Filed under: Security

web application security issues
Throughout this year most of us wouldn’t deny that web application security issues and vulnerabilities have been the biggest issue. SQL Injection, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and websites carrying malicious code and data/password-stealing code are a few to name. It’s one of two: either organizations are spending immensely on securing everything else and leaving out the web-based apps, or simply the majority of malicious activity is becoming web-based.
Some great preventative measures were released by the Internet Crime Complaint Center (IC3); in addition, WhiteHat Security has great statistics on the same.
Cisco also had a word in their 2008 Annual Report:
“Online security threats continued their growth in 2008. Online criminals combined spam, phishing, botnets, malware, and malicious or compromised websites to create highly effective blended threats that use multiple online vectors to defraud and compromise the security of Internet users.”
Not to forget: Acunetix, WebSense Threat Resource Center, Sophos, APWG, ScanSafe, and many others.
I’m sure we will see some interesting web app security issues in 2009!
Rgds;
Fatma
Filed under: Blogging

Happy New Year to all
In the name of God, the Most Gracious, the Most Merciful
“And say: My Lord, cause me to enter a sound entrance and to exit a sound exit, and grant me from Yourself a supporting authority.”
Surah Al-Isra 80
My heartfelt wishes to everyone for a year full of goodness, happiness, health and success, God willing.
And may every year find you all well.
Regards..
Fatma Bazargan
Filed under: Security

Ninja(ing)
the credit of this post goes to BinGiba (thanks mate!)
I’m sure you all remember my previous post about Autorun-Based Malware, where I mentioned how it works and what some of the workarounds can be. We all know that every day more of this autorun-based malware is on the rise, and the most widely used way it propagates is through USB sticks.
Today, thanks to BinGiba, I read about a small nifty freeware program called Ninja Pendisk. It is designed to guard computers against viruses transmitted by USB pendisks, and it can uncover the commonly malicious or virulent files known as “autorun.inf” and “ctfmon.exe”, amongst many others. It also immunizes the pendisk: it creates a folder called autorun.inf with special protection permissions, so that the pendisk cannot be infected again when plugged into infected computers.
Side note: ==== I simply hate autorun based malware. ====
Ninja Pendisk, as it’s called, is fully portable, self-contained and requires no installation. The tool can update itself from a known webserver to fetch an updated list or a newer version, but then you have to make an exception on your firewall to allow that.
Depending on your technical level: there is a file called ninja.txt that contains the database of dangerous files and the action to be taken in order to immunize pendisks, so make sure to modify it only if you have enough expertise to play with it. I will not talk much about the LAN Chat feature it has :) it’s a one-to-all, like a broadcast. Oh, and it works on XP and Vista only.
A complete forum talking about it is here. The blog is here.
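The immunization step described above (occupying the autorun.inf name with a protected folder so malware cannot drop its own autorun.inf) can be reproduced by hand. The script below is an added example, not part of the original post and not Ninja Pendisk’s own code; the drive letter and the script name are assumptions, and it relies only on attrib.exe and icacls.exe, which ship with Windows.

```powershell
# Immunize-Pendisk.ps1 (hypothetical name) - added example, not Ninja Pendisk's code.
# Usage: .\Immunize-Pendisk.ps1 -Drive E:   (drive letter is an assumption; check yours first)
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive
)

$target = "$Drive\autorun.inf"

# Step 1: an existing autorun.inf *file* is the indicator the post talks about.
# Report it for review rather than silently deleting it.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    Write-Warning "Existing autorun.inf file found at $target; inspect it before removing it."
    Get-Content -LiteralPath $target -ErrorAction SilentlyContinue | Select-Object -First 20
    return
}

# Step 2: create the autorun.inf folder if it is not already there. Windows will not
# let a file be created under a name that a directory already occupies.
if (-not (Test-Path -LiteralPath $target -PathType Container)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# Step 3: mark the folder hidden, system and read-only so casual tools leave it alone.
attrib.exe +h +s +r $target

# Step 4: on NTFS-formatted sticks, deny Everyone the rights needed to delete or
# replace the folder (delete, write data, append data, write DAC, write owner).
# FAT32 has no ACLs, so there we rely on the attributes only.
$fs = (New-Object System.IO.DriveInfo $Drive).DriveFormat
if ($fs -eq 'NTFS') {
    icacls.exe $target /deny 'Everyone:(DE,WD,AD,WDAC,WO)'
} else {
    Write-Host "Filesystem is $fs (no ACLs); relying on attributes only."
}

Write-Host "Immunized $target"
```

Malware that runs as Administrator can still remove the deny entry on NTFS, so treat this as a speed bump rather than a guarantee; disabling autorun on the host remains the stronger workaround.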
Happy Ninja(ing);
Fatma Bazargan
Filed under: Security

APWG/CMU Phishing Education Landing Page Program
Straight from the APWG News Desk (continue reading)
“The APWG’s Internet Policy Committee (APWG-IPC) and Carnegie Mellon University’s Supporting Trust Decisions Project (STDP) have joined forces to educate consumers about phishing and established the APWG/CMU Phishing Education Landing Page program. The goal of this initiative is to instruct consumers on online safety at the “most teachable moment”: when they have just clicked on a link in a phishing communication.
Here’s how it will work:
- The APWG-IPC and CMU’s STDP created a webpage to educate users about phishing. The page (http://education.apwg.org/r/en/) explains that they have just fallen for a phishing communication (email or otherwise) and advises consumers and enterprise users on ways they can help themselves to avoid being victimized in the future.
- As part of the process for shutting down a phishing site, we are asking ISPs, registrars, and anyone else who has control of the phishing page to take the following steps:
  - Determine if the brand being phished has approved having the phishing site URLs re-used to redirect their customers (who’ve been fooled) to this educational page
  - If the brand has approved the use of the redirect, instead of serving an error page when a customer arrives at the URL, redirect them to the APWG/CMU Phishing Education Landing Page
The APWG-IPC created a separate webpage that will help the manager of the company whose servers have been co-opted for use in a phishing attack learn how to initialize redirects to the APWG/CMU education page:
http://education.apwg.org/r/how_to.html
The APWG and CMU’s STDP encourage all brand owners to approve this process, all takedown providers to request the use of this redirect scheme, and all ISPs, registrars, registries, etc. to redirect to this page instead of serving an error page.”
Word to Spread: I found their Phishing Education Landing Page very informative, because a normal cyber user can visualize it better than by just reading, so send the link to your colleagues and friends and help educate others about phishing.
spread it across,
FBazargan
Filed under: Security

Hong Kong (place to be)
I fail to remember the number of times my friends have accused me of being paranoid about the whole security issue, but let’s face it: isn’t security an integral part of everything in our life? (trying to get an excuse for the paranoia!)
Anyways, these were my best reads of the week:
- I recall that back at MEITSEC this year I was involved, among others, in a panel discussion on justifying security spending to higher management, and interestingly I came across a great read by Jeremiah Grossman on the same topic; you will enjoy the five approaches he talks about in detail.
- I guess it is apparent that most security flaws breed at the web browser level, not forgetting the recent security alert about the exploit found in Internet Explorer and Firefox. So a good tip can be: refrain from checking your e-mails using web browsers and use e-mail clients instead. On a side note, I’m sure by now you are all patched with the latest IE Microsoft security update, MS08-078. If not, then do so. :)
- I have no idea how many of you out there use encryption for your confidential files and drives, but a good free program can be TrueCrypt (for Windows and Linux users), easy to use and yet efficient when it comes to security, and QuickEncrypt (for Mac users). It’s time to encrypt stuff, folks.
- The Websense Blog had a great post about how Google is sponsoring links to websites that host malware and redirect cyber users to rogue anti-virus software (read the part where they highlight how that malicious link reached the top of the search results). The post ended with…
“It seems that we live in a world where functionality comes first and security later. Online services typically have the attitude that it’s better to introduce functionality (and realize revenue) first, and then make the services more secure later. This time gap between functionality and security, however, leaves users exposed to all sorts of crimeware abuse, with the resulting losses of money, time, and peace of mind.”
My thought on this post: I believe that if each cyber user had a security mindset to start with and was fully aware enough to have a second thought and verify the facts before clicking on various links or entering their credentials anywhere and everywhere, then I would say we would have fewer infections or bots to worry about and clean.
That’s all for now,
Fatma.
Filed under: Security

You can read more about it at Microsoft Security Advisory (961051) – Vulnerability in Internet Explorer Could Allow Remote Code Execution.
Learn more about the Explanation of the workarounds here
Read about the Exploit Sites at ShadowServer
You can read more about it at ISC SANS
Final Word: work on the workarounds, folks; yes, it’s serious! It has been confirmed that code has been released in the wild that might be misused to exploit an unpatched Internet Explorer 7 vulnerability.
Enjoy working on the workarounds,
Fatma Bazargan
Filed under: Security

This post is dedicated to all of those who e-mailed me asking about my top ten links that I don’t miss visiting every single day. So there you go.
Note: if any of you has something interesting other than the ones I mentioned, just list it in the comment box.
Dancho Danchev’s Blog, SANS Internet Storm Center, Securosis, Vulnerability Management and Pentesting Solutions, Websense Security Labs Blog, Arbor Networks Security Blog, Schneier on Security, Wired, Network Security Blog, Security Dark Reading, Network Security Podcast, and of course Radajo
Cheerz,
Fatma Bazargan
Filed under: Security

Certainly we know that free e-mail services (Gmail, Hotmail, Yahoo, etc.) are convenient not only for sending and receiving personal messages between family and friends but also for joining forums, online shopping and so on. They are just another way to refrain from using work e-mail IDs for unnecessary communication.
However, I have noticed a common behavior among some really high country officials around the globe: using these free e-mail services for official communication, and by official I also mean sharing classified and confidential information!! Folks, since when do we use Hotmail and Yahoo for official communications?!
Yes, I’m aware that you receive 8GB of space with Gmail and a certain number of GBs with Hotmail; I do understand that it is available and accessible from whatever workstation on this planet you want to log in from, and that you are getting way too many features, so many that you may never use all of them. But they remain free e-mail services, which means they aren’t liable if you lose any of your e-mails, they aren’t liable if the service is unavailable or inaccessible, they are certainly not accountable if your account is compromised or hacked, and they definitely aren’t liable for the PRIVACY of your e-mail. So no matter what features you get with them, as long as you are uncertain about preserving and safeguarding the confidentiality and privacy of your so-called “official communication e-mails” and your account, simply don’t use them. I believe that it is a completely unhealthy trade-off to compromise confidentiality and privacy for ease of use in official communication.
Interestingly, you may want to read this piece of news from itexaminer.com where an official from the Prime Minister’s office in India (yes, you heard me right!) says “Do not use G-mail for official communications!” Well, as I mentioned in my previous post: “Closing the barn door and shutting the stall doors after the horse has left is not ‘due diligence’.”
Word to Spread: Don’t use Free E-mail Services for official communications?!!
Regards;
Fatma Bazargan
Filed under: Security

Under the patronage of Lieutenant General His Highness Sheikh Saif bin Zayed Al Nahyan, Minister of Interior, the Judicial Training and Studies Institute and the Abu Dhabi Police General Headquarters, in cooperation with the Telecommunications Regulatory Authority and Microsoft, are organizing the Second International Conference on Combating Information Technology Crimes on 15 December at the Beach Rotana Hotel in Abu Dhabi.
The conference is being held amid the state’s growing interest in combating this type of crime, as the United Arab Emirates is the first Arab country to enact a dedicated law for such crimes: Federal Law No. 2 of 2006 on Combating Information Technology Crimes.
Conference objectives:
1- Providing participants with knowledge of the crimes arising from the use of modern technologies: first session
2- How to confront and limit these crimes: first session
3- Reviewing the experiences of other countries in this field: second session
4- The procedures to be followed and the position of the international community on them: third session
I will present my paper in the third session; it will be on the role of the Computer Emergency Response Team in combating information technology crimes.
Regards
Fatma Bazargan
Filed under: Blogging

Eid Mubarak to everyone, and may every year find you well.
Many thanks to brother Basel Al-Mishal for the wonderful design.