4 security discoveries that should raise the alarm


Few things are as bad as a serious flaw found in the source code of an application at the wrong time. Vulnerabilities in software source code have a damaging impact on the vendor, the service provider and the end user. They incite mistrust and fear and damage the reputation of developers and publishers. According to a study by Carnegie Mellon University, approximately 90% of security incidents come from software bugs.

However, it’s both surprising and disappointing to see that developers aren’t putting enough energy into rooting out vulnerabilities from their source code before releasing their software. And I don’t mean small firms and developer studios; I’m talking about the big players as well. Here are four serious flaws found in recent months that definitely could have been discovered and eliminated long before the software went into production, and that warn us that something has to change in source code reviewing.

Backdoors in Juniper Networks

Last December, tech giant Juniper Networks, which offers services to the likes of AT&T, Verizon, NATO and the U.S. government, announced that it had found two backdoors that had been mysteriously embedded in software running on its firewalls and could be exploited to decrypt protected data passing through its virtual private networks (VPN). The decryption backdoor was made possible by a long-deprecated pseudo-random number generator (Dual_EC_DRBG) that Juniper used in its encryption code, an NSA-developed algorithm that is known to have exploitable properties. Bad randomization mechanisms can enable malicious actors to predict key generation sequences.

Hard-coded passwords in FortiOS

Less than a month later, researchers found a different though no less critical flaw in source code belonging to Juniper competitor Fortinet. The vulnerability in question was a hard-coded password that would allow remote SSH access to servers running Fortinet’s FortiOS software. Fortinet denied that its software had been compromised by malicious parties and dismissed the bug as a maintenance issue that had been patched in newer versions of FortiOS. The loophole was serious enough to be classified as a backdoor by experts, and had been present in versions of the software shipped between 2013 and 2014.

Superhero account hidden in AMX conferencing gear

Earlier this year, AMX, a provider of audio-visual conferencing gear that equips government and military facilities, announced that it had removed a “deliberate” backdoor discovered by experts at SEC Consult. The vulnerability consisted of an account deliberately hidden in a list of database users – which the manufacturer described as a debugging account – with administrative privileges on AMX devices. The account was initially named after Black Widow, a superhero from Marvel Comics’ Avengers series, but was later renamed after DC’s Batman once it had been discovered and reported by SEC Consult.

Non-prime encryption keys in Socat

In a more recent case, Socat, the well-known open-source network utility widely used by administrators and security professionals, was found to use a non-prime parameter to negotiate encryption keys. Prime parameters are one of the most basic requirements of asymmetric key-exchange algorithms, and omitting them can in practice allow attackers to calculate secret keys and decrypt protected communications. This particular flaw was introduced into the program by a source code patch uploaded in January 2015, which means that it had remained in the dark for more than a year.
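As an added illustration (not code from the original post or from the Socat project), here are the checks an administrator can run over a Diffie-Hellman modulus before trusting it: primality, the safe-prime property, and minimum size. The function names are mine, and the hex-parsing helper assumes the colon-separated layout that `openssl dhparam -text` prints; the sample modulus at the bottom is a constructed toy value, not Socat’s parameter.

```python
import random

# Trial division by small primes before the probabilistic test.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test. False means n is definitely composite."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True


def modulus_from_hex(dump: str) -> int:
    """Parse the colon-separated hex modulus printed by `openssl dhparam -text`."""
    return int("".join(c for c in dump if c in "0123456789abcdefABCDEF"), 16)


def check_dh_modulus(p: int, min_bits: int = 2048) -> dict:
    """Return the properties a DH modulus must have to be accepted."""
    prime = is_probable_prime(p)
    # A safe prime p = 2q + 1 with q prime avoids small subgroups.
    safe = prime and is_probable_prime((p - 1) // 2)
    long_enough = p.bit_length() >= min_bits
    return {"bits": p.bit_length(), "is_prime": prime,
            "is_safe_prime": safe, "long_enough": long_enough,
            "acceptable": prime and safe and long_enough}


if __name__ == "__main__":
    # Constructed toy input (0x2cf = 719, a safe prime); real dumps are 2048+ bits.
    print(check_dh_modulus(modulus_from_hex("02:cf"), min_bits=8))
```

A non-prime modulus like Socat’s fails the very first check, so this is cheap to run as a test against any hard-coded parameter in a build.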

What’s the lesson

Source code reviewing processes and tools are sorely lacking, and a lot of damage is being dealt because of the insufficiencies in these areas. We need a new perspective on testing and debugging applications from a security standpoint, and we definitely need to put an end to the “security as an afterthought” mindset.

I’ll be writing about the solutions in a future article. Until then, code safely and share your comments.


30 comments on “4 security discoveries that should raise the alarm”

  1. […] are just some of the companies providing network- and Internet-related services that have been recently hit with vulnerabilities in the source code of their products, directly putting the security and privacy of millions of […]


  30. […] assets and resources such as database servers, encryption keys and classified documents. A look at these recent data breaches shows how destructive coding flaws can […]
