“most” of the reported bugs and is “working hard” on the remainder. It expects the mainnet launch to stay on schedule. Qihoo 360, a China-based internet security firm, says it has notified the EOS blockchain project about “a series of epic vulnerabilities” discovered on its platform. The firm said in a Tuesday report that loopholes found in the EOS platform could expose nodes on the network to attackers, giving them the ability to execute code remotely and take “full control” of transactions. The firm claims that such an attack could potentially “decimate” the entire cryptocurrency network. Qihoo 360 went on to explain that bad actors would be able to attack the network by constructing and publishing smart contracts containing malicious code on the EOS mainnet and having EOS supernodes pack them into new blocks. Subsequently the code would affect all nodes on the network, including those of cryptocurrency wallets and exchanges, letting the attackers gain control of private keys to cryptocurrency transactions. While EOS has not yet made any public comment on the issue, Qihoo 360 said in another blog update that the project’s lead developer, Daniel Larimer, was notified of the issues and that he has since said the vulnerabilities – identified as issue number 3498 on GitHub – have been fixed. “If any of these asserts trigger in release it shouldn’t pass, but should throw. Allowing the code to continue running in release is a potential security vulnerability and will likely result in crashes elsewhere,” Larimer wrote on the GitHub page.
Meanwhile, Larimer has today appealed for more external assistance in identifying critical bugs in the system, with the project’s mainnet launch just days away.
There was a caveat to the hack, however—the hijack involved older models of Samsung TVs and required the CIA to have physical access to a TV to install the malware via a USB stick. But the window for this sort of hijacking is far wider than originally thought, because a researcher in Israel has uncovered 40 unknown vulnerabilities, or zero-days, that would allow someone to remotely hack millions of newer Samsung smart TVs, smartwatches and mobile phones already on the market, as well as ones slated for future release, without needing physical access to them. The security holes are in an open-source operating system called Tizen that Samsung has been rolling out in its devices over the last few years. It already has Tizen running on some 30 million smart TVs, as well as Samsung Gear smartwatches and some Samsung phones in a limited number of countries like Russia, India and Bangladesh—the company plans to have 10 million Tizen phones in the market this year. Samsung also announced earlier this year that Tizen would be the operating system on its new line of smart washing machines and refrigerators too. But the operating system is riddled with serious security vulnerabilities that make it easy for a hacker to take control of Tizen-powered devices, according to Israeli researcher Amihai Neiderman.
A Samsung Z1 with the Tizen operating system on display at the Mobile World Congress 2015 in Barcelona, Spain.
But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app—Samsung's version of the Google Play Store—which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV.
Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it. "You can update a Tizen system with any malicious code you want," he says. Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in. Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet. It didn't take long for Neiderman to notice how bad the Tizen code was on his TV, which led him to purchase a few Tizen phones to see what he could do with them as well. He says much of the Tizen code base is old and borrows from previous Samsung coding projects, including Bada, a previous mobile phone operating system that Samsung discontinued. "You can see that they took all this code and tried to push it into Tizen," Neiderman says. But most of the vulnerabilities he found were actually in new code written specifically for Tizen within the last two years. Many of them are the kind of mistakes programmers were making twenty years ago, indicating that Samsung lacks basic code development and review practices to prevent and catch such flaws. But there's a basic flaw in it whereby it fails to check if there is enough space to write the data, which can create a buffer overrun condition that attackers can exploit. A buffer overrun occurs when the space to which data is being written is too small for the data, causing the data to be written to adjacent areas of memory.
A Tizen stand at the Mobile World Congress 2015 in Barcelona, Spain.
They use SSL on some data transmissions but not others, and usually not on the ones that need it most. "They made a lot of wrong assumptions about where they needed encryption," he says, noting that "it's extra work to move between secure connections and unsecure connections." This indicates that they didn't do it inadvertently but were making conscious decisions not to use SSL in those places, he says. Neiderman contacted Samsung months ago to report the problems he found but got only an automated email in response.
Claims of a backdoor in WhatsApp that could be used for third-party snooping were shot down by WhatsApp, which called the allegations false. On Friday, news outlet The Guardian reported that a cryptography researcher had discovered a backdoor in WhatsApp’s messaging service that could “allow Facebook and others to intercept and read encrypted messages”. In a short statement, WhatsApp said the claim was false: “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in The Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report”. The Guardian report cited research by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. Last April, Boelter disclosed his findings to WhatsApp and published a report on what he posited could be either a backdoor or a flaw in WhatsApp’s messaging platform. Boelter later told The Guardian the “backdoor” gave WhatsApp the ability to read messages because of the way the company had implemented its end-to-end encryption protocol.
Reporters quoted Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who verified Boelter’s research and stated the “backdoor” made WhatsApp “an extremely insecure platform”. The Guardian explains Boelter’s alleged backdoor like this: WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages. WhatsApp, acquired by Facebook in 2014, supports end-to-end encryption and is considered a secure messaging platform based on the highly regarded Signal protocol, developed by Open Whisper Systems. The app boasts one billion users and has been endorsed by the likes of Edward Snowden for keeping private messages private. Claims of a WhatsApp backdoor have been staunchly dismissed by a number of security researchers and cryptography experts. Moxie Marlinspike, the founder of Open Whisper Systems, also agrees with WhatsApp, telling Threatpost, “The Guardian reporting is inaccurate, there is no ‘backdoor’ in WhatsApp encryption.
Unfortunately it appears that they did not speak with any cryptography experts in order to verify their claims”. Marlinspike also posted a more technical explanation behind what Boelter found. In a nutshell, he explains that what Boelter says is a backdoor is actually something all public key cryptography systems have to deal with. “WhatsApp gives users the option to be notified when those changes occur,” he wrote. Frederic Jacobs, a key developer of the private messaging app Signal, called the claims of a backdoor “ridiculous”. In a tweet on January 13, 2017 he said: “It’s ridiculous that this is presented as a backdoor. If you don’t verify keys, authenticity of keys is not guaranteed.” Jacobs and other security researchers explain the “backdoor” is a feature designed to allow WhatsApp users who obtain a new phone to reinstall the WhatsApp app and continue a preexisting conversation thread. A renegotiation of encryption keys allows for the continuity of WhatsApp conversations. The WhatsApp sender is only notified of the change in encryption if they have opted in to an encryption warning setting within settings. Marlinspike and other security experts say snooping on WhatsApp’s re-encrypting of messages by Facebook or any other agency would be extremely difficult and improbable. In a post to his personal site on Friday, Boelter doubled down on his assertion that what he found was a flaw. “WhatsApp has stated recently that this is not a bug, it is a feature. Because now senders don’t have to press an extra ‘OK’ button in the rare case they sent a message, the receiver is offline and has a new phone when coming back online,” he said.
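To make the behaviour described above concrete, here is an added simulation (not WhatsApp's, Signal's or any of the quoted researchers' code) of a relay that re-registers an identity key for an offline recipient while the sender still has undelivered messages. The Server, Sender and toy cipher are constructed for the example; warn_on_key_change models WhatsApp's opt-in notification setting, and require_verification is an assumed hardened policy that holds messages until the user confirms the new key, the "extra OK" Boelter refers to.

```python
import hashlib
import os


def fingerprint(key: bytes) -> str:
    """Short identifier for an identity key (the security code users compare)."""
    return hashlib.sha256(key).hexdigest()[:16]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (XOR with SHA-256 counter blocks). Constructed for
    illustration only; it stands in for the real Signal session encryption."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


class Server:
    """Relay that stores each account's current identity key and forwards ciphertext."""

    def __init__(self):
        self.keys = {}      # account -> current identity key
        self.online = {}    # account -> bool
        self.relayed = []   # (account, key fingerprint, ciphertext) ever forwarded
        self.watchers = {}  # account -> senders to tell when the key changes

    def deliver(self, account: str, tag: str, ciphertext: bytes) -> bool:
        """Forward a message; returns True only if the account was online."""
        self.relayed.append((account, tag, ciphertext))
        return self.online[account]

    def replace_key(self, account: str, new_key: bytes) -> None:
        """A fresh identity key is registered while the account is offline (a new
        phone, or a party controlling the server); senders are told it changed."""
        self.keys[account] = new_key
        self.online[account] = True
        for sender in self.watchers.get(account, []):
            sender.on_key_changed(account, new_key)

    def readable_with(self, account: str, key: bytes) -> list:
        """Everything the holder of `key` can decrypt for this account."""
        return [keystream_xor(key, c).decode()
                for acct, tag, c in self.relayed
                if acct == account and tag == fingerprint(key)]


class Sender:
    def __init__(self, server, warn_on_key_change=False, require_verification=False):
        self.server = server
        self.warn_on_key_change = warn_on_key_change      # WhatsApp's opt-in setting
        self.require_verification = require_verification  # hardened policy (assumed)
        self.known_keys = {}   # peer -> key learned on first contact (TOFU)
        self.undelivered = {}  # peer -> plaintexts not yet marked delivered
        self.held = {}         # peer -> plaintexts waiting for user verification
        self.notifications = []

    def send(self, peer: str, text: str) -> None:
        if peer not in self.known_keys:
            self.known_keys[peer] = self.server.keys[peer]  # trust on first use
            self.server.watchers.setdefault(peer, []).append(self)
        key = self.known_keys[peer]
        delivered = self.server.deliver(peer, fingerprint(key), keystream_xor(key, text.encode()))
        if not delivered:
            self.undelivered.setdefault(peer, []).append(text)

    def on_key_changed(self, peer: str, new_key: bytes) -> None:
        pending = self.undelivered.pop(peer, [])
        if self.require_verification:
            # Hardened behaviour: hold the messages until the user has compared
            # the new security code out of band; nothing is re-sent automatically.
            self.held.setdefault(peer, []).extend(pending)
            self.notifications.append(f"{peer}: key changed, {len(pending)} message(s) held")
            return
        # Behaviour described in the article: re-encrypt to the new key and
        # re-send; warn only if the user opted in, and only after re-sending.
        self.known_keys[peer] = new_key
        for text in pending:
            self.server.deliver(peer, fingerprint(new_key), keystream_xor(new_key, text.encode()))
        if self.warn_on_key_change:
            self.notifications.append(f"{peer}: security code changed, {len(pending)} re-sent")


def run_scenario(require_verification: bool, warn_on_key_change: bool) -> dict:
    """Alice messages Bob; Bob goes offline; a new key is registered for Bob."""
    server = Server()
    server.keys["bob"], server.online["bob"] = os.urandom(16), True
    alice = Sender(server, warn_on_key_change, require_verification)
    alice.send("bob", "meet at noon")         # delivered while Bob is online
    server.online["bob"] = False
    alice.send("bob", "bring the documents")  # not delivered: Bob is offline
    new_key = os.urandom(16)                  # whoever holds this reads re-sent mail
    server.replace_key("bob", new_key)
    return {"readable_by_new_key": server.readable_with("bob", new_key),
            "held": alice.held.get("bob", []),
            "notifications": alice.notifications}
```

Running run_scenario(False, False) shows the undelivered message becoming readable to whoever holds the new key with no notification at all; run_scenario(True, False) shows the same message held and the user warned before anything is re-sent.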
I agree that it’s a flaw, but calling it a backdoor is hyperbole. Remember, Moxie removed SMS encryption from his previous app TextSecure because of the same reasons that the current flaw exists: it is difficult to have secure conversations with people with changing phones, changing apps, etc.
Adobe is no stranger to finding itself in the security headlines for all the wrong reasons, and it seems that things may not be changing as we enter 2017. There was controversy earlier this month when news broke about how Adobe took the opportunity on Patch Tuesday of using its regular security updates to force Adobe Acrobat DC users into silently installing a Google Chrome extension. As Bleeping Computer reports, most people first found out about the extension, which offers the ability to easily convert webpages into PDF files, when they saw a prompt asking them to approve the following permissions:
Of course, you could choose to remove the extension, but it’s the “Enable” option which is set by default – and it is probably what many people would click on without thinking of the possible consequences. Users expressed their outrage on social media about Adobe silently installing the Windows-only extension, leaving poor reviews in the Chrome web store: “How DARE Adobe install this extension automatically and silently as part of a ‘security’ update for Acrobat. Not only am I removing the extension from the browser, I am permanently removing Acrobat from ALL systems on my network and blocking any further installations. My school district will be Acrobat free AS SOON AS HUMANLY POSSIBLE. Further, I will recommend to the Department of Education a different solution for PDF viewing and editing. I will push and fight to get as many people as I can to stop using this disgusting trash”. What further upset some users was that the Adobe Acrobat Chrome extension sends “anonymous product usage data” back to Adobe, although the company stresses that it does not receive details of the URLs visited by users. It wasn’t long before headlines appeared comparing the sneakily installed extension to “spyware”.
Well, perhaps… Controversial Google security researcher Tavis Ormandy’s interest was piqued by all of the attention being given to the extension, so he made his own examination of its code and found that it was vulnerable to cross-site scripting (XSS) attacks. According to statistics displayed on the Chrome web store, the controversial extension has tens of millions of users – all of whom are potentially vulnerable because of the flaw in its code. Every time you add additional software to your computer, you are increasing your potential attack surface. And be wary of software that is installed without your permission or that vendors bundle with their software against your wishes. Adobe has responded to Ormandy’s report by saying it has now issued an update to the extension that fixes the security holes.
Developers are once again being blamed for cloud back-end security vulnerabilities, this time in a new report from Appthority. The company published investigation results that found nearly 43 TB of enterprise data was exposed on cloud back-ends, including personally identifiable information (PII). This comes shortly after a similar report from a different security company. In the new "2017 Q2 Enterprise Mobile Threat Report" (free upon providing registration info), Appthority found "data leakage" from mobile apps that send data to unsecured cloud back-ends. While security concerns typically focus on a triad of other factors -- apps, device threats and network threats -- this data leakage on the back-end was dubbed the "HospitalGown" threat because of that garment's open back-end. "In total, we found almost 43 TB of data exposed and 1,000 apps affected by the HospitalGown vulnerability," Appthority said in a blog post last week. "Looking at a subset of 39 apps, we still found 280 million records exposed, a total of about 163 GB of data. This is a staggering amount of leaked information, and in some cases represents the entirety of customer or operational data for an enterprise." The report echoes the findings of an earlier report by RedLock Inc., which revealed many security issues primarily caused by user misconfigurations on public cloud platforms. RedLock claimed it found 82 percent of hosted databases remain unencrypted, among many other problems.
As with the RedLock report, developers were blamed for the HospitalGown vulnerabilities. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the back-end (hence its name) servers with which the app communicates and where sensitive data is stored," Appthority said. Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacks earlier this year that generated widespread publicity in the security field. However, that publicity apparently wasn't enough to significantly alleviate the issue. "As our findings show, weakly secured back-ends in apps used by employees, partners and customers create a range of security risks including extensive data leaks of personally identifiable information (PII) and other sensitive data," the report states. "They also significantly increase the risk of spear phishing, brute force login, social engineering, data ransom, and other attacks. And, HospitalGown makes data access and exfiltration far easier than other types of attacks." Key findings of the report as listed by the company include:
Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data. Apps using just one of these services revealed almost 43 TB of exposed data.
Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees' VPN PINs, emails, phone numbers), and retail customer data.
Enterprise security teams do not have visibility into the risk due to the risk's location in the mobile app vendor's architecture stack.
In multiple cases, data has already been accessed by unauthorized individuals and ransomed.
Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers.
The company said its Mobile Threat Team identified the HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method, looking at the network traffic on more than 1 million enterprise mobile apps, both iOS and Android. As with the misconfiguration problems identified in the RedLock report, Appthority emphasized that all cases of HospitalGown vulnerabilities were caused by human error, not malicious intent or inherent infrastructure problems. That human error was especially prevalent in two app implementations investigated by Appthority: Pulse Workspace (for accessing enterprise network and Web applications) and Jacto apps (from an agricultural machinery company).
Developers are once again being blamedVulnerability-related.DiscoverVulnerabilityfor cloud back-end security vulnerabilities , this time in a new reportVulnerability-related.DiscoverVulnerabilityfrom Appthority . The company published investigation results that found nearly 43 TB of enterprise data was exposedAttack.Databreachon cloud back-ends , including personally identifiable information ( PII ) . This comes just shortly after a similar report from a different security company . In the new `` 2017 Q2 Enterprise Mobile Threat Report '' report ( free upon providing registration info ) , Appthority found `` data leakageAttack.Databreach`` from mobile apps that send data to unsecured cloud back-ends . While security concerns typically focus on a triad of other factors -- apps , device threats and network threats -- this data leakageAttack.Databreachon the back-end was dubbed the `` HospitalGown '' threat because of that garment 's open back-end . `` In total , we foundVulnerability-related.DiscoverVulnerabilityalmost 43 TB of data exposedAttack.Databreachand 1,000 apps affectedVulnerability-related.DiscoverVulnerabilityby the HospitalGown vulnerability , '' Appthority saidVulnerability-related.DiscoverVulnerabilityin a blog post last week . `` Looking at a subset of 39 apps , we still found 280 million records exposedAttack.Databreach, a total of about 163 GB of data . This is a staggering amount of leaked information , and in some cases represents the entirety of customer or operational data for an enterprise . '' The reportVulnerability-related.DiscoverVulnerabilityechoes the findings of an earlier reportVulnerability-related.DiscoverVulnerabilityby RedLock Inc. , which revealedVulnerability-related.DiscoverVulnerabilitymany security issues primarily caused by user misconfigurations on public cloud platforms . RedLock claimed it found 82 percent of hosted databases remain unencrypted , among many other problems . 
As with the RedLock reportVulnerability-related.DiscoverVulnerability, developers were blamedVulnerability-related.DiscoverVulnerabilityfor the HospitalGown vulnerabilities. `` HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ' failure to properly secure the back-end ( hence its name ) servers with which the app communicates and where sensitive data is stored , '' Appthority said . Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacksAttack.Ransomearlier this year that generated widespread publicity in the security field . However , that publicity apparently was n't enough to significantly alleviate the issue . `` As our findings show , weakly secured back-ends in apps used by employees , partners and customers create a range of security risks including extensive data leaksAttack.Databreachof personally identifiable information ( PII ) and other sensitive data , '' the report states . `` They also significantly increase the risk of spear phishingAttack.Phishing, brute force login , social engineering , data ransomAttack.Ransom, and other attacks . And , HospitalGown makes data accessAttack.Databreachand exfiltrationAttack.Databreachfar easier than other types of attacks . '' Key findings of the report as listed by the company include : Affected apps are connecting to unsecured data stores on popular enterprise services , such as Elasticsearch and MySQL , which are leakingAttack.Databreachlarge amounts of sensitive data . Apps using just one of these services revealed almost 43TB of exposed data . Multiple affected apps leakedAttack.Databreachsome form of PII , including passwords , location , travel and payment details , corporate profile data ( including employees ' VPN PINs , emails , phone numbers ) , and retail customer data . 
Enterprise security teams do not have visibility into the risk due to the risk 's location in the mobile app vendor 's architecture stack . In multiple cases , data has already been accessedAttack.Databreachby unauthorized individuals and ransomedAttack.Ransom. Even apps that have been removed from devices and the app stores still pose an exposureAttack.Databreachrisk due to the sensitive data that remains stored on unsecured servers . The company saidVulnerability-related.DiscoverVulnerabilityits Mobile Threat Team identifiedVulnerability-related.DiscoverVulnerabilitythe HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method , looking at the network traffic on more than 1 million enterprise mobile apps , both iOS and Android . As with the misconfiguration problems identifiedVulnerability-related.DiscoverVulnerabilityin the RedLock reportVulnerability-related.DiscoverVulnerability, Appthority emphasizedVulnerability-related.DiscoverVulnerabilitythat all cases of HospitalGown vulnerabilities were caused by human errors , not malicious intent or inherent infrastructure problems . That human error was especially prevalent in two app implementations investigated by Appthority : Pulse Workspace ( for accessing enterprise network and Web applications ) and Jacto apps ( from an agricultural machinery company ) .
Developers are once again being blamedVulnerability-related.DiscoverVulnerabilityfor cloud back-end security vulnerabilities , this time in a new reportVulnerability-related.DiscoverVulnerabilityfrom Appthority . The company published investigation results that found nearly 43 TB of enterprise data was exposedAttack.Databreachon cloud back-ends , including personally identifiable information ( PII ) . This comes just shortly after a similar report from a different security company . In the new `` 2017 Q2 Enterprise Mobile Threat Report '' report ( free upon providing registration info ) , Appthority found `` data leakageAttack.Databreach`` from mobile apps that send data to unsecured cloud back-ends . While security concerns typically focus on a triad of other factors -- apps , device threats and network threats -- this data leakageAttack.Databreachon the back-end was dubbed the `` HospitalGown '' threat because of that garment 's open back-end . `` In total , we foundVulnerability-related.DiscoverVulnerabilityalmost 43 TB of data exposedAttack.Databreachand 1,000 apps affectedVulnerability-related.DiscoverVulnerabilityby the HospitalGown vulnerability , '' Appthority saidVulnerability-related.DiscoverVulnerabilityin a blog post last week . `` Looking at a subset of 39 apps , we still found 280 million records exposedAttack.Databreach, a total of about 163 GB of data . This is a staggering amount of leaked information , and in some cases represents the entirety of customer or operational data for an enterprise . '' The reportVulnerability-related.DiscoverVulnerabilityechoes the findings of an earlier reportVulnerability-related.DiscoverVulnerabilityby RedLock Inc. , which revealedVulnerability-related.DiscoverVulnerabilitymany security issues primarily caused by user misconfigurations on public cloud platforms . RedLock claimed it found 82 percent of hosted databases remain unencrypted , among many other problems . 
As with the RedLock reportVulnerability-related.DiscoverVulnerability, developers were blamedVulnerability-related.DiscoverVulnerabilityfor the HospitalGown vulnerabilities. `` HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ' failure to properly secure the back-end ( hence its name ) servers with which the app communicates and where sensitive data is stored , '' Appthority said . Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacksAttack.Ransomearlier this year that generated widespread publicity in the security field . However , that publicity apparently was n't enough to significantly alleviate the issue . `` As our findings show , weakly secured back-ends in apps used by employees , partners and customers create a range of security risks including extensive data leaksAttack.Databreachof personally identifiable information ( PII ) and other sensitive data , '' the report states . `` They also significantly increase the risk of spear phishingAttack.Phishing, brute force login , social engineering , data ransomAttack.Ransom, and other attacks . And , HospitalGown makes data accessAttack.Databreachand exfiltrationAttack.Databreachfar easier than other types of attacks . '' Key findings of the report as listed by the company include : Affected apps are connecting to unsecured data stores on popular enterprise services , such as Elasticsearch and MySQL , which are leakingAttack.Databreachlarge amounts of sensitive data . Apps using just one of these services revealed almost 43TB of exposed data . Multiple affected apps leakedAttack.Databreachsome form of PII , including passwords , location , travel and payment details , corporate profile data ( including employees ' VPN PINs , emails , phone numbers ) , and retail customer data . 
Enterprise security teams do not have visibility into the risk due to the risk 's location in the mobile app vendor 's architecture stack . In multiple cases , data has already been accessedAttack.Databreachby unauthorized individuals and ransomedAttack.Ransom. Even apps that have been removed from devices and the app stores still pose an exposureAttack.Databreachrisk due to the sensitive data that remains stored on unsecured servers . The company saidVulnerability-related.DiscoverVulnerabilityits Mobile Threat Team identifiedVulnerability-related.DiscoverVulnerabilitythe HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method , looking at the network traffic on more than 1 million enterprise mobile apps , both iOS and Android . As with the misconfiguration problems identifiedVulnerability-related.DiscoverVulnerabilityin the RedLock reportVulnerability-related.DiscoverVulnerability, Appthority emphasizedVulnerability-related.DiscoverVulnerabilitythat all cases of HospitalGown vulnerabilities were caused by human errors , not malicious intent or inherent infrastructure problems . That human error was especially prevalent in two app implementations investigated by Appthority : Pulse Workspace ( for accessing enterprise network and Web applications ) and Jacto apps ( from an agricultural machinery company ) .
Developers are once again being blamedVulnerability-related.DiscoverVulnerabilityfor cloud back-end security vulnerabilities , this time in a new reportVulnerability-related.DiscoverVulnerabilityfrom Appthority . The company published investigation results that found nearly 43 TB of enterprise data was exposedAttack.Databreachon cloud back-ends , including personally identifiable information ( PII ) . This comes just shortly after a similar report from a different security company . In the new `` 2017 Q2 Enterprise Mobile Threat Report '' report ( free upon providing registration info ) , Appthority found `` data leakageAttack.Databreach`` from mobile apps that send data to unsecured cloud back-ends . While security concerns typically focus on a triad of other factors -- apps , device threats and network threats -- this data leakageAttack.Databreachon the back-end was dubbed the `` HospitalGown '' threat because of that garment 's open back-end . `` In total , we foundVulnerability-related.DiscoverVulnerabilityalmost 43 TB of data exposedAttack.Databreachand 1,000 apps affectedVulnerability-related.DiscoverVulnerabilityby the HospitalGown vulnerability , '' Appthority saidVulnerability-related.DiscoverVulnerabilityin a blog post last week . `` Looking at a subset of 39 apps , we still found 280 million records exposedAttack.Databreach, a total of about 163 GB of data . This is a staggering amount of leaked information , and in some cases represents the entirety of customer or operational data for an enterprise . '' The reportVulnerability-related.DiscoverVulnerabilityechoes the findings of an earlier reportVulnerability-related.DiscoverVulnerabilityby RedLock Inc. , which revealedVulnerability-related.DiscoverVulnerabilitymany security issues primarily caused by user misconfigurations on public cloud platforms . RedLock claimed it found 82 percent of hosted databases remain unencrypted , among many other problems . 
As with the RedLock report, developers were blamed for the HospitalGown vulnerabilities. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the back-end (hence its name) servers with which the app communicates and where sensitive data is stored," Appthority said. Unsecured Elasticsearch servers and MongoDB databases were prime targets of a series of ransomware attacks earlier this year that generated widespread publicity in the security field. However, that publicity apparently wasn't enough to significantly alleviate the issue. "As our findings show, weakly secured back-ends in apps used by employees, partners and customers create a range of security risks including extensive data leaks of personally identifiable information (PII) and other sensitive data," the report states. "They also significantly increase the risk of spear phishing, brute force login, social engineering, data ransom, and other attacks. And, HospitalGown makes data access and exfiltration far easier than other types of attacks."

Key findings of the report, as listed by the company, include the following. Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data; apps using just one of these services revealed almost 43 TB of exposed data. Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees' VPN PINs, emails and phone numbers), and retail customer data. Enterprise security teams do not have visibility into the risk because it sits in the mobile app vendor's architecture stack rather than in the enterprise's own environment. In multiple cases, data has already been accessed by unauthorized individuals and ransomed. Even apps that have been removed from devices and the app stores still pose an exposure risk because the sensitive data remains stored on unsecured servers.

The company said its Mobile Threat Team identified the HospitalGown vulnerabilities with a combination of its dynamic app analysis tool and a new back-end scanning method, looking at the network traffic of more than 1 million enterprise mobile apps, both iOS and Android. As with the misconfiguration problems identified in the RedLock report, Appthority emphasized that all cases of HospitalGown vulnerabilities were caused by human error, not malicious intent or inherent infrastructure problems. That human error was especially prevalent in two app implementations investigated by Appthority: Pulse Workspace (for accessing enterprise network and Web applications) and Jacto apps (from an agricultural machinery company).
That lingering Heartbleed flaw recently discovered in 200,000 devices is more insidious than that number indicates. According to a report posted by Shodan, the Heartbleed vulnerability first exposed in April 2014 was still found in 199,594 internet-accessible devices during a scan it performed last weekend. But according to open-source security firm Black Duck, about 11% of more than 200 applications it audited between Oct 2015 and March 2016 contained the flaw, which enables a buffer overread that endangers data from clients and servers running affected versions of OpenSSL. The company's vice president of security strategy, Mike Pittenger, says it's likely most of those machines have been remediated, but that doesn't address the countless other applications, commercial and proprietary, that Black Duck didn't audit. "However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time." That 11% is a number from the company's last published report. In a new report due out next month that hasn't been wrapped up yet, that number is likely to dip into the single digits, but is still significant. The problem is that commercial software in general uses a great deal of open source code, 35% on average, and the authors of the code don't necessarily have processes in place to track when vulnerabilities are found in that code and to then patch them, he says. He says Black Duck's study finds that two-thirds of these applications have open-source vulnerabilities of one kind or another and that the vulnerabilities average 5 years old.
In regard to Heartbleed in particular, he says the reports draw on anonymized data about its audits, so they don't reveal the specific applications in which the Heartbleed vulnerability was found. Running vulnerable applications in a regulated environment could have consequences for the enterprises using them, he says, because the security threat they represent could violate HIPAA or PCI security and privacy requirements. The Shodan report on the prevalence of Heartbleed showed that the individual entities hosting the largest number of Heartbleed-vulnerable devices were service providers. That may be because these machines were set up a while ago and are no longer in use but were never taken offline, Pittenger says.