In the News :: 2007 Archives ::
Security Researcher Promotes Concept of 'Safe' and 'Promiscuous' Web Browsers
A quick tip for keeping yourself safe online--if you don’t mind extreme web browsing
For the most part, the defense against Cross Site Request Forgery (CSRF)--considered one of the most insidious but least appreciated threats in application security--must come from websites themselves, not ordinary web users. To ensure that criminals can’t trick an unknowing user’s web browser into sending unauthorized requests to the websites where they do online banking or other sensitive activities, web developers must increase the number of times they authenticate customers and make other changes in how sites are programmed. But Jeremiah Grossman, CTO at WhiteHat Security and one of the country’s most prominent application security researchers, has a workaround he uses to protect himself online. It involves having two browsers: one, which he calls the “promiscuous” browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscuous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser. The approach works because then, even if Grossman encounters the CSRF attack while online, the website where he does sensitive activities won’t execute any orders it receives from his browser. "The bad guys are just looking in the off chance someone is logged into that particular website," Grossman says.
Read article online at CSO ›››

Businesses must Realize that Full Disclosure is Dead
Full Disclosure is dead. Let me explain why. The information security world has changed, even if some don't see it or are unwilling to accept it. Vulnerability disclosure discussions based upon ethics are morally antiquated and naïve at best considering today's cyber-security climate. “Responsible disclosure,” supported by industry power players (sage old men and large software vendors), demands that security researchers who discover new vulnerabilities first privately share them with the software vendor (to develop a patch), then publicly advertise the impact to persuade people to patch. Researchers must also navigate the entire and often time-consuming disclosure process without receiving or asking for monetary compensation...
Read article online at SC Magazine ›››

Find your Web App Vulnerabilities...please
The busy holiday shopping season is upon us. Every day, millions of people log in to Web applications to make purchases. As long as they see the "yellow lock" icon on the bottom of the screen, they figure their transaction is safe, but that's not always the case. As the use of Web applications becomes more prominent, so, too, does the number of security incidents involving Web apps. Web application vulnerabilities are a widespread problem. According to WhiteHat Security, eight out of 10 Web sites have serious flaws. A January 2007 report published by WhiteHat estimated that about 71% of Web sites are vulnerable to cross-site scripting (XSS), followed by information leakage (30%), predictable resource location (28%), content spoofing (26%), insufficient authentication (21%) and SQL injection (20%)...
Read article online at Network World ›››

Researchers Thankful for New Paypal Policy
It may be the protection and peace of mind that Web application security researchers have been waiting for: PayPal's new vulnerability disclosure policy states that the company won't take any legal action against a researcher who properly follows its procedure for reporting bugs in its software. (See Laws Threaten Security Researchers). "I would certainly hope it's the start of a trend," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who blogged on this development late yesterday. Grossman says there have been other signs of hope lately as well for freeing Web app security researchers to do their work without the worry of legal implications: a Microsoft panelist last week at the OWASP and Web Application Security AppSec 2007 Conference said the company wouldn't take action against anyone who finds bugs in its Websites. "But Microsoft has not gone so far as to document that publicly like PayPal," Grossman says...
Read article online at Dark Reading ›››

It’s one week until Nov. 26, traditionally the busiest day for online shoppers. Cyber Monday, the Monday after Thanksgiving, is expected to ring up more than $600 million in sales -- and attract cybercrooks. So what should skittish consumers do to protect themselves? Security experts, such as Jeremiah Grossman, chief technology officer of WhiteHat Security, offer a list of safety tips:
1. Switch your web browsers to Firefox, Safari or anything besides Microsoft’s Internet Explorer. The popular IE is often in the cross hairs of computer viruses, spyware and adware.
2. Enhance your web browser security. There are several options, including eBay Toolbar, Google Toolbar and NoScript, a Firefox extension. These add-ons help identify phishing websites.
3. Do not click on links in e-mail. E-mail attachments are a breeding ground for viruses and worms.
4. Use unguessable passwords on your web mail accounts.
5. Use a single credit card for online purchases. Limit the damage, in the event that someone steals your credit-card number. Also, refrain from using a debit card online since they do not carry the consumer legal protections of credit cards...
Read article online at USA Today ›››

WhiteHat Security Puts MSSP Feather in Cap
WhiteHat Security's Web site vulnerability management service is being included in a managed security platform.
WhiteHat Security's Web vulnerability assessment service has been woven into an independent managed security service platform for the first time, extending the company's ability to deliver security to different segments of the market. SecurView, an Edison, N.J., provider of risk assessment and managed security services, will integrate WhiteHat Sentinel into its managed services platform. The move offers SecurView customers security at all layers of their infrastructure, from the network to publicly facing Web applications, SecurView officials said...
Read article online at eWeek ›››
Web security expert Jeremiah Grossman talks Web security meltdown, the dangers of surfing – big waves and the Web – and Brazilian jiu-jitsu
Jeremiah Grossman worries that Web security is nearing the breaking point. "Right now we have a really good understanding of how broken the Web is, and I think the inflection point is coming," he says. It's just a matter of when the bad guys decide to set their sights more on Websites than client machines, he says: "When is Web app security going to experience its first 'Blaster?'" The Web security pioneer, who today is considered one of the top experts in the hot area of Web application security, says there's no way to rebuild the around 135 million Websites overnight. "The Web is already built, and any mistakes have already been made," says Grossman, who is founder and CTO of WhiteHat Security, a Web security services firm...
Read article online at Dark Reading ›››

Security Experts: Merchants Racing to the Bottom for PCI Certs
By Lisa Vaas
Some security experts say merchants put getting PCI-certified above actually improving security. Security experts are starting to grumble about the Payment Card Industry Data Security Standard, saying that some merchants just want to get PCI-certified as cheaply and easily as possible—and that the PCI certification system is set up to help them do just that. "The entire system seems to be set up not to find vulnerabilities," Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, based in Santa Clara, Calif., and one of 135 security firms on the PCI Security Council's list of ASVs (Approved Scanning Vendors), said in an interview with eWEEK...
Read article online at eWeek ›››

Security experts, malware ninjas and hackers of all shades packed the hallways of the Palace Tower conference area at Caesar's Palace in Las Vegas Aug. 1 and 2 for the 11th Annual Black Hat Briefings USA conference. The event provides security pros with a venue for outlining the latest flaws, both technological and human, in today's digital defenses. While it's likely a portion of Black Hat's attendees make their living through -- or at the very least dabble in -- illegal activities like piracy and identity theft, the conference is not an underground gathering of criminals. It's sponsored by legitimate security vendors, and presenters expose flaws with the intention of showing the industry where its own weaknesses lie. The point is to get burned in a controlled environment. It beats getting burned in the wild...
Read article online at TechNewsWorld ›››

Automated Application Security Tools - Useful, but not a Replacement for Human Eyes and Brains
... Then today I read this post over at the GNUCITIZEN blog, which references Jeremiah Grossman's post about the same thing. Jeremiah shows his frustration with some companies that put out these products because they say they can check for certain problems, but in the real world, they fail to perform as promised by marketing. Now granted, Jeremiah's company has their own app security tool, so that has to be taken into consideration when looking at his post (not saying he is dishonest, but maybe biased a little). But Jeremiah's company also combines testing by real people with the tool, which makes for a much better result (I have never used Jeremiah's services - I just know the one-two punch is more effective)....
Read article online at ComputerWorld ›››
Experts claim that many companies are unknowingly leaving the door open for outsiders to infiltrate and attack their corporate intranets using new hacking techniques such as cross-site request forgery
Companies looking to improve their overall security posture may want to look for vulnerabilities in a place where they never might have expected to be attacked -- their corporate intranets. According to two leading security researchers presenting at the ongoing Black Hat 2007 security conference in Las Vegas on Wednesday, many companies are unintentionally leaving the door to their IT operations unlocked by failing to adequately protect their internal Web sites...
Read article online at InfoWorld ›››
Your Web mail account is a treasure trove of private and potentially valuable information--and thieves know it. In an online interview, one phisher claimed to make thousands of dollars every day by breaking into people's E-mail accounts and searching for messages that contain financial details. Normally you can't tell whether you've been hacked in this way. Even if you cannily leave a juicy-sounding e-mail unread, a thief or snoop may read it and then return its status to unread. But with a little bit of know-how, you can create an electronic trip wire that will trigger whenever someone reads a rigged e-mail...
Read article online at Washington Post ›››
Jeremiah Grossman, founder and CTO of WhiteHat Security, has agreed to be interviewed for the security lab, and we certainly thank him for his time.
Thank you, it's my pleasure.
What can you share about the web app security market segment, growing, shrinking, becoming more sophisticated?
After about a decade, the Web application security market has finally come into its own as businesses have embraced its importance. Several distinct solutions have emerged to include vulnerability management providers (like WhiteHat), developer tools (scanners), Web application firewalls, and consultants to fill in the professional services gaps. Each segment solves a particular business problem and successful vendors are experiencing huge growth. Speaking for WhiteHat Security, we've been doubling or tripling our business each year for the last several years...
Read article online at SANS ›››
New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant
Forensic investigations start at the end. Think of it: You wouldn’t start using science and technology to establish facts (that’s the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding. A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who’d planted it to establish a secure tunnel so he could work undetected and “get root”—administrator’s access to the aquarium network...
Read article online at CSO ›››

What if a Web researcher found a bug on your Website today -- but was too afraid of the law to tell you?
The Computer Security Institute (CSI) recently formed a working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents to explore the effects of laws that might hinder Web 2.0 vulnerability research. And the CSI group's first report -- which it will present on Monday at CSI's NetSec conference in Scottsdale, Ariz. -- has some chilling findings. In the report, some Web researchers say that even if they find a bug accidentally on a site, they are hesitant to disclose it to the Website's owner for fear of prosecution. "This opinion grew stronger the more they learned during dialogue with working group members from the Department of Justice," the report says...
Read article online at Forbes ›››
Every year, InfoWorld honors senior IT executives who've demonstrated leadership within their companies and the IT community. This year, we're pleased to have a particularly strong group. As usual, the CTO 25 features a mix of vendor and customer CTOs, most of whom have been responsible for major initiatives that had substantial impact on their businesses. Hats off to the 25 individuals who are changing the face of IT!
Read article online at InfoWorld ›››

An Introduction to the Murky Science of Web Application Security
Where white hats and black boxes help CISOs assess just how sieve-like their web-based systems are.
Jeremiah Grossman wants you to know that firewalls and SSL encryption won’t prevent a hacker from breaking into your e-commerce website, compromising your customers’ data and possibly stealing your money. That’s because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.

The Phisher King
You see phishing attack attempts nearly every day, but what you don't see is the face behind the attack. In a rare glimpse into the mind of a phisher, hacker and security expert RSnake recently engaged an attacker who says he makes $3,000 to $4,000 dollars a day and was willing to share a bit about himself and how he operates. RSnake, a.k.a. Robert Hansen, CEO of SecTheory and Dark Reading blogger, asked the phisher, called "lithium," how he operates, what technology he uses, and just how much money he makes off these scams. Lithium, who says he's 18 and has been phishing since he was 14, said he has stolen over 20 million identities, mostly via social networking worms. "I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through," he wrote to RSnake, who today published the responses on the ha.ckers.org blog...
Read article online at Forbes ›››

AX and Hijacks
Computer Security Alert Newsletter
Web 2.0 is growing up. And we’re not ready.
MONTEREY, Calif. -- With the rise in attacks, from malware and phishing to assorted viruses and identity theft, it's no wonder the market for security software and services is booming. And with no one-size-fits-all security solution, there's plenty of opportunity for new entrants and established players to drive new revenue streams...
Read article online at internetnews.com ›››

Silverlight Declared Secure
Silverlight, Microsoft Corp.'s upcoming Web media software, may be several months from its official release, but experts have already reached a consensus -- albeit a weak one -- about how secure it will prove to be. That consensus favors Microsoft's argument that the software won't be easily exploitable by hackers. Microsoft says that Silverlight, a browser plug-in that works with Internet Explorer, Firefox and Safari, has key attributes that should prevent Silverlight from such exploits...
Read article online at Computerworld ›››

Popular Web Sites Highly Vulnerable to Attack
A report finds that banking, shopping, and other sites are likely to contain flaws that allow phishing or expose customer data.
Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today. WhiteHat Security regularly scans hundreds of "very popular, very high-traffic sites" for its online business customers, says Jeremiah Grossman, the company's founder. "More than likely, you have shopped there, or bank there," he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says...
Read article online at PC World ›››
Two hackers on Sunday began their planned month of MySpace bugs project that is expected to reveal 30 vulnerabilities this month that affect the popular social networking site. The pair, known only as Mondo Armando and Mustachio, said on their LiveJournal site Saturday that they plan to notify MySpace of each bug prior to publication, but they were not hopeful security officials would respond...
Read article online at SC Magazine ›››
Many are complaining that the Payment Card Industry Data Security Standard (PCI-DSS), that industry's self-regulation for safeguarding cardholder information, lacks teeth. Critics claim that merchants who accept credit card transactions aren’t moving fast enough to secure their systems, arguing they suffer nominal penalties (fines, added fees or transaction suspensions) for failure to comply. This is further validated by Visa’s own December statement that only one-third of the largest merchants are PCI-DSS compliant, with smaller businesses even further behind. Several industry reports are already telling us that most websites are insecure, but what this also tells us is no one knows where the vulnerabilities are. Well, except the bad guys...
Read article online at SC Magazine ›››
Vulnerability to a little-known Web-based attack could allow an attacker to have access to any data indexed by Google Desktop
The Chilling Effect: How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.
They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of all confirmed software bugs. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information and Assurance, or Cerias, an acronym pronounced like the adjective that means "no joke."
Read article online at CSO Magazine ›››

Google Vulnerability a Sign of Web 2.0 Weakness
A recently found flaw in Web-based Google applications spotlights a growing concern: how to protect IT systems and data as workers access Web-based e-mail and collaborative applications.
Read article online at SC Magazine ›››

Adobe Flaw May Be 'Worst' Bug Of 2007
Adobe has promised to patch buggy versions of its popular Reader software next week to close a cross-site scripting vulnerability that some researchers say has the potential to be the worst of all 2007...
Read article online at InformationWeek ›››

Security Risk Greater than Originally Thought
A recently discovered security weakness in the widely used Acrobat Reader software could put Net users at more risk than previously thought, experts warned Thursday. Initially, security professionals thought that the problem was restricted and exposed only Web-related data or could support phishing scams. Now it has been discovered that miscreants could exploit the problem to access all information on a victim's hard disk drive, said Web security specialists at WhiteHat Security and SPI Dynamics...
Read article online at USA Today ›››

Firewall Fright Tops 2006 Hacks
January 03, 2007 - 11:45 AM
As someone who used to spend a bit of time working with a very good firewall that is now owned by a major computer security company, the first hit on WhiteHat Security CTO Jeremiah Grossman's list of top 10 hacks last year made me glad my work now involves writing about these threats instead of fighting them...
Read article online at SecurityProNews ›››

Google fixes Gmail cross-site request forgery flaw
Haochi Chen, a 16-year-old who runs the Googlified blog, posted proof-of-concept code over the weekend that takes advantage of stored Gmail members' contact lists in JavaScript files. Jeremiah Grossman, founder and CTO of WhiteHat Security, told SCMagazine.com today that when somebody visits a malicious website exploiting the flaw, the browser makes a silent, behind-the-scenes request for that user's list of Gmail contacts. "It's a very big privacy breach," he said. "This is a very bad vulnerability that we're going to see a lot more of in 2007…Websites are not prepared to defend against. The premise is built on the way the web is designed to work (through linking pages)."
Read article online at SC Magazine ›››