We have plenty of industry-provided reports that tell us what happened in the past. The annual Verizon Databreach Investigations Report is due out any day, providing data on breaches investigated by that company’s incident response professionals, as well as information from law enforcement agencies around the world. And, with the first quarter gone, its safe to assume that similar reports will follow from Symantec and others. But what about the threats for 2013? That’s where Veracode’s State of Software Security (SoSS) report comes in. Released to the public today, SoSS documents the kinds of software vulnerabilities that company found during 2012. And, where there are vulnerabilities, there will be attacks, Veracode CTO Chris Wysopal says. So what’s on tap for 2013? SQL injection attacks are likely to be one of the main attack types against web-based applications this year, as they were last year, Veracode says. That’s because SQL […]
Tag: Web
That Facebook Account Hijack Vulnerability Is Still Dangerous. Here’s Why.
Did you hear about that really dangerous security hole that allows attackers to manipulate third party Facebook applications to hack into your Facebook account? Skype and Dropbox both said they fixed a web site redirection vulnerability that both companies fixed before the vulnerability was disclosed? Great news, right? Right. Except for the fact that the same vulnerability may exist in hundreds, or even thousands of other Facebook applications and still provides a ready pathway into Facebook accounts, according to Nir Goldshlager, the Israeli security researcher who discovered the vulnerability. Goldshlager described the vulnerability, which he named the “UnFix Bug” on his web site in a post on Wednesday, after discussing details of the hole with the online publication TechCrunch. It is just the latest in a string of security holes he has discovered in OAuth, an open authentication standard used by social networking sites like Facebook and Twitter. The vulnerability allows a […]
One Reason Security Is So Hard? Really Bad Reports.
Security is hard. Everyone knows that. The question is: why? After all, our understanding of cyber threats improves with each day. The tools we use to secure our systems have also improved over time – antivirus software, firewalls, application firewalls, intrusion detection, data leak prevention, and so on. And yet, when we look at the data, there’s not much evidence that better understanding and better tools are leading to better security. According to Jonathan Grier, an independent security consultant, the answer to the question ‘Why aren’t we getting better at stopping attacks and protecting data?’ is that we’re not doing a good job of learning from the data we have. In a conversation with The Security Ledger, Grier, the founder of Grier Forensics, said that, despite a wealth of security data, the security industry’s approach to analyzing it is immature. Grier likes working on the cutting edge of computer forensics and application security. […]
What’s In Your Bucket? Data For The Taking In Amazon S3 Containers
Security is one of the main obstacles to greater cloud adoption. When it gets right down to it: companies that own sensitive data are reluctant to release control of it to a third party without ample reassurance that it won’t be lost or stolen. Given that’s the case, the results from an analysis of Amazon’s cloud-based Simple Storage Service (S3) by the security firm Rapid7 won’t ease privacy and security fears surrounding cloud-based storage and applications. In that study, Rapid7 researchers surveyed 12,328 Amazon S3 “buckets” – virtual containers for stored data. The results: 1,951 of those buckets were publicly accessible – around 1 of every 6. Within those 2,000-odd public buckets were 126 billion (with a “B”) files. That’s right – 126 billion. The sheer amount of data was too large for Rapid7 to audit each file individually, so the company sampled 40,000 publicly visible files and found that […]
Spammers Using Yahoo, Google To Whitewash Links
If the gigantic distributed denial of service (DDoS) attacks against the spam blacklisting operation Spamhaus wasn’t proof enough: spammers have trouble steering around blacklists and other reputation-based filters. Even if the language in their message is generic enough to avoid detection, dropping a link to a known, malicious- or compromised domain is plenty to get an entire message dropped. Spammers without a legion of 100,000 bots at their fingertips have to get creative about getting their message into the target’s inbox. Lately, a method that’s drawing attention is to leverage low-security redirection services to whitewash a link to a ‘known-malicious’ or merely suspicious sites. Barracuda Networks said that it has captured spam attacks that are combining a Yahoo based URL shortening service with Google’s free Translate service to whitewash links in spam e-mail messages and evade automated detection. The message, which was sent to a Barracuda “honeypot” system includes a […]
