Researchers to Supreme Court: Terms of service violations shouldn’t be CFAA crime

As the Supreme Court prepares to consider a controversial federal anti-hacking law, a group of prominent cybersecurity researchers and legal advocates is pleading with the court not to criminalize digital research in the public interest. In a brief filed with the court Wednesday led by digital rights group Electronic Frontier Foundation, the researchers warned that if violations of a company’s “terms of service” are deemed to be illegal, it risks chilling important research into voting systems, medical devices and other key equipment. “Despite widespread agreement about the importance of this work—including by the government itself— researchers face legal threat for engaging in socially beneficial security testing,” wrote the EFF, the nonprofit Center for Democracy & Technology, and cybersecurity companies Bugcrowd, Rapid7, SCYTHE and Tenable. Famous security researchers like Peiter “Mudge” Zatko and Chris Wysopal, who warned Congress of the internet’s insecurities in the 1990s as members of the L0pht hacking collective, […]

The post Researchers to Supreme Court: Terms of service violations shouldn’t be CFAA crime appeared first on CyberScoop.


Backdoor vulnerability in open source tool exposes thousands of apps to remote code execution

Roughly 28 million users have downloaded a malicious version of a popular open source framework that masquerades as the real thing but in fact gives hackers a back door into applications. A compromised version of the website development tool bootstrap-sass was published to the official RubyGems repository, a hub where programmers can share their application code. The open source security firm Snyk alerted developers to the issue Wednesday, advising users to update their systems away from the infected framework (version 3.2.0.3). “That doesn’t mean there are something like 27 million apps out there using this,” said Chris Wysopal, chief technology officer at app security company Veracode. “[But] when you’re using open source packages to build your applications, you’re inheriting many of the vulnerabilities. … But bootstrap-sass is a popular component used by enterprises and startups so there’s potentially thousands of applications affected by this.” While the vulnerability is serious — hackers […]
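The practical question for anyone running a Rails app is whether the bad release ended up pinned in their own Gemfile.lock, possibly as a transitive dependency of something else. The Ruby script below is an added example, not code from the CyberScoop article, Snyk, or the bootstrap-sass project: it parses the `specs:` section of a lockfile, flags any gem whose resolved version is on a small known-bad list, and reports which other gems pulled it in. The gem name and version on that list are the ones the article names; the lockfile it scans by default is constructed for illustration, and the list itself is an assumption standing in for a real advisory feed such as the one bundler-audit consults.

```ruby
# Added example (not from the article or the bootstrap-sass project).
# Scan a Gemfile.lock for the backdoored bootstrap-sass release and show
# which gems depend on it. SAMPLE_LOCKFILE is a constructed lockfile.

SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.5.1)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      execjs (2.7.0)
      rails-assets (1.0.0)
        bootstrap-sass (~> 3.2)
      sass (3.7.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass
    rails-assets

  BUNDLED WITH
     1.17.3
LOCK

# Known-bad releases. Only the entry from the article is listed; a real
# check would pull this from an advisory database (assumption).
BAD_RELEASES = { "bootstrap-sass" => ["3.2.0.3"] }.freeze

# Parse the "specs:" section of a Gemfile.lock into
# { gem_name => { version: "x.y.z", deps: ["dep_name", ...] } }.
# Bundler indents resolved gems by 4 spaces and their dependencies by 6.
def parse_lockfile(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.rstrip
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    # A non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the specs list.
    if in_specs && line =~ /^\S/
      in_specs = false
      current = nil
    end
    next unless in_specs
    case line
    when /^    (\S+) \(([^)]+)\)$/      # resolved gem: "name (version)"
      current = Regexp.last_match(1)
      specs[current] = { version: Regexp.last_match(2), deps: [] }
    when /^      (\S+)/                  # dependency of the current gem
      specs[current][:deps] << Regexp.last_match(1) if current
    end
  end
  specs
end

# Return [[name, version, [dependents...]], ...] for every pinned version
# that appears in the known-bad list, so the caller can see who pulled it in.
def find_bad_pins(specs, bad = BAD_RELEASES)
  specs.each_with_object([]) do |(name, info), out|
    next unless bad.fetch(name, []).include?(info[:version])
    dependents = specs.select { |_, s| s[:deps].include?(name) }.keys.sort
    out << [name, info[:version], dependents]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to scan a real lockfile; otherwise use the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  hits = find_bad_pins(parse_lockfile(text))
  if hits.empty?
    puts "no known-bad pins found"
  else
    hits.each { |n, v, deps| puts "#{n} #{v} is pinned; pulled in by: #{deps.join(', ')}" }
  end
end
```

Run it against a real lockfile with `ruby scan_lockfile.rb Gemfile.lock`. The dependents list matters because a top-level `bundle update bootstrap-sass` will not move past a bad version if another gem's constraint (here the constructed `rails-assets` with `~> 3.2`) keeps pulling it back; that is the situation in which a lockfile audit catches what a quick look at the Gemfile misses.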

The post Backdoor vulnerability in open source tool exposes thousands of apps to remote code execution appeared first on CyberScoop.


Veracode sells to CA Technologies for $614 million

CA Technologies Inc. announced Monday it had purchased the security firm Veracode for $614 million in cash. The move comes two years after Veracode reportedly came close to an IPO and was valued around $800 million. Veracode launched a decade ago to offer developers automated security analysis of applications. CA Technologies, based in New York City, is a $4.5 billion behemoth focused mostly on business-to-business deals, keeping it largely out of the public eye. Veracode made headlines recently when Cloudflare, fresh off a high-profile data leak, announced the Burlington, Mass.-based company would independently audit its code. Veracode co-founder Chris Wysopal was part of the hacker think tank L0pht, which in 1998 told the U.S. Senate about the cybersecurity disasters looming as the internet approached ubiquity. The punkish group of hackers was the first — aside from members of federal witness protection programs — to go before Congress using pseudonyms (Wysopal was “Weld Pond”). The group […]

The post Veracode sells to CA Technologies for $614 million appeared first on Cyberscoop.
