Code Review
Posted by Robert Vamosi on May 24th, 2016

Standards are, without a doubt, important in any industry. Swipe your credit card at the cash register, and behind the scenes there’s PCI-DSS safeguarding how the credit card information is processed and stored. For wireless communications there’s IEEE 802. And for the automotive industry there’s ISO 26262, a standard which covers electronic systems in automobiles and road vehicles.
You can listen to the podcast on SoundCloud or read the transcript below.
My guest this week is Mark van Elderen, Strategic Communications at Synopsys. He’s here to talk about the announcement that two Synopsys products, Coverity and Test Advisor, have been certified as ISO 26262 and IEC 61508 compliant. But first I asked Mark to explain what ISO 26262 does and why it is important.
van Elderen: That’s a good question. ISO 26262 is an international standard for functional safety of electronic systems in automobiles and road vehicles. It is based loosely on the more generic IEC 61508 standard but it has specific refinements for the automotive industry. Essentially the standard was created to provide guidance to the automotive industry to avoid the risk of systematic failures and random hardware failures by providing feasible requirements and processes.
Vamosi: If I’m hearing you correctly this is more of a safety standard, is that correct?
van Elderen: That’s absolutely correct. ISO 26262 is focused primarily on functional safety of road vehicles and the electronic or electrical systems within those road vehicles.
Vamosi: What is the news that Synopsys is releasing this week regarding ISO 26262?
van Elderen: The big news this week is that two of the tools in our Software Integrity Platform have been ISO 26262 certified. And you may be asking why our tools must be certified if they are not components of a vehicle. Well, the ISO 26262 standard actually requires that essential tools used in the development of these systems need to be qualified to ensure that they are catching or helping to identify and fix safety critical issues. So the two products are Coverity, Synopsys’ static analysis tool, and Test Advisor, Synopsys’ automated test optimization tool. Essentially what that means is an independent certification body has reviewed our documentation, reviewed our tools and ascertained that these two tools are qualified for use in the development of functional, safety critical, systems in automobiles. And any auto maker or supplier that is developing or building a safety critical system and is seeking ISO certification for that system can actually use our tools, and our tools can streamline that development process.
Vamosi: So a lot of the standards like ISO 26262 focus on the safety and reliability of the vehicle, but when we start talking about software we get into cybersecurity, particularly if that auto is connected to the internet, 3G, 4G. What is the status of standards today regarding that frontier?
van Elderen: That’s an interesting point, and when I say that our tools have been certified to ISO 26262 it really only applies to a subset of ISO 26262, which is part 6, the development of software. Now when you start talking about software, and when you look at modern vehicles with more and more cars being connected to networks and increasingly complex software systems being used, you really have to start thinking about security. Security is a very big issue today as demonstrated by several public hacks. These vehicles can be hacked, they can be disabled, they can be controlled, and the security issues really pose a very real threat to the operators or consumers of these vehicles. One thing to point out: ISO 26262 is a very important standard. It’s a great starting point to ensuring automobiles are safe and reliable. But it does not address some of these security concerns. And what I would say about existing standards is they need to be augmented, or new standards need to be developed that actually address these new needs.
Vamosi: When you say augmented or developed, you’re speaking about cybersecurity aspects of the automobile?
van Elderen: That’s absolutely correct. There are several standards like ISO 26262 that address functional safety, quality, reliability in standards, but there are not any standards that fully address the cybersecurity issues that we’re seeing today in vehicles.
Vamosi: So what is Synopsys today doing to help that situation?
van Elderen: We think that cybersecurity in vehicles is a very important issue and we’re taking it very seriously. We’re working with stakeholders in the automotive industry and we’re members in certification bodies, etc. One of the things we’re really pushing is a new set of standards that address these issues, so we’re not just talking about it, we’re rolling up our sleeves and helping the industry. Cybersecurity is a completely new issue for the automotive industry and in many ways they’re not equipped or prepared to deal with these issues on their own. With that said, there is an entire community of security professionals, security vendors, as well as other industries that have implemented best practices and cybersecurity standards that the automotive industry can draw on. At Synopsys we view ourselves as a partner that the automotive industry can look to. So specifically, one of the things that Synopsys is doing is helping raise awareness among automotive manufacturers and their suppliers. We’ve provided them with some guidance and cursory instruction as to how they can start addressing these issues. Following the Jeep hack back in summer of last year, Synopsys was approached by several automotive manufacturers and suppliers asking for help and advice, and what we did was we produced a procurement document that would essentially be used by the automotive manufacturer to request or require a minimum set of cybersecurity testing requirements from their suppliers of software systems. If you recall, the Jeep hack actually wasn’t a vulnerability or a security problem in any of Jeep’s software, it was actually one of their suppliers, several of their suppliers. Really, that’s one of the approaches that we’re taking: giving the automotive manufacturers the information they need, or the right questions they should be asking of their suppliers. That’s a starting point. This procurement document is free and available to anyone who wants it on Synopsys.com.
Vamosi: So you mentioned after the Jeep hack Synopsys was approached by several of the auto makers, what became of that discussion?
van Elderen: That’s a great question. That discussion ultimately ended up leading to the formation of a grassroots working group. Initially it was called the Featherstone Working Group after the location of one of their first meetings. And Mike Ahmadi, our Global Director of Critical Systems Security, really led that effort. He gathered a group of interested stakeholders and they started to meet regularly to not only identify the challenges that the automotive industry was facing but also provide a path forward toward resolving those challenges. That working group ultimately evolved into a formalized task force under SAE, a task force that is called the Cybersecurity Assurance Testing Task Force, and they meet, I believe, every other week. And they have members from all of the major automakers as well as their suppliers, and essentially the charter of that task force is to help develop new SAE endorsed standards that help the automotive industry, that provide the automotive industry with a common framework for testing requirements that apply to all of the software and electronic components throughout the extended automotive supply chain.
Vamosi: Is there anything else I haven’t asked you that you’d like to bring up?
van Elderen: Yes, Robert, I think it’s important for automotive manufacturers, for their suppliers, for vendors, for the larger automotive ecosystem to first embrace the standards that are out there today. I think it is an important first step, for functional safety cannot be ignored and the standards that are out there today are really good at helping to address functional safety issues. I think moving forward we need to shift our focus along the same lines as what Synopsys is doing, which is working with stakeholders to develop new standards. We really need to look to the future and assess how the automotive industry is changing, how vehicles have changed, the increasing amount of code, the complexity of the software systems, the interconnecting of these software systems, as well as the vastly extensive supply chain for software that goes into automobiles. There are hundreds and hundreds of suppliers and each of those suppliers has so many third party software components and open source components that they are pulling into their systems; it’s a daunting task but it is something that needs to be addressed. And I think moving forward, having the industry come together, work together to not only identify the challenges at hand but develop new solutions that apply to modern vehicles and the software that is in them is really important.
Vamosi: Thank you Mark for your time today.
van Elderen: Thank you for having me, Robert.
Posted in Automotive | No Comments »
Posted by Robert Vamosi on May 23rd, 2016

According to a security researcher, a popular video conferencing system leaks not only videos but also files.
Researcher Jamieson O’Reilly disclosed late last week that during a client test he found Vidyo was leaking data. O’Reilly reported that he could see videos and content that should have remained private. By doing a Google search for files associated with the vulnerability, he said he discovered the video conference system was used by large corporations as well as the US Army, NASA, and CERN.
O’Reilly reported the arbitrary file disclosure vulnerability to the company and Vidyo has since patched the bug. Version 3.0.1.2 patches the vulnerability.
“I ended up finding an arbitrary file disclosure vulnerability,” O’Reilly told The Register. “It’s more than just [leaked] videos, also Linux filesystem files (/etc/passwd) and other conf files. I’ve never heard of this software before and thought that the risk exposure was quite low until I looked at the clients. There are a lot of publicly accessible Vidyo endpoints that are probably vulnerable that you can identify using Google.”
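The bug class O’Reilly describes, arbitrary file disclosure, is usually a download handler that joins a user-supplied name onto a content directory and opens whatever results. The following added example is not Vidyo’s code and assumes nothing about its real file layout: it builds a constructed sandbox (a content root plus a config file one level above it), shows the vulnerable join pattern leaking that config file through a `..` segment or an absolute path such as `/etc/passwd`, and shows the hardened pattern that resolves the path first and refuses anything outside the root.

```python
import os
import tempfile
from pathlib import Path


def build_sandbox(base: Path) -> Path:
    """Constructed layout (not Vidyo's): a content root the handler may serve
    from, and a config file above it that must never reach the download endpoint."""
    recordings = base / "content" / "recordings"
    recordings.mkdir(parents=True)
    (recordings / "meeting1.mp4").write_bytes(b"constructed video bytes")
    (base / "server.conf").write_text("db_password=constructed-secret\n")
    return base / "content"


def serve_unsafe(root: Path, requested: str) -> bytes:
    """Vulnerable pattern: the user-controlled name is joined onto the root and
    opened as-is. '..' segments walk out of the root, and os.path.join discards
    the root entirely when the request is an absolute path."""
    return Path(os.path.join(str(root), requested)).read_bytes()


def serve_safe(root: Path, requested: str) -> bytes:
    """Hardened pattern: resolve symlinks and '..' first, then require that the
    final path lies inside the root before touching the filesystem."""
    root = root.resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"request escapes content root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def run_demo() -> dict:
    """Exercise both handlers against the sandbox and report what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sandbox(Path(tmp))
        results = {
            "unsafe_legit": serve_unsafe(root, "recordings/meeting1.mp4"),
            # traversal: the vulnerable handler returns the config file's contents
            "unsafe_traversal": serve_unsafe(root, "../server.conf"),
            "safe_legit": serve_safe(root, "recordings/meeting1.mp4"),
        }
        for key, probe in (("safe_traversal_blocked", "../server.conf"),
                           ("safe_absolute_blocked", "/etc/passwd")):
            try:
                serve_safe(root, probe)
                results[key] = False
            except PermissionError:
                results[key] = True
        return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The containment check is done on the fully resolved path, not on the raw string, so encoded or symlinked variants of `..` are caught the same way; rejecting before `is_file()` also means the handler never leaks whether a file outside the root exists.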
Posted in Security | No Comments »
Posted by Robert Vamosi on May 20th, 2016

On Wednesday, representatives from MITRE proposed risk assessments for medical devices using existing frameworks.
Presenting at SOURCE Boston, Penny Chase and Steve Christey Coley of the MITRE Corporation noted that medical devices incorporate the use of third-party software, operating systems, and workstations; are subject to regulation, which can limit the ability to patch and reconfigure them; are exposed to limited clinical trials, so many flaws aren’t discovered until devices are on the market; and are often made by manufacturers who don’t incorporate security testing.
Synopsys recently found one medical product had 1418 vulnerabilities.
Chase and Coley, in their talk “Toward Consistent, Usable Security Risk Assessment of Medical Devices”, said determining risk requires “a delicate balance of security, safety and privacy – they overlap. Each can interfere with the other,” said Chase, according to CSO Online. “You don’t want the AV (antivirus) firing during surgery.”
The greater good of the use of a device often offsets the small risk of compromise.
Nonetheless there are efforts to adapt MITRE’s Common Vulnerability Scoring System (CVSS) to healthcare. This would focus the scoring on what the actual impact of a vulnerability would be for patient safety, and put it into the context of its value to the providers and patients.
Often a “base score” can exaggerate the risk because it is assessed generally and not in context.
Context, Chase and Coley said, could be found in other frameworks like the Common Weakness Scoring System (CWSS) and the related Common Weakness Risk Assessment Framework (CWRAF).
“The goal is to take the environment into consideration along with the base score,” Coley said. “We don’t want FUD (fear, uncertainty and doubt) to make patients fearful of life-saving therapy.”
Posted in Medical Devices | No Comments »
Posted by Robert Vamosi on May 19th, 2016

A web site heralding the second season of the hacker-based television show Mr. Robot was itself the victim of sloppy coding, according to a few white hat hackers.
If you ask your browser to view source on the official Mr. Robot website you will see the show’s site coders have a sense of humor. However, a few white hat hackers have discovered more than a few jokes within the code. They found vulnerabilities.
Mr. Robot is a TV series that uses real-world hacking techniques to advance the show’s larger story about evil corporate cultures.
On May 10, just as NBC Universal launched the new web site, a hacker named Zemnmez found a cross site scripting error that gave him the means to trick fans of the show into giving over much of their Facebook information. Instead, he wrote to the show’s creator, Sam Esmail. Shortly after, the vulnerability disappeared.
“A threat actor with XSS on whoismrrobot.com could use the XSS to inject Javascript [programming language] which inherits the ability to read Facebook information from the fsociety game… This could be done mostly silently if correctly engineered with a short popup window,” Zemnmez told Forbes.com over email.
Unfortunately, that was not end of it.
Last Friday another “white hat” hacker who calls himself “corenumb” looked at the site’s e-mail registration code and found that the PHP code behind it was vulnerable to a type of attack called blind SQL injection. SQL injection embeds SQL commands into text sent to a website so that they are run as part of the site’s own database queries. In the blind variant the site returns neither query output nor database error messages, so the attacker instead infers the result of each injected query from how the page responds.
According to Ars Technica this blind SQL vulnerability would have allowed a malicious attacker to execute SQL commands against the database used for the show’s e-mail list. For example, Corenumb was able to retrieve information about the backend database and the server it runs on using SQLmap, an open source penetration testing toolkit used specifically for checking for SQL injection vulnerabilities.
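What makes a registration form a blind oracle is that it answers only “already registered” or not, while swallowing database errors. The following added example is not the show’s PHP code; it models the same flaw in Python over an in-memory SQLite table with constructed addresses. The vulnerable lookup splices the submitted address into the SQL text, so a crafted address turns the WHERE clause into a true/false question about the database; the hardened lookup binds the address as a parameter and treats the same input as an ordinary, unregistered string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the mailing-list database (not the real site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO subscribers VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])
    conn.commit()
    return conn


def is_registered_unsafe(conn: sqlite3.Connection, email: str) -> bool:
    """Vulnerable pattern: string formatting puts the submitted address into the
    statement itself. Errors are swallowed, which is exactly what makes the
    injection 'blind': the caller only ever learns a yes/no answer."""
    sql = f"SELECT 1 FROM subscribers WHERE email = '{email}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def is_registered_safe(conn: sqlite3.Connection, email: str) -> bool:
    """Hardened pattern: a parameterised query. The address is bound as data by
    the driver and cannot alter the structure of the statement."""
    row = conn.execute("SELECT 1 FROM subscribers WHERE email = ?",
                       (email,)).fetchone()
    return row is not None


# Constructed inputs: a normal address and two crafted ones. The second crafted
# input asks a question about the table rather than about any one address; the
# yes/no reply is the single bit a blind injection extracts per request.
NORMAL = "carol@example.com"
TAUTOLOGY = "x' OR '1'='1"
TABLE_PROBE = "x' OR (SELECT count(*) FROM subscribers) > 1 OR '1'='2"


def compare(conn: sqlite3.Connection) -> dict:
    """Run each input through both lookups; returns {input: (unsafe, safe)}."""
    return {
        label: (is_registered_unsafe(conn, value), is_registered_safe(conn, value))
        for label, value in (("normal", NORMAL), ("tautology", TAUTOLOGY),
                             ("table_probe", TABLE_PROBE))
    }


if __name__ == "__main__":
    for label, (unsafe, safe) in compare(make_db()).items():
        print(f"{label:12s} unsafe={unsafe!r:5} safe={safe!r}")
```

In the output the crafted inputs make the vulnerable lookup answer True even though no such subscriber exists, while the parameterised lookup answers False for both: the driver never lets the quote character close the literal, so the only thing the query can ever compare is the whole submitted string.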
Posted in Security | No Comments »
Posted by Robert Vamosi on May 18th, 2016

According to the US Securities and Exchange Commission chair, cyber hacking is the biggest risk facing the world’s financial markets today.
US SEC Chair Mary Jo White made her comments Wednesday at a conference organized by the Reuters news service. She specifically cited the March 2016 theft of $81 million from the Bangladesh central bank. Last week investigators reported a bank in Vietnam was hit with a similar attack, with speculation the attack was also similar to the Sony Pictures data breach in 2014.
Speaking of attacks in the financial services space, White told Reuters, “What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks. As we go out there now, we are pointing that out.”
SWIFT, the company that handles international banking transfers, patched last month some of the vulnerabilities associated with the Bangladesh attack and gave customers up until last week to patch their systems.
That wasn’t good enough for some. On Wednesday, JPMorgan Chase announced it would suspend the use of SWIFT interbank transfers for some of its employees.
The technology and policy division of the bank-backed Financial Services Roundtable, BITS, is working to mediate between the banks and SWIFT, says Bloomberg.
Posted in Financial | No Comments »
Posted by Robert Vamosi on May 17th, 2016

Google Project Zero Researcher Tavis Ormandy disclosed a Remote Heap/Pool memory corruption vulnerability in all versions of Symantec and Norton branded Antivirus products.
In a forum post, Ormandy said that because of the way the Symantec filter works, just emailing a compromised file or sending a compromised link to a victim is enough to exploit the vulnerability, CVE-2016-2208.
The flaw centers around how the Symantec/Norton antivirus engine handles executable files packed by early versions of aspack. In certain cases it can result in a buffer overflow. Ormandy explained “on Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get.”
Symantec has responded with confirmation and a patch. “We have confirmed your findings and have resolutions as well as doing additional reviews,” the company wrote on Ormandy’s forum post. “We can easily update a version of one of our products, Norton Security for example, with an updated engine by the end of the week and if you would like can provide you with an beta release of that for your review. Unfortunately, not all products will be updated the same which of course has impacts on final release of updates and an associated Security Advisory. Some are quick and fairly simple updates, live update of course, but others require a maintenance patch build, test, release which takes a bit longer.”
Over the past year or so, Ormandy has focused on the antivirus market. He recently demonstrated flaws in Trend Micro’s Password Manager as well as vulnerabilities in Kaspersky Lab, FireEye, and Sophos antimalware products.
Posted in Security | No Comments »
Posted by Robert Vamosi on May 16th, 2016

Researchers have found that a Chinese chip manufacturer for low-cost Android tablets, set-top boxes, ARM-based PCs, and other devices has shipped a vulnerable Linux kernel in its latest product.
The legacy 3.4 Linux kernel for the H3/A83T/H8 chips produced by Allwinner, a Chinese system-on-a-chip company, apparently contains a serious vulnerability that allows local privilege escalation: a backdoor. According to security researchers, the company’s ARM Linux kernel includes code, “rootmydevice”, that gives apps running on the device root.
According to Armbian, a company that makes Linux distros for prototyping and development boards, the vulnerability affects every OS image for H3, A83T or H8 devices that relies on kernel 3.4. For example Orange Pi, a low-cost prototyping board, currently runs on H3.
Armbian reported a fix within a few hours. Other products affected include FriendlyARM, SinoVoip M3, SinoVoip M2+, Cubietruck +, and LinkSprite pcDuino8 Uno.
Analysis suggests this was perhaps debugging code left in the production units.
Ars Technica reported the code may have been left in the kernel after developers completed debugging. But the company has been less than transparent about it: information about the backdoor was released and then apparently deleted through Allwinner’s own Github account.
Posted in Security | No Comments »
Posted by Robert Vamosi on May 13th, 2016

An investigation into a Bangladesh bank hack last month has revealed another victim bank and a possible link to the Sony Pictures data breach in 2014.
Investigators from BAE Systems probing the theft of $81 million from the Bangladesh central bank have found a second bank, this one in Vietnam. On Friday BAE said the Vietnamese bank, which it did not name, had been a target with a very similar attack profile. The two banks apparently already had compromised internal systems, allowing remote attackers to obtain user credentials for bank transfers and then begin submitting fraudulent requests for money. In the case of the Bangladesh central bank, $81 million was transferred out of an account at the New York Federal Reserve in the US before a typo halted additional transfers. Details of the Vietnamese bank attack were not available.
SWIFT, the company that handles international banking transfers, patched last month some of the vulnerabilities associated with the Bangladesh attack. In a letter to its customers, SWIFT stated that the security update must be installed by Thursday, May 12, 2016, in order to continue to transfer funds through their system.
According to Reuters News Service, which first broke the story, investigators have determined that one team of hackers, dubbed Group Zero in the report, was responsible for the heist [at the Bangladesh central bank] and remained inside the network. Group Zero may be seeking to monitor the ongoing cyber investigations or cause other damage, but is unlikely to be able to order fraudulent fund transfers, the investigators wrote. Two other groups are also inside the bank’s network, which is linked to the SWIFT international transaction system, the report found. One of the two is a “nation-state actor” engaged in stealing information in attacks that are stealthy but “not known to be destructive”, it said, Reuters reported.
The BAE investigators also reported that the Bangladesh central bank hack had “the same unique characteristics” as software used in “Operation Blockbuster”, a series of similar attacks going back as far as at least 2009 and includes the Sony Pictures hack in 2014. BAE made that connection after analyzing tens of millions of files, but admits that alternative explanations could also be true.
Posted in Financial | No Comments »
Posted by Robert Vamosi on May 12th, 2016

There is a serious privilege escalation vulnerability in software that is included with every Lenovo laptop. Fortunately the company has now released a patch.
According to the company, the Lenovo Solution Center (LSC) is a software application created by Lenovo that allows users to perform diagnostic functions and quickly identify the status of PC system hardware and software health, network connections and the presence of security features such as firewalls or antivirus programs. However researcher Martin Rakhmanov of Trustwave’s SpiderLabs found that v 2.8 of LSC allowed anyone to open the Device Manager running as LocalSystem and run arbitrary code in various ways.
The vulnerability, known officially as CVE-2016-1876, was patched last April by Lenovo.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 it updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” a Lenovo spokesperson told Threatpost.
“This is a pretty bad vulnerability, but it does require an existing user to be logged in in order to pull off any attack,” Karl Sigler, a SpiderLabs researcher at Trustwave, said in an email interview with Threatpost. He said the attack can’t be exploited remotely. “For a malicious insider or for an attacker that already has a foothold in the network, this vulnerability could be used to make that foothold a full gateway to your network,” he said.
Posted in Security | No Comments »
Posted by Robert Vamosi on May 11th, 2016

A vulnerability in a popular software suite used to resize and reproduce image files in a variety of file formats could also allow remote command execution on a compromised web site.
Security researchers last week discovered a heap overflow and an out-of-bounds read bug in ImageMagick, a software suite used to create, edit, compose, or convert bitmap images into a variety of file formats. Web sites use the suite to resize a user-defined avatar, for example. The researchers (more than one has been named) discovered that a remote attack on this suite could execute arbitrary code by hiding it inside image files that a user uploads.
Officially the vulnerability is known as CVE-2016-3714 and includes improper input validation (CWE 20). Informally the vulnerability is known as ImageTragick and has its own web page.
At the same time more vulnerabilities were disclosed on Wednesday by security researcher Hanno Böck, namely one heap buffer overflow in the PICT parser and one heap out of bounds read in the PSD parser.
A fix in the form of a new release is available on the ImageMagick site. Alternatively, a workaround requires affected sites to update their configurations to implement these policies.
Posted in Security | No Comments »
© 2016 Synopsys, Inc. All Rights Reserved.