Thursday, April 10, 2014

Why You Need Security Strategy and How to Develop one?

Some questions we need to address before we embark on Information Security Improvement journey!

Edward Snowden’s leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not have been previously imagined. Beyond simply snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.

When it comes to policies and strategies, it’s hard to go past the tried and tested ways of the past. The best way to make a start is by doing SWOT analysis: Strengths, Weaknesses, Opportunities and Threats. 

Look within your organisation. There are bound to be some really good things happening when it comes to Information Security. For example, you might have a very well-educated workforce that never open unexpected attachments. Or your IT team is very conscious of the potential threats to your business and have solid systems and processes in place to deal with them.

Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?

Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they across the latest threats and attack vectors?

Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.

If that’s the case in your business, look for ways to alter that culture.

Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your Information Security right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery. It’s also a great way to further the professional development of your staff.

If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.

Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.

Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.

Over the last year, it’s become apparent that the threats of last decade are really just background noise today. Sure, we need to keep our firewalls locked down and end-point protection up to date but what can you do when your hardware is compromised or a nation-state can break through your encryption?

These are real threats today. Stuxnet, back in 2010, compromised a nuclear power plant. It is believed by many that it was part of an attack by one government against another. Today, Snowden’s documents tell us that the NSA can intercept a massive array of data. And not just from enemies but from within friendly states.

  • So, when was the last time you reviewed your security policy?
  • Does it take into account new security mitigation techniques?
  • Have you adjusted the skills in your business to manage changing attack methods?
  • Is security a once-a-year audit activity?

Monday, April 7, 2014

USB Attacks Need Physical Access Right? Not Any More

Exploiting USB Driver vulnerabilities

NCC Group Research Director Andy Davis presented 'USB Attacks Need Physical Access Right? Not Any More...' at this year's BlackHat Asia in Singapore.

Due to recent advances in a number of remote technologies, USB attacks can now be launched over a network. The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

It's an interesting research, refer here to download the paper and learn more about USB Bugs.

Monday, March 24, 2014

Three of the Biggest Threats to Company’s Cyber Security

Phishing, Malicious Political Attacks & Monetary Fraud

Every business needs to address the ever-changing cyber threats that now make their way the Internet. It is not enough to merely install anti-virus software and believe that this will solve all of a business’ problems. Here are three of the biggest threats to company’s cyber security that you should know.


Phishing is a practice in which hackers gain access to private consumer data. Frequently, a hacker creates an email to look like it was issued by your company. A customer may then respond to the email and provide his or her personal information. The hacker then preys upon this disclosure and uses it to open credit cards, make unauthorized charges and take advantage of the consumer’s identity. The essence of a phishing crime is that the hacker gains the trust of the customer. They may use sophisticated tactics to learn information about your customers, such as the names of relatives. The hacker then may pretend to be one’s distant relative to ask for financial assistance from the consumer.

Businesses have a duty to protect their customers from phishing attacks. Businesses should realize that information even like consumer names can be private information. If a hacker gains access to consumer names, then he or she may use social networks like Facebook to learn more information about the customer. Businesses need to be aware of these practices and work with cyber security firms to prevent information disclosures.

Malicious Political Attacks

Businesses should also be aware that not every hacker is motivated by profits. Some hackers are residents of foreign nations and discontented with the notion of capitalism in general. These hackers are very sophisticated and using numerous methods to target specific businesses. One example of a recent attack included an attack on a satirical news company by the Syrian Electronic Army. The Syrian Electronic Army was able to hack into the servers for the news company and then make its own postings on the site. One mistake that businesses make is underestimating the abilities and sophistication of enemy nations or politically-motivated hackers.

The best way for businesses to handle attacks from politically-motivated data hackers is to be proactive in preventing attacks. Businesses should not use a reactive method of dealing with politically-motivated data hackers. A reactive method does not solve the actual issues that lead to the hacking of business accounts. A reactive method also does not provide security to a business, because a business may still be attacked by army hackers in the future.

Monetary Fraud Hackers

Unlike the Syrian Electronic Army, some hackers are only motivated by financial gain. These hackers only seek to gain access to checking accounts, savings accounts, trust funds, Social Security information and credit card information. These hackers attempt to gain access to the internal data systems of highly-profitable companies. They are very sophisticated in the tactics that they use to hack corporate accounts.

Businesses need to take preventative measures in protecting internal corporate data systems. Many businesses are realizing this and are now working with sophisticated firms to protect their internal data systems. A company can also be very selective in the access that it provides to internal information systems. If many employees have access to internal data systems, then a company may be jeopardizing the information of its customers.

More than ever, companies need to be proactive in addressing cyber security threats. Cyber threats can cause serious legal issues for companies in the event of a hack or leak. Taking time to improve a company’s data system security is an investment in the future of the company. Cyber threats are only likely to increase in the future years, and businesses must be ready to prevent these attacks.

Friday, March 7, 2014

Internet of Things is Creeping into the Average Lives of Consumers

Internet of Things Gone Wild

Thanks to rapid innovation, our lives are getting easier. But there is a price to be paid. The Internet of Things is creeping into the average lives of consumers in unexpected ways, creating new vulnerabilities even in what was once the safety of our own homes.

There’s the report late last week from California-based security firm Proofpoint uncovering the first proven Internet of Things-based attack that hijacked such smart household equipment as home routers, smart TVs, and even one unsuspecting and apparently innocent refrigerator to generate spam. The attack, which took place between December 23 and January 6, generated over 750,000 “malicious email communications” and involved over 100,000 “everyday consumer gadgets.”

Each of the below developments has been built to automatically collect data about users and send that data to others. The developers insist this data is being used to enhance the consumer experience in some way; but what they don't often reveal is all the ways that data is being used to help them make money or achieve some other objective.

Take a look at these examples and think twice before you volunteer your personal information by purchasing one of these "smart" products.

  • LG markets a fridge that sends a text when the milk runs out, and this article says experts have long warned such a gadget is an attractive "soft target" for hackers. In fact, in one recent attack on 100,000 smart gadgets, 750,000 spam emails were sent to their owners.
  • Google's smart contact lenses check in and report on your health, monitoring things like gluclose levels in your tears. One commenter's question was intended to be sarcastic, but in every joke there is a grain of truth. He asked: Will it send the wearer's glucose levels directly to the NSA or does that only happen after the contact lens syncs with Google's cloud? The fact is, if the lenses can report glucose levels, it is also technically possible to program them to report on many other types of activities, as well as more of your body contents and characteristics.
  • Wearables devices monitor physical activity and connect wirelessly to online services charged with collecting data on the wearer. If insurance companies were able to collect and use this data for their underwriting purposes (which now let employers charge employees different health insurance rates based on whether they exercise, eat right or make healthy choices), these devices could spell disaster for insurance costs... not to mention the potential impacts if employers, potential employers, family members, etc. obtain the data.    
  • Video baby monitors send signals far and wide. To test the vulnerability of these smart gadgets, a Miami TV reporter attached one of these baby-monitor receivers to the dashboard of his car. In just a few minutes, he was able to pick up images of babies and bedrooms. Traditional audio montiors are vulnerable, as well. During the summer of 2013, ABC News reported on a Houston couple who heard cursing and lewd remarks coming from their 2-year-old's baby monitor. It had been hacked.
  • A clip-on camera takes a still image every 30 seconds in an effort to "record your life." How often have you come across a photo of yourself that if taken out of context could cause others to jump to the wrong conclusion (college days, anyone)? Worse, what happens when someone with a clip-on camera enters a public restroom or locker room and takes pictures of people (or children) in various stages of undress?

Sunday, February 16, 2014

How secure is "Dropbox"?

Basic Overview and Awareness to Secure Your DropBox Account!

What's Dropbox?

Dropbox is a free and extremely easy-to-use tool for sharing files, photos, and videos, and syncing them among your devices. You can also use Dropbox to back up files and access them from other computers and devices (including smartphones and tablets), with dedicated apps for each device you own running Android, Mac Linux, Blackberry or iOS platform.

Dropbox is especially good for backing up your files online, although the biggest barriers to this are the size of your backups. You get 2GB free with Dropbox, or you can choose 100GB, 200GB, or 500GB with a monthly fee. There are also business plans that start at 1TB for five users. You’ll just have to make sure that the files you want backed up live in the Dropbox folder.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is Dropbox "Safe" to use?

The move on hosted services like Dropbox storage site raises questions about what cloud users can and should do to keep their information and data secure and compliant.

Cloud security drew attention in 2012 with Dropbox’s admission that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts.

A Dropbox employee had used the same password for all his accounts, including his work account with access to sensitive data. When that password was stolen elsewhere, the attacker discovered that it could be used against Dropbox.

This was a powerful reminder that users should rely on different passwords for each secure site and service.

Also, VentureBeat reported that the Dropbox iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.

What Encryption does Dropbox use?

Dropbox claims:
At Dropbox, the security of your data is our highest priority. We have a dedicated security team using the best tools and engineering practices available to build and maintain Dropbox, and you can rest assured that we’ve implemented multiple levels of security to protect and back up your files. You can also take advantage of two-step verification, a login authentication feature which you can enable to add another layer of security to your account.
When it comes to encryption methods Dropbox use, they state that:

  • Dropbox uses modern encryption methods to both transfer and store your data.
  • Secure Sockets Layer (SSL) and AES-256 bit encryption.
  • Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
  • Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) apps, such as those listed here.
  • Public files are only viewable by people who have a link to the file(s).
Dropbox uses Amazon’s Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon’s data security from the S3 site or, read more about how Dropbox and Amazon securely stores data.

How to Secure your Dropbox account?

Popular cloud storage service Dropbox, had a history of security problems, ranging from compromised accounts to allowing access to every Dropbox account without requiring password.

When and if you decide to use cloud services like Dropbox, the following three basic steps can help you protect your data:

  • Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
  • Use application controls to block or allow particular applications, either for the entire company or for specific group.
  • Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronised, you have full control of the safety of your data.You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else . Should your web key go missing for some reason—maybe the user simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.
How to secure your Dropbox account?
  • Enable Two-Step Verification - With two-step verification enabled, you’ll have to enter both your password and a security code from your mobile phone whenever you sign into the Dropbox website or add a new device to your account. Even if someone else knows your Dropbox password, they won’t be able to log In without the time-sensitive code from your phone.
  • Unlink devices you don’t use and view web sessions.
  • Get email notifications - Ensure email notifications are enabled so you’ll receive emails when new devices and apps connect to your account.
  • Manage linked Applications – Third-party apps often require full access to your Dropbox account, and the app retains access even if you stop using it. If the app itself is compromised or starts behaving maliciously in the future, it will be able to do damage.
  • Don’t reuse your passwords – You should use a unique password for your Dropbox account, one that you haven’t used for any other services.
  • Encrypt your Dropbox files – To protect yourself and ensure your sensitive files remain secure, you can encrypt the files you store in your Dropbox account. To access the encrypted files, you’ll need to know the encryption password – anyone without the encryption key will only see random, jumbled nonsense data.

Saturday, February 15, 2014

Four "Basic" Ways To Protect Company Data

Breach at Target appears to have started with a malware-infected email!

Target Corp. and other large retailers have made the news due to data breaches, but businesses of all sizes need to make sure they have up-to-date policies and procedures to protect private data.

The breaches at Target highlight how important it is for organizations to know how secure their networks are?

Here are four measures businesses should take to ensure their data stays private.
  • One obvious way is to make sure your business' security software is up to date and working "to make sure you don't leave holes in your technology.
  • Do you have policies and procedures in place for how employees interact with the business' server and network? Such measures include making sure employees have strong passwords for their computers and other devices, keeping their machines updated with the latest anti-virus protection and providing them with general awareness on things to watch out for, such as phishing messages (scams that ask people to give out personal information or prompt a person to click on a link that will infect their computer with malware).
  • Make sure that employees have safeguards on the personal devices they use to connect to the company's network.
  • Don't forget security measures for paper records.

Saturday, February 8, 2014

The Internet of Things

"The Internet of Things" is now finding its way into mainstream conversation!

Once a term used mostly by MIT professors and those steeped in the privacy and security field, "The Internet of Things" is now finding its way into mainstream conversation. Loosely defined as the practice of equipping all objects and people in the world with wirelessly connected, identifying, computing devices, the term represents what could be a hugely transformational way of life.  

At one time, "The Internet of Things" probably sounded like science fiction; but today, it's becoming very real. Here are a few examples of where you can literally see, hear and almost feel this phenomenon occurring in some very ordinary places:
  • TRENDnet marketed its SecurView video cameras as "secure." In fact, the cameras had faulty software that allowed anyone with the cameras' Internet addresses to hear and see what the cameras were capturing. In fact, more than 700 were hacked, creating live-streams of private locations and private moments online for the world to hear and see.      
  • Google possesses possibly more data about consumers' online activities than any other organization (Facebook, Microsoft, IBM would probably be close behind.). Now it seems, the Internet giant is on track to know as much about your offline behavior. The company recently purchased Nest, which makes "smart" thermostats and smoke/fire alarms that track indoor-activity data. They have stated they plan to create many more of these types of smart gadgets. How much personal information will Nest share with Google, and how will that information be used?
  • A range of smart-home and smart-car technology allows consumers the ability to control access and features of their houses and vehicles. But who else might gain the same level of control? And what will happen when "smart" cars and appliances can function on their own without human intervention? As this Guardian article contends, they will certainly be tempting to hackers.

Sunday, February 2, 2014

Cybersecurity in the age of "Surveillance"

How to assure that your network and its data are being guarded by a trusted partner?

The collection of information generated from the online activities of citizens, by both private and public interests, has become so widespread and pervasive that it has prompted several social commentators to label today’s digital-defined culture as “The Surveillance Age.”

The fact that nearly every sovereign state with the means is conducting high-tech surveillance programs, a practice that is considered by most to be integral to national security and ensuring the safety of the state and its citizens. For many observers, the most disconcerting component of the recently exposed data-collection activities of the National Security Agency was tied to multiple U.S. companies may have cooperated in the surveillance activities.

The possibility that trusted businesses could be leaving digital backdoors through which sensitive information could slip has cast a chill across both consumer and professional market sectors. This issue is not for us to speculate here; however, given the interest it has attracted, it would be valuable to share some fundamental information about mobile security, as well as some guidance to assure that your network and its data are being guarded by a trusted partner.

A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) or in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization. Strong encryption guards against data integrity compromises in these environments, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy

It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. To gain a deeper understanding of encryption requires an introduction to a few esoteric cryptography terms. One of those terms is entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a very high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have the more effective your encryption can be. Consider the differences between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios. 

Any discussion related to digital intrusion or surveillance has to include spyware, which is a form of malware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. 

Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users.

The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization are being stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property and other sensitive information.

Security in this environment cannot be an afterthought. It must be built in at every layer -- hardware, software, and network infrastructure -- to ensure end-to-end protection. With the stakes so high in “The Surveillance Age,” it’s imperative that you demand "confidentiality & integrity" commitment from every partner you trust with your information.

Wednesday, January 22, 2014

Did you get an email from Target?

Are you one of the roughly 70 million people who got an email from Target last week about the store's mega security breach? If so, be careful.

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.

Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.

The Target emails went to customers whose personal information was in the Target database. Cyber thieves penetrated the records during the holiday shopping season breach discovered last month and stole info like names, phone numbers and email addresses. The full extent of the hacking is still under investigation.

In the meantime, here's what to do if you see an email from Target pop up in your inbox.

If you've already opened the email: Target has posted a copy of the email it sent out online. So go here to make sure the email you opened, the address it came from, and the link you clicked all matches up.

If it doesn't match, and especially if you clicked a link to an external website and entered personal information, you need to take action quickly.

First, get a copy of your credit report, check your bank and credit card activity on a daily basis and call the credit reporting agencies to tell them what happened. You can ask to have a fraud alert placed on your account, meaning it will be flagged to lenders if someone attempts to open credit in your name.

If you're really worried, you can request a credit freeze, which prohibits any credit from being extended under your name. But that's a big step because you will have to go through the process of undoing this whenever you need credit again.

If you entered a credit card or debit card number, reach out to those institutions to warn them of potential fraud as well.

If you haven't opened the email: To avoid any chance of a virus or of falling prey to a potential scam, it is  recommended to go directly to Target's website to view the letter you believe has landed in your inbox -- since even opening a fraudulent email could lead malware to be installed on your computer. And if you do open the email, don't click on any links.

All other correspondence from Target can be found here. The retailer emphasizes that it will never email a consumer and ask for personal information like a Social Security number or credit card information.

But it's not just emails claiming to be from Target that customers need to worry about.

If your personal information was compromised in the breach, that means scammers could contact you pretending to be anyone -- like another retailer.

Monday, January 13, 2014

What You May Need to Know about Your Smart TVs & Phones

Smart appliances may be too smart for our own good!

Take smart TVs, for instance. As this article illustrates, some of these new appliances are particularly vulnerable to hackers. Once compromised, the TVs allow access to account information, including login credentials (which owners may use for access to more than just their smart-TV account). Even scarier, hackers could gain access to front-facing cameras to see everything happening in the room where the TV is connected. Instead of you watching your favorite program, criminals may be watching you!   

As many people get new smartphones for holiday gifts, they will be tempted to sell their old devices. If you're one of them, keep this story, reported by a Virginia ABC affiliate, in mind.
McAfee online security expert Robert Siciliano did a little experiment; he purchased 30 different devices from craigslist, including laptops, notebooks, iPads and smartphones. "I asked every single person if they re-installed the operating system or reformatted the drive, and they all said yes," Siciliano said. "On more than half of the devices, I found enough information to steal identities or, in some cases, even get people into trouble." 
The takeaway? Be mindful that erasing your personal data from your devices requires more than a delete button.

Here's a good resource  for learning how to sufficiently wipe your smartphones, tablets, computers and more before handing them off to a stranger. 

Saturday, January 11, 2014

Reminder: To Whom are You Really Emailing?

Confirm the email address before you hit send!

Nowadays, it's not uncommon for people to have multiple email addresses. Some people even belong to group email accounts in which an email sent to one address is actually received and potentially read by multiple people.

Before you hit send, be sure you know exactly where your email message is headed. Even when you're replying or forwarding, take the extra moment to hover your mouse over the address in the "To" field to be sure it's going to the intended address.

If you find yourself making this mistake often, consider changing email clients. Gmail, for instance, is notorious for allowing this recipient confusion. Gmail users should also be aware that Google has copies of and access to all email sent using its system. Mr. Snowden provided some proof of that.

Businesses especially should always use a proprietary domain for their email (not Gmail, Yahoo, etc., and certainly not a social email address, like those from Facebook). Business owners should always ensure their email provider follows good security practices (e.g., not storing any email on their servers after it is delivered to the client destination).

Monday, December 30, 2013

XSS For Managers

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a type of vulnerability which is very widespread and allows an attacker to insert malicious code (JavaScript) into your web browser via the use of a vulnerable web application. The attacker can deliver their malicious code in a number of different ways.

They can trick you into clicking on a link (Reflected XSS), or wait for you to visit a page which already has the malicious code embedded into it (Stored or Persistent XSS).

That annoying pop-up box with the number 1 in it? That's just a way that some people visually prove that their JavaScript (XSS) has been run. But don't let that lousy pop-up box fool you, there is a lot more to XSS than that!

What can hackers do with XSS?

  • A hacker may be able to steal your 'cookies' and login to the application as if they were you!
  • They may be able to redirect you to a malicious web site without you knowing in an attempt to trick you into giving away sensitive information such as your bank details.
  • They could add fake login pages to the vulnerable application to trick you into giving them your username and password.
  • They could even use XSS to bypass other security measures which are built into the application and your web browser to protect you.
  • The possibilities are almost limitless. Take over your webcam? Yep! Listen in on your computer's microphone?

For advanced attacks see the The Browser Exploitation Framework (BeEF) tool.

Who's been hacked using XSS?

  • The Apache Foundation, the creators and maintainers of one of the most popular web server software on the Internet had their servers compromised by an initial XSS attack.
  • An XSS attack on the official forum of the popular Linux Operating System, Ubuntu, allowed the attackers to download the usernames, email addresses and passwords for 1.82 million of their users.
  • XSS attacks typically target the application's users and their local networks; however, as seen in the examples above, when those users are administrative users the application's web servers are also at risk.
  • XSS vulnerabilities are discovered within Facebook, Yahoo, Google, Twitter and other high profile websites on a daily basis by independent security researchers participating in bug bounties.
Here is a list of other hacks using XSS -

What can I do to protect myself against XSS?

  • Make sure that your web browser is kept up to date and that it has all of its security features enabled, such as Cross-Site Scripting (XSS) filtering. If your particular browser does not have an XSS filter, like Firefox, then you can download an XSS filter add-on called NoScript.
  • Be careful about what links you click on. A link may look harmless enough, but may contain malicious XSS payloads.
  • Log out of web sites when you are finished with them, this makes it harder for hackers to steal your 'cookies'.

The technical bit! What can I do to protect my web application against XSS?

  • Cross-Site Scripting occurs when untrusted input is output to a page without first being sanitised and/or properly encoded. For example, if a user supplies their username to login and then you display that username without sanitising and/or encoding it, what happens if the username contains HTML characters?

    The web browser will not be able to tell the difference between the user's username and what is the page's valid HTML. Data (the username) is being mixed with code (the HTML)! This could allow a user to login with a username that contains malicious JavaScript and have it execute in the browser within the context of your web application.
  • Make sure that you sanitise the username before using it, for example, if users should only have alpha numeric characters in their usernames then enforce this with input sanitisation. Use a whitelist! Compare the username against known goods instead of known bads.
  • Use the right encoding! If the username is going to be used within HTML, then HTML encode all of the username's characters.

    This way the browser will know what is meant to be rendered as HTML and what is not. It's not all about HTML encoding though! You must encode for the right output 'context'. See the links below for further information.
  • Scan your applications for XSS issues. There are many automated web application security scanners which can detect XSS issues in web applications. You could try giving the Open Source OWASP ZAP a go.
  • Set your session cookies with the HttpOnly flag. This tells the browser that the cookie should not be accessed by JavaScript, helping protect your users from having their sessions stolen.
  • A HTTP header called Content Security Policy (CSP) can be set by the web server to tell the web browser what and where JavaScript is allowed to be executed from. It uses a whitelist!
  • Finally, why not install a Web Application Firewall (WAF) such as the Open Source mod_security! A WAF will give your application that extra layer of defence to defend against those attackers but should be used in a defense in depth scenario and not as the only solution as bypasses are found often.

Where can I find further information?

The two types of XSS mentioned on this page (Reflected and Stored) are not the only two! We have only touched upon the subject here. Want to find out more?

The Open Web Application Security Project (OWASP) is a great resource for all things related to the security of web applications. Check out their wiki article on XSS or their XSS Prevention Cheat Sheet. For information on other types of web application vulnerabilities take a look at the OWASP Top 10.

Friday, December 13, 2013

PhishMe: Popular holiday-themed phishing attacks

Most common Holiday-Themed Phishing Attacks

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns. However, which tactics should you train your employees look out for?

Below, PhishMe has pulled together a list of the most common holiday-themed phishing attacks:

Holiday e-card: Who doesn’t love to receive a nice holiday greeting? But is that link to an e-card actually from your co-worker, manager, HR department, etc. or is it something sinister? Emails that appear to be holiday e-cards are a simple and effective phishing tactic every holiday season.

Holiday party info/registration: The company holiday party is always a much anticipated event, and The Wall Street Journal estimates 9 out of 10 companies will throw some kind of holiday party this year. That means lots of organizations will send out email invitations, so spoofed invitations present another great holiday-themed opportunity for attackers crafting phishing emails.

Travel notifications: AAA estimated that 93.3 million people traveled more than 50 miles from home during the end of December last year, and that means airlines will be sending out plenty of flight change/confirmation emails. We have seen some pretty realistic phishing emails that spoof the types of emails airlines commonly send to passengers, and an email warning of major itinerary changes will certainly grab the attention of an employee eager to get home for the holidays.

The view the full post and the rest of the holiday phishing scams please click here.

Tuesday, December 10, 2013

Information Security Forum (ISF) Identifies 6 Major Threats for 2014

ISF report states top six security threats global business will face in 2014 include the cloud, "BYO" trends and cyber-crime

A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.

The six threats identified as major concerns headed into 2014, ISF emphasized the need for companies to find trusted partners and talk about cyber-security—a topic that's often treated as private.

Six: BYO

Trends Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Five: Data Privacy In the Cloud

The cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated. While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications.

Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Four: Reputational Damage

There are two types of companies—those that have been hacked and those that are going to be. What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement?. When the situation is something that could send stock prices plummeting, the reality of it sets in.

Three: Privacy and Regulation

Organizations need to treat privacy as both a compliance and a business risk, according to the ISF. "Furthermore," the report added, "we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input."

Two: Cyber-Crime

ISF emphasized how shockingly excellent criminals are at coordinating and working together toward a cause. The Syrian Electronic Army's hack into The New York Times was offered as an example. The bad guys are really great at collaboration, because there's a lot in it for them.

Cyber-crime, hacktivism—hacking for a cause—and the rising costs of compliance, to deal with the uptick in regulatory compliance issues, can create a perfect storm of sorts,. "Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen.

One: The Internet of Things 

High-speed networks and the Internet of Things will create scenarios like the ability for a car to detect a traffic jam ahead and understand that its driver won't make it to the airport in time for his flight—and so contact the airport to change the flight. That level of information, in the wrong hands, is concerning.

Businesses can't avoid every serious incident, and few have a "mature, structured approach for analyzing what went wrong.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately."