Audit

Mozilla has given the widely used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

The free security review turned up four high-severity vulnerabilities that could lead to remote code execution, four medium-risk bugs, and one low-risk TLS flaw exploitable by a man-in-the-middle.

One medium-severity credential flaw, in which ConnectionExists() compared passwords case-insensitively using strequal(), was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were closed in seven patches, two of the vulnerabilities having been addressed by a single patch, in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

The 20-day source code audit, funded by Mozilla, was conducted by five engineers from the Berlin-based Cure53 team.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the report [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing that a recent run of security vulnerability reports might point to undiscovered underlying problems.

The report was finished on 23 September, and fixes were produced over the ensuing months.

The developer says the decision to handle the audit in secret may have meant fewer checks on the fixes and a greater chance of broken patches.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL-01-021 UAF via insufficient locking for shared cookies (High)
  • CRL-01-005 OOB write via unchecked multiplication in base64_encode() (High)
  • CRL-01-009 Double-free in krb5 read_data() due to missing realloc() check (High)
  • CRL-01-014 Negative array index via integer overflow in unescape_word() (High)
  • CRL-01-001 Malicious server can inject cookies for other servers (Medium)
  • CRL-01-007 Double-free in aprintf() via unsafe size_t multiplication (Medium)
  • CRL-01-013 Heap overflow via integer truncation (Medium)
  • CRL-01-002 ConnectionExists() compares passwords with strequal() (Medium)
  • CRL-01-011 FTPS TLS session reuse (Low)
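To show why CRL-01-002 (the ConnectionExists()/strequal() item above, described earlier in the article) is a credential bug rather than a cosmetic one, here is an added C illustration, not cURL's code: a simplified connection-reuse check that compares credentials case-insensitively, next to a hardened version that compares them exactly and in constant time. The struct, function names and the cached sample connection are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a pooled connection; only the fields this
 * demonstration needs. Not cURL's connection structure. */
struct conn {
    const char *host;
    const char *user;
    const char *passwd;
};

/* Constructed sample: a connection authenticated as alice with the password
 * "Secret" that is now sitting in the reuse pool. */
static const struct conn CACHED = { "example.test", "alice", "Secret" };

static unsigned char ascii_lower(unsigned char c) {
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* ASCII case-insensitive equality, the behaviour CRL-01-002 attributes to
 * strequal() (a stand-in, not cURL's implementation). Appropriate for host
 * names, which DNS treats case-insensitively; wrong for secrets. */
static bool equal_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        if (ascii_lower((unsigned char)*a) != ascii_lower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Exact, constant-time equality for credentials: every byte of the longer
 * input is visited whatever the position of the first mismatch, so the check
 * neither folds case nor leaks the mismatch position through timing. */
static bool secret_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Reuse check with the flaw: credentials are compared like host names, so a
 * request carrying "secret" is handed the connection authenticated with
 * "Secret". */
static bool conn_matches_vulnerable(const struct conn *c, const char *host,
                                    const char *user, const char *passwd) {
    return equal_nocase(c->host, host) && equal_nocase(c->user, user) &&
           equal_nocase(c->passwd, passwd);
}

/* Hardened check: host names stay case-insensitive, credentials must match
 * byte for byte. */
static bool conn_matches_fixed(const struct conn *c, const char *host,
                               const char *user, const char *passwd) {
    return equal_nocase(c->host, host) && secret_equal(c->user, user) &&
           secret_equal(c->passwd, passwd);
}

int main(void) {
    const char *cases[][3] = {
        { "example.test", "alice", "Secret" },   /* identical credentials */
        { "EXAMPLE.TEST", "alice", "Secret" },   /* host differs only in case */
        { "example.test", "alice", "secret" },   /* password differs only in case */
        { "example.test", "Alice", "Secret" },   /* user differs only in case */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char **k = cases[i];
        printf("%-13s %-6s %-7s vulnerable=%d fixed=%d\n", k[0], k[1], k[2],
               conn_matches_vulnerable(&CACHED, k[0], k[1], k[2]),
               conn_matches_fixed(&CACHED, k[0], k[1], k[2]));
    }
    return 0;
}
```

Only the second row (host case differs) should match under the hardened check; the vulnerable check also reuses the connection for the wrong-case password and user.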

The Register - Security

Sensitive FDA Systems at Risk of Cyberattacks: Audit

Published October 2, 2016 | By Roberto Martinez

A report made available this week by the U.S. Government Accountability Office (GAO) shows that the Food and Drug Administration (FDA) needs to address some serious cybersecurity weaknesses that expose industry and public health data.

An audit conducted by the GAO between February 2015 and August 2016 revealed several problems that put the confidentiality, integrity, and availability of the FDA's systems at risk.

The GAO's analysis targeted seven of the FDA's 80 systems. The machines covered by the audit receive and process sensitive drug information and are essential to the agency's mission. Because they are categorized at the moderate or high impact level under the Federal Information Processing Standards, a compromise of the systems or their information could have a serious or catastrophic impact on the organization.

A total of 87 weaknesses were identified by the GAO, including failures to protect network boundaries, identify and authenticate users, restrict user permissions, encrypt sensitive data, monitor system activity, and conduct physical security reviews.

For instance, the FDA's internal network was not isolated from the network of the contractor in charge of the agency's public website. The internal network was also accessible from one of the organization's untrusted networks.

Another example is the FDA's failure to implement strong password controls: passwords that remained unchanged for several years, weak credentials and default settings.

As for authorization-related concerns, the GAO discovered that hundreds and even thousands of user accounts had unnecessary or uncontrolled access to file shares. The audit also revealed that sensitive data, including passwords, were not properly encrypted.

The FDA did not properly audit and monitor its systems, which could allow malicious actors to remain undetected for extended periods of time. The GAO pointed out that the agency did not always retain audit logs, and it failed to preserve evidence related to a 2013 security breach that resulted in an external attacker gaining access to sensitive user account information.

"FDA has taken steps to safeguard its systems that receive, process, and maintain sensitive data by, for example, implementing policies and procedures for controlling access to and securely configuring those systems. However, a significant number of weaknesses remain in technical controls — including access controls, change controls, and patch management — that jeopardize the confidentiality, integrity, and availability of its systems," the GAO said in its report.

One of the causes of weak security controls, according to the GAO, is the lack of a properly implemented agency-wide information security program as required by federal laws. These laws require government organizations to implement risk assessments, incident response procedures, regular testing of security controls, reviews and updates of security policies and procedures, vulnerability patching mechanisms, and security training.

The GAO has made over a dozen recommendations for the implementation of an agency-wide information security program and 166 recommendations on addressing specific problems.

Related: Huge US Facial Recognition Database Flawed

Related: DHS's Einstein Security System Has Limited Capabilities

Related: Internet Connectivity Could Expose Aircraft Systems to Cyberattacks

Source: SecurityWeek RSS Feed (http://feedproxy.google.com/~r/Securityweek/~3/ZjGiTg-0QRQ/sensitive-fda-systems-risk-cyberattacks-audit)
Audit and Security Come Together with Identity Governance and Intelligence at MISTI: SuperStrategies

Published August 17, 2016 | By Parv

Nick Oropall, WW Market Segment Manager, IBM Security Identity Governance and Administration

"Internal auditors are being asked by audit committees and senior managers to step outside their comfort zones. How are you addressing the fast-paced changes in technology, information security, risk management, governance and compliance?"

The lines above serve as MISTI's introduction to the SuperStrategies conference, but they are also an introduction to the direction of IT audit and information security. Once upon a time, these two areas were separate islands. That is no longer the case.

What Is Identity Governance?

Identity governance helps to answer two questions:

  • How can we verify who has access to what?
  • How can we tell whether that access is something they actually need?

But there is more to identity governance and intelligence. It has become a security control, a safeguard against insider threats and a means of effective communication between the business, IT and audit.

Worlds Colliding: Identity Governance and IT Security

It is critical to select the right identity governance and intelligence solution. It can help to identify who has access to what and whether they should have that access. Analytics can help optimize roles and user access while simultaneously helping to prioritize high-risk access or users.

Gone are the days when identity and access management could be kept separate from IT security. The two are intertwined, and that makes communication critical. Identity governance and intelligence needs to be the solution that fosters communication between the audit and IT teams, as well as the solution that enables business managers to make the right access decisions.

Discover More at SuperStrategies 2016

The 2016 SuperStrategies agenda is designed to help internal audit executives better understand the challenges they face every day. Featured keynotes include Thierry Dessange, VP of Technology Audit at Visa, and Robert King, CVP and chief audit executive at FedEx.

If you are interested in hearing more about how identity governance and intelligence brings security and compliance together, please come to MISTI SuperStrategies, which is taking place Sept. 27 to 29 in Las Vegas. Be sure to stop by IBM's booth. We look forward to seeing you there!

For additional information on this topic, check out the on-demand webinar "How Identity Governance Can Help Protect Your Organization," presented in July by MISTI and IBM.

Topics: Identity and Access Governance (IAG), Identity and Access Management (IAM), Identity Governance, Security Conferences

Source: Security Intelligence (http://feedproxy.google.com/~r/SecurityIntelligence/~3/X49qpG9k_xo/)
VeraCrypt Audit Under Way; Email Mystery Cleared Up

Published August 16, 2016 | By Juan Ellis

Source: Threatpost | The first stop for security news (http://threatpost.com/veracrypt-audit-under-way-email-mystery-cleared-up/119924/)