As we start 2009 it is prudent to think about what we may need to plan for in the year ahead.  Many organisations will pursue existing projects and (hopefully) continue to mature their security capabilities.  It is also necessary to be mindful of the current business environment and technology trends.

DarkReading offers a somewhat fearsome list of Four Threats, and vnunet.com five more likely ones in its look at The Year Ahead.  Emerging security threats such as virtual malware will be the focus of high-end attackers, and expect many new variations on already known methods of exploitation.

Industry standards help to define common operational practices for information security management.  As part of a competent information security program, penetration testing is often relied upon to identify technical weaknesses in applications.  However, information security must take this approach into a third dimension by engaging the business, thoroughly understanding the application, and preventing the non-technical weaknesses that abuse allowable parameters: fraud.  This article describes a few ways to protect an eCommerce system, including a list of controls that may help reduce fraud.


Moving Past CAPTCHAs

December 2, 2008

CAPTCHAs, like a lot of security controls, are a race between attackers and defenders.  Defenders make updates to block attacks that become increasingly competent and sometimes successful.  Whilst security through obscurity is not ideal, unique tailoring of controls like CAPTCHAs has been used by many websites to buy time…

  • Test Form fields — e.g. don’t fill in this field, don’t check this checkbox
  • Image based — e.g. is this a picture of a dog or a cat?
  • Question Only — e.g. what colour is the sky with no clouds?
  • Audio — e.g. a scrambled voice clip alternative to CAPTCHA text
  • Keystroke — e.g. everything at once (paste) versus typing at a realistic speed
  • reCAPTCHA — making something annoying twice as useful is still annoying

Those using CAPTCHAs should at least implement a visual and an audio alternative.  But because CAPTCHAs are not user friendly (for those with or without an impairment), and workarounds like those above will only buy a short amount of time, websites should be looking towards a future past CAPTCHAs.  One alternative is to verify identity with authentication; where this is not appropriate, a non-invasive mechanism worth considering is content-based and/or reputation-based filtering.  If you have any other ideas, please leave a comment.
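As an added example (not code from the original post), here is a server-side implementation of three of the alternatives listed above: a hidden honeypot field, a decoy checkbox, and a typing-speed check against a MAC-signed render timestamp so the client cannot backdate it.  The field names, secret and 3-second threshold are assumptions chosen for this example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Assumptions for this example: the field names, the secret and the
# timing threshold are chosen here, not taken from any real site.
SECRET = b"constructed-demo-secret"   # per-deployment secret for the token MAC
HONEYPOT_FIELD = "website_url"        # hidden via CSS; humans never fill it
DECOY_CHECKBOX = "subscribe_all"      # hidden checkbox; humans never tick it
TOKEN_FIELD = "form_token"            # carries the signed render timestamp
MIN_FILL_SECONDS = 3.0                # faster than this is paste, not typing

def issue_form_token(rendered_at: float, secret: bytes = SECRET) -> str:
    """Embed the render time in the form, MACed so the client cannot backdate it."""
    ts = str(int(rendered_at))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{mac}"

def parse_form_token(token, secret: bytes = SECRET):
    """Return the render time, or None if the token is missing or tampered."""
    if not isinstance(token, str) or "." not in token:
        return None
    ts, mac = token.split(".", 1)
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not ts.isdigit() or not hmac.compare_digest(mac, expected):
        return None
    return float(ts)

@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)

def check_submission(form: dict, now: float = None) -> Verdict:
    """Apply the three checks; any single failure rejects the submission."""
    now = time.time() if now is None else now
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")
    if form.get(DECOY_CHECKBOX) in ("on", "1", "true"):
        reasons.append("decoy checkbox checked")
    rendered_at = parse_form_token(form.get(TOKEN_FIELD))
    if rendered_at is None:
        reasons.append("form token missing or tampered")
    elif now - rendered_at < MIN_FILL_SECONDS:
        reasons.append(f"submitted after {now - rendered_at:.1f}s")
    return Verdict(accepted=not reasons, reasons=reasons)
```

The page emits `issue_form_token(time.time())` into the hidden token field when the form is rendered, and the handler calls `check_submission(request_form)` before accepting the post.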


In a recent article in The Australian, senior lecturer Mervyn Bendle of James Cook University writes about terrorism and the shift from hard military targets, the “near enemy”, to softer targets: private citizens, known as the “far enemy”.  In the case of Mumbai, the country was host to the far enemy of a foreign militant organisation.  Worth noting, the primary US and UK targets, people, were not under the protection of their home countries.  These types of events demand continued, and elevated, co-operation of governments and intelligence agencies world-wide.

Parallels can also be drawn to cyber-security and the protection of information assets within the corporate environment.  Information is more likely to be exposed when it is outside the direct control of the organisation, i.e. when it is being stored, processed or transmitted by a third party.  This underpins the importance of industry standards such as SAS 70 and ISO 27001, in demonstrating control, and in fostering trust between business partners.

Read the full article in The Australian on the recent events in India.

Governments have been getting hit by their fair share of flak in recent times (particularly in the UK) due to their negligence in the unauthorised disclosure of sensitive information under their stewardship.  Whilst this is well deserved and needs addressing, it is worth giving governments credit when they use their influence to encourage the adoption of more secure technology and practices; in this case DNSSEC.

Various small deployments of DNSSEC, including those within defence organisations around the world, are growing, and DNSSEC adoption is fast becoming a target for e-Government bodies.  SecurityFocus has published an article describing a mandate for DNSSEC to be used by major US agencies by December 2009.  I am hopeful this will help drive adoption of DNSSEC in the commercial world.

Trust, or confidence, is essential for good government and for encouraging commerce, and when it is undermined by vulnerabilities in already inherently insecure protocols like DNS we all lose.  In response to incidents we may deploy quick fixes, like source port randomization for the recent DNS flaw, but we also need to address the root cause and design security into systems if we want to exploit the many benefits new technology may bring.

Click on the links for more information.

Web 2.0 is big on Feeds

July 30, 2008

This blog is an example of Web 2.0, along with social networking sites, wikis and mashups.  While the underlying concepts surrounding the Internet remain the same, Web 1.0 was about sites with virtually static content and Web 2.0 is all about collaborating and sharing information.

AJAX has arisen as a technology of choice for designing Web 2.0 applications, and XML in the form of RSS/Atom feeds facilitates the sharing of information.  Let's take a look at some very simple exploits for RSS feeds and how to mitigate them as developers, system/network admins and users.