
Web Application Security Newsletter - October 2007
Editorial Comments: Two themes run through several of this month's featured articles. One is the growing sophistication and brazenness of the bad guys, who keep finding new ways to place malicious code, even on web sites we know and trust. The other is user behavior and how it shapes the security risks inherent in a Web 2.0 world. At a recent cyber crime event, an IDC analyst warned that user behavior threatens corporate security through the simple act of intermingling personal and corporate online activity. Online safety advocates StopBadware.org remind us in their recent report that attack code can be downloaded from almost anywhere. The bad guys are increasingly brazen; case in point is an interview with a convicted hacker who brags about the ease with which he was able to break into computers: "so easy even a caveman could do it." Roger Johnston, who heads the Vulnerability Assessment Team at Los Alamos National Laboratory, offers his insider's perspective on 28 attributes of a flawed security system. Find out how your program rates and what he recommends for improvement.
1. Warning on web 'super worm' XSS database could cause major problems
Database identifies vulnerable sites for cross-site scripting exploits
Security experts are warning Internet users of a potential major worm outbreak. The "creative hacker" group GNU Citizen has published details of an online archive that names websites with cross-site scripting vulnerabilities. Malware writers can use the information to identify sites that can be used to inject malware via web browsers; a malware spamming program could spread viruses by setting up a continuous link to vulnerable sites. One expert notes that a super worm of this magnitude could prove devastating in the near future.
2. Strategies for success -- PCI DSS Requirement 11: Regularly test security systems and processes
Regular testing can prevent costly breaches
According to the National Vulnerability Database, an average of 19 new vulnerabilities is posted to the Internet every day. The recently publicized TJX data breach illustrates just how costly outdated security technology can be. Attacks are frequently carried out against systems that have not been patched with the latest updates. Beyond patching, consistent use of vulnerability scanners is a must against network and application security threats. At a minimum, organizations are advised to perform annual penetration testing to measure how well their systems can withstand an attack.
3. Web 2.0, social networking can endanger corporate security, analyst says
Internal security is a growing threat
Cyber criminals are increasingly targeting Web 2.0 and social networking sites. As the lines between corporate and personal lives blur through online interactions, the corporate security perimeter is weakened. Employees often don't follow security policies, whether because they don't know the rules or because there are no rules. As one example, some of the latest threats center on Web 2.0 environments and involve clicking on links that lead to malware. Managing internal security comes back to user behavior.
4. Web's 'dark corners' are everywhere, group says
Bad guys are targeting web sites we trust
Online safety advocates StopBadware.org warn that when it comes to web sites, it's getting harder to know whom to trust. According to the group's recently released "2007 Trends in Badware" report, the bad guys are finding new ways to place their malicious code. The group maintains a list of 200,000 sites associated with malicious downloads. A disturbing trend over the past year is the move to deliver malicious software through legitimate sites. In fact, attack code can be downloaded from almost anywhere.
5. Interview with a Convicted Hacker: Robert Moore Tells How He Broke Into Routers and Stole VoIP Services
"So easy a caveman could do it."
A 23-year-old convicted hacker who is on his way to federal prison says that simple IT mistakes made his work incredibly easy. Convicted of conspiracy to commit computer fraud, a laughing Robert Moore told Information Week, "When you've got that many computers at your fingertips, you'd be surprised how many are insecure." Read about how the hacker and his mastermind co-conspirator targeted a "silly flaw" and turned it into a business.
6. How Flawed Is Your Security Program?
Find out how your program rates
Los Alamos National Laboratory's Roger Johnston heads up the Vulnerability Assessment Team and is brought in to find security problems at his own agency, at other agencies, and at private companies. In this self-assessment tool, Johnston shares an insider's perspective on the most common weaknesses he sees in organizations' security programs. Find out how you rate on 28 attributes of a flawed security system and what Johnston recommends for improvement.