
How Cloud Computing Affects Security

By Miranda O.

With big data becoming much larger, cloud computing has become the more favorable way to handle it. The fact that cloud computing is becoming far more mainstream these days also means that security risks are increasing. Traditional forms of security such as firewalls will soon be obsolete, with anti-malware and encryption taking over. Even load balancers will no longer be needed now that these features are already implemented in cloud infrastructure. The growth of cloud computing will see the fall of traditional security measures but the rise of new ones as it becomes much bigger.


Vulnerabilities: Which One Should We Prioritize?

The journal article I read this week is called “Measuring and ranking attacks based on vulnerability analysis” by Ju An and Minzhe Guo. This paper notes that, since software vulnerabilities are increasing and two or more vulnerabilities may exist in the same software, it helps determine which vulnerability to prioritize first so the software has a better defense. The paper measures, categorizes, and provides metrics based on vulnerability analysis, letting developers build better security into their software.


Web Security

I read an article this week by Sarah Perez called “ArmorHub’s Web Security Service Scans For Vulnerabilities and Malware, Works Great For Startups As Well As Your Dad.” The article talks about ArmorHub launching a web security service on November 15th, mainly for small to mid-size businesses and, most importantly, for what she calls the “layperson,” whom she describes as somebody who knows security is important but doesn’t know how to protect or monitor their site. The company was started by the founder of eTacts, which sold to salesforce.com, and Kendall Dabaghi; their inspiration came from their years of building applications while always wondering in the back of their minds whether they had security issues. They decided they wanted to create a service that everyone could use to check their website for security issues that could be caused by malware, SQL injection, and cross-site scripting. Their service is free to use and takes a proactive instead of reactive approach, in that they can scan your site and databases as well and tell you if there are any security vulnerabilities in them. If there are, you can then fix them yourself if you know how, or they can fix them for you at a fee determined between you and the company.


Dozens of College Servers Breached by SQL Injection

Not only are the design and performance of databases important aspects of the way databases work, but so is the security of a database. There are many types of attacks that can be carried out against a database, and the most common is SQL injection. In a news article from CNET, hackers were able to collect thousands of personal records of students from college databases worldwide through the use of SQL injection. More than fifty universities were affected, and some of the top-name colleges include Harvard, Princeton, and Stanford. To make matters worse, some 140,000 records were posted online for all to download. The information includes usernames and passwords, addresses, phone numbers, and some payroll information regarding both students and faculty. The mastermind behind this data dump is apparently a group called GhostShell, whose intent was not to reveal personal data but to “focus on higher education.” However, the group not only found personal data but also discovered that malware had already been injected in the first place, showing the security risks many of these database servers have.


Database Security: Oracle or SQL?

In her 2010 article titled “SQL Server Most Secure Database; Oracle Least Secure Database Since 2002,” Laura DiDio explores the security and vulnerability of the two leading database systems out there: Oracle and SQL Server. Right from the beginning, meaning the title, Laura explains how the SQL Server database is more secure than Oracle, and not just by a tiny margin. During an eight-and-a-half-year period, from 2002 to 2010, the NIST CVE (National Vulnerability Database) statistics recorded 321 security-related issues for Oracle, the highest of any vendor. This was six times more than the number reported for SQL Server. DiDio explains that SQL Server’s unmatched security is not a fluke or luck of the draw; it is rather a direct result of Microsoft’s investment in the Trustworthy Computing Initiative, an initiative launched by Microsoft in 2002 in which they stopped code development across all product lines to scrub the code base and make their products more reliable and secure.


Removing Vulnerabilities in SQL Code

The article I chose for this week is titled “Using Automated Fix Generation to Secure SQL Statements”. The main purpose of the article is to propose a certain method of securing code from SQL injection attacks. The article starts by stating that since 2002, more than half of all cyber attacks were carried out by exploiting input validation vulnerabilities. SQL injection attacks accounted for 20% of all of those attacks. For those who don’t know, an SQL injection attack is when a hacker inputs his or her own SQL statement in order to gain access to certain information. The authors’ proposed method of helping to prevent this kind of attack in Java code is to use prepared statements rather than just plain-text SQL statements. Their reasoning is that prepared statements limit the input that could affect the statement. The authors tested this by using prepared statements in five mock Java programs which contained vulnerabilities. Their conclusion was that the vulnerabilities were removed in each program.


Auditing SQL

This week I will be blogging about the journal entry “Auditing a Batch of SQL Queries” by Rajeev Motwani, Shubha U. Nabar, and Dilys Thomas of Stanford University. This journal entry talks about ways SQL queries are audited and how to determine suspicious SQL queries. The journal mentions a command, AUDIT, which I had never seen before. They use it in an example:


Use the Same Account Name and Password on Every Service?

The article I read this week is “One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now.” by MG Siegler. The title of this article caught my attention immediately. The author raises the issue that people use the same ID and password on most of the services they sign up for. In December 2009, RockYou’s (the social network app maker) database was attacked. The hackers got their hands on a full list of around 32 million accounts’ unprotected plain-text passwords. The hackers used SQL injection to attack the RockYou database; it is one of the most popular methods for attacking databases. The hackers even posted a sample of what they found.
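What made the RockYou dump so damaging was that the stolen column was the password itself. As an added example (not code from the article or from RockYou), the block below shows what a credential record should hold instead: a per-user random salt plus a slow, salted hash computed with PBKDF2-HMAC-SHA256 from Python’s standard library, and a verifier that recomputes the hash from the stored parameters and compares in constant time. The sample accounts are constructed, and the iteration count is an illustrative assumption rather than a tuned value.

```python
# Added example (not from the article): salted PBKDF2 password records in place
# of plain-text passwords. Accounts are constructed; ITERATIONS is an assumption.
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000  # assumption: raise until one hash costs a noticeable fraction of a second


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt per user means two users with the same password
    get different records, so a leaked table cannot be cracked once for everyone.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the salt and iteration count stored in the record.

    Malformed records and unknown algorithms fail closed; the final comparison
    uses hmac.compare_digest so timing does not leak how many bytes matched.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_accounts(accounts: Dict[str, str]) -> Dict[str, str]:
    """Replace each plain-text password with its hashed record (what the table should hold)."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    table = store_accounts({"alice": "password123", "bob": "password123"})
    for user, record in table.items():
        print(user, record)
    print("alice login ok:", verify_password("password123", table["alice"]))
    print("alice wrong pw:", verify_password("password124", table["alice"]))
```

With records like these, a dump still lets an attacker guess at weak passwords one user at a time, but it no longer hands over the passwords outright, which is the difference between a breach of one site and a breach of every site where the same password was reused.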


More Than 50,000 Accounts Have Been Hacked from ITWallStreet.com

The article I read this week is “Hacker claims breach of 50,000 accounts from Wall Street IT recruiting firm” by Jaikumar Vijayan. On July 18, 2012, a hacker named Masakaki, who is a member of a group called TeamGhostShell, hacked into ITWallStreet.com. ITWallStreet.com is a website for those seeking IT jobs at Wall Street firms. The hacker broke into the resume database and extracted more than 50,000 accounts with highly detailed data, including each person’s user ID, name, phone number, address, and email. The list covers most of the major Wall Street firms, including Morgan Stanley, Goldman Sachs, Nasdaq, Dow Jones, and others. An interesting fact I found in the article was that the candidates’ salaries ranged from 40,000 to 400,000, and they included everyone from entry-level junior developers to senior technology executives.


There Is a Good Chance That Your Bank Was Hit by Cyber Attackers

The article I read this week is “Major Banks hit with biggest cyber attack in history” by David Goldman. The author says that major banks such as Bank of America, Wells Fargo, JPMorgan Chase, U.S. Bank, and PNC Bank experienced the biggest cyber attack ever in history over several weeks starting September 19, 2012. The volume of the attack was 10 to 20 times larger than normal attacks, and 2 times larger than the previous record. These banks all suffered day-long unusual volumes of traffic that the cyber attackers created. The unusual traffic caused slowdowns, and some banks’ websites were temporarily unreachable to many customers. Fortunately, there was no actual hacking involved. No personal data or transactional data was stolen. The attackers simply tried to knock down the banks’ public-facing websites this time.
