SE·CU·RI·TY: procedures followed or measures taken to ensure the safety of a state or organization.

Internet Storm Center Infocon Status
Showing posts with label web application security. Show all posts
Showing posts with label web application security. Show all posts

Tuesday, April 15, 2014

Is Dropbox safe for users?



I’m sure everyone has used Dropbox to upload important documents, and priceless photos that they would like to have access to anywhere, forever, right? Dropbox is a free, cloud based storage service that allows users to upload documents, photos, and videos using a computer, and share them using a tablet or mobile device. This file hosting service is used by over 175,000 people around the world including in some businesses. But what if I told you that your private files can be hacked?

About a year ago, Dropbox was hacked, which prompted the company to add extra security protection such as encryption and “two factor authentication” which were put in place as enhancements. Well, it seems as if that extra security protection that was added, wasn't as great as Dropbox thought it was.

Two security researchers named Przemyslaw Wegrzyn and Dhiru Kholia were able to zoom past Dropbox’s security features, access users files, then published a paper on how it was possible! Crazy right? First thing first, the researchers disabled the two protections that were put in place, then tried “reverse engineering” which allowed them to look at the programming code that Dropbox uses. Although the researchers shouldn't have been able to view the programming code, they were successful. The whole idea was to protect Dropbox and share with the company on how to be more secure.

Since the published paper, in April of 2014, Dropbox has tightened security and added multiple updates to “Dropbox for Business”, which will target businesses and IT professionals who will administer the service. But is it enough?

 This case is just another way to remind you that internet safety and security is very important. Be careful when using sensitive information on the web, and on different web applications. You will never know when your information may become compromised.

 Dropbox is still the leader in cloud based storage service. 

To read the published article "Looking inside the (Drop) box", click here.


References:

Posted by at 10 comments:
Labels: , , , , , ,

Sunday, April 13, 2014

If you don't know what the heartbleed bug is, you need to start now!



The Internet’s Most Widespread Vulnerability

heartbleed

Remember when you were a little kid and you and your friends had your own secret code words and no one was able to tell what you were saying???  Now, imagine that someone had a secret decoder ring and was able to understand everything you were saying.  But this is the best part, you didn’t even know that a decoder ring existed for your imaginary language!  Oh, and this decoder ring has been available in every box of cereal on store shelves!

Now lets change some of the details of the story….
    Ovaltine Decoder Ring
  • Store Shelves = Internet
  • Cereal Boxes = Websites/Webservices
  • Secret Code = encryption
  • Friend = Server
  • Decoder = Heartbleed bug

How many boxes of cereal were on store shelves that came with a prize?  Imagine if 66% of them did.  That is a lot of decoder rings.

xkcd comics
From the Heartbleed homepage:
[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused.  
So, when you are accessing a website and sending your information out and getting information back, all this 'computer talking' should be encrypted, and no one should have the key except for you and the server you are talking with.  And in some cases, this is probably true and hasn't changed.

 But if the website you are using protects information using any version of OpenSSL released in the past 2 years (May 2012), than you probably should change your password...NOW!  

 OpenSSL is used by the web servers Apache and nginx, it is used to protect "email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software."  This pretty much includes more than half the internet.  

 Well, at least it was discovered by a researcher for Google and the security engineers at Codenomicon instead of a hacker, right???  At least everyone assumes, but there really is no way to tell for sure because Heartbleed is undetectable, untraceable. 

 The only way to be safe now is to change your passwords.  If you have entered a password on any account that has been using the OpenSSL Versions issued in the past 2+ years, change it!  But not until you know that the site has installed a patch and issued new certificates.  If they haven’t, don’t try to access that account!  Any information passed between you and the server is still susceptible.   

 For more information on the Heartbleed Bug, or to see if a site you use could be affected, check out these sources:




Resources:
www.heartbleed.com
http://mashable.com/2014/04/09/heartbleed-nightmare/
https://lastpass.com/heartbleed/
http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/




Posted by at 8 comments:
Labels: , , , , , , , , , ,

Wednesday, March 19, 2014

Where do you go for information security?

If you are interested in more information on Web Application Security, be sure to check out our Resources page for direct links to some of the top informational sources.

There you will find links to the SANS Institute, as well as pertinent information and affiliated sources by them, the National Cybersecurity & Communications Integration Center, and the US Computer Emergency Readiness Team.

These sources provide valuable information on what threats exist, emerging threats, and how to protect your Web Application.
Posted by at No comments:
Labels: , , , , , , , , ,

Tuesday, March 18, 2014

Top Web Application Security Issues

Web application security is important to have as technology continues to constantly change, and expand. This type of security specifically protects web applications, web sites, and web services. With the increasing amount of information sharing through business transactions, social networks, corporate work, and even personal business, hackers are more likely to make a direct attack. Regardless of how web applications may be used, it is important to have the right protection.

 Validation of input and output data must be safe while using web browsers, email systems, and other software. Input handling is defined as how the server or application handles input from the user, or network, while output handling is how the server or application handles the output from the user such as using the printer. To be considered as "safe", data type, length, and syntax must be validated. 

 Phishing usually consists of scanning emails and websites, along with stealing identities and data. It is important to beware of the fraudulent emails containing spam, viruses and malware. Phishing can be reduced by paying close attention when opening unrecognizable emails, and websites.

 Malicious file execution is an issue that many encounter. Uploading and downloading certain files can sometimes contain malicious viruses, trojans, and spyware. Malicious file execution will allow attackers to execute remote root kit installations, remote code executions, and even a complete system compromise! It is important to have a software that will scan all files before uploading and downloading.

 Once you have a compromised browser, that is the beginning of an attack. This type of attack includes: automatic installation of spyware, mouse control, automatic computer shut off, changing of time stamps, and so much more. To prevent a browser from possibly being compromised, keeping browsers and plug-ins updated will help.

 Failure to update third party add ons is another common issue, especially for household computers. Keeping plug-ins and anti-virus software updated at all times will prevent security issues. Frequently, after a bug is located within the system, developers will fix the issue, and release a newer version of the software. It is vital to make sure all softwares are 100%.

 Data poisoning, also known as Cookie Poisoning, modifies content that is stored in a user’s computer. This attack gives hackers the chance to gather information about the user and use it for personal gain. Data poisoning also includes fake links and disguised malware. Attackers may also pose as a malware protection service to convince users to make a purchase, but the “protection” is usually a scam. To reduce data/cookie poisoning, ensure that firewalls are enabled on all computers. 

 These security issues listed only represent a portion of the total amount of web application security issues that exist. To learn more about web application security issues, visit The Open Web Application Security Project (OWASP) to learn more. Remember, it is important to stay updated and educated on ways to stay safe while using computers and web applications.
References:

http://www.pcworld.com/article/144490/article.html
https://www.watsonhall.com/resources/downloads/top10-website-security-issues.pdf
http://www.gfi.com/blog/top-5-web-security-issues/ http://en.wikipedia.org/wiki/Web_application_security
https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
Posted by at 5 comments:
Labels: , , , , , , , ,

Monday, February 24, 2014

So you thought you were safe on a Mac? LOL




Apple SSL Vulnerability Affects OSX Too  - ThreatPost


Being an avid Apple user, I have had to crush the dreams of several other Apple fans when it comes to the security of their beloved operating system.  I switched from using a Windows based PC to an Apple  full-time shortly after being subjected to Vista.  Though I had never owned an Apple of my own until that point, my husband and several friends have always preferred their computers over mine, boasting about how secure they were and how vulnerable I was.  No matter who would make the comment, I would let them know that they were never any more secure than I was, and in fact could be more vulnerable.

Mac's operating system was not built more secure than Window's OS, there is no magic code that Apple has implemented that has made their OS insusceptible or invisible to hackers.  Less people used Macs.  More importantly to hackers, less BIG business money makers used Macs.  If a hacker was looking to threaten a massive audience, or to steal valuable information, then the amount of time they spent searching for a vulnerability and then implementing a strategy had better be a sure bet.  And with most of the world running on the Window's OS, this is their market!  At least it was...

And it was this lack of a customer base using Apple's OS that gave users the facade that they were "safer" than their PC counterparts.

Now, the story of the century!  Oh my goodness, the impenetrable Apple OS has a security vulnerability!  I can't believe Apple would do this to US, it's beloved users!

How shocked would we be if Windows announced a security vulnerability was discovered?
Don't even get me started on the updates and patches to Windows that go almost unnoticed...almost.

Oh, COME ON!  Give me a BREAK!  Just one day before, Google released an update for Chrome to fix several high-level vulnerabilities:

Google Fixes 28 Security Flaws In Chrome 33 - ThreatPost

So a high-level security vulnerability has been discovered in Apple's OS, and we know this NOT because of any malicious attack or attempt, but because Apple has released an update to iOS to fix this issue and is creating a fix for OSX.  And to that affect, I say thanks to Apple for releasing an update before  a hacker discovered the vulnerability!


Posted by at 5 comments:
Labels: , , , , , , , ,

Thursday, February 20, 2014

Steps to Protect!

Web Application threats are becoming more and more of an issue for businesses and individuals. Luckily, there are many steps to stay protected and to prevent threats in the future.

Steps to protect/prevent threats within a business

Employee Training
Having the most secure networks and technology can be useless if employees do not understand their responsibilities in protecting the company’s resources. Not all employees will be tech savy, or up- to- date on the latest online safety procedures. It is the employers’ job to train employees on understanding the policies and practices that must be followed regarding online safety. Keeping files backed up, carefully scanning emails, and following rules on downloading and installing programs, can reduce the amount of vulnerabilities in your network, but only if employees are frequently trained on how to do so.

Protecting the Network
The primary tool for communication for a company is through email, which is also a primary way for a threat. Daily, many employee email accounts are flooded with fraudulent emails containing spam, and viruses, which may sometimes end up in the inbox instead of the spam folder. Compromising a company’s web address, and re-directing consumers to a different website is a way to hijack consumer information. These type of attacks are known as phishing. To reduce phishing, monitor returned emails, and consumer complaints pertaining to logins, passwords, and changes. Frequently search for websites that may have similar spelling to yours, also, search for the usage of your company’s logo.   

Steps to protect/prevent threats at home

Strong Passwords
I’m sure you’re thinking, “My password is strong enough, no one knows my birthday!”, but actually you may be wrong. Cracking passwords is a common security threat among attackers. A strong password does not only consist of numbers, but also symbols and a combination of upper and lowercase letters. Having a variety of passwords may be beneficial just in case one of your passwords becomes compromised.

Anti-Virus, Firewalls, and Anti-Malware
Viruses and malware can spread in many ways including through downloads, pop-ups, email attachments, links, and even over networks. It is very important to keep an anti-virus and anti-malware running on your computer to ensure protection. There are many times where you may accidentally click on a pop-up while trying to close it, and if that protection isn’t running on your computer to fight off the attack, it could cause major damages. If you are not sure what type of anti-virus/anti-malware to use, there are many free trials available on cnet.com.  Popular anti-virus software such as McAfee, Norton, and Avast are a few that you can “try before you buy”. Firewalls on the other hand are already installed on your desktop or laptop computers. Enabling your firewall protects your computer from network attacks and threats. If you are a mobile browser such as myself, these software are available for installation, simply by visiting your mobile’s application market.

Updates
Using updated software, plugins, and web browsers are critical to stay protected. By changing user settings to “automatically update”, that will ensure your software is always up-to-date. Often after an update, the software may prompt you to reboot the computer so that changes may be applied. Without properly updating software, plugins, and browsers, that may open up a window for an attack.

Tips
From a business and individual standpoint, it is important to stay educated. Always pay attention to the news regarding internet safety and changes. Don’t be afraid to share tips with family and friends. Browse and download safely from the websites and applications that you trust. Having control over your online safety is the way to keep YOUR privacy private.


References:
http://www.staysafeonline.org/business-safe-online/monitor-threats/
http://www.staysafeonline.org/business-safe-online/protect-your-customers/
http://www.forbes.com/sites/jameslyne/2013/10/22/computer-virus-spreading-that-means-you-never-get-to-see-your-files-again/
http://download.cnet.com/windows/antivirus-software/
Posted by at 6 comments:
Labels: , , , , , , , , ,
Subscribe to: Posts (Atom)

Wikipedia

Search results