What we’ve got here is failure to communicate: OS vendors misread CPU docs, create flaw
In a memorable scene from “Jumpin’ Jack Flash,” Whoopi Goldberg struggles to understand the lyrics of the eponymous song from the Rolling Stones, as she pleads: “Mick, Mick, Mick, speak English!” It appears that multiple operating system vendors had similar trouble interpreting Intel and AMD...
May 2018 Patch Tuesday – Medium Weight, However One Active Exploit Needs Attention
This May's Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers. In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical. 32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay...
Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers
The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers. Twitter picks a good day for password-change call As “change your password”...
How To Prioritize Vulnerabilities in a Modern IT Environment
Here’s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of “High” or “Critical.” That works out to about 3,000 such vulnerabilities, or about 58 every week. Given this large number of severe vulnerabilities, it’s...
Gaining Control over Your Digital Certificates
Digital certificate management is in an inadequate state at most organizations, a serious problem, considering that SSL/TLS certificates are critical for a host of e-business functions. “If you’re doing something on the Internet, you’re using SSL,” Asif Karel, a Qualys Director of Product...
When Preparing for GDPR, Don’t Neglect Public Cloud Security
With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, protecting these environments is critical for compliance with the EU's General Data Protection Regulation (GDPR). These public cloud platforms are being used to pow...
Orangeworm Targeting Healthcare Industry since 2015 Now Exposed
Operating since 2015, a threat group dubbed Orangeworm has been newly attributed to hacking and infiltrating healthcare groups around the world. Companies specifically targeted include hospitals, healthcare providers, pharmaceuticals, IT services firms serving the healthcare industry, and more...
Qualys WAS Introduces Swagger Support for REST API Security Testing
In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of...
The Sky Is Falling! Responding Rationally to Headline Vulnerabilities
It’s happening more and more. Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018 High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide. Even...
Dr. Michio Kaku Paints Fascinating Picture of the Future at Qualys’ RSA Booth
Contact lenses that access the Internet literally at the blink of an eye. Toilets that detect cancer-indicating enzymes. Human settlements on Mars. Beaming one’s mind into outer space using lasers. Watching a video of your dreams after you wake up. Those were just a few of the mind-blowing...
Qualys: Cloud Security Must Move Towards ‘Transparent Orchestration’
What does the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar. Whenever his 7-year old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu,...
Indication of Compromise: Another Key Practice for GDPR Compliance
In this ongoing blog series on preparing for complying with the EU’s General Data Protection Regulation (GDPR), we’ve explained the importance of having solid, foundational security practices like asset management and threat prioritization. Today, we’ll discuss how another such practice can help...
April Patch Tuesday – 63 Microsoft vulnerabilities, 19 for Adobe
Today's Patch Tuesday is smaller than last month, but there are more critical updates this time. Out of the 63 vulnerabilities covered by the Microsoft patches, 22 of them are critical. Adobe has released 6 bulletins covering 19 vulnerabilities. According to Microsoft and Adobe, there are no acti...
Vendor Risk Bites Sears, Delta and Best Buy, while Saks, Lord & Taylor Deal With Breach
Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news. Sears, Delta and Best Buy: Another vendor risk incident What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines...
Call For Customer Presentations at Black Hat USA 2018!
Tell your security story to your peers at Black Hat USA 2018! Qualys is looking for customers excited to share their security and DevSecOps successes, best practices for building security into modern enterprises and case studies leveraging the use of the Qualys Cloud Platform. Take the stage in t...
Put FIM in Your GDPR Toolbox
File integrity monitoring, like other foundational security practices such as vulnerability management, helps organizations comply with the EU’s General Data Protection Regulation (GDPR). FIM specifically provides security controls in three key areas for GDPR: Ensuring integrity of data stored in...
Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing
In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news -- this time involving Microsoft -- and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability. Microsoft...
A “Patch for the Meltdown Patch” released out of band Thursday night
The Meltdown/Spectre saga continues… Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038. Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did...
Continuous Web Security Assessment for Production and DevOps Environments
Web applications have become essential for business, as they simplify and automate key functions and processes for employees, customers and partners, making organizations more agile, innovative and efficient. Unfortunately, many web applications are also unsafe due to latent vulnerabilities and...
Securing your Cloud and Container DevOps Pipeline
Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments. Driving this growth in cloud computing adoption is its essential role in digital...
QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”
QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score. F5 BIG-IP encodes private IP addresses in its persistence cookies, which an attacker could collect and decode back into the internal addresses. The...
Feds Take On Foreign Hackers, While 880K Orbitz Customers “Likely” Affected by Data Breach
In this edition of Qualys’ infosec news digest, we look at Orbitz’s data breach, AMD’s vulnerabilities controversy, and recent actions by the U.S. government against alleged Russian and Iranian cyber spies. Orbitz was kinda, sorta, maybe hacked Orbitz disclosed last week that personal information...
Qualys Cloud Platform (VM, PC) 8.13 New Features
This new release of the Qualys Cloud Platform (VM, PC), version 8.13, includes several new feature improvements across the apps such as the ability to test authentication records, as well as improvements to UDCs and report options in Qualys Policy Compliance. Feature Highlights Qualys Cloud Platfo...
Webcast Q&A: The GDPR Deadline Readiness and Impact to Global Organizations Outside the EU
With the EU’s General Data Protection Regulation (GDPR) going into effect in late May, organizations are hungry for clarifying information regarding its vaguely-worded requirements, in particular as they apply to cyber security and IT compliance. This interest in better understanding how to comply...
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendo...
March Patch Tuesday – 75 Microsoft vulnerabilities, 7 for Adobe
Today's Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities. All of the critical vulnerabilities from Microsoft are...
PCI DSS v3.2 & Exposing Session ID in URL
Passing the session ID in the URL, as detected by QID 150068 “Session ID in URL”, will be marked as a Fail for PCI as of April 15, 2018 in accordance with PCI DSS v3.2. QID 150068 is a PCI Fail according to PCI DSS v3.2 Requirement 6.5.10: 6.5.10 Examine software development policies and procedures and...
Cryptomining is all the rage among hackers, as DDoS amplification attacks continue
In this week’s InfoSec news review we’ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones. I, me, mine The freight train that’s cryptomining shows no sign of slowing down, and the cyber security...
GDPR: The Stakes Are High and Time Is of the Essence
With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents. GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lo...
TLS 1.0 Deprecation for Qualys Cloud Platform
Qualys will require all connections to our Cloud Platform to use TLS 1.1 or higher beginning April 2nd 2018, in order to align with industry best practices for security and data integrity. Please ensure that you are using TLSv1.1+, or your connectivity to the Cloud Platform will be impacted. This...
Apple in the InfoSec Spotlight, as GitHub Falls Prey to Amplified DDoS Attack
Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics' hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to...
Recline on the Qualys Couch: Examining Patching Behavior
In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks. Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months...
Qualys Cloud Platform 2.32 New Features
This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, File Integrity Monitoring, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows. Post update...
Hackers Hit the Olympics, While Patch Tuesday and Meltdown / Spectre Keep IT Departments On Edge
This week offered a representative sampling of different corners of the cyber security world: The monthly Patch Tuesday, a brazen attack against the Olympics, new Meltdown and Spectre concerns, and a boost for Intel’s bug bounty program. Oh, and the gargantuan Equifax data breach may have been ev...
February Patch Tuesday – 55 Microsoft vulnerabilities patched, 45 for Adobe
For this month's Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week. From this list, there are patches for a vulnerability...
Securing IT Assets By Prioritizing Protection And Remediation
As hackers get faster at weaponizing exploits for disclosed bugs, InfoSec teams need — more than ever — automated, continuous and precise IT asset inventorying, vulnerability management, threat prioritization and patch deployment. Critical vulnerabilities that linger unpatched for weeks or months...
Intel Makes Spectre Patch Progress, while Adobe Grapples with Latest Flash Bug
It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild. Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, a...
If You Think File Integrity Monitoring is Boring, Think Again
You’ll be hard pressed to find file integrity monitoring on any list of cool, emerging, cutting-edge cybersecurity technologies. But if you choose to ignore this mature, foundational technology, you do so at great risk. File integrity monitoring, or FIM, plays a key role in critical security and...
Countdown to GDPR: For GDPR Compliance, Web App Security Is a Must
With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU's General Data Protection Regulation (GDPR). First discussed in the 1990s and turned into law in 2016, GDPR goes into effect in May of thi...
SSL Labs Grading Update: Forward Secrecy, Authenticated Encryption and ROBOT
Update March 1, 2018: The completion of these changes is documented under Version 1.31.0 in the SSL Labs Changelog. We are giving advance notification of the following grading criteria changes applying from March 1, 2018: Not using forward secrecy, not using AEAD suites, and vulnerability to ROBOT...
Meltdown / Spectre: New Concerns Over Intel Patches, as Hackers Test Exploits
This week brought new developments in the Meltdown / Spectre saga, including more concerns about Intel’s buggy patches, and mounting evidence that hackers are trying to create exploits for the vulnerabilities. It seemed that after weeks of complaints and confusion, Intel’s issue had hit bottom an...
Continuous Security and Compliance Monitoring for Global IT Assets
In today’s information security world, all assets everywhere must be detected, visible, protected and compliant -- all the time. It’s no longer enough to rely on “point in time” security and compliance assessments, such as scheduled weekly or monthly scans on handpicked critical servers. “You mus...
Meltdown/Spectre: Intel Nixes Patches, Tech CEOs Questioned on Information Blackout
IT departments and tech vendors continued grappling with Spectre and Meltdown this week, as Intel pulled its glitchy patches and the U.S. Congress questioned the vulnerability disclosures' timing and scope. Spectre and Meltdown aren't typical vulnerabilities for a number of reasons, and as a...
Qualys Cloud Suite 8.12 New Features
This new release of the Qualys Cloud Suite, version 8.12 adds new reporting options for the PC Report, allowing you to include new summaries in the remediation section of the report for control failures. Feature Highlights Qualys Policy Compliance PC/SCAP PC Report: Failure Summary Section – You...
Meltdown and Spectre Aren’t Business as Usual
The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk. “Meltdown and Spectre are different...
Meltdown / Spectre Mitigation Is a Work in Progress
Since researchers disclosed the Meltdown and Spectre vulnerabilities on Jan. 3, vendors and IT departments have been consumed trying to figure out how to properly address the potentially devastating effects of these kernel-level bugs. By now, one thing we know for sure is that dealing with the...
Continuous Security & Compliance Demo Series
This series shows you how to effectively navigate security risks, new regulations and new technologies in support of a secure and compliant digital transformation. Qualys product managers walk you through the new features of Qualys Cloud Platform and Apps and show you how to get maximum leverage...
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendo...
January Patch Tuesday – Meltdown/Spectre, 16 Critical Microsoft Patches, 1 Adobe Patch
Due to the disclosure of Meltdown and Spectre, Microsoft released several patches last week with the ranking "Important." While there are no active attacks against these vulnerabilities, a special focus should be placed on any of the browser patches, due to potential attacks using JavaScript. It ...
Meltdown/Spectre and Qualys Cloud Platform
In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities...