Huawei denies helping governments of Uganda and Zambia spy on political opponents

Huawei Technologies sent a letter to The Wall Street Journal on Friday, refuting the publication’s bombshell report describing how China’s tech giant allegedly helped the governments of two African nations spy on their political opponents.

Huge Survey of Firmware Finds No Security Gains In 15 Years

A survey of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors. The Security Ledger reports: “Nobody is trying,” said Sarah Zatko, the Chief Scientist at the Cyber Independent Testing Lab (CITL), a non-profit organization that conducts independent tests of software security. “We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products,” she said. The CITL study surveyed firmware from 18 vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. In all, more than 6,000 firmware versions were analyzed, totaling close to 3 million binaries created from 2003 to 2018. It is the first longitudinal study of IoT software safety, according to Zatko. CITL researchers studied publicly available firmware images and evaluated them for the presence of standard security features such as the use of non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards, which prevent buffer overflow attacks.

The results were not encouraging. Time and again, firmware from commonly used manufacturers failed to implement basic security features even when researchers studied the most recent versions of the firmware. For example: firmware for the ASUS RT-AC55U Wi-Fi router did not employ ASLR or stack guards to protect against buffer overflow attacks. Nor did it employ a non-executable stack to protect against “stack smashing,” another variety of overflow attack. CITL found the same was true of firmware for Ubiquiti’s UAP AC PRO wireless access points, as well as D-Link’s DWL-6600 access point. Router firmware by vendors like Linksys and NETGEAR performed only slightly better on CITL’s assessment.
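A defender-side way to run the kind of check CITL describes against binaries extracted from your own firmware: the added Python below (not CITL's tooling, and not code from the Security Ledger article) reads an ELF image's program headers for PT_GNU_STACK, reports whether the executable is position independent (the precondition for ASLR relocating the main image), and looks for the stack-protector symbol as a canary heuristic. It builds its own constructed sample images so it runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that records the stack's permissions
PF_X = 0x1                  # executable bit in p_flags
ET_DYN = 3                  # ELF type used by shared objects and PIE executables

def check_hardening(blob: bytes) -> dict:
    """Report three of the mitigations CITL looked for in a single ELF image.
    nx_stack: True/False from PT_GNU_STACK, None if the header is absent (the
              loader default then applies, which on several architectures still
              means an executable stack).
    pie: ET_DYN main executable, needed for ASLR to randomize the image base.
    stack_canary: heuristic only; stripped static binaries may hide the symbol."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = blob[4] == 2
    end = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    e_type, = struct.unpack_from(end + "H", blob, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", blob, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", blob, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 42)
    nx_stack = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", blob, off)
        # p_flags follows p_type in Elf64_Phdr but sits at +24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", blob, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"nx_stack": nx_stack, "pie": e_type == ET_DYN,
            "stack_canary": b"__stack_chk_fail" in blob}

def build_sample(pie: bool, exec_stack: bool, canary: bool) -> bytes:
    """Constructed, non-loadable little-endian ELF64 image used as sample input."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # 64-bit, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1,
                               0, 64, 0, 0, 64, 56, 1, 64, 0, 0)  # one phdr at 64
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 | (PF_X if exec_stack else 0),
                       0, 0, 0, 0, 0, 16)
    return ehdr + phdr + (b"__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    # A hardened image versus one resembling the router firmware in the survey
    print("hardened:", check_hardening(build_sample(True, False, True)))
    print("unhardened:", check_hardening(build_sample(False, True, False)))
```

To survey real firmware, unpack the image and pass each ELF file's bytes to check_hardening; a False or None for nx_stack, or a False for pie, is the same finding the survey reports for the devices above.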

OWASP Appsec Tel Aviv 2019, Asher Genachowski’s & Chen Cohen’s ‘Breaking Out Of The Container Without Zero Day – Can That Happen To Me?’

Asher Genachowski is a Security Senior Principal, Cyber Readiness & Audit Lead at Accenture, and Chen Cohen is a Linux Cyber Security Consultant at Accenture.


*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/b-800ROOlHo

We Asked Def Con Attendees Why People Are Still Getting Hacked

This year’s Def Con—the world’s biggest hacking conference—was more sprawling than ever. Held annually in Las Vegas, the conference has grown over the last 27 years from a small gathering of hackers huddled into the Alexis Park hotel to a nearly 30,000-person swarm spread across multiple hotels on the Strip.

PCI Compliance Checklist

PCI DSS stands for Payment Card Industry Data Security Standard. These standards are in place to help businesses protect themselves and their customers by outlining how sensitive personal information, like credit card data, gets stored. If you process payments using debit or credit cards, you must meet PCI DSS, or you might be fined or have your ability to process cards revoked altogether.