Archive for June, 2013

June 27, 2013

Most websites have at least one vulnerability

The latest WhiteHat Sentinel research report indicates that 86% of all websites had at least one serious vulnerability that could not be easily fixed. A serious vulnerability is defined as one in which an attacker can control at least some of the website, access sensitive information, or compromise user account information. A significant finding was that, for 61% of these vulnerabilities, resolution took an average of 193 days.

Other findings include:

  • 57% of organizations said they provide some amount of instructor-led or distance cyber-security training for their programmers.
  • When companies institute mandatory cyber-security training for their programmers, there is a 40% decline in vulnerabilities. These companies also resolve them 59% faster than companies that do not have such training in place.
  • 23% of organizations' websites had a data or system breach as a result of an application-layer vulnerability. These organizations experienced 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.


The full report is available here.

June 25, 2013

Alert: SMBs Vulnerable to the Risks of Default Passwords on the Internet

US-CERT (Cyber Emergency Response Team) has issued an alert that attackers can easily identify and use default manufacturer passwords, thereby gaining access to networks and critical systems. In many cases the default passwords are provided in publicly available documentation or in compiled lists available online, and they can be identical for all systems from a particular vendor or within a product line. Vendors typically recommend changing the password before a system is deployed in a production environment.

CERT highlights the risk that hackers can identify exposed systems using search engines like Shodan. The danger is that an attacker who knows the password and has network access to the system can log in, usually with root or administrative privilege. Here are some examples of damage caused by attacks involving unchanged default passwords:

  • Internet Census 2012 Carna Botnet distributed scanning
  • Fake Emergency Alert System (EAS) warnings about zombies
  • Stuxnet and Siemens SIMATIC WinCC software
  • Kaiten malware and older versions of Microsoft SQL Server
  • SSH access to jailbroken Apple iPhones
  • Cisco router default Telnet and enable passwords
  • SNMP community strings

CERT offers the following prescriptive guidance:

  • Change Default Passwords and Use Unique Default Passwords
  • Use Alternative Authentication Mechanisms
  • Force Default Password Changes
  • Restrict Network Access
  • Identify Affected Products

Finally, there are both free and commercially-available application vulnerability scanners that can identify systems using default passwords.

The full bulletin is available here.
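The first three items of CERT's guidance (unique per-unit defaults, forcing a change, and identifying units still on the default) can be implemented in a device's credential store. The following is an added Python example written for this page, not code from US-CERT or from any vendor; the device names, the weak-password list and the PBKDF2 parameters are constructed for illustration.

```python
"""Added example (not from the US-CERT bulletin): a minimal credential
store for a network device that follows the bulletin's guidance.
- every unit ships with a unique, randomly generated default password
  (no vendor-wide default that can be looked up in documentation),
- a session opened with the still-unchanged default may do nothing but
  change the password,
- the replacement must differ from the factory default and from a
  small denylist of well-known weak passwords.
All device names and list contents below are constructed for the example."""
import hashlib
import hmac
import os
import secrets

# Passwords a replacement may never be set to (constructed denylist).
WEAK_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty", "admin"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumed example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentials:
    """Credential record for one device (factory state: unique default)."""

    def __init__(self):
        # Unique per-unit default, the kind a vendor would print on the label.
        self.factory_password = secrets.token_urlsafe(12)
        self.salt = os.urandom(16)
        self.hash = _hash(self.factory_password, self.salt)
        self.must_change = True  # true until the default has been replaced

    def verify(self, password: str) -> bool:
        # constant-time comparison of the derived hashes
        return hmac.compare_digest(self.hash, _hash(password, self.salt))

    def login(self, password: str, action: str) -> str:
        """Return 'denied', 'change-required' or 'ok' for the requested action."""
        if not self.verify(password):
            return "denied"
        if self.must_change and action != "change_password":
            # Forced default-password change: nothing else is allowed yet.
            return "change-required"
        return "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Replace the password; reject the factory default and weak choices."""
        if not self.verify(current):
            return False
        if len(new) < 12 or new.lower() in WEAK_PASSWORDS or new == self.factory_password:
            return False
        self.salt = os.urandom(16)
        self.hash = _hash(new, self.salt)
        self.must_change = False
        return True


def devices_on_default(inventory: dict) -> list:
    """Inventory audit: names of devices whose factory default is still active."""
    return sorted(name for name, dev in inventory.items() if dev.must_change)


if __name__ == "__main__":
    fleet = {"core-switch": DeviceCredentials(), "edge-router": DeviceCredentials()}
    sw = fleet["core-switch"]
    print(sw.login(sw.factory_password, "configure"))      # change-required
    print(sw.change_password(sw.factory_password, "Correct-Horse-Battery-42"))
    print(devices_on_default(fleet))                        # ['edge-router']
```

Because each unit's default is random, a leaked default for one unit is useless against the rest of the product line, and the `must_change` flag gives an administrator a single field to audit across the fleet.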

June 24, 2013

Detecting Application Vulnerabilities Is Important to Your Business

There is some interesting data in the 2013 Global Information Security Workforce Study that merits further examination. When asked about organizational priorities in terms of outcomes to be avoided, the top five responses were damage to the organization’s reputation (83%), breach of laws and regulations (75%), service downtime (74%), customer privacy violations (71%), and customer identity theft or fraud (61%).

Looking beyond the raw numbers, it is clear that organizational priorities are aligned with the priorities of the IT security professionals whose job it is to counter cyber-attacks.

Here is a link to the study.

June 21, 2013

How vulnerable is your WordPress site to attack?

A company called Checkmarx has released a report on the vulnerability of WordPress to attack. Some of the data should concern companies that rely on WordPress to host their websites or blogs. Here is a summary of the findings:
• 40% of the most popular plugins are vulnerable to common web attacks such as SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Path Traversal (PT).
• 70% of the most common e-commerce plugins are vulnerable.

The report authors provide the following prescriptive guidance for web administrators:

1. Download plugins only from reputable sources. For WordPress, this means WordPress.org

2. Verify the security posture of the plugin by scanning it for security issues

3. Ensure all your plugins are up to date

4. Remove any unused plugins

Please follow this link to access the full report: http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
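Two of the plugin weaknesses the report counts, SQL injection and path traversal (with XSS output escaping alongside), come from the same root cause: untrusted request input reaching a query, a file path or an HTML page unchecked. The following added example, written in Python for this page and not taken from the Checkmarx report or from any WordPress plugin, shows each unsafe pattern next to its hardened form; the in-memory table, the asset directory and its file names are constructed for the example.

```python
"""Added example (not from the Checkmarx report or any WordPress plugin):
SQL injection, path traversal and XSS, each as the unsafe pattern next
to its hardened form.  Uses an in-memory SQLite table and a temporary
directory, both constructed here so the example runs offline."""
import html
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one published post, one draft."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "Hello world", "publish"),
        (2, "Unpublished draft", "draft"),
    ])
    return con


# --- SQL injection -------------------------------------------------------
def titles_unsafe(con, post_id: str) -> list:
    """Vulnerable: request input is concatenated into the query text."""
    sql = f"SELECT title FROM posts WHERE id = {post_id} AND status = 'publish'"
    return [row[0] for row in con.execute(sql)]


def titles_safe(con, post_id: str) -> list:
    """Hardened: the id is validated, then bound as a query parameter."""
    if not post_id.isdigit():
        return []
    sql = "SELECT title FROM posts WHERE id = ? AND status = 'publish'"
    return [row[0] for row in con.execute(sql, (int(post_id),))]


# --- Path traversal ------------------------------------------------------
def make_asset_dir() -> str:
    """Constructed layout: <tmp>/assets/style.css plus a file outside assets."""
    tmp = tempfile.mkdtemp()
    assets = os.path.join(tmp, "assets")
    os.mkdir(assets)
    with open(os.path.join(assets, "style.css"), "w") as f:
        f.write("body{}")
    with open(os.path.join(tmp, "outside.txt"), "w") as f:
        f.write("not an asset")
    return assets


def read_asset_unsafe(base_dir: str, name: str) -> str:
    """Vulnerable: the requested name is joined to the base directory as-is."""
    with open(os.path.join(base_dir, name)) as f:
        return f.read()


def read_asset_safe(base_dir: str, name: str) -> str:
    """Hardened: resolve the final path and require it to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the asset directory")
    with open(target) as f:
        return f.read()


# --- XSS -----------------------------------------------------------------
def render_title_safe(title: str) -> str:
    """Hardened output: escape untrusted text before placing it in HTML."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


if __name__ == "__main__":
    con = make_db()
    print(titles_unsafe(con, "1 OR 1=1 --"))   # leaks the draft title
    print(titles_safe(con, "1 OR 1=1 --"))     # []
    assets = make_asset_dir()
    print(read_asset_safe(assets, "style.css"))
    print(render_title_safe("<script>alert(1)</script>"))
```

The hardened versions rely on the same idea in each case: decide what shape the input is allowed to have (a digit string, a path under one directory, text rather than markup) before it reaches the interpreter that will act on it, instead of trying to strip bad characters out afterwards.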

June 20, 2013

Microsoft’s new bounty program to find vulnerabilities and exploitation techniques

Microsoft has just announced that it will make cash payments in exchange for reports of certain vulnerabilities and exploitation techniques. The company will pay up to $100,000 USD for what it defines as “truly novel” exploitation techniques against protections built into its latest operating system (Mitigation Bypass Bounty).

In addition, Microsoft will pay up to $50,000 USD for defensive ideas that accompany the Mitigation Bypass Bounty.

Finally, Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

Pay-per-performance bounty programs have been around for a while, but it’s refreshing to see that Microsoft is putting some serious resources behind this initiative. This is definitely a smart move by Microsoft, especially when you consider the cost of just one engineer living in Redmond!

For more information please visit: http://www.microsoft.com/security/msrc/report/bountyprograms.aspx#

June 20, 2013

OWASP Releases New 2013 Top 10 Risks: Mostly Unchanged from Last Year

The Open Web Application Security Project has just released its annual Top 10 risks for developers for 2013. OWASP is an open community that provides the industry standard for improving application security and has been releasing its Top 10 list since 2003.

Because OWASP is so widely used as an industry benchmark, cyber-security analysts offer some cautionary advice on how to apply it.

Fellow blogger Vincent Liu stresses the need to prioritize the risks an organization actually faces: just “because a threat is new doesn’t mean it’s always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn’t mean it’s the most important problem facing your organization.”

Rohit Sethi, writing in the SD Times, reminds us that the Top 10 list is not meant to be a prescriptive guide for software development, though many treat it that way. Rohit states that OWASP is “simply too broad to be used for specific requirements” and cites the example of the sensitive data exposure category, which “is much more open-ended and could mean several things.”

Below is the complete list:
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

More details are available on the OWASP site:
https://www.owasp.org/index.php/Top_10_2013-Top_10

June 18, 2013

Application Vulnerability Is the Top Concern for Information Security Professionals

The 2013 Global Information Security Workforce Study highlights the concern of security professionals about application vulnerabilities. Out of a choice of 12 vulnerabilities and threats, the top three selected by security professionals were application vulnerabilities (69% of respondents), malware (67% of respondents) and mobile devices (66% of respondents).
Here is a summary of other interesting findings from the report:
• There has been a jump in concern relating to cloud-based services. In the 2011 survey, 43% of respondents had high concern related to cloud-based services. This number rose to 49% of respondents in 2013, reflecting increased adoption of cloud-based services.
• C-level executives tend to be more concerned about vulnerability categories than respondents with other job titles. 72% of the C-level executives interviewed picked application vulnerabilities and 70% selected mobile devices, somewhat higher than other job categories.
• Respondents in developing countries are more concerned than those in developed countries, reflecting the relatively less sophisticated cyber-security defenses in developing countries.
• Smaller companies tend to underestimate the different threat and vulnerability categories relative to larger companies. The authors of the report hypothesize that larger companies have more resources in place to examine threats (penetration testing, web application vulnerability scanners) and may therefore be more aware of potential risks.
• Response data varied by industry. Concern among companies in the financial industry and government entities surpasses that of other industries, which is largely attributed to their being higher-value targets for hackers and organized criminals.

Here is a link to the study: https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf

June 17, 2013

How companies get hacked: the human factor

As we’ve stated before, hacking is about exploiting vulnerabilities, whether they are system, technical, or people related. Much of the publicly available research points to human error as a major contributor to data breaches. According to the Symantec/Ponemon study, at least a third of serious data breaches were connected to human error or negligence.

In some cases, disgruntled employees with access to confidential information directly cooperate with hackers. Although there have been some high profile cases of this occurring, in most cases negligence and social engineering are more significant factors.

What can be done to reduce the hacking resulting from human error?
In order to change behavior, you will need to train your employees in how to handle information in the age of cyber-crime. Training can be both formal and informal and should vary by role. Frontline employees who handle credit cards need very different training than back-office accounting and finance staff.

Here are some of the areas that need to be covered:

•  The dangers of posting personal information on social media. For example, an attacker can use your place of birth to answer password-reset questions and take over an account (Sarah Palin’s email account was compromised this way).

•  How to handle sensitive company information such as passwords and customer data. Your employees need to understand the dangers of malware, viruses, etc. One rule that should be reinforced is never to give out passwords or confidential information over the phone or via email.

•  Other measures that can reduce cyber-crime due to human error include:

  • Put in place security protocols covering access to data, encryption of files, and confidentiality of information.
  • Limit access to confidential information and put mechanisms in place

June 13, 2013

New Quatrashield Whitepaper: 12 steps to protect yourself from hackers

It’s no surprise how easy it is for hackers to gain access to password information when one considers the research on this subject. According to a report by Infosecurity Europe, 65% of workers use identical passwords for different purposes, including personal banking, websites, and access to corporate applications. Many people make it easy for hackers by using easy-to-guess passwords: the top 5 passwords are password, 123456, 12345678, abc123, and qwerty.

Please review our whitepaper: 12 steps to protect yourself from hackers

June 12, 2013

What to do about ransomware (part 2)

This is the second part in our series on ransomware. The first blog article is here.

As a general rule on this blog, we provide solutions that most of our audience can act on. In the case of ransomware, our guidance is simple.

1) Under no circumstances should you pay the “fine”, no matter how small. Your computer is being held ransom by criminals and there is no reason to believe that if you pay the ransom, they will release it to you. If anything, you have now provided your credit card information to criminals. Even if you have paid the “fee” and your computer appears to be operating normally, the likelihood is that the criminals are planning further attacks or have infected your PC for some other nefarious purpose.

2) Ransomware is a relatively sophisticated form of malware and we strongly suggest that you take your PC to a data recovery professional who has experience with ransomware.