
Web Application Security Newsletter - September 2007
Editor's Comments
In this month's issue we feature an article about five must-close vulnerabilities and a "heads up" about malicious JavaScript. Read about how the innocent, albeit uninformed, can fall prey to malicious hacking. The Payment Card Industry Security Standards Council will host its first community meeting in September, open to all participating organizations, qualified security assessors, and approved scanning vendors. PCI's requirements for protecting web applications will be up for discussion. Readers who are using or considering virtualization tools will want to read about the security complexities involved and the precautions to consider. A recent British House of Lords inquiry investigated the state of online security. Its findings paint a picture of e-criminals who are highly skilled and profit driven. Although accurate data is hard to come by, the cost of e-crime is huge, and business is flourishing. The report warns of a risk to public confidence, drawing an analogy to the days of the lawless Wild West. Beyond people, process, and technology, Internet security comes down to each individual becoming educated, staying informed, and taking appropriate precautions to avoid the pitfalls of what can otherwise become a lawless Wild West.
1. PCI Security Standards Council to address application security requirements
Council to host first community meeting
The Payment Card Industry Security Standards Council will host its first community meeting in September. The agenda will include discussion of community feedback and clarification of best practices specific to application security. Current standards call for the use of a code review or an application-layer firewall. According to the Council's General Manager, the group is closely reviewing the Open Web Application Security Project (OWASP).
2. More browser bugs, but less risk?
Study finds that faster patching is very effective
A recent study by the Honeynet Project found that more software vulnerabilities do not necessarily lead to an increased number of compromises. Although researchers disclosed twice the number of vulnerabilities for Firefox 1.5 as for Internet Explorer 6 SP2, the study found that there were no actual attacks against the Firefox browser. Microsoft's software, however, was compromised approximately 200 times. Researchers looked at Mozilla's faster patching practices as one explanation for the discrepancy.
3. Organised crime big business on web
Internet's e-crime industry is flourishing
A British House of Lords inquiry into online security reports that e-criminals are highly skilled, specialized, and focused on profit. Although the cost of e-crime is huge, accurate data is difficult to come by. The report says that the underground economy is flourishing and that its participants share information openly online. A U.S.-based think tank's research has shown that entire Internet Relay Chat (IRC) networks are devoted to the underground economy, with 35 to 40 active servers. The report discusses the risk to public confidence and a perception of the Internet as a lawless Wild West.
4. How to patch five must-close vulnerabilities, now
Fix these five to help stay safe online
There is a thriving online black market for Web attack kits such as MPack and Icepack. Criminals buy these kits cheaply and use them to target specific vulnerabilities. Thousands of poisoned Web sites are poised to attack, taking advantage of five common vulnerabilities. Keeping up with Windows Automatic Updates is only part of the solution: a couple of the attacks target QuickTime and WinZip, taking advantage of users who never think to update these programs.
5. Virtualization Increases IT Security Pressures
Servers running virtual machines pose increased security risks
Virtualization technology, which allows multiple operating systems to run different applications on a single computer, is catching on with IT managers. Interest has gained momentum in recent months as virtualization products emerge from major research labs. Before turning to these tools, IT managers should understand the potential risks involved. One expert points out that if a host is vulnerable, all associated virtual machines and business applications are equally vulnerable. The risks associated with patching and upgrading applications increase as new virtual machines are added to a server. The article outlines some precautions to consider when using this technology.
6. JavaScript Hacking
Avoiding the "gotcha" of malicious JavaScript
This popular scripting language can be used to place code on a web page that directs the browser to a URL under the malware author's control. From there the attacker scans bookmarks and cookies, identifying those associated with a user's online bank account. This is but one way JavaScript can be a threat to you or your company. Since the use of JavaScript is widespread, it is not a simple matter of disabling all JavaScript. Protection from attack requires vigilance and education.
