SE·CU·RI·TY: procedures followed or measures taken to ensure the safety of a state or organization.


Sunday, April 13, 2014

If you don't know what the heartbleed bug is, you need to start now!



The Internet’s Most Widespread Vulnerability


Remember when you were a little kid and you and your friends had your own secret code words and no one was able to tell what you were saying???  Now, imagine that someone had a secret decoder ring and was able to understand everything you were saying.  But this is the best part, you didn’t even know that a decoder ring existed for your imaginary language!  Oh, and this decoder ring has been available in every box of cereal on store shelves!

Now let's change some of the details of the story...


  • Store Shelves = Internet
  • Cereal Boxes = Websites/Webservices
  • Secret Code = encryption
  • Friend = Server
  • Decoder = Heartbleed bug

How many boxes of cereal were on store shelves that came with a prize?  Imagine if 66% of them did.  That is a lot of decoder rings.

From the Heartbleed homepage:
[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused.  
So, when you are accessing a website and sending your information out and getting information back, all this 'computer talking' should be encrypted, and no one should have the key except for you and the server you are talking with.  And in some cases, this is probably true and hasn't changed.

But if the website you are using protects information using any version of OpenSSL released in the past 2 years (May 2012), then you probably should change your password... NOW!


OpenSSL is used by the web servers Apache and nginx, and it is used to protect "email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software."  This pretty much includes more than half the internet.


Well, at least it was discovered by a researcher for Google and the security engineers at Codenomicon instead of a hacker, right???  At least that is what everyone assumes, but there really is no way to tell for sure, because Heartbleed is undetectable and untraceable.


The only way to be safe now is to change your passwords.  If you have entered a password on any account that has been using the OpenSSL versions issued in the past 2+ years, change it!  But not until you know that the site has installed a patch and issued new certificates.  If they haven’t, don’t try to access that account!  Any information passed between you and the server is still susceptible.


For more information on the Heartbleed Bug, or to see if a site you use could be affected, check out these sources:




Resources:
www.heartbleed.com
http://mashable.com/2014/04/09/heartbleed-nightmare/
https://lastpass.com/heartbleed/
http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/




Tuesday, March 18, 2014

Top Web Application Security Issues

Web application security is important to have as technology continues to change and expand. This type of security specifically protects web applications, web sites, and web services. With the increasing amount of information sharing through business transactions, social networks, corporate work, and even personal business, hackers are more likely to make a direct attack. Regardless of how web applications may be used, it is important to have the right protection.

Input and output data must be validated to be safe when using web browsers, email systems, and other software. Input handling is how the server or application handles input from the user or network, while output handling is how the server or application handles the output from the user, such as using the printer. To be considered "safe", data must be validated for type, length, and syntax.
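The three checks named above (data type, length, syntax), plus encoding at the point of output, as an added example that is not part of the original post. The form fields, `SCHEMA`, and the function names are hypothetical, and the sample inputs are constructed.

```python
import html
import re

# Hypothetical schema for a constructed sign-up form. Each field declares the
# three properties the paragraph names: data type, maximum length, syntax.
SCHEMA = {
    "username": {"type": str, "max_len": 20, "syntax": r"[A-Za-z0-9_]{3,20}"},
    "age":      {"type": int, "max_len": 3,  "syntax": r"[0-9]{1,3}"},
    "email":    {"type": str, "max_len": 254,
                 "syntax": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"},
}

# Constructed sample inputs (form values always arrive as text).
GOOD = {"username": "alice_01", "age": "34", "email": "alice@example.com"}
BAD = {"username": "<b>bob</b>", "age": "34\n",
       "email": "a" * 300 + "@example.com", "role": "admin"}

def validate(form):
    """Return (clean, errors). Unknown or failing fields never reach clean."""
    clean, errors = {}, {}
    for name in form:
        if name not in SCHEMA:                      # reject fields nobody asked for
            errors[name] = "unexpected field"
    for name, rule in SCHEMA.items():
        raw = form.get(name)
        if not isinstance(raw, str):
            errors[name] = "missing or not text"
        elif len(raw) > rule["max_len"]:            # length, checked before the regex
            errors[name] = "too long"
        elif not re.fullmatch(rule["syntax"], raw): # syntax: allow-list, whole string
            errors[name] = "bad syntax"
        else:
            clean[name] = rule["type"](raw)         # data type: convert exactly once
    return clean, errors

def render_greeting(username):
    """Output handling: encode for the HTML context where the value is written."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"
```

`re.fullmatch` is used instead of `re.match` with `$` so that a trailing newline, as in the constructed `age` value, is rejected rather than silently accepted.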

Phishing usually consists of scanning emails and websites, along with stealing identities and data. It is important to beware of fraudulent emails containing spam, viruses and malware. Phishing can be reduced by paying close attention when opening unrecognizable emails and websites.

Malicious file execution is an issue that many encounter. Uploaded and downloaded files can sometimes contain malicious viruses, trojans, and spyware. Malicious file execution will allow attackers to execute remote rootkit installations, remote code executions, and even a complete system compromise! It is important to have software that will scan all files before uploading and downloading.

Once you have a compromised browser, that is the beginning of an attack. This type of attack includes: automatic installation of spyware, mouse control, automatic computer shut off, changing of time stamps, and so much more. To prevent a browser from possibly being compromised, keeping browsers and plug-ins updated will help.

Failure to update third-party add-ons is another common issue, especially for household computers. Keeping plug-ins and anti-virus software updated at all times will prevent security issues. Frequently, after a bug is located within the system, developers will fix the issue and release a newer version of the software. It is vital to make sure all software is 100% up to date.

Data poisoning, also known as Cookie Poisoning, modifies content that is stored in a user’s computer. This attack gives hackers the chance to gather information about the user and use it for personal gain. Data poisoning also includes fake links and disguised malware. Attackers may also pose as a malware protection service to convince users to make a purchase, but the “protection” is usually a scam. To reduce data/cookie poisoning, ensure that firewalls are enabled on all computers. 

The security issues listed here represent only a portion of the web application security issues that exist. To learn more about web application security issues, visit The Open Web Application Security Project (OWASP). Remember, it is important to stay updated and educated on ways to stay safe while using computers and web applications.


References:

http://www.pcworld.com/article/144490/article.html
https://www.watsonhall.com/resources/downloads/top10-website-security-issues.pdf
http://www.gfi.com/blog/top-5-web-security-issues/
http://en.wikipedia.org/wiki/Web_application_security
https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution

Sunday, February 16, 2014

Defining Web Application Security

As web applications are becoming increasingly more complex and dynamic, so are the malicious actions taken on them. The security of a web application or service is vital to maintain proper function of the application, protect the users of the application, and protect the data transferred through or stored by the web application. Every application has vulnerabilities, and being able to detect them and protect against threats is the first step in protecting information through web application security.


In an effort to raise awareness of threats to software, and to enhance the security of applications, the Open Web Application Security Project (OWASP) started the OWASP Top Ten Project that “represents a broad consensus about what the most critical web application security flaws are”. This project details the most common risks to applications, educating others on how to identify security vulnerabilities and steps to prevent, or mitigate, threats to web applications and software. As of 2013, OWASP has identified the following as the top 10 web application security risks:

     1. Injection

     2. Broken Authentication and Session Management

     3. Cross-Site Scripting (XSS)

     4. Insecure Direct Object References

     5. Security Misconfiguration

     6. Sensitive Data Exposure

     7. Missing Function Level Access Control

     8. Cross-Site Request Forgery (CSRF)

     9. Using Components with Known Vulnerabilities

     10. Unvalidated Redirects and Forwards


This list does not include all of the risks to web applications, and not all of these risks pertain to individual applications.


The purpose of this blog is to provide knowledge and understanding of the web application security standards today. Follow us as we answer the questions relevant to securing information on the world wide web:

     • What is a threat?

     • How do you detect breaks in the security of a web application/service?

     • What steps can be taken to protect information?


Knowing the web application, and knowing the users, will help identify relevant risks. The most powerful tool in securing an application is to continuously improve the security.
