
Web Application Security Newsletter - March 2008
Editor's Note: As mentioned in our Q4 2007 Annual Trends report, there were over 4,000 Web application vulnerabilities last year. The scary part is that of all the published application vulnerabilities, roughly 70 percent were easily exploitable. As pointed out then, these vulnerabilities will continue to be exploited in 2008. Some of the key newsworthy items this month certainly prove the trend: a mass Web attack with script injection affected thousands of sites, reinforcing the need for better Web application security measures. Many states have even passed data breach laws to protect customers, and PCI continues to be a driving factor as the deadline for compliance is looming. However, what's most disconcerting is the fact that a lot of companies are still not doing anything about securing their Web applications, and even when they start the process for PCI, it's just a checkbox to get compliant. This is where the change needs to happen: organizations need to realize the looming dangers and focus on securing their Web applications to protect their brand and retain their customers. Compliance will fall into place once the security posture is strengthened. Happy reading!
-Mandeep Khera, VP of Marketing, Cenzic
1. Adobe, Cisco advisories warn of "critical" vulnerabilities
With security experts warning organizations about increasing ActiveX vulnerabilities and client system attacks, Adobe and Cisco released security advisories for several products. Adobe's bulletins covered vulnerabilities in Adobe Reader 8.1.2, ColdFusion MX 7, ColdFusion 8, Adobe Form Designer 5.0, Adobe Form Client 5.0 Components, and LiveCycle Workflow 6.2. Cisco addressed flaws in its Secure Access Control Server for Windows User-Changeable Password (UCP) program. As servers become more secure, attackers are focusing on Internet-connected client systems. One analyst recommends that ActiveX remain disabled by default and that controls be allowed only on a site-by-site basis.
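The "disabled by default, allowed site by site" posture the analyst recommends can be applied to Internet Explorer's security zones from the registry. The script below is an added example, not part of the newsletter or of either vendor's advisory; it assumes the standard IE zone layout (Zones\3 is the Internet zone, Zones\2 is Trusted sites, value 1200 is "Run ActiveX controls and plug-ins" with 0 = Enable, 1 = Prompt, 3 = Disable), and the site name is a placeholder.

```powershell
# Added example (not from the newsletter): per-user IE zone settings that disable
# ActiveX in the Internet zone and permit it only for one explicitly trusted site.
# Assumed registry layout: Zones\3 = Internet, Zones\2 = Trusted sites;
# value names are IE URL-action ids (1200 = Run ActiveX controls and plug-ins).
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$trustedSite = 'app.example.com'   # placeholder: the one site that genuinely needs ActiveX

# Internet zone (3): disable running, downloading, and scripting of ActiveX controls.
$internetZone = Join-Path $zones '3'
$activeXPolicies = @{
    '1200' = 3   # Run ActiveX controls and plug-ins: Disable
    '1001' = 3   # Download signed ActiveX controls: Disable
    '1004' = 3   # Download unsigned ActiveX controls: Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe: Disable
}
foreach ($name in $activeXPolicies.Keys) {
    Set-ItemProperty -Path $internetZone -Name $name -Value $activeXPolicies[$name] -Type DWord
}

# Trusted sites zone (2): keep ActiveX on Prompt rather than silently enabled,
# so even an approved site cannot load a control without the user noticing.
Set-ItemProperty -Path (Join-Path $zones '2') -Name '1200' -Value 1 -Type DWord

# Map the single approved site into the Trusted sites zone. Under ZoneMap\Domains
# the value name is the URL scheme and the DWORD data is the zone number (2).
$siteKey = Join-Path $domains $trustedSite
New-Item -Path $siteKey -Force | Out-Null
Set-ItemProperty -Path $siteKey -Name 'https' -Value 2 -Type DWord

# Read the settings back so the change can be verified now and audited later.
Get-ItemProperty -Path $internetZone | Select-Object '1200', '1001', '1004', '1201'
Get-ItemProperty -Path $siteKey | Select-Object 'https'
```

For fleet-wide enforcement the same URL-action values belong in Group Policy (which writes the HKLM equivalents) rather than per-user HKCU keys a user can change back.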
2. The Clock Is Ticking For Retailer Web Application Security
As the number of online retail security breaches caused by hackers, shoddy code, and lost hardware keeps piling up, the Payment Card Industry Data Security Standard is mandating tougher Web application security measures. Section 6.6 of the PCI DSS, which becomes mandatory at the end of June 2008, gives retailers two options for securing their Web-facing applications: they either get their code reviewed by an outside organization or they slap an application layer firewall on top of those applications. But as this article argues, section 6.6 isn't tough enough: in its current form, retailers can essentially meet the standard by throwing a firewall over their bad code.
3. Chinese hackers: No site is safe
CNN reports that a group of young Chinese hackers claim to be carrying out Web attacks across the world, including a successful intrusion into the Pentagon's network. Even worse, these 20-somethings say the Chinese government sometimes pays them for their work, which China strongly denies. A Chinese hacker how-to site featuring articles and even Flash tutorials may have more than 10,000 active members. In a recent congressional hearing, top brass in the U.S. Department of Homeland Security testified that the government needs to beef up security on federal agency networks.
4. PCI releases updated Self Assessment Questionnaires
PCI has released a new Self-Assessment Questionnaire allowing all merchants to verify their compliance with PCI security standards. Questionnaires designed for five different types of merchants are available for download as Word documents from PCI's website. Merchants must also complete the Attestation of Compliance, certifying that they performed the appropriate assessment.
5. Data Breach Notification Laws, State By State
No company ever wants to write that dreaded letter informing customers that their personal data has been hacked. But now that 38 states have enacted data breach notification laws, it's imperative that companies comply with those legal requirements to limit civil, and possibly criminal, liability. CSO Online has created a clickable map that provides the legal details on a state-by-state basis, and it also examines case studies on how best to explain the situation to your customers.
6. McAfee Warns of Mass Web Attack
McAfee has discovered a script injection attack on more than 10,000 web pages designed to steal passwords from online gamers. The attack is similar to the one that affected the Miami Dolphins and Dolphins Stadium before the Super Bowl, where a malicious website loads a password-stealing Trojan onto the user's machine.
7. Google Hacking Database Tool Updated
Several online tools are now available for penetration testers to search for files and data associated with Web site vulnerabilities. GnuCitizen has just updated its Google Hacking Database Tool (GHDT), which automates vulnerability search queries. It's important for security testers to become familiar with tools like GHDT, Goolag Scanner, and SiteDigger, because attackers use similar search tools to find and exploit Web site vulnerabilities.