The landscape of Cyber Security is changing quickly. More and more perils spring up every day, which is why it is more important than ever to cultivate the practice of Responsible Vulnerability Disclosure.
Swascan is quickly becoming the European authority in this field, thanks to the recognition obtained through its Responsible Vulnerability Disclosure collaborations with Adobe, Microsoft, Lenovo, Huawei, SAP, Nokia and now GoToMeeting.
Thanks to its expertise, the team of cyber researchers of the Italian firm has brought to light some critical issues in web applications belonging to one of the leading online meeting, desktop sharing and video conferencing products on the market today.
Taking Cyber Security risks head-on
Swascan is the Cyber Security company founded by Pierguido Iezzi and Raoul Chiesa; it was the first in Italy to offer a cloud-based Cyber Security Testing platform that makes it possible to identify, analyze and fix the vulnerabilities of websites and information infrastructures alike, without doubt one of the most critical points of impact for any type of business.
The activity carried out by the Swascan team highlighted some potential issues that could have been exploited by Criminal hackers to impact GoToMeeting.
After identifying these vulnerabilities, the experts shared their findings with the PSIRT of the video conferencing software vendor through a Responsible Vulnerability Disclosure containing all the information necessary for the remediation activity. GoToMeeting has since decommissioned the server that could have caused the potential issues, which completely eliminates this risk for GoToMeeting users.
As mentioned, the issues discovered could have impacted business continuity, the security of users' data and information, and the regular operation of services.
The key is transparency
The key to any Responsible Vulnerability Disclosure activity is precisely the collaboration between Cyber security providers and service providers.
This philosophy is embraced by Swascan’s Co-Founder Pierguido Iezzi, who underlined: “Finally, the world of Cyber security is experiencing a sort of ‘thaw’ in favour of the principle of collaboration between the various players, until a few years ago a real taboo. We are extremely pleased with the timely and professional collaboration between Swascan and LogMeIn, makers of GoToMeeting”.
“It’s a fact that the risks have increased with the interconnection of everything around us, including businesses. This has made it necessary to rethink how to deal with these threats, not only on a technical level, but also from a cultural point of view. This undoubtedly has fostered the cooperation between players”.
Commenting on the path taken alongside GoToMeeting, he added: “Our experience with GoToMeeting is a clear example of how effective this Paradigm Shift can be. A real backbone for every Cyber Security Framework”.
The criticalities discovered were going to impact aspects of:
In detail, the vulnerabilities belonged to the following CWE categories:
- CWE-20 (Improper Input Validation): The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. Basically, when the software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
- CWE-287 (Improper Authentication): When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
- CWE-476 (NULL Pointer Dereference): A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
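To make the three CWE categories above concrete, here is an added example written for this article; it is not code from Swascan, LogMeIn or GoToMeeting and does not reproduce the reported findings. It is a toy web handler with constructed in-memory fixtures (the `SESSIONS` and `MEETINGS` tables, the nine-digit `meeting_id` format, and the `Request` stand-in are all assumptions of the example). `vulnerable_lookup` shows all three weaknesses in a few lines: identity taken from a query parameter (CWE-287), an unvalidated identifier (CWE-20), and a lookup result dereferenced without a None check, the Python analogue of CWE-476. `hardened_lookup` is the corrected counterpart, and `handle` maps each outcome to the HTTP status a framework's error layer would return, so the crash becomes visible as a 500.

```python
import re
from dataclasses import dataclass, field

# Constructed in-memory fixtures for this example: not real users, sessions or meetings.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}          # bearer token -> user
MEETINGS = {"123456789": {"owner": "alice", "title": "Weekly sync"}}
MEETING_ID_RE = re.compile(r"[0-9]{9}")  # assumed ID format: exactly nine digits


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: headers and query parameters."""
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class ValidationError(Exception): ...   # CWE-20 outcome -> 400
class AuthError(Exception): ...         # CWE-287 outcome -> 401
class Forbidden(Exception): ...         # authenticated user, wrong object -> 403
class NotFound(Exception): ...          # lookup miss handled explicitly -> 404


def vulnerable_lookup(req: Request) -> dict:
    """Shows all three weakness classes at once.

    CWE-287: identity is taken from a caller-controlled query parameter.
    CWE-20:  meeting_id is used without any shape check.
    CWE-476: the lookup result may be None and is dereferenced anyway.
    """
    user = req.params.get("user")                  # never proven, just claimed
    meeting = MEETINGS.get(req.params.get("meeting_id"))
    return {"title": meeting["title"], "viewer": user}   # TypeError when meeting is None


def authenticate(req: Request) -> str:
    """CWE-287 fix: identity comes only from a server-side session lookup."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise AuthError("missing bearer token")
    user = SESSIONS.get(auth[len("Bearer "):])
    if user is None:
        raise AuthError("unknown session")
    return user


def validate_meeting_id(raw) -> str:
    """CWE-20 fix: reject anything that is not a string of exactly nine digits."""
    if not isinstance(raw, str) or MEETING_ID_RE.fullmatch(raw) is None:
        raise ValidationError("meeting_id must be exactly 9 digits")
    return raw


def hardened_lookup(req: Request) -> dict:
    """Corrected handler: authenticate, validate, check the lookup, then authorize."""
    user = authenticate(req)
    meeting_id = validate_meeting_id(req.params.get("meeting_id"))
    meeting = MEETINGS.get(meeting_id)
    if meeting is None:                            # CWE-476 fix: test before use
        raise NotFound("no such meeting")
    if meeting["owner"] != user:
        raise Forbidden("not the meeting owner")
    return {"title": meeting["title"], "viewer": user}


def handle(view, req: Request) -> tuple:
    """Map outcomes to (status, body) the way a web framework's error layer would."""
    try:
        return 200, view(req)
    except ValidationError as e:
        return 400, {"error": str(e)}
    except AuthError as e:
        return 401, {"error": str(e)}
    except Forbidden as e:
        return 403, {"error": str(e)}
    except NotFound as e:
        return 404, {"error": str(e)}
    except Exception as e:                         # unhandled crash: the CWE-476 symptom
        return 500, {"error": type(e).__name__}


if __name__ == "__main__":
    spoofed = Request(params={"user": "mallory", "meeting_id": "123456789"})
    print(handle(vulnerable_lookup, spoofed))      # 200 with viewer 'mallory': CWE-287
    print(handle(vulnerable_lookup, Request(params={"meeting_id": "x"})))  # 500 TypeError
    good = Request(headers={"Authorization": "Bearer tok-alice"},
                   params={"meeting_id": "123456789"})
    print(handle(hardened_lookup, good))           # 200 with the real owner
```

The ordering in `hardened_lookup` matters: authentication runs before validation so that an unauthenticated caller learns nothing about identifier formats, and the None check sits between lookup and use, which is exactly where the CWE-476 entry above says the missing check belongs.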
Synergy for safety
There is no longer any doubt: to face the new threats mounted by Criminal hackers, a two-pronged approach is needed. On the provider side, a secure IT infrastructure and constantly trained, alert staff are necessary; on the other side, the skills and tools that only Cyber Security experts can provide cannot be left out.
Pierguido Iezzi, Co-Founder Swascan, CyberSecurity Director
Raoul Chiesa, Swascan co-founder, InfoSec addicted