Vulnerabilities



A month after an unknown gray hat hacker calling himself “pr0f” used a three-character password to hack his way onto computers used to manage water treatment equipment in South Houston, Texas, a security researcher is accusing the company that makes the industrial control system (ICS) software, Siemens, of trying to cover up the existence of other, more serious vulnerabilities.

by Fergal Glynn, Director of Marketing, Veracode

I recently read a blog post by CloudFlare and Shawn Graham that asked a fantastic (and timely) question: “Do Hackers Take The Holidays Off?” CloudFlare sees traffic for hundreds of thousands of websites and was able to answer the question. They looked at the average percentage of requests that constitute threats, graphed the deviation, and then overlaid any events happening on those days. Their conclusion: it depends on the holiday.

The federal government is planning to focus some of its research and development efforts on developing methods for building security into software and hardware systems used in federal agencies. This is a major change for the government, which has historically focused its energies on defenses such as IDS, custom desktop images and firewalls.

Adobe plans to release a patch on Friday for the zero-day vulnerability in its Reader and Acrobat applications on Windows that is currently being used in some targeted attacks. The patches for the applications running on other platforms will be released next month during the next scheduled patch update.

A long list of industrial-control modules manufactured by Schneider Electric and used to control operations at various industrial facilities contain multiple weaknesses and vulnerabilities that could allow an attacker to modify the firmware, log in remotely and run arbitrary code on the vulnerable components. Security researcher Ruben Santamarta discovered and disclosed the problems, and the ICS-CERT is warning users about the issue as well.