Security Archive

HTTPS under Attack

by Boshi W
HTTPS might not be as secure as it claims to be, according to a news article by InformationWeek in early September. Apparently, attackers can abuse an exploit in the SSL/TLS implementation and issue false credentials for many popular sites like Gmail and Windows Update. Luckily, these exploits were built by security researchers to illustrate the safety of the browsers. “Juliano Rizzo and Thai Duong have built a tool that’s capable of decrypting and obtaining the authentication tokens and cookies used in many websites’ HTTPS requests”, Schwartz informed, “and many sites relying on SSL/TLS for security can be easily infiltrated and bypassed.” Even the top-secure PayPal authentication cookies can be decoded, leading to decrypted account information and access privileges.

ASP.NET Patched Websites Being Attacked

by Maral M
Recently there has been a rise in the number of attacks on websites running Microsoft’s ASP.NET. The websites being attacked mostly belong to educational, small business and association entities. Websites that have the patches are more susceptible to the malicious code, which redirects users to different websites under the name James Northone. The code being weaved into the websites is delivered via SQL injection. SQL injection is a coding technique that takes advantage of faulty security coding at the database layer.

Protecting Against Data Breaches

by Alexander V
Summary

The article is about Application Security, Inc.’s (AppSecInc) DbProtect Precision DAM (Database Activity Monitoring) software. AppSecInc is a leading provider of database security solutions that introduced its DbProtect Precision DAM software in response to the recent rise in breaches of database security. This software was designed to be low-maintenance and easy to use, addressing complexity, the main reason why many organizations do nothing to prevent security breaches. According to the article, a recent survey conducted at the 2011 Gartner Security & Risk Management Summit found that more than 90% of attendees had high-profile breaches similar to Sony’s and only 23% took preventative measures. In addition, the article states that Verizon’s 2010 Data Breach Report showed that 96% of breaches could have been easily avoided. Josh Saul, the CTO of AppSecInc, states that thieves thrive off the inactivity of organizations in preventing data breaches. DbProtect Precision DAM provides efficient and effective monitoring based on user-defined policies, with benefits such as a “reduction in the scope of required database activity monitoring” and “reduced risk of data loss.” The software also “allows organizations to monitor for deviations from normal authorized activity”; examples include monitoring privileged user activities and new avenues of attack.

All I Wanted was a Six Piece Chicken Nugget Meal, Instead I got Spam

by Daniel L
Believe it or not, McDonald’s had a database full of customer contact information that fell into the crosshairs of a couple of hackers back in December of last year. The information that was compromised belonged to innocent individuals who wanted to fill their empty stomachs by signing up for promotional deals through McDonald’s websites. These McDonald’s websites offer food deals and coupons, and whenever these promotions are available, customers are contacted electronically via e-mail. McDonald’s had hired Arc Worldwide, a marketing company, to be responsible for these promotional e-mail messages. However, Arc went ahead and appointed an unidentified e-mail company to manage the database holding the customer information that would be used to send out these promotions. A few hackers, who were up to no good, penetrated the systems belonging to the unknown company and were thereby able to obtain the customer data of those who had signed up for McDonald’s promotions. These databases held limited customer information: names, phone numbers, and both e-mail and postal addresses. According to the McDonald’s spokeswoman, there is no approximate number of how many people were affected and there is no known date of when the database breach occurred.

Cloud Computing and Security Short Comings

by Wendy O

Summary:

The article spoke about high-profile companies that were recently scrutinized when they didn’t respond fast enough to data breaches earlier this year. However, what the public doesn’t realize is that if those companies had actually been storing their data with public cloud providers, it would have taken days just to establish where the data warehouses were located. It could have been significantly worse than it was.

Security for your Android Device

by Penny C

A lot of us have made the choice to upgrade our phones to “smart-phones”, and most of those smart-phones run the Android OS. As we all know, Android is an open-source OS and is vulnerable to attacks, just like our computers are. Attacks could take the form of sending and receiving SMS/MMS, extracting private information from the phone or making the phone unusable. Now, for those of us who have an unlimited text messaging plan, the cost incurred from those SMS/MMS is not much of an issue, but the phone has still been compromised. Per the article, the attacks occur through cellular networks, Bluetooth, the Internet (WiFi, 3G), USB and other connections. Smart-phones have not been around as long as computers, but malware for smart-phones took 2 years to reach the level that took computers 20 years. The astounding speed is due to the experience gained through writing malware for computers, according to the authors. So smart-phone security is becoming a front-line battle.

Kindle Fire’s Silk Browser Poses Privacy and Security Concerns

by Daniel L

Tablet computers have established themselves in the consumer device market, and Amazon wants to get its feet wet by announcing its own tablet, known as the Kindle Fire. What makes Amazon’s tablet different from its competitors is the way it handles web browsing. Amazon has developed its own web browser called “Amazon Silk”, which uses Amazon’s cloud to process and render web pages off the device, improving website performance on the device itself. Websites with a plethora of content, including pictures and videos, can take a long time to load on the standard browsers most tablets use, but with Silk, web browsing will be a breeze. However, security and privacy issues arise when using this model of web browsing technology. Every time a user visits a website, the device will contact Amazon’s servers instead of the actual website directly, making Amazon the “middleman” that lies between you and any website, including secure ones. According to the terms and conditions of the Silk browser, Amazon will keep a record of IP and MAC addresses along with web history and logs for a period of 30 days. This information can be obtained by the government in the event of an investigation. Moreover, if Amazon’s servers are breached in any way, critical data can be compromised.

Cybercrime

by James C
Summary:

Like a domino effect, cybercrime, also known as e-crime, can cripple a company, lower its market value, and prevent it from conducting further business in a secure manner. E-business, meaning business done business-to-consumer (B2C) and business-to-business (B2B), in the US alone is affected annually by over $100 billion. The effects of cybercrime extend not only to theft of assets, but also to a damaged reputation and loss of future business due to consumer insecurity. In October 2004, ChoicePoint Inc.’s database was accessed by an unauthorized user. The perpetrator downloaded in excess of 145,000 files of credit card accounts. In June 2005, another incident of database intrusion hit CardSystems Inc., a processor of credit card transactions. The hacker in this case altered the security of millions of cards that had been issued by Discover, Visa, MasterCard and American Express. In turn, many banks were negatively affected by the breach. J.P. Morgan, for example, had to conduct extensive investigations into the security of client accounts. Unlike J.P. Morgan, Washington Mutual Inc. had to close roughly 1,400 bank card accounts.