AWS’ CodeGuru uses machine learning to automate code reviews

AWS today announced CodeGuru, a new machine learning-based service that automates code reviews based on the data the company has gathered from doing code reviews internally.

Developers write the code and simply add CodeGuru to the pull requests. It supports GitHub and CodeCommit, for the time being. CodeGuru uses its knowledge of reviews from Amazon and about 10,000 open-source projects to find issues, then comments on the pull request as needed. It will obviously identify the issues, but it also will suggest remediations and offer links to the relevant documentation.

Encoded in CodeGuru are AWS’s own best practices. Among other things, it also finds concurrency issues, incorrect handling of resources and issues with input validation.

AWS and Amazon’s consumer side have used the profiler part of CodeGuru for the last few years to find the “most expensive line of code.” Even as some of the company’s applications grew, some teams were able to increase their CPU utilization by more than 325% at 36% lower cost.

Verizon and AWS announce 5G Edge computing partnership

Just as Qualcomm was starting to highlight its 5G plans for the coming years, Verizon CEO Hans Vestberg hit the stage at AWS re:Invent to discuss the carrier’s team up with the cloud computing giant.

As part of Verizon’s (TechCrunch’s parent company, disclosure, disclosure, disclosure) upcoming focus on 5G edge computing, the carrier will be the first to use the newly announced AWS Wavelength. The platform is designed to let developers build super-low-latency apps for 5G devices.

Currently, it’s being piloted in Chicago with a handful of high-profile partners, including the NFL and Bethesda, the game developer behind Fallout and Elder Scrolls. No details yet on those specific applications (though remote gaming and live streaming seem like the obvious ones), but potential future uses include things like smart cars, IoT devices, AR/VR — you know, the sorts of things people cite when discussing 5G’s life beyond the smartphone.

“AWS Wavelength provides the same AWS environment — APIs, management console and tools — that they’re using today at the edge of the 5G network,” AWS CEO Andy Jassy said onstage. “Starting with Verizon’s 5G network locations in the U.S., customers will be able to deploy the latency-sensitive portions of an application at the edge to provide single-digit millisecond latency to mobile and connected devices.”

As Vestberg joined Jassy onstage, Verizon CNO Nicki Palmer joined Qualcomm in Hawaii to discuss the carrier’s mmWave approach to next-gen wireless. The technology has raised some questions around its coverage area, which Verizon has addressed to some degree through partnerships with third parties like Boingo.

The company plans to have coverage in 30 U.S. cities by end of year. That number is currently at 18.

AWS announces new enterprise search tool powered by machine learning

Today at AWS re:Invent in Las Vegas, the company announced a new search tool called Kendra, which provides natural language search across a variety of content repositories using machine learning.

Matt Wood, AWS VP of artificial intelligence, said the new search tool uses machine learning, but doesn’t actually require machine learning expertise of any kind. Amazon is taking care of that for customers under the hood.

You start by identifying your content repositories. This could be anything from an S3 storage repository to OneDrive to Salesforce — anywhere you store content. You can use pre-built connectors from AWS, provide your credentials and connect to all of these different tools.

Kendra then builds an index based on the content it finds in the connected repositories, and users can begin to interact with the search tool using natural language queries. The tool understands concepts like time, so if the question is something like “When is the IT Help Desk open?”, the search engine understands that this is about time, checks the index and delivers the right information to the user.

The beauty of this search tool is not only that it uses machine learning, but based on simple feedback from a user, like a smiley face or sad face emoji, it can learn which answers are good and which ones require improvement, and it does this automatically for the search team.

Once you have it set up, you can drop the search on your company intranet or you can use it internally inside an application and it behaves as you would expect a search tool to do, with features like type ahead.

OrbitsEdge partners with HPE on orbital data center computing and analytics

What kinds of businesses might be able to operate in space? Well, data centers are one potential target you might not have thought of. Space provides an interesting environment for data center operations, including advanced analytics operations and even artificial intelligence, due in part to the excellent cooling conditions and reasonable access to a renewable power supply (solar). But there are challenges, which is why a new partnership between Florida-based space startup OrbitsEdge and Hewlett Packard Enterprise (HPE) makes a lot of sense.

The partnership will make OrbitsEdge a hardware supplier for HPE’s Edgeline Converged Edge Systems, and basically it means that the space startup will be handling everything required to “harden” the standard HPE micro-data center equipment for use in outer space. Hardening is a standard process for getting stuff ready to use in space, and essentially prepares equipment to withstand the increased radiation, extreme temperatures and other stressors that space adds to the mix.

OrbitsEdge, founded earlier this year, has developed a proprietary piece of hardware called the “SatFrame” which is designed to counter the stress of a space-based operating environment, making it relatively easy to take off-the-shelf Earth equipment like the HPE Edgeline system and get it working in space without requiring a huge amount of additional, custom work.

In terms of what this will potentially provide, the partnership will mean it’s more feasible than ever to set up a small-scale data center in orbit to handle at least some of the processing of space-based data right near where it’s collected, rather than having to shuttle it back down to Earth. That downlink process can be expensive, and even finding companies and infrastructure to handle it is difficult. As with in-space manufacturing, doing things locally could save a lot of overhead and unlock tons of potential down the line.

AWS launches discounted spot capacity for its Fargate container platform

AWS today quietly brought spot capacity to Fargate, its serverless compute engine for containers that supports both the company’s Elastic Container Service and, now, its Elastic Kubernetes Service.

Like Spot Instances for the EC2 compute platform, Fargate Spot pricing is significantly cheaper than regular Fargate pricing, for both vCPU and memory. In return, though, you have to accept that your tasks may be interrupted when AWS needs the capacity back. While that means Fargate Spot may not be perfect for every workload, there are plenty of applications that can easily handle an interruption.

“Fargate now has on-demand, savings plan, spot,” AWS VP of Compute Services Deepak Singh told me. “If you think about Fargate as a compute layer for, as we call it, serverless compute for containers, you now have the pricing worked out and you now have both orchestrators on top of it.”

He also noted that containers already drive a significant percentage of spot usage on AWS in general, so adding this functionality to Fargate makes a lot of sense (and may save users a few dollars here and there). Pricing, of course, is the major draw here: a vCPU-hour on Fargate Spot will only cost $0.01245364 (yes, AWS is pretty precise there) compared to $0.04048 for the on-demand price.

With this, AWS is also launching another important new feature: capacity providers. The idea here is to automate capacity provisioning for Fargate and EC2, both of which now offer on-demand and spot capacity, after all. You simply write a strategy that, for example, says you want to run 70% of your tasks on on-demand capacity and the rest on Spot. The scheduler will then keep that split as Spot capacity comes and goes, and if no Spot capacity is available, it will place tasks on on-demand capacity and move them back to Spot once it is available again.

In the future, you will also be able to mix and match EC2 and Fargate. “You can say, I want some of my services running on EC2 on demand, some running on Fargate on demand, and the rest running on Fargate Spot,” Singh explained. “And the scheduler manages it for you. You squint hard, capacity is capacity. We can attach other capacity providers.” Outposts, AWS’ fully managed service for running AWS services in your own data center, could be a capacity provider, for example.
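To make the strategy concrete, here is an added example (not AWS code) that models the base/weight semantics of an ECS capacity provider strategy in Python: a constructed strategy that keeps one task on on-demand Fargate and splits the rest 70/30 between on-demand and Spot, plus a small placement simulator. The shape of the strategy list matches what the ECS API and `aws ecs create-service --capacity-provider-strategy` accept; how ECS rounds a split that is not a whole number is not documented on this page, so the leftover handling is an assumption and is marked as such in the code.

```python
"""Model of an ECS capacity provider strategy. Added example, not AWS code.

The strategy list has the shape the ECS API accepts (capacityProvider, base,
weight). Semantics per the ECS documentation: `base` is the minimum number of
tasks to run on that provider (only one provider may set it); the remaining
tasks are split across providers in proportion to `weight`. How ECS rounds a
split that is not a whole number is an ASSUMPTION here: leftover tasks go to
the providers with the largest fractional share.
"""
from typing import Dict, List

# Constructed strategy: always keep one task on on-demand Fargate, and place
# everything else 70/30 across on-demand and Spot (weights 7 and 3).
STRATEGY: List[Dict[str, object]] = [
    {"capacityProvider": "FARGATE", "base": 1, "weight": 7},
    {"capacityProvider": "FARGATE_SPOT", "base": 0, "weight": 3},
]


def validate_strategy(strategy: List[Dict[str, object]]) -> None:
    """Reject strategies ECS would reject, before they reach the API."""
    if not strategy:
        raise ValueError("strategy needs at least one capacity provider")
    if sum(1 for p in strategy if int(p.get("base", 0)) > 0) > 1:
        raise ValueError("only one capacity provider may define a base")
    if any(int(p.get("base", 0)) < 0 or int(p.get("weight", 0)) < 0 for p in strategy):
        raise ValueError("base and weight must be non-negative")
    if sum(int(p.get("weight", 0)) for p in strategy) == 0:
        raise ValueError("at least one capacity provider needs a positive weight")


def place_tasks(strategy: List[Dict[str, object]], desired_count: int) -> Dict[str, int]:
    """Return how many of `desired_count` tasks land on each provider."""
    validate_strategy(strategy)
    placement = {str(p["capacityProvider"]): 0 for p in strategy}
    remaining = desired_count
    # 1. Satisfy the base first (a base larger than desired_count is capped).
    for p in strategy:
        n = min(int(p.get("base", 0)), remaining)
        placement[str(p["capacityProvider"])] += n
        remaining -= n
    # 2. Split what is left by weight, taking whole tasks (floors) first.
    total_weight = sum(int(p.get("weight", 0)) for p in strategy)
    exact = {
        str(p["capacityProvider"]): remaining * int(p.get("weight", 0)) / total_weight
        for p in strategy
    }
    floors = {name: int(v) for name, v in exact.items()}
    # 3. ASSUMPTION: leftover tasks go to the largest fractional shares.
    leftover = remaining - sum(floors.values())
    for name in sorted(exact, key=lambda n: exact[n] - floors[n], reverse=True)[:leftover]:
        floors[name] += 1
    for name, n in floors.items():
        placement[name] += n
    return placement


if __name__ == "__main__":
    for count in (1, 4, 10):
        print(count, place_tasks(STRATEGY, count))
```

For 10 tasks the constructed strategy yields 7 on FARGATE and 3 on FARGATE_SPOT, and the base task guarantees that a Spot shortage never takes the service to zero. The validation catches the one mistake the ECS API rejects outright: two providers each declaring a base.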

These new features and prices will be officially announced in Thursday’s re:Invent keynote, but the documentation and pricing is already live today.

The iPhone 11 Pro’s Location Data Puzzler

One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.

The privacy policy available from the iPhone’s Location Services screen says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching “Location Services” to “off”). When one does this, the location services indicator — a small diagonal upward arrow to the left of the battery icon — no longer appears unless Location Services is re-enabled.

The policy continues: “You can also disable location-based system services by tapping on System Services and turning off each location-based system service.” But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location.

On Nov. 13, KrebsOnSecurity contacted Apple to report this as a possible privacy bug in the new iPhone 11 Pro and/or in iOS 13.x, sharing a video showing how the device still seeks the user’s location when each app and system service is set to “never” request location information (but with the main Location Services setting still turned on).

The video above was recorded on a brand new iPhone 11 Pro. The behavior appears to persist in the latest iPhone operating system (iOS 13.2.3) on iPhone 11 Pro devices. A review of Apple’s support forum indicates other users are experiencing the same issue. I was not able to replicate this behavior on an older model iPhone 8 with the latest iOS.

This week Apple responded that the company does not see any concerns here and that the iPhone was performing as designed.

“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added].

Apple has not yet responded to follow-up questions, but it seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services.

Granted, the latest versions of iOS give users far more granular control over the sharing of this data than in the past, especially with respect to third-party apps. And perhaps this oddity is somehow related to adding support for super-fast new WiFi 6 routers, which may have involved the introduction of new hardware.

But it would be nice to know what has changed in the iPhone 11 and why, particularly given Apple’s recent commercials on how they respect user privacy choices — including location information. This post will be updated in the event Apple provides a more detailed response.

IoT in the Enterprise | How Dangerous Are Today’s ‘Smart’ Devices to Network Security?

As we’ve noted in a previous post, IoT devices greatly increase the security challenges of defending corporate networks. However, this well-known fact does not seem to have slowed down the adoption of IoT in the enterprise. A recent PwC survey reported that 71% of manufacturers plan to deploy IoT devices despite the associated cyber risks.

So it seems like the IoT train has left the station and is rushing full steam ahead towards the horizon. In order to continue to travel safely, enterprises must understand the risks of deploying IoT devices and how to mitigate them. This assessment process should consider the devices that create the risk, an analysis of the type of attacks that they can be used for and the potential implications and regulatory risks.


IoT Devices That Are Susceptible to Hacking

Let’s start by identifying the devices that pose the greatest risks to enterprise networks.

1. Printers

The shy, corner printer could be your greatest adversary. NCC Group researchers identified vulnerabilities and exploitations related to six of the largest enterprise printer makers in the world: Xerox, HP, Lexmark, Kyocera, Brother, and Ricoh. These vulnerabilities include susceptibility to Denial of Service (DoS) attacks and a potential for those devices to be used as entry points into corporate networks, with remote code execution and the bypassing of security layers.

A compromised IoT printer could allow threat actors to spy on your print jobs, send electronic copies of documents to themselves or establish a backdoor into the corporate network.

Hackers have known about these vulnerabilities for quite some time, and have abused these in several APT campaigns. Russian government-linked hackers used printers with weak security to access several global enterprise networks, then tried infiltrating more privileged accounts, according to a Microsoft report.  

2. Security Cameras

IP cameras are used in many enterprises as security and safety devices. It’s unsettling to think that these same devices could be used to bypass security mechanisms and put your company at risk. But this is exactly what has happened (and will likely happen again). Back in September 2016, numerous security cameras were breached and “recruited” to a botnet the likes of which had never been seen before. The infamous Mirai botnet launched what was, back then, the world’s largest DDoS attack, and most of the owners of these devices were not even aware of it. Mirai used a simple script that identified security cameras still using their built-in default credentials and logged in with those credentials to take control of the devices.

Ever since, manufacturers worldwide have done a lot to improve the basic security of these devices, but very recently a number of wireless cameras and baby monitors tested by consumer group Which? were found to contain multiple security flaws that could allow hackers to spy on employees and abuse these devices in other ways.

3. Personal Assistants

Personal assistants like Amazon’s Alexa-powered Echo devices are becoming increasingly popular at home, and these devices are also finding their way into enterprises. Unfortunately, personal assistants have also been found to be vulnerable to cyber attackers.

For instance, security researchers exploited a flaw in the Amazon Echo at a hacking contest. Previous generations of the Amazon Echo are susceptible to an older Wi-Fi vulnerability called KRACK, which allows an attacker to perform a man-in-the-middle attack against a WPA2-protected network.

Key Reinstallation Attack (KRACK) exploits flaws in the WPA2 Wi-Fi protocol (CVE-2017-13077, CVE-2017-13078) that let an attacker force a client to reuse an already-used key and nonce, allowing threat actors to decrypt packets and read any data that is not protected by an additional layer such as TLS. KRACK affects millions of first-generation Amazon Echo devices and eighth-generation Amazon Kindles.

4. Wearables and Mobile Phones

While the risk of mobile phones and “BYOD” to the enterprise has been acknowledged (but mostly overlooked by many enterprises), their next of kin, wearables, may also pose a considerable risk. Even though wearables don’t store data like emails and files, they can connect to corporate networks and endpoints using Wi-Fi or Bluetooth connections and expose these to the outside world.

5. Novelty Office Items

Threats come in all shapes and sizes, and that includes those novelty items that might make your office seem “cooler” or more efficient but may contain a hidden security risk. A startling example of this is the case of the smart fish tank that was exploited to achieve data exfiltration from a Casino in Las Vegas. The tank’s Internet connectivity allowed it to be remotely monitored, automatically adjusted for temperature and salinity, and to dispense automated feedings. That doesn’t sound too risky and probably seemed like a good way to automate some tiresome chores. However, there were unexpected consequences: the ‘Smart’ fish tank also enabled hackers to swipe 10 gigabytes of data from the casino and to send that data to a remote server in Finland.

How Can IoT Devices Be Used to Attack the Enterprise?

After covering the types of IoT devices that are susceptible to hacking, let’s see what the implications of such hacks could be:

Infiltrating Corporate Networks

The biggest risk from an enterprise point of view is that connected devices could be used to gain access to corporate networks. Moreover, as these devices are usually running a minimal Linux install with little RAM or disk space, they cannot be secured by traditional means, since it’s impossible to install AV or endpoint security solutions on them.

In addition, many existing network management and security tools are “blind” to these devices, meaning that a compromised device could operate in the network for prolonged periods of time and be used to siphon data from the organization to an external party. For almost a year, an attacker was able to remain undetected on the internal network of NASA’s Jet Propulsion Laboratory by means of a Raspberry Pi. A lack of visibility across JPL’s network meant the device’s activity, initially connected legitimately by an employee but later compromised by a hacker, went unnoticed by security teams. If it can happen to NASA, it could happen to any other enterprise that doesn’t ensure full visibility across the network.

Becoming a Target for Ransomware

A recent Forrester report suggests that enterprise IoT devices might fall victim to ransomware attacks. Rather than demanding bitcoin to decrypt files, attackers could force organizations to pay in order to resume control of their devices. This might not seem like a plausible attack scenario until you think about a smart elevator or HVAC (air conditioning) system being held to ransom, and suddenly it might not sound crazy after all.

Being Recruited into a Botnet

Recruiting your connected devices to a botnet could impact their performance and usability, the network performance and even expose your organization to legal liabilities such as if negligence led to these devices participating in a denial of service attack.

Causing Loss of Resources Through Cryptojacking

In a similar manner, a device that mines crypto currencies will use more resources (power, bandwidth), which in turn can have an adverse effect on the performance of both the individual device and the network at large.  

Facilitating Personal and Business Data Leaks

Of course, connected devices pose more than a security risk; they also pose a privacy risk. Recent research found that 65% of those surveyed were concerned with how connected devices collect data, while 55% did not trust those devices to protect their privacy. Meanwhile, 63% of those surveyed said they find IoT devices, which are projected to number in the tens of billions worldwide, to be “creepy.” Given that there have been numerous cases of such devices recording their owners without their knowledge or consent, this is hardly surprising.

IoT devices can leak stored data such as device status, device identifier and personally identifiable information provided by the user, sensor data like audio recordings or video surveillance, and interaction data such as when, where and how the device was activated.

These leaks do not necessarily have to be a result of malicious hacking activity to present a risk. Device manufacturers may be able to access and retrieve such data, which may or may not be shared by the manufacturer with partners or third parties without the device owner being aware.

Even locations that ought to be recorded (like border crossings) can be a cause for concern, as was demonstrated when a subcontractor of U.S. Customs and Border Protection (CBP) was hacked and images of 100,000 people, along with their vehicle license plate numbers, were stolen.

Are Regulators Addressing the Risks from IoT Devices?

As the risks are becoming more tangible, regulators and law-makers are being called upon to establish laws and regulations to mitigate the risk.

A recent hearing on IoT security by the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security highlighted the risks stemming from connected devices and the need for devices with built in security.

States are also taking notice: California’s IoT Security Law requires that a reasonable security feature must be “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

Other regulations like California’s CCPA and the EU’s GDPR are concerned with the privacy and integrity of users’ data (which includes employees and customers), which can also be impacted by IoT devices. Above all, the question lingers whether an organization is liable for a device residing on its network that is subsequently recruited to a botnet and then participates in a DDoS attack on another organization.

How To Protect The Enterprise from IoT Devices

Procuring IoT devices should always be done with great care. Ensure that the manufacturer does not use hardcoded admin passwords, and that the device does not ‘phone home’ any data that could represent a breach of your security or privacy regulations. Assess the manufacturer’s track record of supplying firmware updates, and choose one that takes security seriously and responsibly.

On acquisition of any IoT device, make certain to change any default passwords so that your device is not susceptible to the simple brute-force dictionary attacks used by Mirai and similar copycat IoT botnets.

It is also essential that you find out from the manufacturer or supplier what their notification policy is regarding firmware updates and that you have processes in place to patch as soon as possible when an update notification is received.

Where possible, consider the options for physical hardening of the device to prevent tampering and unauthorized access. Is the device located externally to the premises (for example, security cameras in parking lots or other publicly accessible areas)? If so, consider how and under what circumstances you would be able to detect if it had been tampered with.

Securing your IoT devices also encompasses your process for decommissioning used and obsolete equipment. IoT devices can contain sensitive data about your network or business, so they need to be disposed of carefully. In one experiment, researchers reverse engineered a simple ‘smart’ light bulb after use, and were able to retrieve the WPA2 key for the network it had been connected to as well as the root certificate and RSA private key hardcoded by the device manufacturer.

Check to see whether the manufacturer provides a means to reset the device to factory defaults or otherwise wipe any stored data and be sure to dispose of your unwanted IoT devices securely.

Given such considerations, purchasing dedicated IoT security solutions might be suitable for some organizations, especially ones with specialized devices such as medical equipment. For others, seek solutions such as SentinelOne Ranger that leverages existing infrastructure and architecture to provide visibility into IoT devices on your network. Ranger allows enterprises to monitor and manage IoT devices before they become a security hazard.

Summary

There’s no doubt that IoT ‘smart’ devices are here to stay in enterprise environments, and along with that comes a number of security risks, as we’ve outlined above. The recent International Botnet and IoT Security Guide by the CSDE (Council to Secure the Digital Economy) states that botnets are more frequently targeting enterprise IoT and other IoT devices with more complex processors and architectures. And indeed, the risk will increase as more devices find their way into corporate environments.

It’s vital that your enterprise is aware of the risks IoT devices present and that it develops policies to govern how these devices are procured, monitored and decommissioned. If you would like to know more about how SentinelOne’s Ranger technology can help keep your IoT devices secure, contact us today.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

New Amazon tool simplifies delivery of containerized machine learning models

As part of the flurry of announcements coming this week out of AWS re:Invent, Amazon announced the release of Amazon SageMaker Operators for Kubernetes, a way for data scientists and developers to simplify training, tuning and deploying containerized machine learning models.

Packaging machine learning models in containers can help put them to work inside organizations faster, but getting there often requires a lot of extra management to make it all work. Amazon SageMaker Operators for Kubernetes is supposed to make it easier to run and manage those containers, the underlying infrastructure needed to run the models and the workflows associated with all of it.

“While Kubernetes gives customers control and portability, running ML workloads on a Kubernetes cluster brings unique challenges. For example, the underlying infrastructure requires additional management such as optimizing for utilization, cost and performance; complying with appropriate security and regulatory requirements; and ensuring high availability and reliability,” AWS’ Aditya Bindal wrote in a blog post introducing the new feature.

When you combine that with the workflows associated with delivering a machine learning model inside an organization at scale, it becomes part of a much bigger delivery pipeline, one that is challenging to manage across departments and a variety of resource requirements.

This is precisely what Amazon SageMaker Operators for Kubernetes has been designed to help DevOps teams do. “Amazon SageMaker Operators for Kubernetes bridges this gap, and customers are now spared all the heavy lifting of integrating their Amazon SageMaker and Kubernetes workflows. Starting today, customers using Kubernetes can make a simple call to Amazon SageMaker, a modular and fully-managed service that makes it easier to build, train, and deploy machine learning (ML) models at scale,” Bindal wrote.

The promise of Kubernetes is that it can orchestrate the delivery of containers at the right moment, but if you haven’t automated delivery of the underlying infrastructure, you can over (or under) provision and not provide the correct amount of resources required to run the job. That’s where this new tool, combined with SageMaker, can help.

“With workflows in Amazon SageMaker, compute resources are pre-configured and optimized, only provisioned when requested, scaled as needed, and shut down automatically when jobs complete, offering near 100% utilization,” Bindal wrote.

Amazon SageMaker Operators for Kubernetes are available today in select AWS regions.

CircleCI launches improved AWS support

For about a year now, continuous integration and delivery service CircleCI has offered Orbs, a way to easily reuse commands and integrations with third-party services. Unsurprisingly, some of the most popular Orbs focus on AWS, as that’s where most of the company’s developers are either testing their code or deploying it. Today, right in time for AWS’s annual re:Invent developer conference in Las Vegas, the company announced that it has now added Orb support for the AWS Serverless Application Model (SAM), which makes setting up automated CI/CD platforms for testing and deploying to AWS Lambda significantly easier.

In total, the company says, more than 11,000 organizations started using Orbs since it launched a year ago. Among the AWS-centric Orbs are those for building and updating images for the Amazon Elastic Container Services and the Elastic Container Service for Kubernetes (EKS), for example, as well as AWS CodeDeploy support, an Orb for installing and configuring the AWS command line interface, an Orb for working with the S3 storage service and more.

“We’re just seeing a momentum of more and more companies being ready to adopt [managed services like Lambda, ECS and EKS], so this became really the ideal time to do most of the work with the product team at AWS that manages their serverless ecosystem and to add in this capability to leverage that serverless application model and really have this out of the box CI/CD flow ready for users who wanted to start adding these into Lambda,” CircleCI VP of business development Tom Trahan told me. “I think when Lambda was in its earlier days, a lot of people would use it and they would use it and not necessarily follow the same software patterns and delivery flow that they might have with their traditional software. As they put more and more into Lambda and are really putting a lot more of what I would call ‘production quality code’ out there to leverage, they realize they do want to have that same software delivery capability and discipline for Lambda as well.”

Trahan stressed that he’s still talking about early adopters and companies that started out as cloud-native companies, but these days, this group includes a lot of traditional companies, as well, that are now rapidly going through their own digital transformations.

The Good, the Bad and the Ugly in Cybersecurity – Week 48


The Good

Aside from their vast resources, the one characteristic that usually marks out an APT group is stealth. Good news this week, then, as it was reported that some 12,000 Google users were warned of government-backed threat actors targeting their accounts during the third quarter of 2019. Google’s Threat Analysis Group (TAG) keeps tabs on over 270 state-sponsored APTs and alerts users if their accounts have been hit with phishing emails, malware or other malicious methods. Users in 149 countries were sent warnings of phishing attempts, the vast majority of which (90%) were attempts to steal passwords or other credentials in order to hijack their accounts. The most heavily targeted countries were the US, Pakistan, South Korea and Vietnam. Google says the number of threats detected was consistent with the same period last year, so it’s also at least a little comforting to know that there hasn’t been any significant rise in APT attacks on Google users.

[Figure: Distribution of government-backed phishing targets in Q3 (Jul-Sep 2019). Source: Google TAG.]

The Bad

If you spend much time looking up CVEs, you might have noticed an increasing trend recently: a CVE entry exists, but it is marked as “RESERVED”, which means that details about the vulnerability have not yet been populated to the database. There’s nothing unusual in that, but according to one rival source of vulnerability intelligence, the publicly accessible CVE list has almost 1,000 new vulnerabilities listed in 2019 that are still in RESERVED status but whose details have already been made public elsewhere. Worse, there are estimated to be around 7,000 disclosed vulnerabilities this year that have no CVE ID at all. The danger here is that with such a large number of vulnerabilities missing from the CVE database, organizations that rely solely on that information for vulnerability intelligence (for example, a scanner whose feed is keyed on CVE IDs) could be leaving themselves open to attacks. Although CVE does provide mechanisms for reporting omissions, and stresses that its purpose is not to function as a vulnerability database, it’s clear from the sheer scale of missing data that MITRE has some catching up to do if CVE is not to lose relevance.


The Ugly

It’s the kind of news that can leave you speechless, at least in polite company: a major security vendor hardcoded the encryption key that is meant to keep user data safe right into several of its products. It was revealed this week that this is precisely what Fortinet had done, and it took them 18 months to fix it! FortiOS for FortiGate firewalls and the FortiClient endpoint protection software for both Mac and Windows used a simple XOR cipher with a hardcoded key to encrypt traffic between the products and the company’s cloud services. An observer of that traffic could not only use the hardcoded key to reveal its contents; worse, because a bare XOR cipher offers no integrity protection, they could have altered the traffic in transit to suppress malware detections or mark malicious URLs as clean. At least the year and a half it took to finally patch all the affected products ensured that CVE had this one covered; see CVE-2018-9195.
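Both the Fortinet issue above and KRACK (covered in the IoT piece earlier on this page) come down to the same thing: XOR with a keystream the attacker can reproduce, in one case because the key is hardcoded into every install, in the other because a nonce reset makes the device reuse a keystream. The following Python is an added example, not Fortinet, Amazon or Wi-Fi Alliance code; the key, nonce, message format and verdict field names are constructed, and SHA-256 in counter mode stands in for whatever keystream a real product uses. It shows the three failures a practitioner should expect (decrypt with the extracted key, flip a verdict without the key, recover a second plaintext from keystream reuse) and what the fix looks like (a per-device key plus an authentication tag).

```python
"""XOR with a fixed or reused keystream gives neither confidentiality nor
integrity. Added example, not Fortinet, Amazon or Wi-Fi Alliance code; the
key, nonce, message format and verdict field are constructed for illustration.

Scenario A (hardcoded key): anyone who pulls the key out of the shipped
binary decrypts every install's traffic and, because XOR is malleable, can
flip a verdict field without the receiver noticing.
Scenario B (keystream reuse, the effect of a KRACK nonce reset): given two
messages under the same keystream, c1 XOR c2 = p1 XOR p2, so one known
plaintext reveals the other even without the key.
"""
import hashlib
import hmac
import itertools

# Constructed stand-in for a product's hardcoded key: identical on every install.
HARDCODED_KEY = b"constructed-hardcoded-key"
NONCE = b"\x00" * 8  # a nonce the sender reuses after a key reinstallation
VERDICT_BLOCK = b"url=http://evil.example/;verdict=BLOCK"
VERDICT_ALLOW = b"url=http://good.example/;verdict=ALLOW"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in PRF. The weaknesses below do not
    depend on the PRF, only on XOR with a (key, nonce) pair that is reused."""
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a XOR stream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_field(ciphertext: bytes, known_plaintext: bytes, old: bytes, new: bytes) -> bytes:
    """Scenario A, tampering: XOR the ciphertext at the field's offset with
    old^new so it decrypts to `new`. Needs the plaintext layout, not the key."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the field length")
    offset = known_plaintext.index(old)
    out = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(old, new)):
        out[offset + i] ^= a ^ b
    return bytes(out)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Scenario B: two ciphertexts under one keystream leak p1^p2, so p1 gives p2."""
    n = min(len(c1), len(c2), len(p1))
    return bytes(c1[i] ^ c2[i] ^ p1[i] for i in range(n))


# --- What the fix looks like: a per-device key plus an authentication tag ---

def _subkeys(device_key: bytes):
    # Separate keys for encryption and MAC, derived from a per-device secret.
    return (hashlib.sha256(b"enc" + device_key).digest(),
            hashlib.sha256(b"mac" + device_key).digest())


def seal(device_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. A real design would use an AEAD (e.g. AES-GCM) and
    never reuse a nonce; this only shows that tampering now fails verification."""
    enc_key, mac_key = _subkeys(device_key)
    ct = xor_crypt(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(device_key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key = _subkeys(device_key)
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was altered")
    return xor_crypt(enc_key, nonce, ct)


def demo() -> dict:
    c_block = xor_crypt(HARDCODED_KEY, NONCE, VERDICT_BLOCK)
    c_allow = xor_crypt(HARDCODED_KEY, NONCE, VERDICT_ALLOW)
    tampered = flip_field(c_block, VERDICT_BLOCK, b"BLOCK", b"ALLOW")
    sealed = seal(b"per-device-key-0001", NONCE, VERDICT_BLOCK)
    try:
        open_sealed(b"per-device-key-0001", NONCE,
                    flip_field(sealed, VERDICT_BLOCK, b"BLOCK", b"ALLOW"))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "read_with_hardcoded_key": xor_crypt(HARDCODED_KEY, NONCE, c_block),
        "tampered_verdict": xor_crypt(HARDCODED_KEY, NONCE, tampered),
        "recovered_without_key": recover_with_known_plaintext(c_block, c_allow, VERDICT_BLOCK),
        "tamper_detected_with_mac": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)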


Time could literally be running out for your Hewlett Packard Enterprise SSDs. Some of the company’s products have a flaw that will kick in after exactly 32,768 hours of operation; put another way, that’s 3 years, 270 days and 8 hours of run time. At that point, the drive will fail and all data on it will be lost.


HPE say that if the firmware defect occurs neither the SSD nor the data are recoverable. Worryingly, any organization that deployed multiple drives with an HPE firmware version prior to HPD8 at the same time will likely experience the drives all failing near simultaneously. The company advises that such catastrophic data loss can be avoided by applying HPE’s critical firmware upgrade without delay.

