
Web Application Security Newsletter - January 2007
A MESSAGE FROM THE EDITOR - Among the abundant recaps and predictions published this time of year, it is clear that when it comes to information security, experts anticipate more of the same in 2007, only worse. Financial institutions, shopping centers, and (increasingly) small businesses will remain prime targets. Web applications will continue to be "low-hanging fruit" for potential attack by mischievous miscreants and organized crime alike. This month we feature a startling, even shocking, exposé of the lucrative underworld marketplace for hawking software vulnerability exploits. On the more positive side, one featured author predicts a 2007 upswing in security testing, even if driven by government and industry mandate. He predicts a spark of realization that security testing is a continual process, and urges all to develop a testing schedule to help ensure systems remain secure in the face of any number of threats.
1. Eight top information security events of 2006
The year 2006 proved to be action-packed for the information security industry. A recap of the year's most noteworthy threats spans emergency patches, data breaches potentially affecting millions, RFID security concerns and much more. Industry experts predict more of the same for 2007, only worse. With tightening budgets, IT professionals are likely to be required to do more with less. Attackers will continue to target financial institutions, and small businesses will increasingly become targets.
Read More
2. MX Injection: Capturing and Exploiting Hidden Mail Servers
Author Vicente Aguilera Diaz presents a new attack technique targeting web applications that communicate with mail servers, such as webmail applications. The technique, coined MX Injection, injects mail protocol commands through the web application's input into the mail server behind it. Details about the technique and its potential are provided along with countermeasures. This document is a must-read for web developers who build applications that communicate with mail servers and for security professionals who oversee these applications.
Read More
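The defensive side of the MX Injection item, as an added example that is not code from the newsletter or from Aguilera Diaz's paper: a web front-end that hands form input to a mail server has to keep that input from ending the current command line or escaping a quoted argument. The snippet below builds an IMAP LOGIN command with every user-controlled value validated and quoted per RFC 3501, and includes a small check that a log or proxy could run to flag a single command carrying more than one line. The function names, the tag format and the sample inputs are assumptions made for the example.

```python
"""
Added example, not from the newsletter or the MX Injection paper.

Assumption: a web application collects a username and password from a
form and uses them to log in to an IMAP server on the user's behalf.
The structure of the protocol command must not depend on user input,
so CR/LF is rejected outright and quotes/backslashes are escaped.
"""
import re

# CR or LF anywhere in an argument would terminate the command line and
# let whatever follows be read by the server as a new command.
CRLF = re.compile(r"[\r\n]")


class MailInjectionError(ValueError):
    """Raised when user input would change the structure of a mail command."""


def imap_quote(value: str) -> str:
    """Return VALUE as an IMAP quoted string (RFC 3501, section 4.3).

    Quoted strings may not contain CR or LF at all; '"' and '\\' must be
    backslash-escaped. Other control and non-ASCII characters are
    rejected here as well, since a login form has no legitimate need for
    them.
    """
    if CRLF.search(value):
        raise MailInjectionError("CR/LF not allowed in mail protocol argument")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        raise MailInjectionError("control or non-ASCII character in argument")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_login(tag: str, user: str, password: str) -> str:
    """Hardened command builder: the tag is whitelisted, arguments quoted.

    The tag is chosen by the application, not the user, but validating it
    costs nothing and keeps the invariant "one command per line" local to
    this function.
    """
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise MailInjectionError("bad IMAP tag")
    return f"{tag} LOGIN {imap_quote(user)} {imap_quote(password)}\r\n"


def has_extra_lines(raw_command: str) -> bool:
    """Detection check for a logging proxy between web app and mail server.

    A well-formed command from build_login is exactly one CRLF-terminated
    line; anything with a second line break (bare LF included) indicates
    input that was interpolated without the checks above.
    """
    body = raw_command.rstrip("\r\n")
    return raw_command.count("\r\n") > 1 or "\n" in body


if __name__ == "__main__":
    # Constructed sample input: a normal login and one carrying a line break.
    print(repr(build_login("A001", "alice", "s3cret")))
    try:
        build_login("A001", "alice\r\nextra", "s3cret")
    except MailInjectionError as exc:
        print("rejected:", exc)
    print(has_extra_lines("A001 LOGIN alice pw\r\n"))
    print(has_extra_lines("A001 LOGIN alice\r\nA002 x\r\n"))
```

The same pattern applies to SMTP and POP3 front-ends: whichever protocol sits behind the web form, the application should never let form data decide where a command line ends.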
3. Hackers Selling Vista Zero-Day Exploit
Zero-day exploits for Windows Vista operating system are being hawked for $50,000 each at one auction-style underground marketplace, according to security researchers at Trend Micro. How about exploits for unpatched code execution flaws? These information products can range from $20,000 to $30,000, depending on the popularity of the software program. Underground hackers who cut such deals highlight a lucrative underground market that exists for software vulnerability information.
Read More
4. Security grabs attention, but not always dollars
A recent study surveying government IT executives reveals that security is the main concern and a top priority. The study also reveals a disconnect when it comes to IT investment. Network, data center, and other expenditures each captured a bigger slice of the IT budget. One expert suggests that executive leaders need to understand the potential impact of a security breach in order to quantify security spending.
Read More
5. Hacking and spam ruled internet in 2006
When reflecting on the unprecedented increase in Internet-related attacks in 2006, security experts point to the flaws and vulnerabilities in software that power the Internet. Predictions for 2007 are no exception as attacks gain momentum against financial institutions and shopping centers. One expert estimates that organized online criminals will realize an income as high as $2 billion per year.
Read More
6. Information security predictions for 2007
Consultant and author Kevin Beaver sees security testing gaining pace in the coming year. Among his predictions is an increase in testing of Web applications, although much of it will be at too high a level to deliver much value. He believes that much of the testing will continue to be driven by government or industry mandate, and that the focus will remain on technical solutions rather than on people and operational issues. On the brighter side, he sees source code analysis picking up some momentum, and the spark of a realization that testing must be ongoing.
Read More