Archive for Web Security
Author: Dave Lewis
March 25, 2008 at 7:26 am · Filed under Privacy, Web Security
Due to a case of ‘whoops’, the popular social networking site Facebook punted on privacy Monday.
From the Associated Press:
The Associated Press verified the loophole Monday after receiving a tip from Byron Ng, a Vancouver, Canada computer technician. Ng began looking for security weaknesses last week after Facebook unveiled more ways for 67 million members to restrict access to their personal profiles.
But the added protections weren’t enough to prevent Ng from pulling up the most recent pictures posted by Facebook members and their friends, even if the privacy settings were set to restrict the audience to a select few.
After being alerted Monday afternoon, Facebook spokeswoman Brandee Barker said the Palo Alto-based company fixed the bug within an hour.
“We take privacy very seriously and continue to make enhancements to the site,” she said.
The latest lapse serves as another reminder of the perils of sharing sensitive photos and personal information online, even when Web sites pledge to shield the information from prying eyes.
It’s good to see that Facebook fixed the problem quickly. More importantly, though, people have to realize that they are always taking a chance when they put private information onto a website over which they have no control. There is no real guarantee that your information will be safe. Take a long pause before you post things on a site such as Facebook (not beating on them). You never know who could be looking.
Article Link
Author: Dave Lewis
March 25, 2008 at 7:12 am · Filed under Vendor News, Web Security
From ZDNet UK:
Mozilla chief executive John Lilly has hit out at Apple, accusing the company of doing a disservice to Windows users everywhere by including its Safari browser as a default add-on installation in the latest iTunes update, likening the practice to the way malware is distributed.
In a recent blog post, the head of the foundation behind the Firefox browser and Thunderbird email client attacked Apple for including the option to install the browser as a pre-selected default, saying it compromises the security of all users and the entire web.
“Apple has made it incredibly easy — the default, even — for users to install ride-along software that they didn’t ask for and maybe didn’t want. This is wrong, and borders on malware distribution practices,” said Lilly in the post.
“It undermines the trust relationship great companies have with their customers, and that’s bad not just for Apple but for the security of the whole web.”
Yesterday’s Safari Vulnerabilities.
Article Link
Author: Dave Lewis
March 19, 2008 at 10:11 am · Filed under Politics, Privacy, Web Security
From Network World:
With voting in Pennsylvania’s presidential primary just a month away, the state was forced to pull the plug on a voter registration Web site Tuesday after it was found to be exposing sensitive data about voters in the state.
The problem lay in an online voter registration application form that was designed to simplify the task of registering to vote. State residents used it to enter their information on the Web site, which then generated a printable form that could be mailed to state election officials. Pennsylvania’s Department of State disabled the registration form late Tuesday after being informed of the vulnerability by IDG News Service.
Because of a Web programming error, the Web site was allowing anyone on the Internet to view the forms, which contained data such as the voter’s name, date of birth, driver’s license number and political party affiliation. On some forms, the last four digits of social security numbers could also be seen.
“Upon learning of this situation, the Department of State acted immediately to disable the specific page,” said Department of State Spokeswoman Leslie Amoros in an e-mail message.
Ouch. So much for commissioning testing before rollout. After checking the site I was presented with an invalid cert. Hmm.
Article Link
Author: Dave Lewis
March 17, 2008 at 5:54 am · Filed under Vendor News, Web Security
Cenzic, the web application testing firm that brought us such hits as patenting fault injection (despite years of prior art), is getting more funding. The VC-top-heavy operation has apparently reached 60% of its current funding goal.
From Mashable:
The market in which Cenzic operates is a large one. More and more Web applications are being produced every week, and a good portion are targeted at enterprise customers. Yet Web security is still a sensitive, porous area. Cenzic claims that some 90% of such applications are vulnerable to infiltration and the compromise of data. Therefore its field of play, as it were, is an expansive one, and will only increase in size and activity. Because businesses will continue to take advantage of the convenience and efficiency for internal and external communications in using Web-based software, the prospects for Cenzic are far reaching.
Hopefully they will spend more time on their product development and less in court.
Article Link
Author: Dave Lewis
March 5, 2008 at 10:16 am · Filed under Security Mgmt, Web Security
Juan Carlos Perez has an interesting piece about service level agreements for web apps. A lot of people tend not to think about this aspect until after the fact. I’ve seen cases where a company purchased the “shiny machine that goes ping” only to find out that it would be down 28% of the time. Not a good number to run on when your business is web facing.
From Infoworld:
As SaaS (software as a service) adoption rises in the workplace, business managers mustn’t overlook a key issue when selecting a Web-hosted applications suite: a service-level agreement.
Such contractual agreements, known as SLAs, bind the SaaS provider to meet specified levels of service. An SLA can address various aspects of the service, such as application uptime and performance, as well as data security, backup, recovery, and integrity. The SLA outlines penalties — often in the form of credits — if certain standards aren’t met.
An SLA is of particular importance for a hosted application, since in that case, the customer is giving up control over the software and, thus, has little or no power to fix problems that arise on the SaaS vendor’s end.
In other words, a business manager must make sure that a selected SaaS vendor can provide the level of reliable service the company needs. “IT [and business] managers need to understand the consequences for their operations if there’s a problem. [They should] determine what downtime they can tolerate and compare that with what the vendor is offering,” says Eric Maiwald, a Burton Group analyst.
Once a contract is signed and the hosted applications are implemented and woven into a company’s workflow, migrating away to another provider will be costly and time-consuming.
I’ve been fortunate not to have encountered this particular problem first hand. However, I have seen it in other companies. The SaaS web app with the pretty graphics could be a dud. Get your SLA squared away before you sign on the dotted line.
Article Link
Tags: SLA, Web App Uptime, SAAS, Service Level Agreement
Author: Dave Lewis
February 21, 2008 at 9:23 am · Filed under Crypto, Data Security, Privacy, Web Security
This article was written by Rob Rachwald (note: he’s the Director of Product Marketing for Fortify).
From IT Wales:
Banking online has become increasingly pervasive and is becoming more and more common. But has it reached a point where it’s actually safer than going to your local branch?
The risks of banking online are numerous:
* Hackers have global reach - if you’re doing offline banking in Birmingham, you only need to be worried about bad guys in Birmingham, for instance the customers and employees present in your local branch. If you’re banking online, anyone in the world could attack you and your assets.
* Automation - in the physical world attackers are limited by their ability to manipulate physical items like making an extra copy of your account number. In the online world attackers are essentially unlimited in the resources they can bring to bear.
* Online security is opaque to the end user. People who aren’t particularly tech savvy have a tough time differentiating between good online security practices and bad online security practices. Security in the physical world is much more intuitive for most people - keep your chequebook in a safe place or don’t let someone peek when you are entering your PIN.
For the full piece read on.
Article Link
Tags: Online Banking, Internet Banking, Online Banking Safety
Author: Dave Lewis
February 21, 2008 at 6:39 am · Filed under Privacy, Web Security
Google announced this past summer that they are moving into health care.
From CNN:
Google Inc. will begin storing the medical records of a few thousand people as it tests a long-awaited health service that’s likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader.
The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.
Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that’s also required to use other Google services such as e-mail and personalized search tools.
Good thing there is no way to compromise a Gmail account. Phew (in case you missed it, that was sarcasm). These problems may or may not still exist; those links are more to demonstrate that there is an established track record. That notwithstanding, I am a Google fan, so I’m hopeful that they can do this securely. By the same token, I’d rather they didn’t have my health records. I’m not entirely comfortable with that idea, to be honest. Third-party services do not currently fall under HIPAA.
Article Link
Tags: Google Health Records, Google Health, Google Data Security
Author: Dave Lewis
December 10, 2007 at 7:38 am · Filed under Tools, Web Security
Short story on this application… download this tool now! This is an excellent web application testing tool that I use rather extensively these days. If you liked Paros Proxy, you’ll love this.
From PortSwigger:
I’m pleased to announce that the release version of Burp Suite v1.1 is now available. You can download the software and read about what is new here.
Thanks to everyone who downloaded the beta version and gave me their feedback - this was much appreciated. Burp should hopefully work properly in many kinds of usage scenarios and platforms that I’m unable to test myself.
Article Link
Tags: Burp Suite, Burp, Web Testing, Web Hacking, Web Application Security
Author: Dave Lewis
December 4, 2007 at 7:59 am · Filed under Privacy, Web Security
Holy oops! Passport Canada’s website was breached last week due to a flaw in the site.
From Globe & Mail:
A security flaw in Passport Canada’s website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver’s licence numbers - of people applying for new passports.
The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
“I was expecting the site to tell me that I couldn’t do that,” said Jamie Laning of Huntsville. “I’m just curious about these things so I tried it, and boom, there was somebody else’s name and somebody else’s data.”
That data included social insurance numbers, driver’s licence numbers and addresses.
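The flaw described above, a record fetched by the identifier in the URL with no check on who is asking, is the classic insecure direct object reference. The following is an added example, not code from Passport Canada or the original post: a minimal model of the vulnerable lookup beside the fixed one, which enforces ownership server-side and treats a missing record and someone else’s record the same way. The account names, record ids and data values are constructed for illustration.

```python
"""
Added illustration of the URL-id lookup flaw (constructed model, not the
Passport Canada application). Every name and value here is made up.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: str
    owner: str       # account that submitted the form
    applicant: str   # constructed sample data, not a real person
    sin: str


# Constructed store with sequential ids, the pattern behind
# ".../application?id=1001"-style URLs where editing one digit lands
# on a neighbouring record.
APPLICATIONS = {
    "1001": Application("1001", "alice", "Alice Example", "123-456-789"),
    "1002": Application("1002", "bob", "Bob Example", "987-654-321"),
}


class Forbidden(Exception):
    pass


def view_application_vulnerable(session_user: str, app_id: str) -> Application:
    """Looks the record up by the id from the URL and never consults
    session_user, so any logged-in user can read any application."""
    return APPLICATIONS[app_id]


def view_application_fixed(session_user: str, app_id: str) -> Application:
    """Server-side ownership check. A record that does not exist and a record
    owned by someone else both raise Forbidden, so the response does not
    tell an attacker which ids are valid."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        raise Forbidden("not your application")
    return record


def new_application_id() -> str:
    """Defence in depth: an unguessable id stops enumeration by editing a
    digit. It is not a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)


def probe(handler, session_user: str, app_id: str) -> str:
    """Report which applicant the handler disclosed for app_id, or 'denied'."""
    try:
        return handler(session_user, app_id).applicant
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    # Alice, logged in, edits the last character of her own id.
    tampered = "1001"[:-1] + "2"
    print("vulnerable:", probe(view_application_vulnerable, "alice", tampered))
    print("fixed:     ", probe(view_application_fixed, "alice", tampered))
```

The ownership check belongs in the handler (or a shared authorization layer), never in the client or in the unguessability of the id alone: a random id only raises the cost of guessing, while the check is what actually denies the request.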
And to think…I was going to update mine this weekend. Yipes.
Canadian law does not require organizations to disclose when they’ve suffered security breaches. In the United States the majority of states have enacted legislation requiring organizations to disclose security breaches within a specified period of time.
I would say that time is up. Time for some disclosure discussions.
Read on.
Article Link
Tags: Passport Canada Breach, Passport Website Breached, Privacy Breach
Author: Dave Lewis
November 27, 2007 at 12:01 pm · Filed under Tools, Web Security
At the recent Sector.ca conference in Toronto there was a talk by Nish Bhalla and Rohit Sethi, which I didn’t have a chance to see myself. The talk, entitled “Exploit-Me Series – Free Firefox Application Penetration Testing Suite Launch”, covered a couple of plugins for the Firefox browser for testing cross-site scripting (XSS) and SQL injection.
Here are the links for the downloads:
- XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) vulnerabilities.
- SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.
I should also add that I have not had a chance to review these yet myself. Caveat emptor.
Article Link
Tags: ExploitMe, Firefox Hacking Plugins, Firefox Add-ons, XSS, SQL Injection