Fatma Bazargan’s blog

web application security issues
December 30, 2008, 12:10 pm
Filed under: Security

Throughout this year most of us wouldn't deny that web application security issues and vulnerabilities have been the biggest problem: SQL injection, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and websites carrying malicious code or data- and password-stealing code, to name a few. It is one of two things: either organizations are spending immensely on securing everything else and leaving out the web-based apps, or the majority of malicious activity is simply becoming web-based.
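As an added example (written for this page, not taken from the original post), here is the SQL injection class named above, shown as a login check that pastes user input straight into the query text next to the same check done with a parameterized query. The table, the single user record and the tautology payload are constructed for the demonstration; it uses Python's bundled sqlite3 module so it runs offline.

```python
"""Added example: SQL injection in a login check, vulnerable vs parameterized.
The schema, the user row and the payload are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user with a (deliberately weak) password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before': user-controlled strings become part of the SQL text, so a
    quote in the input ends the string literal and rewrites the WHERE clause."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: the query text is fixed; values travel as bound parameters, so a
    quote in the input stays data and never reaches the SQL parser as syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


# Classic tautology payload: closes the string literal and ORs in a true predicate.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run both checks with a valid login and with the payload in both fields."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret"),        # True
        "valid_param": login_parameterized(conn, "alice", "s3cret"),    # True
        "injected_vuln": login_vulnerable(conn, INJECTION, INJECTION),  # True: bypass
        "injected_param": login_parameterized(conn, INJECTION, INJECTION),  # False
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'rejected'}")
```

With the payload in both fields the concatenated query reads `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`; the trailing `OR '1'='1'` makes the predicate true for every row, so the vulnerable check accepts an attacker who knows no credentials at all, while the parameterized check simply looks for a user literally named `' OR '1'='1` and finds none.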


Some great preventative measures have been released by the Internet Crime Complaint Center (IC3); in addition, WhiteHat Security has great statistics on the same subject.


Cisco also had a word on this in its 2008 Annual Report:

“Online security threats continued their growth in 2008. Online criminals combined spam, phishing, botnets, malware, and malicious or compromised websites to create highly effective blended threats that use multiple online vectors to defraud and compromise the security of Internet users.”


Not to forget: Acunetix, the Websense Threat Resource Center, Sophos, the APWG, ScanSafe, and many others.


I’m sure we will see some interesting web app security issues in 2009!







A Blessed New Hijri Year 1430
December 29, 2008, 7:40 am
Filed under: Blogging

Happy New Year to all

In the name of Allah, the Most Gracious, the Most Merciful

“And say: My Lord, let me enter with a true entry and let me exit with a true exit, and grant me from Yourself a supporting authority.”

Surah Al-Isra, 80

My heartfelt wishes to all for a year full of goodness, happiness, health and success, God willing.

Best wishes to all for the new year.


Fatma Bazargan



December 25, 2008, 11:34 am
Filed under: Security


The credit for this post goes to BinGiba (thanks mate!).



I'm sure you all remember my previous post about autorun-based malware, where I described how it works and some of the possible workarounds. We all know that more of this autorun-based malware appears every day, and the most common way it propagates is through USB sticks.


Today, thanks to BinGiba, I read about a small, nifty freeware program called Ninja Pendisk. It is designed to guard computers against viruses transmitted by USB pen drives and can uncover commonly malicious files such as “autorun.inf” and “ctfmon.exe”, among many others. It also immunizes the pen drive by creating a folder called autorun.inf with special protection permissions, so the drive cannot be infected again when plugged into an infected computer.


Side note: ==== I simply hate autorun based malware. ====


Ninja Pendisk is fully portable, self-contained and requires no installation. The tool can update itself from a known web server, fetching an updated list or a newer version, but you have to add an exception to your firewall to allow that.


For the more technical among you: a file called ninja.txt holds the database of dangerous files and the actions to take in order to immunize pen drives, so modify it only if you have enough expertise to play with it. I will not say much about the LAN chat feature it has, a one-to-all broadcast. Oh, and it works on XP and Vista only.
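As an added example (Python written for this page, not Ninja Pendisk's own code), here is a minimal version of the two behaviours described above: scanning a drive root for a watchlist of file names, and immunizing the drive by reserving the autorun.inf name with a directory so that no file of that name can be created. The two watchlist names come from the post; the marker file name, the Windows `attrib` call standing in for the tool's "special protection permissions", and the temporary directory used as a stand-in "drive" are assumptions. Two caveats a practitioner would want: ctfmon.exe is a legitimate Windows component when it lives in System32, and it is a copy sitting at the root of a removable drive that is the indicator here; and immunizing the stick only stops it from being used as a carrier, it does not clean an already infected PC.

```python
"""Added example: scan a removable-drive root for known autorun-malware file
names and immunize it by reserving 'autorun.inf' as a directory."""
import os
import subprocess
import tempfile

# Assumption: the two names the post mentions, as seen at a drive root. The real
# tool keeps a larger list in ninja.txt. ctfmon.exe is legitimate in System32;
# only its presence at the root of a removable drive is suspicious.
WATCHLIST = {"autorun.inf", "ctfmon.exe"}

# Assumption: a marker file so the reserving directory is never empty.
MARKER = "immunized_by_example.txt"


def scan_root(root: str) -> list:
    """Return watchlist names present as *files* directly under root.
    Compared case-insensitively, as Windows filesystems are."""
    hits = []
    for name in os.listdir(root):
        if name.lower() in WATCHLIST and os.path.isfile(os.path.join(root, name)):
            hits.append(name)
    return sorted(hits)


def immunize(root: str) -> bool:
    """Reserve the name autorun.inf with a directory, so malware cannot create
    the autorun.inf file that Windows would honour on insertion. Refuses
    (returns False) while a real autorun.inf file is present: that file is
    evidence to inspect and remove, not to overwrite silently. Returns True
    once the directory is in place."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        return False
    if not os.path.isdir(target):
        os.mkdir(target)
        with open(os.path.join(target, MARKER), "w") as fh:
            fh.write("Do not delete: blocks autorun.inf-based malware.\n")
    if os.name == "nt":
        # Assumption: read-only, hidden and system attributes make casual
        # deletion harder. The page does not document the tool's exact
        # permissions, so this is a stand-in for them.
        subprocess.run(["attrib", "+r", "+h", "+s", target], check=False)
    return os.path.isdir(target)


def is_immunized(root: str) -> bool:
    """A drive counts as immunized when autorun.inf exists and is a directory."""
    return os.path.isdir(os.path.join(root, "autorun.inf"))


def demo() -> dict:
    """Constructed scenario: a temp directory stands in for an infected USB root."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("autorun.inf", "ctfmon.exe", "holiday_photos.jpg"):
            open(os.path.join(root, name), "w").close()
        found = scan_root(root)
        refused = immunize(root)                 # real autorun.inf still there
        for name in found:                       # the clean-up step
            os.remove(os.path.join(root, name))
        done = immunize(root)
        return {
            "found": found,                      # ['autorun.inf', 'ctfmon.exe']
            "immunize_while_infected": refused,  # False
            "immunized": done,                   # True
            "found_after": scan_root(root),      # []: a directory is not a file
            "is_immunized": is_immunized(root),  # True
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The refusal in `immunize` is deliberate: if a real autorun.inf file is present the stick is already carrying something, and the right order of operations is to scan, remove the dropper files, and only then reserve the name.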


A complete forum thread about it is here, and the blog is here.



Happy Ninja(ing);

Fatma Bazargan


APWG/CMU Phishing Education Landing Page Program
December 23, 2008, 8:23 pm
Filed under: Security

Straight from the APWG News Desk:

“The APWG's Internet Policy Committee (APWG-IPC) and Carnegie Mellon University's Supporting Trust Decisions Project (STDP) have joined forces to educate consumers about phishing and established the APWG/CMU Phishing Education Landing Page program. The goal of this initiative is to instruct consumers on online safety at the “most teachable moment”: when they have just clicked on a link in a phishing communication.

Here's how it will work:

  • The APWG-IPC and CMU's STDP created a webpage to educate users about phishing. The page (http://education.apwg.org/r/en/) explains that they have just fallen for a phishing communication (email or otherwise) and advises consumers and enterprise users of ways they can help themselves avoid being victimized in the future.

  • As part of the process for shutting down a phishing site, we are asking ISPs, registrars, and anyone else who has control of the phishing page to take the following steps:

    o Determine if the brand being phished has approved having the phishing site URLs re-used to redirect their customers (who've been fooled) to this educational page.

    o If the brand has approved the use of the redirect, instead of serving an error page when a customer arrives at the URL, redirect them to the APWG/CMU Phishing Education Landing Page.

The APWG-IPC created a separate webpage that will help the manager of the company whose servers have been co-opted for use in a phishing attack learn how to initialize redirects to the APWG/CMU education page.

The APWG and CMU's STDP encourage all brand owners to approve this process, all takedown providers to request the use of this redirect scheme, and all ISPs, registrars, registries, etc. to redirect to this page instead of serving an error page.”

Word to spread: I found their Phishing Education Landing Page very informative, because a normal user can picture the situation far better from it than from just reading about phishing. So send the link to your colleagues and friends and help educate others about phishing.

spread it across,


Various Reads
December 23, 2008, 8:14 pm
Filed under: Security


Hong Kong (place to be)


I have lost count of how many times my friends have accused me of being paranoid about the whole security issue, but let's face it: isn't security an integral part of everything in our lives? (Trying to find an excuse for the paranoia!)


Anyway, these were my best reads of the week:

  • I recall that at MEITSEC this year I took part in a panel discussion on justifying security spending to higher management, and interestingly I came across a great read by Jeremiah Grossman on the same subject; you will enjoy the five approaches he discusses in detail.
  • It is apparent that most security flaws breed at the web browser level, not forgetting the recent security alert about the exploits found in Internet Explorer and Firefox. So a good tip might be to refrain from checking your email in a web browser and use a mail client instead (bearing in mind that a mail client which renders HTML with the browser's own engine shares the browser's exposure). On a side note, I'm sure by now you are all patched with the latest Microsoft IE security update, MS08-078. If not, do so.
  • I have no idea how many of you use encryption for your confidential files and drives, but good free programs are TrueCrypt (for Windows and Linux users), easy to use yet effective, and QuickEncrypt (for Mac users). It's time to encrypt stuff, folks.
  • The Websense blog had a great post about Google sponsoring links to websites that host malware and redirect users to rogue anti-virus software (read the part where they explain how that malicious link reached the top of the search results). The post ended with:

“It seems that we live in a world where functionality comes first and security later. Online services typically have the attitude that it's better to introduce functionality (and realize revenue) first, and then make the services more secure later. This time gap between functionality and security, however, leaves users exposed to all sorts of crimeware abuse, with the resulting losses of money, time, and peace of mind.”


My thought on this post: I believe that if every user started out with a security mindset and was aware enough to think twice and verify the facts before clicking on links or entering credentials anywhere and everywhere, we would have fewer infections and bots to worry about and clean up.


That’s all for now,


Unpatched Internet Explorer Vulnerability
December 14, 2008, 2:25 pm
Filed under: Security


You can read more about it at Microsoft Security Advisory (961051) – Vulnerability in Internet Explorer Could Allow Remote Code Execution.


Learn more about the explanation of the workarounds here.


Read about the exploit sites at ShadowServer.


You can read more about it at the SANS ISC.


Final word: work on the workarounds, folks; yes, it's serious! It has been confirmed that exploit code has been released in the wild and can be used against the unpatched Internet Explorer 7 vulnerability.


Enjoy working on the workarounds,

Fatma Bazargan


Links of Interest
December 13, 2008, 8:39 pm
Filed under: Security


This post is dedicated to all of those who emailed me asking about my top ten links that I don’t miss visiting every single day. So there you go.

Note: if anyone of you has something interesting other than the ones I mentioned just list it in the comment box.

Dancho Danchev's Blog, SANS Internet Storm Center, Securosis, Vulnerability Management and Pentesting Solutions, Websense Security Labs Blog, Arbor Networks Security Blog, Schneier on Security, Wired, Network Security Blog, Dark Reading, Network Security Podcast, and of course Radajo.



Fatma Bazargan