
Web Application Security Newsletter - March 2005
A MESSAGE FROM THE EDITOR
It should come as no surprise that attacks exploiting web application
vulnerabilities are on the rise. Unfortunately, awareness of this latest
hacking frontier is astonishingly low. The aim of this publication is to
raise awareness of web application security and to help educate the reader,
so that your company's applications are less likely to be the next target.
Welcome to this inaugural edition of the Web Application Security Newsletter,
brought to you by Cenzic.
ChoicePoint should be regulated, FTC Chair says
Legislators fault ChoicePoint for data losses, and lawmakers are pushing
for regulation of data collection companies. ChoicePoint's recent data
leak, in which criminals posing as legitimate business customers obtained
access to its consumer data service, will likely spur greater government
regulation aimed at protecting people's private information. In a recent
hearing, FTC Chairman Majoras told the Senate Banking Committee that
existing laws are not strong enough to ensure responsible handling of
sensitive details by data brokers. ChoicePoint revealed last month that
identity thieves had gained access to 145,000 consumer profiles. In a
similar incident, ChoicePoint competitor LexisNexis reported that
unauthorized users had accessed its databases using compromised customer
accounts, placing 32,000 consumers at risk.
Payroll firm pulls Web services, citing data leak
PayMaxx discontinued some of its online services this month after a
programmer reported security vulnerabilities in them. Aaron Greenspan,
president of Web services start-up Think Computer and a former PayMaxx
customer, says he tried without success to contact PayMaxx about the
problem before publishing a report detailing the flaws. The report prompted
PayMaxx to shut down its PayView and Instant W2 services. PayMaxx has
accused Greenspan of hacking, and has contracted an outside security firm
to test the security of its Web applications.
E-commerce giants hook up to sink phishers
Microsoft, eBay, PayPal, and Visa are backing the newly launched Phish
Report Network, which aims to crack down on phishing attacks. Subscribers
hope to improve consumer protection by blocking the fraudulent sites
reported to the network in their own security applications, with the goal
of preventing phishing emails from ever reaching consumers.
Study: Security fears daunt online shoppers
A new RSA Security study finds that one-fourth of online shoppers have
reduced their purchases in the past year because of rising concerns over
identity theft. The third annual study asked more than 1,000 U.S. consumers
how their attitudes toward identity theft and similar security issues have
changed over the past two years. The findings indicate that financial
institutions hoping to move more customers to online banking continue to
face resistance: 21 percent of the consumers surveyed refuse to use online
banking.
Banks bearing the brunt of phishing scams
Financial services companies remain the most frequent targets of phishing,
according to the latest figures released by the Anti-Phishing Working Group
(APWG). The group reported that 85 percent of all phishing attacks reported
during December targeted banks and similar financial services companies.
The number of new, unique phishing campaigns also rose in December, up 6
percent over November's total. APWG executives said the predominance of
financial services phishing in December ran contrary to the widely held
expectation that retail sites would come under intense attack.
VISA, MasterCard, American Express Incorporate OWASP
Top Ten in "Payment Card Industry Data Security Standard"
Unscrupulous individuals are increasingly exploiting security vulnerabilities
to gain access to personal information. Many of these vulnerabilities can be
closed by applying vendor security patches, protecting against identity theft
and other criminal exploitation. For in-house applications, standard system
development processes and secure coding techniques can prevent many
vulnerabilities from being introduced in the first place; the standard's
secure-development requirement points to the OWASP guidelines and lists the
OWASP Top Ten categories of coding vulnerabilities that custom code must be
reviewed against. The "Payment Card Industry (PCI) Data Security Standard"
provides security requirements that apply to all members, merchants, and
service providers that store, process, or transmit cardholder data. These
requirements apply to every network component, server, or application
included in, or connected to, the cardholder data environment.