
Web Application Security Newsletter - July 2007
A MESSAGE FROM THE EDITOR - In the past decade cyberinsurance has emerged and is now a rapidly growing market. This month we feature an article that weighs in on cyberpolicies and helps to de-mystify these products. The current state of the market is that prices are high and policies are not for everyone. Certainly a cyberpolicy should not be a substitute for having a strong security program in place. The underground economy is thriving and continues to yield big bucks for today's new kind of hacker: a professional, in the game strictly for money and profit. According to one industry expert, users' stolen account information is currently priced at $1000 to $5000. We also feature a Forbes.com interview with Johnny Long, an ethical hacker by day as well as best-selling author of "Google Hacking for Penetration Testers." Long weighs in on the industry debate around public disclosure of hacking tricks and techniques and demonstrates that website vulnerabilities are frighteningly low-hanging fruit for simple search techniques.
1. Can 'cyberinsurance' protect you from data breach catastrophe?
Unraveling the mysterious world of cyberpolicies
Often little understood and plenty pricey, the cyberinsurance market is rapidly growing. The current state of the market is that smaller firms are often better served by cyberpolicies, while larger firms are often better off self-insuring. Up to 10% of applicants are turned down and another 25% pay higher premiums or have restrictions. Even major healthcare and financial institutions have failed to pass the scrutiny of some insurers. What are some of the biggest reasons for denial? The buyer is likely lacking desirable policies and procedures in disaster recovery planning and lacks monitoring of system usage.
Read More
2. Protect Data From Cross-Site Scripting (XSS) Attacks
Bringing the castle down with scripting code and stolen data
Both client-side scripting such as JavaScript and user-submitted content can leave websites open to a cross-site scripting attack. Most commonly, an attacker plants a script that harvests cookies from an unsuspecting user's browser and then uses the personal information in a cookie. Armed with that user information, the attacker can perform all kinds of mischief, such as logging into the victim's website with full administrative access. Read about how XSS attacks happen and how they can be prevented.
Read More
3. Understanding PCI DSS compensating controls
A strong security program is the best silver bullet
Although many security vendors position their products as silver bullets to make PCI go away, compliance with PCI DSS should be the result of having a strong security program with documented controls. PCI's version 1.0 made it easier to skirt the regulations through an escape clause known as "compensating controls." The recently released standard partially closed that loophole: organizations must now prove a "legitimate technological or documented business constraint" to apply a compensating control. Read about the security elements in PCI DSS that are likely to catch an auditor's attention and which elements present legitimate compensating controls.
Read More
4. Hacking spree 'will last another six months'
Attack known as "The Italian Job" likely to continue for months
Eastern Europe-based hackers have carried out a mass rollout of HTML malware that exploits a vulnerability in legitimate websites. The attack began recently in Italy and soon spread to websites in the U.S. and other countries. Researchers believe the attack probably started as an automated attack driven by a Trojan-making kit; kits offering similar software were available to download from Russian websites. Corporate IT teams have been advised to take precautionary measures, such as running vulnerability scanning software.
Read More
5. The Multi-Billion Dollar Hacking Industry
Today's attackers are professionals driven by profits
Over the past ten years, there has been a remarkable change in the profile of a typical hacker. Yesterday's hacker was most likely aged 15 to 34, single, and living at home with parents. Today's hacker is a professional with lots of cash and motivation, driven solely by profit. The underground economy can yield big money for these unscrupulous cyber criminals. With a dramatic shift toward web-based threats, more than 300,000 new versions of malware have appeared in the last two years.
Read More
6. Google: A Hacker's Best Friend?
Google queries yield sensitive info
In a recent interview with Forbes.com, author and hacker-by-day Johnny Long describes the art of "no-tech hacking". He discusses Google hacking and using non-technical methods to break technology. "After 10 years of trying, I've discovered a whole pile of ways to do that... Just by doing a search on a Web site, we'd find a password or usernames that would grant us access". Long is the author of "Google Hacking for Penetration Testers," a best seller that shows how to perform Google searches to uncover sensitive information. Learn about the kinds of vulnerabilities in Web sites that Long has uncovered through Google hacking. What about the ethics of publicly discussing these hacking tricks? Long weighs in on this hotly debated topic.
Read More