Archive for the ‘Application Security’ Category
November 26, 2011
Robert Lemos / Dark Reading
Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow…
…
In many cases, the patterns are not clear. Even “advanced” attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they’ve used standard cybercrime tools.
Posted in Application Security, Information Security, Social Engineering / Phishing, Training / Awareness
July 8, 2011
CWSS (Common Weakness Scoring System):
- provides a common framework for prioritizing security errors (“weaknesses”) that are discovered in software applications
- provides a quantitative measurement of the unfixed weaknesses that are present within a software application
- can be used by developers to prioritize unfixed weaknesses within their own software
- in conjunction with the Common Weakness Risk Analysis Framework (CWRAF), can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.
Posted in Application Security, DDoS, Secure Coding, Vulnerability Analysis
June 26, 2011
How does a hacker group get dissolved?
But in this shadowy world of claims, boasts and posturing, nothing is quite what it seems. It may have been other members of the hacker “community” – disgruntled with the antics of LulzSec – who forced the group into retreat. A document posted online in the last 24 hours purports to be a history of LulzSec, complete with full details on its leaders.
…
But even if LulzSec has gone offline, its members and other hackers trying to make a name for themselves may soon pop up elsewhere. And the other question is whether we should take any publicity-hungry group like this too seriously. The real damage is more likely being done by criminal groups who wouldn’t dream of boasting of their exploits on Twitter or anywhere else.
Posted in Application Security, Consumer Information Protection, DDoS, Threat Management
June 19, 2011
Ellen Messmer / InfoWorld
Researchers at North Carolina State University claim they’ve achieved a breakthrough in how encryption can be used in technology called non-volatile main memory, which is seen as an eventual replacement for conventional dynamic random-access memory.
…
In work conducted with graduate students, Solihin says N.C. State researchers completed building a hardware-based method to self-encrypt NVMM data. The idea is it might eventually become integrated into chipsets.
Posted in Application Security, Cryptography, Threat Management
April 30, 2011
More and more companies are adopting formal Coordinated Vulnerability Disclosure processes and standards
After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.
Posted in Application Security, Communication, Policy and Governance, Secure Coding
February 15, 2011
As mobile devices start to store more and more of their owner's personal data (location, search and shopping data), this is becoming a real threat to users.
To give users better tools to protect their personal data, the ACLU of Northern California, the ACLU of Washington and the Tor Project have organized the 2011 Privacy Developer Challenge to develop apps for mobile devices that can educate users about mobile privacy and give them the ability to demand control of their own personal information, without loss of functionality. The winning apps will be released under an open source license.
Goal: …demonstrate the possibility that apps for mobile devices can actually enhance the privacy of users. By doing so, we hope not only to generate technology that is useful today, but also to encourage developers and companies to adopt the “privacy by design” mindset so that future devices and technologies will be designed with privacy in mind from the start.
Posted in Application Security, Consumer Information Protection, Privacy, Secure Coding
February 2, 2011
In his recent “Building Security In” article Gunnar Peterson talks about the driving forces and challenges of moving critical systems to the cloud.
The main trends that will drive security architecture are visibility and verification, which we can pithily sum up as “Don’t trust. And verify.”
Enterprises are often told, even by security luminaries, that they must trust the cloud, but that’s bunk. Sure, they must rely on some access control and other security services that are beyond their control. However, this can be partly mitigated by visibility services offered by gateways (chokepoints) and monitoring (audit event logging). In other words, a nickel’s worth of visibility trumps a dollar of access control.
…
Many enterprise systems have two security modes: untrusted and fully trusted. Cloud security requires a partial-trust model.
Posted in Application Security, Infrastructure Security, Security Strategy, Threat Management
January 31, 2011
Last week ComputerWorld reported that Intel was developing a technology (most probably a chip) that will stop ALL zero-day attacks. Wow… that's like finding a solution for the global recession, religious conflicts or terrorism. I am not being sarcastic; I intentionally took these examples because they fall into the same bucket as zero-day threats, i.e., we can't predict when these events will occur or how deep the impact will be.
I respect Mr. Rattner, who was named one of the top 200 individuals having the greatest impact on the U.S. computer industry back in the '90s, and I am sure he is up to something big, but if what he said comes true it'll be HUGE!
We’re going to see a quantum jump in the ability of future devices, be them PCs or phones or tablets or smart TVs, to defend themselves against attacks.
….the technology won’t be signature-based, like so much security is today. Signature-based malware detection is based on searching for known patterns within malicious code. The problem, though, is that zero-day, or brand-new, malware attacks are often successful because they have no known signatures to guard against.
We’ve found a new approach that stops the most virulent attacks. It will stop zero-day scenarios. Even if we’ve never seen it, we can stop it dead in its tracks.
Still, I’d have preferred the article heading more like how Paul Ducklin put it, <quote> It’s a pity that Intel’s work has been touted in such hyperbolic fashion. Headlines like “Intel to add new low-level layer of computer security” would, surely, have been much more meaningful. <unquote>
Posted in Anti Virus, Application Security, DDoS, Infrastructure Security, Threat Management
January 30, 2011
I agree with Apple turning the iPhone into a universal debit card and Google's Android supporting Near Field Communication (NFC), but not everything discussed in the article will happen that fast!
Why? Because I strongly believe that before Apple and Google implement a workable biometric ID solution for cell phones or replace the current authentication infrastructure with a biometric one, authentication will pass through other stages, like two- (or multi-)factor authentication (YubiKey-style touch keys, some sort of machine tagging for cell phones) or one-time passwords (sent via an out-of-band channel like SMS or email).
The obvious password replacement is biometric identification — the use of a system capable of recognizing unique physical attributes, such as fingerprints, iris patterns or voices.
Far too many people don’t trust biometrics because it feels like Big Brother technology. But I believe that if the biometric system resides on the user’s cell phone, and is under the user’s control, such technology would be far more acceptable to the public.
Fingerprinting is not very reliable, voice recognition technology in general suffers from false-positive and false-negative issues, and iris scanners/sensors are costly.
Posted in Application Security, Authentication, Communication, PCI
January 25, 2011
Four researchers took a fairly large sample (1,400) of iPhone apps and tested them in a testbed environment. Their test results are quite interesting.
First, the good news:
Only a small number blatantly compromised privacy: 36 accessed the device’s location without first informing the user; another five mined data from the user’s address book without permission.
Which is just 3% of the total population. Now the bad news:
…more than half of the iPhone applications studied collected the device ID—a 40-digit hexadecimal number identifying a particular phone. More than 750 of the apps studied used some sort of tracking technology. In about 200 cases, the developer created a way to track a device's identifier code; the other apps used this functionality from an advertising or tracking software library.
I agree that these are likely not malicious apps, but as the article says, <quote> identifier code…would give you a lot of information on the user, including—most of the time—their real name <unquote>, so device ID tracking will be an interesting debate in the coming months as the FTC's Privacy Report gets finalized and published.
Posted in Application Security, Consumer Information Protection, Privacy, Secure Coding
January 20, 2011
At first glance it felt as if some author was trying to get attention by using a controversial heading, but as I read the post I realized the author <quote> drafted most of the original text that evolved into ISO 27002 and achieved the world's first accredited certification <unquote>. Yes, it's David Lacey (Director of Research, ISSA-UK) expressing his views on the current state of security.
Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.
…
The traditional Swiss Cheese model of defence in depth is falling down. It’s not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers.
But he also suggested solutions (i.e., what has worked or might work):
The Global Security Challenge encourages and rewards innovative security technologies… Virtualisation transforms the infrastructure from both a user's and an attacker's perspective… Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption… One thing is certain: We need much greater vision and investment in new security technologies.
Posted in Application Security, Cybersecurity, Policy and Governance, Standard / Framework
January 15, 2011
This book is the result of a research study published by the National Research Council (NRC).
Biometric recognition systems are inherently probabilistic, and their performance needs to be assessed within the context of this fundamental and critical characteristic. Biometric recognition involves matching, within a tolerance of approximation, of observed biometric traits against previously collected data for a subject. Approximate matching is required due to the variations in biological attributes and behaviors both within and between persons. Consequently, in contrast to the largely binary results associated with most information technology systems, biometric systems provide probabilistic results.
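To make the "probabilistic, not binary" point concrete, here is an added example (my code, not part of the NRC report or this post). It models an enrolled template as a 64-bit feature vector built from constructed random data, simulates capture-to-capture variation by flipping bits, and accepts a probe when its Hamming distance to the template is within a tolerance. Sweeping the tolerance shows the trade-off the passage describes: a tight tolerance rejects genuine users (false rejects), a loose one accepts impostors (false accepts), and no single setting makes both zero. The template size, the flip probability and the population size are assumptions chosen for illustration.

```python
"""Toy model of probabilistic biometric matching (added example).

Templates are 64-bit feature vectors made from constructed random data,
not real biometric traits. A probe is compared with an enrolled template
by Hamming distance and accepted when the distance is within a tolerance.
Genuine captures of one subject vary (simulated by random bit flips) and
different subjects can look alike by chance, so every tolerance trades
false rejects against false accepts instead of giving a clean yes/no.
"""
import random

TEMPLATE_BITS = 64  # assumed template size, chosen for this illustration


def hamming(a, b):
    """Number of differing bits between two integer feature vectors."""
    return bin(a ^ b).count("1")


def matches(template, probe, tolerance):
    """Approximate match: accept when at most `tolerance` bits differ."""
    return hamming(template, probe) <= tolerance


def perturb(template, flip_prob, rng):
    """Simulate capture variation by flipping each bit with `flip_prob`."""
    out = template
    for bit in range(TEMPLATE_BITS):
        if rng.random() < flip_prob:
            out ^= 1 << bit
    return out


def error_rates(tolerance, subjects=50, probes=20, intra_flip=0.10, seed=1):
    """Return (FRR, FAR) for `tolerance` on a constructed population.

    FRR: fraction of genuine probes rejected against their own template.
    FAR: fraction of probes accepted against another subject's template.
    The seeded RNG makes the population identical across tolerances, so
    FRR can only fall and FAR can only rise as the tolerance grows.
    """
    rng = random.Random(seed)
    templates = [rng.getrandbits(TEMPLATE_BITS) for _ in range(subjects)]
    false_rejects = false_accepts = 0
    trials = subjects * probes
    for i, own in enumerate(templates):
        for _ in range(probes):
            probe = perturb(own, intra_flip, rng)
            if not matches(own, probe, tolerance):
                false_rejects += 1
            # Impostor trial: the same probe against a different subject.
            other = templates[(i + 1 + rng.randrange(subjects - 1)) % subjects]
            if matches(other, probe, tolerance):
                false_accepts += 1
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    print("tolerance  FRR     FAR")
    for tol in (0, 4, 8, 12, 16, 24, 32):
        frr, far = error_rates(tol)
        print(f"{tol:9d}  {frr:.3f}  {far:.3f}")
```

Running the script prints FRR falling and FAR rising as the tolerance widens; the operating point a deployment picks is a policy decision about which error is costlier, which is exactly why the report warns that biometric results must be assessed as probabilities rather than as definite matches.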
Posted in Application Security, Authentication, Privacy
January 12, 2011
Today Bruce Schneier blogged about the same threat that I discussed earlier this week.
It’s hard to know how real this threat is. Certainly micro-traders pay attention to latency, and sometimes even place their computers physically close to exchanges so they can reduce latency. And while it would be illegal to deliberately manipulate someone else’s trades, it is probably okay to place a gazillion trades at the same time which — as a side effect — increases latency for everyone else. My guess is that this isn’t a movie-plot threat, and that traders are trying lots of things along this line to give them a small advantage over everyone else.
It seems to be one of the most talked-about topics… Wired.com ran a story on robo-clients that aren't there just to crunch numbers but make the decisions to buy or sell a stock, which in turn increases the speed per transaction.
many prop-trading algorithms look at the market as a vast weather system, with trends and movements that can be predicted and capitalized upon. These patterns may not be visible to humans, but computers, with their ability to analyze massive amounts of data at lightning speed, can sense them.
Wissner-Gross and Freer of MIT recently published a paper (pdf) titled “Relativistic statistical arbitrage” to calculate a representative map of locations from which to coordinate relativistic statistical arbitrage among the world’s major securities exchanges.
Will making the systems faster increase the likelihood of latency threats?
Posted in Application Security, DDoS, Infrastructure Security
January 9, 2011
The increase in processing and transmission speeds has given birth to new attacks. Bill Snyder discusses how time-sensitive global interactions are vulnerable to side-channel attacks, latency threats and flash crashes.
Traditionally, applications that have latency requirements include: VoIP and interactive video conferencing, network gaming, high-performance computing, cloud computing, and automatic algorithmic trading. For example, one-way latency for VoIP telephony should generally not exceed 150 milliseconds (0.15 seconds) to enable good conversation quality, while interactive games typically require latencies between 100 and 1,000 milliseconds. However, the requirements for automated algorithmic trading are much more strict. A few extra milliseconds, or even a few extra microseconds, can enable trades to execute ahead of the competition, thereby increasing profits.
Posted in Application Security, DDoS, Threat Management
January 9, 2011
Following its tradition, MITRE's Common Weakness Enumeration (CWE) [jointly with SANS Institute] created a list of 2010's Top 25 Most Dangerous Software Errors.
The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.
…
The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses.
Posted in Application Security, Consumer Information Protection, Secure Coding
October 30, 2010
An interesting analysis of an old article on a geolocation-based DDoS attack targeting mobile operators, and why it isn't as simple as it looks:
In order for a DDoS attack to succeed, you need a high volume of attack (‘zombie’) devices.
In a Geo Location DDoS you attack something which is at one geographic location, so zombie phones need to be at or around the target location.
This means that you need to persuade a lot of people to install the attacking app on their phones.
Posted in Anti Virus, Application Security, Threat Management
October 9, 2010
“a” solution to stop bots from multiplying but
The idea is not new. Many security experts have talked about quarantining infected computers. Research has shown that quarantining compromised computers on the top-50 networks showing signs of infection could eliminate half of all bots. Companies that run network access control (NAC) systems can restrict computers from connecting to their network if they don’t have up-to-date security software or do not meet other requirements.
Posted in Application Security, Threat Management, Vulnerability Analysis
September 28, 2010
A fairly old (Sep 2009), long (300+ pages) and detailed information security manual.
The Australian Government Information Security Manual provides a framework that enables you to address both new and existing security risks to your systems while allowing you to conduct your business effectively. While this manual sets down minimum requirements for information security, it provides the flexibility to adapt the requirements to suit your own business needs by using a rigorous risk management process.
Posted in Application Security, Consumer Information Protection, Cybersecurity, Information Security, Report / Paper
September 26, 2010
We all know how Adobe has beaten Microsoft in the number of security vulnerabilities and joined Microsoft's patch-reporting program to share details on its latest patches. This is posing new challenges for security admins. Symantec recently published a report discussing the current PDF threat landscape:
PDF attacks are on the rise worldwide and show no indication of slowing down. Modern exploit packs have made it relatively simple to create an effective PDF attack. The popularity of these exploit packs along with the success that attackers have been enjoying using PDFs has led to an explosion in the use of malicious PDFs as an attack vector.
Posted in Anti Virus, Application Security, Report / Paper