RGPD SSI – French data revolution – millions of records exposed by a job agency


On the 21st of December 2018, while researching another output of Shodan search results, we discovered an unprotected Elasticsearch cluster exposing millions of records with very sensitive data.

MisterTemp database exposure

The names of the indexes and their content left no doubt as to the owner of data – an “online temp agency” known as MisterTemp – which claims to be a place where anyone can quickly apply for a temporary job and offers “temporary assignments throughout France” in a variety of sectors. »

blog.hackenproof.com/industry-news/millions-of-records-exposed-by-french-job-agency/

China – Millions of CVs exposed

BBC Cyber News – Millions of Chinese CVs exposed on cloud server

« In early January, Beijing police arrested a man who allegedly stole data on five million rail travellers. The hacker is believed to have targeted the widely used 12306 online rail booking system.

In August 2018, Chinese police were reportedly investigating a data breach that involved 500 million records about customers of the Huazhu Group, which operates hotels across the country.

The data lost included customer registration information, booking records and personal data. »

http://www.bbc.co.uk/news/technology-46864584

Hardware attacks – Hackers aims for the jackpot

« There are two main types of hardware attack. »

« One is to try to subvert the device in normal operation, generally by attaching something to an I/O port or to the PCB itself. »

« Another level of attack is to try to peer more deeply into the target in the hope of reverse-engineering the design or to pull out encryption keys and other sensitive data … »

www.newelectronics.co.uk/electronics-technology-ezine/Hackers-aims-for-the-jackpot/199672/183634/

CLUSIF – Panorama de la cybercriminalité – Year 2018

« For several years now, the CLUSIF Panorama de la Cybercriminalité has established itself as an unmissable event in the information security world.

This conference reviews the year in cybercrime, as well as societal and sometimes accidental events related to information security. »

clusif.fr/conferences/panorama-de-la-cybercriminalite-annee-2018/

Linux – Systemd Privilege Escalation Flaws

#RGPD – Security by design

#CyberEdu – Security education; on the proper use of a compiler and its options

« Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems.

The vulnerabilities, assigned as CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, actually reside in the « systemd-journald » service that collects information from different sources and creates event logs by logging information in the journal.

The vulnerabilities, which were discovered and reported by security researchers at Qualys, affect all systemd-based Linux distributions, including Redhat and Debian, according to the researchers.

However, some Linux distros such as SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not affected, as « their userspace [code] is compiled with GCC’s -fstack-clash-protection. » »

thehackernews.com/2019/01/linux-systemd-exploit.html
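The distributions quoted above escaped because their userspace was built with GCC's -fstack-clash-protection. The C below is an added example, not systemd's or Qualys's code, showing the bug class that flag mitigates: a stack allocation whose size is chosen by the input. It contrasts an unbounded variable-length array with a bounded version that sends large inputs to the heap; the function names, the sum_upper work done on the buffer, STACK_SCRATCH_LIMIT and the 1 MiB constructed input are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest scratch buffer this code will place on the stack. One page is an
 * assumption chosen for the example; the point is that the bound is fixed
 * at compile time and not chosen by the input. */
#define STACK_SCRATCH_LIMIT 4096

/* Work done on the scratch copy: upper-case ASCII letters and return the
 * byte sum. Stands in for whatever parsing a daemon does on its copy. */
static unsigned long sum_upper(char *scratch, const char *in, size_t n)
{
    unsigned long sum = 0;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        if (c >= 'a' && c <= 'z')
            c = (char)(c - ('a' - 'A'));
        scratch[i] = c;
        sum += (unsigned char)c;
    }
    scratch[n] = '\0';
    return sum;
}

/* Vulnerable pattern: the attacker-supplied length sizes a stack array.
 * With a multi-megabyte input the stack pointer moves past the guard
 * region below the stack in a single step and the writes land in whatever
 * mapping sits there. Built with -fstack-clash-protection, GCC probes each
 * page of the allocation, so the same input faults on the guard page
 * instead of silently crossing it. */
unsigned long process_unbounded(const char *in)
{
    size_t n = strlen(in);
    char scratch[n + 1];             /* size chosen by the input */
    return sum_upper(scratch, in, n);
}

/* Hardened pattern: the stack buffer has a fixed size; larger inputs go to
 * the heap. *used_heap reports which path was taken. Returns 0 if the heap
 * allocation fails. */
unsigned long process_bounded(const char *in, int *used_heap)
{
    size_t n = strlen(in);
    if (n + 1 > STACK_SCRATCH_LIMIT) {
        char *scratch = malloc(n + 1);
        if (scratch == NULL)
            return 0;
        *used_heap = 1;
        unsigned long sum = sum_upper(scratch, in, n);
        free(scratch);
        return sum;
    }
    char scratch[STACK_SCRATCH_LIMIT];   /* fixed size: cannot skip the guard */
    *used_heap = 0;
    return sum_upper(scratch, in, n);
}

/* Feeds a 1 MiB input (constructed here) through the hardened path and
 * reports whether it took the heap and produced the expected sum. */
int big_input_ok(void)
{
    size_t big = 1u << 20;
    char *buf = malloc(big + 1);
    if (buf == NULL)
        return 0;
    memset(buf, 'a', big);
    buf[big] = '\0';
    int used_heap = 0;
    unsigned long sum = process_bounded(buf, &used_heap);
    free(buf);
    return used_heap == 1 && sum == 65UL * big;
}

int main(void)
{
    int used_heap = 0;
    printf("small: %lu (heap=%d)\n", process_bounded("hello", &used_heap), used_heap);
    printf("big input handled safely: %d\n", big_input_ok());
    return 0;
}
```

Build it once with plain `gcc -O2` and once with `-fstack-clash-protection` added (file name is whatever you save it as): the bounded path behaves identically either way, which is the point. The flag is a safety net for code shaped like process_unbounded, not a substitute for bounding the allocation in the source.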

DCP – AFCDP 2019 Right of Access Index: 60.3% of the entities contacted replied

« AFCDP 2019 Right of Access Index: 60.3% of the entities contacted replied within the two months allowed under the previous legal framework, which is a clear improvement. »

« A few days before its major annual conference (the AFCDP DPO University, to be held on 16 January 2019 at the Maison de la Chimie in Paris), the AFCDP, the association of DPOs, publishes its annual Right of Access Index. Under the French Data Protection Act (loi Informatique & Libertés), anyone may ask to access their personal data. The 2019 edition shows that individuals' rights are being better taken into account. But what will next year look like, once the stricter rules imposed by the GDPR apply? »

https://afcdp.net/spip.php?article837

Press release:

cp_afcdp_index_droit_acces_-_8_janvier_2019.pdf

« The « hard core » of companies that play dead falls to 33%, compared with 40% in previous years

Although the percentage is still too high, this is excellent news; it is regrettable, however, that a third of them had nevertheless appointed a Correspondant Informatique et Libertés (the forerunner of the Data Protection Officer). For these compliance professionals, should we go as far as running « mystery shopper » tests so that they can verify that their procedure for handling access requests is known and applied?

As data subjects are better and better informed and aware of their rights, they no longer hesitate to lodge a complaint with the CNIL, which results in data controllers being referred to the Commission Nationale Informatique et Libertés ever more frequently. »

State of Software Security Volume 9: Top 5 Takeaways for CISOs

https://www.veracode.com/blog/research/state-software-security-volume-9-top-5-takeaways-cisos

By Suzanne Ciccone

We’ve just released the 9th volume of our State of Software Security report and, as always, it’s a treasure trove of valuable security insights. This year’s report analyzes our scans of more than 2 trillion lines of code, all performed over a 12-month period between April 1, 2017 and April 30, 2018. The data reveals a clear picture both of the security of the code organizations are producing today and of how organizations are working to lower their risk from software vulnerabilities. There are many significant and actionable takeaways, but we’ve pulled out what we consider the top 5 for security professionals.
1. Most code is still rife with vulnerabilities

More than 85 percent of all applications have at least one vulnerability in them; more than 13 percent of applications have at least one very high severity flaw. Clearly, we’ve got work to do. Most organizations are leaving themselves open to attack, and we need to focus on and keep at the application security problem.
2. The usual suspects continue to plague code security

We continue to see the same vulnerabilities pop up in code year after year. The majority of applications this year suffered from information leakage, cryptographic problems, poor code quality, and CRLF Injection. Other heavy-hitters also showed up in statistically significant populations of software. For example, we discovered highly exploitable Cross-Site Scripting flaws in nearly 49 percent of applications, and SQL injection appeared nearly as much as ever, showing up in almost 28 percent of tested software.

Why do these same vulnerabilities continue to emerge year in and year out? Most likely several factors are coming into play, but developer education clearly plays a big role. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren’t advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don’t provide them adequate training in application security.
3. It’s taking organizations a long time to address most of their flaws

Finding flaws is one thing; fixing them is another. The true measure of AppSec success is the percentage of found flaws you are remediating or mitigating. This year, we took a detailed look at our data surrounding fix rates, and unearthed some troubling, and some promising, findings.

One week after first discovery, organizations close out only about 15 percent of vulnerabilities. In the first month, that closure reaches just under 30 percent. By the three-month mark, organizations haven’t even made it halfway, closing only a little more than 45 percent of all flaws. Overall, one in four vulnerabilities remain open well over a year after first discovery.

Why does that slow fix rate matter? Because cyberattackers move fast. If you’ve discovered a flaw, chances are, the bad guys have too. And the time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in hours or days. A big window between find and fix leaves a big security risk.
4. The volume of vulnerabilities means prioritization is king

Clearly, most code contains a significant number of security-related defects. And also clearly, fixing those defects is not a simple or quick task. Therefore, prioritization rules in application security today. And this year’s data shows that, although organizations are prioritizing their flaws, they aren’t always considering all the important variables. Most are prioritizing by severity of flaw, but not considering criticality or exploitability.

This is a big deal when you consider that a low severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit. Or a low severity credentials management flaw, which might not be considered very dangerous, could hand the attackers the keys to an account that could be used to attack more serious flaws elsewhere in the software.

The bottom line is that organizations need to start thinking more critically about the factors that impact what they fix first.
5. DevSecOps practices are moving the needle on AppSec

In the good news department, this year’s data shows that customers taking advantage of DevSecOps’ continuous software delivery are closing their vulnerabilities more quickly than the typical organization.

What’s the connection? It stems from the focus on incrementalism in DevOps, which focuses heavily on deploying small, frequent software builds. Doing it this way makes it easier to deliver gradual improvements to all aspects of the application. When organizations embrace DevSecOps, they embed security checks into those ongoing builds, folding in continuous improvement of the application’s security posture alongside feature improvement.

Over the past three years, we’ve examined scanning frequency as a bellwether for the prevalence of DevSecOps adoption in our customer base. Our hypothesis is that the more frequently organizations are scanning their software, the more likely it is that they’re engaging in DevSecOps practices. And this year’s data shows that there is a very strong correlation between how many times in a year an organization scans and how quickly they address their vulnerabilities.

When apps are tested fewer than three times a year, flaws persist more than 3.5x longer than when organizations can bump that up to seven to 12 scans annually. Organizations really start to take a bite out of risk when they increase frequency beyond that. Each step up in scan rate results in shorter and shorter flaw persistence intervals. Once organizations are scanning more than 300 times per year, they’re able to shorten flaw persistence 11.5x across the intervals compared to applications that are only scanned one to three times per year.

Get the full report

Read the full SoSS report to get all the software security insights and best practices from our scan data. This year’s report contains details on the above points, plus data and insights on specific vulnerability types, the security implications of programming language choice, which industries are more secure than others, and more.



Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.