnerability during scanning, even though they had deployed X-Frame-Options countermeasures in their web applications. These typically turn out to be true positives because of a common implementation error: more than one X-Frame-Options item presented in the response headers.To understand the error, imagine making a request to http://foo.org and getting the following response headers with two X-Frame-Options fields:HTTP/1.1 200 OKServer: Apache-Coyote/1.1X-FRAME-OPTIONS: SAMEORIGINSet-Cookie: JSESSIONID=E0BF8BA2829148A9D3C5370FB2A03820; Path=/; HttpOnlyX-FRAME-OPTIONS: SAMEORIGINX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockWhen more than one X-Frame-Options item is used, browser engines will combine the multiple header fields into one by appending each subsequent field-value to the first when multiple message-headers fields with the same field name according to the HTTP RFC 2616 section 4. It means browser engines will modify the previous response header into the following format.HTTP/1.1 200 OKServer: Apache-Coyote/1.1Set-Cookie: JSESSIONID=E0BF8BA2829148A9D3C5370FB2A03820; Path=/; HttpOnlyX-FRAME-OPTIONS: SAMEORIGIN, SAMEORIGINX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockAccording to RFC7034, only these three values, DENY, SAMEORIGIN and ALLOW FROM are valid values and they are mutually exclusive; that is, the header field must be set to exactly one of these three values. Some browsers will take the header item “X-Frame-Options: SAMEORIGIN, SAMEORIGIN” as invalid because the field value “SAMEORIGIN, SAMEORIGIN” is not any of the three values. As a consequence, the X-Frame-Options feature will not be effective in some browsers, such as Safari browser (6.0.5) and an attacker could launch clickjacking attacks against the victim when they are using an older version Safari browser to view the website. I have tested this with Safari (5.1.7) on a Windows machine and Safari 6.0.5 on Mac. Although Safari 7 (tested with Safari 7.1.7) has fixed this issue, it still imposes a danger if the user is using old Safari browsers.How Common Are X-Frame-Options Implementation Errors?I did some extra research on the Alexa Top 20 after deciding to write this article in order to check whether this kind of implementation error could also happen to some popular and big websites or if this is just a small issue caused by inexperienced developers. The result was surprising. I found out that several domains from one website in the Alexa Top 20 suffered from this error.After some investigation, I found I could launch an attack using this vulnerability, and I am sure damage could be done if an attacker combined an attack against this vulnerability with some social engineering work. I've informed the owners of the vulnerable website, and they are working on mitigations.Root Cause of the Implementation ErrorMultiple reasons could lead to this kind of implementation errors. From the feedback of our customers that are suffering from these mistakes and my own developing experience, these two conditions will cause the more than one X-Frame-Options in the response header:Condition 1: X-Frame-Options header is added in the source code and got deployed again in apache, IIS serverCondition 2: X-Frame-Options header is added in the source code or configure in apache/IIS server, meanwhile, load balance set “x-frame-options” again in its policyFor those in charge, I would advise them to check whether the response headers contain more than one X-Frame-Options headers if they are deploying X-Frame-Options to protect against a clickjacking attack.

For more than two decades SSL has ruled the roost as the predominant encryption protocol on the Web. This is unfortunate, at least because in recent years many vulnerabilities have surfaced in SSL. It’s had its day, done its job, and is now battle weary. Today, to say the least, early versions of SSL and […]

For more than two decades SSL has ruled the roost as the predominant encryption protocol on the Web. This is unfortunate, at least because in recent years many vulnerabilities have surfaced in SSL. It’s had its day, done its job, and is now battle weary. Today, to say the least, early versions of SSL and TLS don’t get the job done when it comes to securing website traffic.Hide the remainder of this articleIn fact, earlier this year, the PCI Security Standards Council removed SSL from its list of strong crypto protocols in the PCI Data Security Standard, and as of June 30, 2016 it will no longer be permitted as a security control. “That isn’t much time for everyone who needs to become compliant to become compliant,” said Ivan Ristic, director of application security at Qualys during his presentation The TLS Maturity Model here at Qualys Security Conference 2015 in Las Vegas.“Life was much simpler back when we thought that encrypted communication via TLS was just secure. Not so any longer,” Ristic said.Why does it matter? SSL and TLS, simply put, encrypt traffic between two endpoints, such as the web browser of a shopper and the server of an eCommerce provider. SSL has shown that it remains vulnerable to all sorts of attacks, such as the ability to grab data during communications, man in the middle attacks, among others.“The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol,” the PCI Security Standards organization wrote in its report Migrating from SSL and Early TLS.What should organizations do? One would think that it would be very straightforward, but it's not, Ristic explained in his keynote. He developed a TLS Maturity Model that is designed to help enterprises get to where they need to be, not only to be compliant, but to be secure.The model has five levels, which range from utter chaos in Level 1 to a Level 5 which is probably more security than is necessary for most mere mortals. Level 4 is were most organizations will want to be, Ristic said.Here is the model as he described in this post:At level 1, there is chaos. Because you don't have any policies or rules related to TLS, you're leaving your security to chance (e.g., vendor defaults), individuals, and ad-hoc efforts generally. As a result, you don't know what you have or what your security will be. Even if your existing sites have good security, you can't guarantee that your new projects will do equally well. Everyone starts at this level.Level 2, configuration, concerns itself only with the security of the TLS protocol, ignoring higher protocols. This is the level that we spend most time talking about, but it's usually the easiest one to achieve. With modern systems, it's largely a matter of server reconfiguration. Older systems might require an upgrade, or, as a last resort, a more secure proxy installed in front of them.Level 3, application security, is about securing those higher application protocols, avoiding issues that might otherwise compromise the encryption. If we're talking about websites, this level requires avoiding mixing plaintext and encrypted areas in the same application, or within the same page. In other words, the entire application surface must be encrypted. Also, all application cookies must be secure and checked for integrity as they arrive in order to defend against cookie injection attacks.Level 4, commitment, is about long-term commitment to encryption. For web sites, you achieve this level by activating HTTP Strict Transport Security (HSTS), which is a relatively new standard supported by modern browsers (IE support coming in Windows 10). HSTS enforces a stricter TLS security model and, as a result, defeats SSL stripping attacks and attacks that rely on users clicking-through certificate warnings.Finally, at level 5, robust security, you're carving out your own private sliver of the PKI cloud to insulate yourself from the PKI's biggest weakness, which is the fact that any CA can issue a certificate for any website without the owner's permission. You do this by deploying public key pinning. In one approach, you restrict which CAs can issue certificates for your web sites. Or, in a more secure case, you effectively approve each certificate individually.

Enterprises are having a challenging time securing their data and systems. But it doesn’t have to be that way. We recently reached out to Tyler Shields, principal analyst at Forrester to discuss his presentation at Qualys Security Conference 2015, and what it means to be able to secure enterprises at “cloud scale.” And what it’s going to take for enterprises to succeed in security in the years ahead.Hide the remainder of this articleShields is an expert on mobile and application security. Before joining Forrester, Shields was product owner and manager for mobile solutions at Veracode. Previously, he was a security consultant for the boutique consulting firm @Stake, which was acquired by Symantec in 2006. There, he assessed the security of Fortune 500 customers, financial firms, educational institutions, and segments of the U.S. government.George: A good place to start this discussion would be how mobile, cloud, and all of the network connectivity surrounding the Internet of Things is changing the enterprise threat posture and how they are securing themselves?Tyler: Realistically, it’s a completely new paradigm for security right? When you add always on, always connected, high enough data and bandwidth to make that always connected useful. That has to be coupled with the fact that we no longer are keeping data in our own premises. We're putting all of our enterprise data into the cloud. It completely changes how we have to do security. The only way to truly effectively do security in this new environment is to do it at cloud scale, meaning you have to actually be able to capture security data, analyze that data, and then make decisions on it and enforce your security controls all at cloud scale; because to do it at anything less they'll never be able to keep up with the pace of the movement of the data.It's very different now than a decade ago. You take the IDS model of just looking at some data and looking for anomalous behavior on network traffic inside your environment. That’s not going to do it now. Now the right way to do security is to look at data movement. Look at containers for example, you have to look at metadata underneath your containers to look at application events, and look at log files in real time. The quantity of data is now so immense that it's unreal.George: What does it mean for mid and large enterprises to manage security at “cloud scale”?Tyler: The enterprise has to look at security differently than they ever have in the past. They have to look at security in places that they never had to before. They have to look at security in a operational model instead of the CAPEX model. It's an OPEX versus CAPEX difference too, because you’re no longer spending CAPEX on the things you own and securing items you own, but you're actually spending OPEX; operational expenditure around operations resources and the time to secure it. That OPEX spend is going to be so much higher than the CAPEX spend that we've seen in the past, both on our products that we use, our services we use and our security of those services.I think what that means is that the enterprise has to look at things very, very differently. They have to become procurement experts. The CISO needs to understand every service that he buys from a security perspective. That's so weird when the CISO used to have to care about security in the data center and that was it. It's just a very different world.George: This move to continuous integration and continuous development is changing how enterprises handle risk. How do you see this changing how enterprises handle risk in how they secure their internal infrastructure and application development lifecycle?Tyler: It certainly does. It used to be where your development life cycle could be 18 months long. You had security stage gates that would trigger within that life cycle, such as a design security stage gate, a code review stage gate, a pre-production pen test and then a post production pen test. You used to have these stage gates across 18 months that you could run the tests. Once every 3 months, you'd have a little project you had to run or whatever and it wasn't that big a deal, but when you're pushing the production to say 20, 30, 50 times a day, how do you maintain those 4 traditional stage gates in a model where you're pushing 30 to 50 times a day?That completely flips itself upside down on its head as well and now it's less about stage gates and security being the team that sits in the middle and block and stops, and blocks and tackles things. Instead now it's embedding security right into the developer. Not even the development life cycle, but the developer the person. It’s so the developer can do unit tests in real time that are security-centric unit tests. It's about actually doing security in real time and then even more so than that, it's about having the ability to respond in seconds versus days, weeks, months, or years.George: The first thing that comes to mind is anything that can be automated must be automated if you’re going to survive.Tyler: That's the fundamental piece. Everything needs to be automated. There's two things. Everything needs to be automated, fully automated from a security continuous security review perspective. If you’re not automated, forget it. You'll never keep up. The other side to that coin is to spend a lot of resources on when you do find a problem, handling it in the quickest, most expeditious way possible.

LAS VEGAS – Philippe Courtot, Qualys (QLYS) founder and CEO, in his keynote address today at the Qualys Security Conference 2015, spoke to the massive and rapid evolution in business-technology systems currently underway in the enterprise. They are grappling with the complexities of securing their information in the public and private cloud, on mobile devices, and the data gathered by all of the sensors associated with the Internet of Things. Enterprises are “faced with the challenge of having to retool their entire infrastructure,” Courtot said.Hide the remainder of this articleWhile all of these new, emerging, and some rapidly maturing technologies are helping the enterprise to be more agile and respond to changing market conditions – all of these efforts need to be done securely.“We still need to secure everything,” Courtot said. “In the old days everything was essentially perimeter-centric, and we were living very happily as the networks were evolving. But the problem with security started to become very critical as we needed to deploy more and more applications. “Unfortunately, enterprises are still architected for the old client/server world,” Courtot said.So how do enterprises secure themselves in an "everything is connected to everything” world, Courtot asked? Well, what enterprises have been doing to date has not been working well for anyone. They’ve been turning to a plethora of point solutions: data leak protection/prevention, anti-virus and anti-malware, intrusion detection/prevention systems, network and next-generation firewalls, vulnerability assessment tools, threat intelligence and more. It’s very difficult to adequately protect enterprise systems when those enterprise systems, applications, and data are so dispersed across so many cloud services and endpoint devices, Courtot said.Sensors and the CloudWhen it comes to building a security framework that would work for the modern and highly-agile enterprise, Courtot pointed to an analogy that is familiar to most everyone: home security systems. How are homes secured today? Home security systems rely on sensors and management systems that monitor homes for changes in heat, or signs of fire or flooding, motion detectors for intruders, and the status of garage and building doors and windows. "All of that information is beamed up to a cloud platform were all of that data is analyzed. And depending on conditions it then sends alerts and information to incident response, such as the local fire department, police, or perhaps private services. And all of that information is centrally managed [by the homeowner] on their phone,” Courtot said.That’s how cloud security services for the enterprise need to also work: sensors in the enterprise environment that gather security and compliance information, asset information, and other data about the state of the systems and all of that data is then sent to a cloud service for analysis, which then provides security teams the information they need to protect their environments.“Our appliance is unique from others,” Courtot said, and made the parallel to home security systems regarding how the Qualys Cloud Platform gathers all of the information security teams need about the state of their network, and how they can manage their security from anywhere in an app.Going forward, that’s the kind of security capability enterprises will need to manage security at the scale that their clouds services are growing. “You need sensors that are gathering data from everywhere in the enterprise. And you need to integrate that security data with information about your assets, and analyze it all to see if they are secure and in compliance. If not, it needs to be acted upon,” Courtot said. “And today that means it has to scale, it has to be in the cloud,” he said.

Let’s face it, cloud computing, artificial intelligence, mobile, big data, automation, DevOps, and the Internet of Things have all been hyped for some time. While the impact of these trends has likely been overstated in the short run, they’ve been likely understated over the long run. That is to say when it comes to the next decade, buckle up and get ready for there is a significant amount of disruption on its way.Hide the remainder of this articleSpeaking of disruption, when it comes to cybersecurity, with the many high profile government and private sector breaches in the past year and the rapid growth in mobile and cloud computing have all created enough disruption for most of us. The research firm IDC expects cloud spending on public cloud alone to reach $70 billion this year.Security spending is also up, and more enterprises are using cloud-based security toolsets to secure their systems. In the CSO story, Survey says enterprises are stepping up their security game I covered how that PwC, CIO, and CSO survey showed that enterprises are reaping benefits from cloud based security services.These benefits include: real-time monitoring and analytics (56%), authentication (55%), identity and access management (48%), threat intelligence (47%), and end-point protection (44%).At Qualys Security Conference 2015 which kicked off today, the increased importance in cloud-based security services will be an important focus. In addition to keeping attendees informed about the latest enhancements to the Qualys Cloud Platform, as well as future Qualys roadmaps, the conference will show how enterprises can obtain more insight through security and compliance data, and how enterprises must evolve as technology trends evolve.Cloud, mobile, and automation were big themes last year, and will be themes that are built upon even more this year. Enterprises need to get better at continuously monitoring their systems for security defects and vulnerabilities, policy violations, and intrusions. But as more of the data center is automated, teams are going to have to get better at automating security policies and in security and compliance control enforcement.The impact all of this disruption is having on enterprise security teams will be a central part of the presentation by Tyler Shields’, principal analyst, at Forrester Research: Security is Breaking Down... Why Now, and What Can We Do About It? Shields will show how we came to arrive here and where the security industry and enterprise teams need to improve in order to succeed in the age of mobile, cloud, and IoT. What has to be done to secure applications and data when networks, operating systems, and applications have been so transformed? Shields promises to delve into these trends “and see what they really mean to our security future.”The conference will conclude with a broader view from author and entrepreneur Martin Ford, who will provide a warning about how unjust an automated economy can become and what must be done to avoid a dismal future. Ford is the author of the New York Times Bestselling Rise of the Robots: Technology and the Threat of a Jobless Future and The Lights in the Tunnel: Automation, Accelerating Technology and the Economy of the Future.

Sometimes standard web application scanning techniques are too intrusive. The web application owner may not want to run a scan that tests for a vulnerability by uploading application data because that might have negative side effects for the application. It can be better to use an indirect method like web application fingerprinting which inspects static files in the web app to determine its version, and then reports the known vulnerabilities for that version.Hide the remainder of this articleBlind Elephant is a trustworthy open-source static-file web application fingerprinter. It attempts to discover the version of a (known) web application by comparing static files at known locations against pre-computed hashes for versions of those files in all available releases. This technique works well when the static files change with every release, allowing the fingerprinter to identify the application version based on the contents of the files. This technique is non-invasive and generic, and the use of pre-computed hashes means it is fast, low-bandwidth and highly automatable.Over the five years since the open source Blind Elephant project was introduced, Qualys has maintained it, integrated it with the Qualys Cloud Suite, and added lots and lots of detections. That makes the Qualys integration a useful tool for web application security teams.Qualys Integration & DetectionsQualys has been steadily adding detectable applications to the Qualys integration, which now detects over 200 web applications, plugins and extensions, and this number continues to grow every week. Qualys customers can look up QID 45114 in their scan reports and see a listing of the web applications found in their environment.In order to add a detection, the Qualys team needs access to the source code and a few versions of the web application. With too few versions or files that remain unchanged across versions, it is not possible to create detections.Uses CasesThe Blind Elephant engine can be most effective in the following scenarios that are too intrusive into the customer's application, and where it's better to determine the existence of the vulnerability indirectly, i.e. via fingerprinting:

Here’s a short story about a simple vulnerability that was easy to fix, but nonetheless could have had serious consequences.Imagine an attacker, who doesn’t even have root access, being able to:- Get source code from the community of Pebble watch developers- Replace their binaries with malicious ones- Deploy the malicious binaries to the developers’ watches when they click the ‘Remote Deployment’ button.Hide the remainder of this articleThe above was possible (until Pebble made a quick fix -- kudos to them!). And Pebble is not alone: researchers at Black Hat and DEF CON this year demonstrated a wide array of device hacks. The lesson for developers is to always include secure coding practices and testing in your software lifecycle.About PebblePebble is a well-known player in the expanding wearables (smart watch) market. One of their key strengths has been their apps market which currently has more than 6000 apps and watch faces. In 2013 Pebble launched the cloudpebble.net portal where developers can code, build and remotely deploy apps to their smartwatch without installing any SDK on their machines.The VulnerabilityWhile building a Pebble watch app through cloudpebble.net, I observed that the build logs contain output from build commands run on the Linux shell. I was interested to check if I could inject a custom command during the build process and get its output from the build log. After a few tries, I was able to successfully demonstrate the attack. Following Qualys’ responsible disclosure policy, I contacted Pebble and provided details of the attack. Pebble acknowledged the issue and provided a fix within 6 hours, which was quite impressive. As a token of appreciation they added me to their ‘White Hat Hall Of Fame’.Proof of ConceptFollowing are the details about how I was able to carry out this attack.

The OpenSSL team has announced a fix to resolve a high severity vulnerability (CVE-2015-1793) which allows certificate forgery. During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. It affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1oHide the remainder of this articleOpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2dOpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1pStable distributions of many Linux flavors are not affected:RedHat: No Red Hat products are affected by the CVE-2015-1793 flaw. No actions need to be performed to fix or mitigate this issue in any way.OpenSUSE: The OpenSSL versions shipped in openSUSE 13.1 and 13.2 are not affected. The openSUSE Tumbleweed distribution never received a vulnerable version and was never affected. The next submission into Factory will skip any vulnerable versions.Ubuntu: Ubuntu versions 12.04LTS, 14.04LTS, 14.10LTS, 15.04 and 15.10 are not affected.Debian: The stable and old stable versions are not vulnerable. The 'testing' and 'unstable' versions are affected.Qualys has released QID 38104. Please refer to the knowledge base for more information on this check.

Most organizations enforce system configuration policies to reduce the chance of misconfiguration and improve their overall security posture. For Microsoft Windows systems, many organizations rely on guidance from Microsoft Security Compliance Manager (SCM) for proper configuration. For organizations deploying Windows 8.1, this Top 4 list helps you understand and implement the new settings introduced in SCM for Windows 8.1.Hide the remainder of this articleAs an engineer on the Qualys Policy Compliance product team, I routinely compare compliance benchmarks, and have compiled this list based on my work. If you are already familiar with previous version of Windows, this blog post can help you to quickly adopt the new changes.1. Windows DefenderWindows Defender is your first line of defense against spyware, viruses and malicious software. It helps to identify and remove them. On Windows 8 and above, it runs in the background and notifies when some action is needed from the user.In Windows 8.1, Microsoft has introduced more options related to scanning, reporting, real-time protection and many more in Windows Defender. Of the over 90 settings in Windows Defender, the following are the most important ones you should enable if Windows Defender is the only anti-malware present on the target system.

Would you buy a cellphone with a hardcoded password? Definitely not. I wouldn’t either.But as is sometimes the case with non-mass-market devices, security can be overlooked in favor of convenience, even if in retrospect it’s clearly a mistake to do so. Fortunately, this story has a happy ending, thanks to responsible disclosure and quick vendor response.Hide the remainder of this articleAs a vulnerability research engineer at Qualys, I routinely audit various devices, and today Qualys is releasing information on three new vulnerabilities I found on the Garrettcom Magnum 6k and Magnum 10k Series managed switches.These devices had the following security issues: