BlackBerry pushes further into security as it announces an R&D initiative dubbed Centre for High Assurance Computing Excellence (CHACE) and acquires enterprise data security specialist WatchDox.

The aim of CHACE is to reverse the current fail-then-patch security approach by developing tools and techniques for "far higher level" security. It also promises "nation-state level sophistication" in vulnerability assessment and will collaborate with academic institutions and other industry groups.

“There’s a belief that the key to the world’s security issues is to patch faster, but this hamster wheel fails to address the root issue," the company says. "Systems that require regular patching always contain vulnerabilities unknown to developers, and some of these vulnerabilities are in fact known by would-be attackers."

Security researcher Cylance uncovers a variation of an old Windows weakness, Reuters reports-- "Redirect to SMB," a potential means for hackers to steal login detains from "hundred of millions" of PCs.

Redirect to SMB is similar to a 1997 vulnerability taking advantage of a Windows and Internet Explorer weakness allowing attackers to trick users into logging into a hacker-controlled server. However, while the previous vulnerability required clicking on a malicious link (from either email or website), the new variant does not even need that, as uses automated login requests sent by applications running in the background.

To do so it takes advantage of Windows Server Message Block (SMB) and 31 different applications, including Adobe Reader, Apple Quick Time, Apple Software Update for ITunes, Box Sync client, Microsoft's Internet Explorer 11, Excel 2010 and Windows Media Player and Symantec Norton Security Scan.

Cisco shifts its attention towards the SMB segment as it launches addition to its ASA with FirePOWER Services, a threat-focused next-generation firewall (NGFW) aimed at midsize companies and branch offices.

ASA with FirePOWER combines stageful firewall, application visibility and control (AVC), advanced malware protection (AMP) and next-generation intrusion prevention capabilities (NGIPS) into a single device. According to the company, it presents multi-layered protection and closes blind spots with many detection techniques, including continuous analysis, big data analytic and Cisco threat intelligence.

Furthermore it carries automated tuning and correlation capabilities while flagging previously unknown malware to reduce time to detection and time to resolution.

Danish security vendor Secunia records 15343 vulnerabilities across 3870 applications from 500 different vendors during 2014-- an 18% increase over 2013 and a 22% increase in the number of products.

Of that amount 25 vulnerabilities are of the zero-day variety (up from 14 for the previous year), 20 of which are in the 25 most popular products and 7 in operating systems. Such flaws are of the most dangerous kind, together with "Highly Critical" (11%) and "Extremely Critical" (0.3%) vulnerabilities.

The report also has some good news-- over 83% of the 15343 vulnerabilities got patched on day of disclosure.

"Every year, we see an increase in the number of vulnerabilities discovered, emphasising the need for organisations to stay on top of their environment," Secunia says. "IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed."

Read more...