InfoWorld: Top News

Financial institutions spending on security, governance
Fri, 05 Oct 2007 15:43:01 PDT
(InfoWorld) - The Deloitte & Touche annual survey of security practices at 169 financial institutions found that 98 percent of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance. 
Security spending is up as much as 15 percent over last year at 11 percent of the 169 corporations surveyed, which include banks and investment and insurance companies from 32 countries. According to the 2007 Global Security Survey, the biggest spending hikes were made in audit or certification costs, logical-access control products, infrastructure protection devices, and compliance and risk management.
While 38 percent of the organizations surveyed did not measure their security budget on a per capita basis, of those that did, 7 percent said they spend more than $1,000 per person, 7 percent between $501 and $1,000 per person, 14 percent between $251 and $500, 23 percent between $100 and $250, and 11 percent under $100.
In a related trend, 81 percent of the financial institutions surveyed said they've adopted a formal Information Security Governance framework, up from about 70 percent last year. The vast majority of the remaining respondents said they are in the process of establishing one.
Deloitte & Touche said the higher adoption rate in formal Information Technology Governance frameworks -- which detail lines of authority and reporting requirements, business processes, technology, and security measures -- appears due to the increased pressure of government regulation.
The technology executives who participated in the annual Deloitte security survey -- 22 percent from Japan and the larger Asia-Pacific region, 12 percent from the United States, 23 percent from Latin America, 7 percent from Canada, 31 percent from Europe, the Middle East and Africa, and 5 percent from the former Soviet Republics -- indicated that getting through internal and external audits can be tough wherever you are.
They report that the main audit obstacles are networks that still allow excessive access rights, lack of adequate audit trails/logging, and failure to assure access control complies with formal business procedures.
The 2007 Global Security Survey also asked the respondents questions about technology use.
One question pertained to whether organizations prohibit use of wireless technologies, including wireless LANs, infrared networking, or mobile devices, due to security reasons.
Forty-five percent of the respondents said their organizations prohibit use of wireless LANs, 75 percent prohibit infrared networking, and 13 percent prohibit mobile devices, including PDAs and BlackBerries.
Those not prohibiting wireless use offered employees guidelines on secure use, published policies on acceptable business use, or implemented wireless technologies themselves.
Network World is an InfoWorld affiliate
Global computer usage, cell phone ownership jump
Fri, 05 Oct 2007 14:39:35 PDT
(InfoWorld) - Increased computer usage and better e-mail and Web access may narrow the digital divide, although globalization critics may perceive such changes as a threat to local cultures and economies, a new Pew Research Center study suggests. 
The globalization survey released Thursday by Pew Research Center said that while technology inequality between countries has lessened, an ongoing backlash threatens globalization.
Technology plays a key role in the larger concept of globalization, said Richard Wike, senior researcher with the Pew Global Attitudes Project, part of the Pew Research Center, based in Washington, D.C. Computers and cell phones help connect people across borders and nurture better economic integration, Wike said.
People believe free trade and free markets are good for their countries, the survey said, but it also noted that globalization has its economic, environmental, and cultural downsides. For example, people in the U.S. and Western Europe are growing less supportive of global trade, while those in China and India approved it more as their economies grew, the survey said.
Technology plays a role in the economic integration that comes with globalization, Wike said. "Usage of technology seems to be part of globalization. It's part of a bigger picture," Wike said.
In 2007, computer usage increased in 26 of the 35 countries surveyed, compared to 2002, with better access to e-mail and the Internet, according to the survey. Sweden topped the list with 82 percent of its population using computers, followed by South Korea and the U.S., at 81 percent and 80 percent, respectively. Pakistan, Tanzania, and Bangladesh had the least computer usage, at 9 percent, 6 percent and 5 percent, respectively.
The data includes computer usage at work, school, home, and other places.
Compared to Western Europe, the U.S. and Canada, computer usage in the poor parts of Asia and Africa grew slowly. Usage jumped in Latin America, especially Brazil, where 44 percent of the population used computers, compared to 22 percent in 2002, Wike said.
Increased computer usage has led to better Internet and e-mail access globally, the survey said. About 80 percent of South Koreans, 79 percent of Swedes, and 78 percent of the U.S. population go online occasionally. Newspapers continue to lose readers as online news sources gain more readers globally, the survey said.
Computer ownership is growing too with 93 percent of South Koreans, 84 percent of Kuwaitis, and 81 percent of Swedes owning a computer. The survey said 76 percent of the U.S. population owned a computer, compared to 70 percent in 2002. Overall, computer ownership grew in 32 of 34 countries surveyed in 2007 compared to 2002.
Cell phone ownership showed a dramatic increase globally, Wike said. In 2007, 81 percent of the U.S. population owned a cell phone, a 20 percent increase compared to 2002. Russia and Nigeria saw dramatic 57 percent and 56 percent increases, respectively, in cell phone ownership in 2007 compared to 2002.
The survey looked at the global spread of technology and feelings about the multiple interpretations of globalization, including perceived threats to cultures, along with other issues, Wike said. While technology fills global communications gaps and helps integrate economies, some people worry about losing their cultures, and although they embrace free markets, they don't want economic growth at the expense of the environment, Wike said.
How much technology contributes to the backlash against globalization "is a good question to ask," Wike said.
Despite lawsuits, P-to-P use still growing
Fri, 05 Oct 2007 14:36:29 PDT
(InfoWorld) - If 20,000-plus lawsuits by the Recording Industry Association of America (RIAA) aren't enough to show U.S. residents that the unauthorized sharing of music files will cause legal problems, now there's a $222,000 jury verdict against a Minnesota woman. 
And still, the beat goes on.
In 2006, 15 million U.S. households downloaded an unauthorized file using P-to-P (peer-to-peer) software, an 8 percent increase from 2005, according to The NPD Group, a market research firm that tracks digital downloads.
A jury in the U.S. District Court for the District of Minnesota in Duluth ordered Jammie Thomas to pay $222,000 for sharing 24 songs using the Kazaa P-to-P software. In the first jury trial for one of the RIAA lawsuits, Thomas was found guilty of sharing songs owned by such companies as Capitol Records, Sony BMG Music Entertainment, and Warner Bros. Records.
Advocates of strong copyright law praised the jury's decision.
"It's unclear why this woman would compound one mistake, offering thousands of songs to strangers, with another one, turning down a settlement in favor of a trial in which she had no evidence to give," said Patrick Ross, executive director of the Copyright Alliance, an advocacy group representing the music industry and other copyright holders. "Hopefully, this will help more people to understand that these are illegal actions with real harms for songwriters and performing artists."
Many U.S. residents don't seem to be getting the message.
The number of U.S. households using paid music download services is increasing, but there are still 2 million fewer than the households that used P-to-P software to download music in 2006, NPD said. And while the rate of growth in P-to-P users slowed in 2006, the number of files downloaded through P-to-P services increased 47 percent between 2005 and 2006, from 3.4 billion to 5 billion, the company said.
In contrast, the number of legally purchased music downloads in 2006 was about 500 million, a 56 percent increase from 2005, NPD said. Still, the number of legal downloads is "swamped by the sheer volume" of files traded illegally over P-to-P networks, NPD entertainment industry analyst Russ Crupnick said in a news release.
The RIAA pledged, in a statement, to "continue to bring legal actions against those individuals who have broken the law."
The RIAA's series of lawsuits against alleged file traders, begun in September 2003, is important for "securing a level playing field for legal online music services" and for helping record companies invest in new artists, the RIAA added.
"The law here is clear, as are the consequences for breaking it," the trade group said.
Several critics called the court judgment a hollow victory for the recording industry.
"Despite today's verdict, tens of millions of Americans will continue sharing billions of songs, just as they have since Napster let the P2P genie out of the bottle nearly 8 years ago," Hugh D'Andrade, an activist with the Electronic Frontier Foundation, wrote on the organization's Web site. "Every lawsuit makes the recording industry look more and more like King Canute, vainly trying to hold back the tide."
Canute, a Viking king in the 11th century, sat his throne on the beach and attempted to hold back the tide, according to legend.
Instead of lawsuits, the recording industry should embrace collective licensing of music file sharing, D'Andrade wrote.
While the evidence against Thomas may have been sketchy before trial, the music industry proved its case in court, Ed Felten, a professor of computer science and public affairs at Princeton University, noted in his blog.
While she argued that someone else must have downloaded the music, the RIAA lawyers showed that the Kazaa user had a user name that Thomas has used on other services and downloaded songs by her favorite artists, Felten said.
But Felten was struck by the size of the verdict, with damages of $9,250 per song. "That's more than nine hundred times what the songs would have cost at retail," he wrote. "There is no way that Jammie Thomas caused $222,000 of harm to the record industry, so the jury's purpose in awarding the damages has to be seen as punishment rather than compensation.
"All of this over songs that would have cost $23.76 from iTunes."
T-shirt shows off Wi-Fi muscle
Fri, 05 Oct 2007 12:56:56 PDT
(InfoWorld) - With at least one municipal Wi-Fi project being proposed or abandoned seemingly every day and big carriers like BT Group turning to their subscribers' Wi-Fi routers to make Wi-Fi available, it's hard to know exactly where you can get online these days. But a T-shirt going on sale late this month could solve that problem for you and everyone around you. 
The Wi-Fi Detector Shirt, which the online store ThinkGeek will sell for $29.99, has glowing bars on the front that light up in waves when there's an IEEE 802.11b or 802.11g network in range. As with a network strength indicator on a cell phone or PC, more bars light up as the signal gets stronger. A cartoon of a classic radio tower and the simple expression "802.11" say it all for people who are looking for this kind of thing. ThinkGeek employee Ty Liotta developed the shirt, which is only available in black.
Until Power Over Ethernet (IEEE 802.3af, but you knew that) goes wireless, a glowing, network-detecting T-shirt still needs batteries. The three AAA cells for this one are concealed in a pocket sewn inside the shirt, according to ThinkGeek. When it's time to wash the shirt, you can take them out and then peel off the glowing decal, which is attached to the shirt with hook-and-loop fasteners. A ribbon cable concealed inside the shirt links the batteries to the decal, and it can go through the wash -- as long as you hang dry the shirt.
One thing the shirt can't tell is whether the network in range is open or encrypted. It also can't detect the very latest certified Wi-Fi technology, 802.11n Draft 2.0, which is several times faster than 802.11b and 802.11g networks. There aren't enough 802.11n networks yet, explained Jennifer Kuropkat, a spokeswoman for ThinkGeek, in Fairfax, Virginia.
BT on Thursday became the latest service provider to let ordinary home broadband users share a portion of their Internet connections with the public using software from Fon Technology SL and a Wi-Fi router. The carrier hopes users of the free service will flood suburban streets all over the U.K. with wireless Internet signals. However, Wi-Fi is invisible to the naked eye.
Asked whether the Wi-Fi Detector Shirt will solve a critical problem for users, Gartner analyst Ken Dulaney said, "Probably for a very few people in the world, yes."
Update: Hackers at Microsoft?! Now wait a minute....
Fri, 05 Oct 2007 12:35:22 PDT
(InfoWorld) - For the record, there are hackers at Microsoft. Just don't call them hackers. 
In August, a blogger using the handle "Techjunkie" started a Microsoft Developer Network blog called Hackers @ Microsoft that, he claimed, would introduce the world to some of the ethical "white hat" hackers working there.
White hat hackers are security professionals who use many of the same techniques as the bad guys but who learn how to break into systems for research purposes only. "The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com," Techjunkie wrote.
Then he went silent for a month and a half.
Late Thursday, however, Techjunkie resurfaced, saying that he was dropping the Hackers @ Microsoft name. "There were some concerns raised that the average blog reading audience may not be able to discern the difference, and we may inadvertently associate Microsoft with the negative connotations of the word 'hacker' that is out there," he wrote.
Techjunkie didn't say whether the decision to drop the name came from Microsoft's marketing department, but if it did, he's found a way to get even. "To alleviate that concern, I've changed the name of the blog to '%41%43%45%20%54%65%61%6d'," he wrote.
"%41%43%45%20%54%65%61%6d" may not be as memorable as Hackers @ Microsoft, but it does mean something. It is code for "ACE Team," apparently a reference to Microsoft's Application Consulting & Engineering Team, which does performance, security, and privacy development work at Microsoft. They have a blog too.
Microsoft's PR agency said Friday that Techjunkie is, in fact, Ahmad Mahdi, a manager with the ACE Team. The %41%43%45%20%54%65%61%6d name was chosen to "better reflect the intent of the blog, its posts and content, as well as the work conducted by security researchers at Microsoft," a spokeswoman said.
Microsoft has talked frequently about its growing use of ethical hackers to test its products for bugs. The software vendor even invites them onsite twice a year for its Blue Hat security conference.
Techjunkie followed up his Thursday evening post explaining the name change with a generic blog item on the need for security processes when developing software.
The debate over the term "hacker" is long running and bitter. Originally used to denote someone creative who enjoyed building new things with computers, the term has also come to mean computer attacker in popular culture, much to the dismay of the white hats.
One security professional who also maintains a hacking blog said he understood why Microsoft may have wanted to drop the name. "Unfortunately, I think there's a bit of a stigma associated with the word hacker," said Robert Hansen, CEO of security consultancy SecTheory and also the man behind the ha.ckers.org Web site.
Though Hansen considers himself a hacker, he says that he sometimes downplays this fact in business situations. "There are definitely times at which I use the ha.ckers.org persona more than I use the SecTheory persona," he said. "Some people aren't comfortable with the concept."
This story was updated on October 5, 2007
Microsoft offers IE7 to all, pirates included
Fri, 05 Oct 2007 11:54:05 PDT
(InfoWorld) - Users running pirated or counterfeit copies of Windows XP or Windows Server 2003 can now download Internet Explorer 7, Microsoft announced Thursday. 
From the moment it released IE7 almost a year ago, Microsoft has restricted the browser to users who can prove they own a legitimate copy of the operating system. Before Microsoft allows the browser to download, it runs the user's PC through a WGA (Windows Genuine Advantage) validation test, a prime part of XP's antipiracy software.
When it instituted the requirement in 2006, Microsoft said rights to IE7 were one of the rewards for being legal. It changed its mind Thursday, saying the move is in users' best interest. "Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we're updating the IE7 installation experience to make it available as broadly as possible to all Windows users," said Steve Reynolds, an IE program manager, in a posting to a Microsoft company blog. "With today's 'Installation and Availability Update,' Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users."
Microsoft has consistently touted IE7 as a more secure browser, and post-launch patch counts back that up. In the past 11 months, IE6 for Windows XP SP2 has been patched for 22 vulnerabilities, 20 of them rated critical. IE7 for XP SP2, however, has been patched only 13 times; 10 of those fixes were ranked critical. In fact, when Microsoft announced that IE7 would not be offered to users running illegal copies of XP, some analysts questioned the company's commitment to security.
This is the first time that Microsoft has removed a WGA check for a major product. Among those that still require validation are Windows Defender, the company's antispyware software, and Windows Media Player 11.
Several people who left comments on Reynolds' post wondered if there's more to the decision than meets the eye. "I am guessing that this is in reaction to Firefox's growing market share," said someone identified as Dileepa. "I am not surprised at this at all."
Mozilla's Firefox has gained some ground on Internet Explorer since IE7's launch. According to Net Applications, a Web metrics company, Firefox's share is up by about two percentage points since October 2006, while IE's total -- IE6 and IE7 combined -- slipped by more than three points.
IE7's uptake was dramatic late last year, when it went from about a 3 percent share in October to 18 percent in December, but growth has slowed. Since April, for instance, it has increased its share by four percentage points, almost all of it at the expense of the older IE6.
The IE7 update also sports a few tweaks: The menu bar is now visible by default, for example, and a new administration kit that includes a revamped MSI installer is available to smooth corporate deployment.
Users can download IE7 from Microsoft's site immediately or wait for it to appear in Windows Update as a high-priority item. It will take several months for Windows Update to roll out IE7 to all XP customers, and anyone dissatisfied with the new browser can downgrade to IE6 by using the Add/Remove Programs control panel applet.
A blocking tool kit is still available for companies and organizations that don't use Windows Server Update Services and want to permanently prevent IE7 from automatically installing on PCs equipped with IE6.
Computerworld is an InfoWorld affiliate
Microsoft spins off Bungie Studios
Fri, 05 Oct 2007 11:42:19 PDT
(InfoWorld) - Microsoft confirmed that it will spin off Bungie Studios, developer of the Halo 3 video game that recently set records for opening day sales. 
Microsoft will retain an undisclosed equity interest in Bungie. The announcement, made Friday, follows a post on the 8BitJoystick blog from earlier this week that leaked the news.
Practically speaking, not much will change, said Frank O'Connor, writing lead at Bungie. While he said that the move is "fiscally prudent" for Bungie because it will get a better share of profits, the company will continue to work closely with Microsoft on developing games for the Xbox console.
He left open the answer to a burning question from fans of other gaming platforms: Will Bungie write games for non-Xbox consoles? "In theory, yes," he said. But for a while the relatively small staff of 120 will continue to work on Xbox 360 games, he said. Projects for the midterm are already lined up, and they're all based on the Microsoft console, he said.
"Honestly, we're really happy working on the 360," he said. "It's our platform of choice."
Bungie was once an independent company. Not quite 10 years ago, it was acquired by Take 2 Interactive Software. Later, Microsoft took a share in Bungie and then bought it outright.
Microsoft owns the intellectual property for Halo, a series that just released its third and final game. Halo 3 brought in sales of $170 million in the U.S. the first day it became available. Microsoft says that's the best video game and entertainment launch in history. "Halo 3" sales reached $300 million globally on the first weekend.
Retail group takes a swipe at PCI
Fri, 05 Oct 2007 10:23:06 PDT
(InfoWorld) - Simmering discontent within the retail industry over the payment card industry (PCI) data security standards erupted into the open Thursday with the National Retail Federation (NRF) asking credit card companies to stop forcing retailers to store payment card data. 
In a tersely worded letter to the PCI Security Standards Council, which oversees implementation of the standard, NRF CIO David Hogan asked credit card companies to stop making retailers "jump through hoops to create an impenetrable fortress" to protect card data. Instead, "retailers want to eliminate the incentive for hackers to break into their systems in the first place."
"With this letter, we are officially putting the credit card industry on notice," Hogan said in a statement. The NRF, a trade association whose membership includes most of the major retailers in the U.S., is the national voice for about 1.4 million U.S. retail establishments.
In an interview with Computerworld Thursday, Hogan said the letter was provoked by a "lot of frustration" in the industry about PCI guidelines and the deadlines associated with implementing them. If the goal of PCI is to protect credit card data, the easiest and most common sense approach is to stop requiring merchants to store the data in the first place, he said.
PCI is a data security standard mandated by Visa International, MasterCard Worldwide, American Express, Discover, and the Japan Credit Bureau (JCB). It requires companies to implement a set of prescribed security controls for protecting card holder data. Though it went into effect more than two years ago, a large number of big retailers are still non-compliant because of a variety of issues that include legacy system challenges, rules interpretation issues and continuously evolving guidelines.
According to Hogan, credit card companies require retailers and others accepting payment card transactions to store certain card data sometimes for up to 18 months so that it can be retrieved in the event of charge backs and other disputes.
But rather than have thousands of retailers store the data, credit card companies and their banks should do so, Hogan said. Retailers only need an authorization code provided at the time of a sale to validate a charge and a receipt with truncated credit card information to handle returns and refunds. If that were done, he said, most retailers probably wouldn't store any card holder data.
According to Hogan, under the current process, credit card companies and their banks already have the information needed for retrieval purposes, and it should be their responsibility to store and protect the data. "It is a very fundamental shift. But if you think about it, it is a very common-sense approach."
PCI mandates are challenging retailers to build fortresses around credit card data, he said. "We build these higher walls and the hackers bring in taller ladders and this kind of keeps scaling up all the time."
NRF: Credit card companies should store customer data
Jon Hurst, president of the Retailers Association of Massachusetts, backed the NRF's position. With all of the attention paid to PCI, what's gone unnoticed is the fact that card companies themselves require certain amounts of data to be stored because of disputed transactions, he said. If not for that requirement, many retailers -- especially the large ones -- would probably not keep data and therefore wouldn't be pressed to secure it, he said.
Prat Moghe, CEO of Tizor Systems, a Maynard, Mass.-based security vendor, called the NRF's demand political posturing and said it would do little to improve retail security anytime soon.
"I think a lot of this is about moving culpability back to the credit card companies and saying don't make this my problem alone," Moghe said. "They seem to have realized that going on the defense as an industry doesn't help. There is just more and more they have to do." By speaking out aggressively at a time when retail industry information security practices are under scrutiny by consumers and lawmakers, the NRF is hoping to spread the liability for card data protection, he said.
Even if the NRF's demands were immediately met, it would take several years before retailers could purge their systems and applications of credit card data, he said. Over the years, retailers have collected and stored credit card data in myriad systems and places -- including relatively old legacy environments -- and they are just now realizing the data can be a challenge, he said. Purging it can be a bigger headache because the data is often inextricably linked to and used by a variety of customer and marketing applications; simply removing it could cause huge disruptions.
"We are not talking about one isolated system that stores all this data," he said.
Until retailers can get rid of the data, they will need to continue to implement PCI controls whether they like it or not, Moghe said.
Under PCI, credit card companies have also already been pushing retailers to purge their systems of some customer data, including the card verification codes and PIN block data that is stored on magnetic stripes on the back of payment cards.
According to Gartner, Visa levied more than $4.5 million in PCI non-compliance-related fines last year. At least some of that was aimed at companies that were storing prohibited card data on their systems.
The NRF letter comes just days after the passage of a major Sept. 30 PCI deadline after which merchants face fines ranging from $5,000 to $25,000 for non-compliance. Up to now, most of the fines levied have been on breached entities or on companies that kept prohibited card data.
Computerworld is an InfoWorld affiliate
The top 10 reasons Web sites get hacked
Fri, 05 Oct 2007 10:19:27 PDT
(InfoWorld) - Web security is at the top of customers' minds after many well-publicized personal data breaches, but the people who actually build Web applications aren't paying much attention to security, experts say. 
"They're totally ignoring it," says IT consultant Joel Snyder. "When you go to your Web site design team, what you're looking for is people who are creative and able to build these interesting Web sites... That's No. 1, and No. 9 on the list would be that it's a secure Web site."
The biggest problem is designers aren't building walls within Web applications to partition and validate data moving between parts of the system, he says.
Security is usually something that's considered after a site is built rather than before it is designed, agrees Khalid Kark, senior analyst at Forrester.
"I'd say the majority of Web sites are hackable," Kark says. "The crux of the problem is security isn't thought of at the time of creating the application."
That's a big problem, and it's one the nonprofit Open Web Application Security Project (OWASP) is trying to solve. An OWASP report called "The Ten Most Critical Web Application Security Vulnerabilities" was issued this year to raise awareness about the biggest security challenges facing Web developers.
The first version of the list was released in 2004, but OWASP Chairman Jeff Williams says Web security has barely improved. New technologies such as AJAX and Rich Internet Applications that make Web sites look better also create more attack surfaces, he says. Convincing businesses their Web sites are insecure is no easy task, though.
"It's frustrating to me, because these flaws are so easy to find and so easy to exploit," says Williams, who is also CEO and co-founder of Aspect Security. "It's like missing a wall on a house."
Here is a summary of OWASP's top 10 Web vulnerabilities, including a description of each problem, real-world examples and how to fix the flaws.
1. Cross site scripting (XSS)
The problem: The "most prevalent and pernicious" Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.
Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank's Web site, according to Snyder.
Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.
How to protect users: Use a whitelist to validate all incoming data, which rejects any data that's not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad.
Additionally, use appropriate encoding of all output data. "Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser," OWASP says.
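The two-layer defense OWASP describes, whitelist validation to detect bad input and output encoding to stop any script from running, as an added Python example (not code from the article or from OWASP). The display-name pattern and the page fragments are assumptions made for the demonstration.

```python
import html
import re

# Whitelist for a display name: only the characters the field legitimately
# needs. Anything else is rejected outright rather than "cleaned up" (this
# is the opposite of a blacklist, which would only strip known-bad strings).
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")


def validate_display_name(value: str) -> bool:
    """Whitelist validation: True only if the input matches the allowed pattern.

    This is the detection layer: a rejected value is a signal worth logging,
    because a legitimate user never needs '<', '"' or '>' in a display name.
    """
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Encode data for an HTML text or quoted-attribute context.

    html.escape with quote=True turns < > & " ' into entities, so whatever
    the string contains is rendered as text and never parsed as markup or
    as the end of an attribute value.
    """
    return html.escape(value, quote=True)


def render_greeting(display_name: str) -> str:
    """Fragment for a field that can be whitelisted.

    Validation rejects attack-shaped input up front; the value is still
    encoded on output, so even a validation slip cannot inject script.
    """
    if not validate_display_name(display_name):
        return "<p>Welcome, guest!</p>"
    return f"<p>Welcome, {encode_for_html(display_name)}!</p>"


def render_comment(comment: str) -> str:
    """Fragment for free text that cannot be whitelisted (a comment body).

    Here encoding alone carries the defense: the browser shows the angle
    brackets literally instead of executing what is between them.
    """
    return f'<div class="comment">{encode_for_html(comment)}</div>'


def render_profile_link(display_name: str) -> str:
    """Same value placed inside a quoted attribute; encoding the quotes keeps
    the input from closing the attribute and adding event handlers."""
    return f'<a title="{encode_for_html(display_name)}" href="/profile">me</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name, one classic script probe.
    for sample in ("Alice Smith", "<script>alert(1)</script>"):
        print(validate_display_name(sample), render_greeting(sample))
        print(render_comment(sample))
```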
2. Injection flaws
The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter -- which interprets text-based commands -- into executing unintended commands. "Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application," OWASP writes. "In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments."
Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.
How to protect users: Avoid using interpreters if possible. "If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries," OWASP writes.
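The "safe API" advice above, shown as an added Python example with a deliberately flawed string-built query beside its parameterized replacement (not code from the article or from OWASP). The in-memory SQLite table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a merchant's card-holder data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (holder, last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, holder: str) -> list:
    """Deliberately flawed: the user's text is spliced into the SQL string.

    The database interpreter cannot tell where the developer's query ends
    and the user's data begins, which is exactly the injection flaw OWASP
    describes. Kept only to contrast with the hardened version below.
    """
    sql = f"SELECT holder, last4 FROM cards WHERE holder = '{holder}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, holder: str) -> list:
    """Hardened: a typed parameter placeholder.

    The query text is fixed at development time; the driver hands the value
    to the engine separately, so it is only ever compared as data, never
    parsed as SQL.
    """
    return conn.execute(
        "SELECT holder, last4 FROM cards WHERE holder = ?", (holder,)
    ).fetchall()


def compare(holder: str) -> dict:
    """Run both lookups on the same input and return the row counts, which is
    the quickest way to see whether a query ever returns more than it should."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, holder)),
            "parameterized": len(lookup_parameterized(conn, holder)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal account name and a tautology that turns the
    # flawed query into "return every row".
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

A per-user lookup that returns more than one account's rows is the kind of anomaly a query-level audit log can flag, independent of how the query was built.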
3. Malicious file execution
The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.
Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.
How to protect users: Don't use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.
4. Insecure direct object reference
The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.
Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.
"References to database keys are frequently exposed," OWASP writes. "An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature."
Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.
How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can't avoid direct references, authorize Web site visitors before using them.
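An indirect reference map of the kind described above, as an added example (not the article's or OWASP's code). The account table, the balances and the handler shape are constructed; the tokens handed to the browser are random, so an account number never appears in a URL and cannot be guessed or incremented.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map from opaque random tokens to real object identifiers.
    The browser only ever sees the token; the account number stays on the server."""

    def __init__(self) -> None:
        self._token_to_ref: dict[str, str] = {}

    def add(self, account_number: str) -> str:
        token = secrets.token_urlsafe(16)  # unguessable, not sequential
        self._token_to_ref[token] = account_number
        return token

    def resolve(self, token: str):
        return self._token_to_ref.get(token)

    def tokens(self) -> list:
        return list(self._token_to_ref)


# Constructed sample data: which user owns which account, and each balance.
ACCOUNT_OWNERS = {"1000001": "alice", "1000002": "bob"}
BALANCES = {"1000001": 250.0, "1000002": 9000.0}


def build_session(user: str) -> IndirectReferenceMap:
    """Called at login: only the accounts this user owns get a token at all."""
    ref_map = IndirectReferenceMap()
    for account, owner in ACCOUNT_OWNERS.items():
        if owner == user:
            ref_map.add(account)
    return ref_map


def get_balance(user: str, ref_map: IndirectReferenceMap, token: str) -> float:
    """Handler for something like GET /balance?acct=<token>. Resolve the token
    through the session's own map, then still check ownership (defence in depth)."""
    account = ref_map.resolve(token)
    if account is None or ACCOUNT_OWNERS.get(account) != user:
        raise PermissionError("not authorised for this reference")
    return BALANCES[account]
```

A raw account number or a token issued to another user's session resolves to nothing and is refused.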
5. Cross site request forgery
The problem: "Simple and devastating," this attack takes control of a victim's browser while it is logged in to a Web site, and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or "remember me" functionality. Banks are potential targets.
"Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery," Williams says. "Has there been an actual exploit where someone's lost money? Probably the banks don't even know. To the bank, all it looks like is a legitimate transaction from a logged-in user."
Real-world example: A hacker known as Samy gained more than a million "friends" on MySpace.com with a worm in late 2005, automatically including the message "Samy is my hero" in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user's language preferences.
How to protect users: Don't rely on credentials or tokens automatically submitted by browsers. "The only solution is to use a custom token that the browser will not 'remember,'" OWASP writes.
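A custom token of the kind OWASP describes, as an added example (not the article's or OWASP's code). The token is bound to the session with an HMAC and placed in the form rather than in a cookie, so a browser will not attach it on its own; the server secret, the request layout and the transfer handler are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a real deployment load it from protected config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Bind a fresh random nonce to the session with an HMAC. The result goes into a
    hidden form field, which the browser does not send automatically like a cookie.
    Tokens stay valid for the session's lifetime, so they rotate with the session."""
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session's nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request: dict) -> str:
    """Simulated POST handler. The session cookie arrives with any request the
    browser makes, including one a third-party page triggered; the CSRF token
    arrives only when the request came from our own form."""
    session_id = request["cookies"].get("session")
    token = request["form"].get("csrf_token", "")
    if not session_id or not verify_csrf_token(session_id, token):
        return "403 rejected"
    return f"200 transferred {request['form']['amount']} to {request['form']['to']}"
```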
6. Information leakage and improper error handling
The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program's configuration and internal workings.
"Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks," OWASP says.
Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.
How to protect users: Use a testing tool such as OWASP'S WebScarab Project to see what errors your application generates. "Applications that have not been tested in this way will almost certainly generate unexpected error output," OWASP writes.
Another tip: disable or limit detailed error handling, and don't display debug information to users.
7. Broken authentication and session management
The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.
"Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeouts, remember me, secret question and account update," OWASP writes.
Real-world example: Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller, the flaw was vulnerable to e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.
How to protect users: Communication and credential storage both have to be secure. The SSL protocol for transmitting private documents should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.
Another tip: get rid of custom cookies used for authentication or session management.
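Storing credentials in hashed form, as recommended above, as an added example (not the article's or OWASP's code): a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 digest, with a constant-time comparison on login. The iteration count and the storage format are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed value; tune to your hardware budget
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a storable record: algorithm, iterations, random salt and digest.
    Neither the password nor an unsalted fast hash of it is ever stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return "{}${}${}${}".format(ALGORITHM, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the comparison itself leaks nothing about how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        # Malformed record: refuse rather than guess.
        return False
```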
8. Insecure cryptographic storage
The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it's often poorly designed, using inappropriate ciphers.
"These flaws can lead to disclosure of sensitive data and compliance violations," OWASP writes.
Real-world example: The TJX data breach exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.
Furthermore, generate keys offline, and never transmit private keys over insecure channels.
It's pretty common to store credit card numbers these days, but with a Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/) compliance deadline coming next year, OWASP says it's easier to stop storing the numbers altogether.
9. Insecure communications
The problem: Similar to No. 8, this is a failure to encrypt network traffic when it's necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.
Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.
"The $17.4-billion retailer's wireless network had less security than many people have on their home networks," the Journal wrote. TJX was using the WEP encryption scheme, rather than the more robust WPA.
How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.
10. Failure to restrict URL access
The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there's no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as "123456." A hacker might say, "I wonder what's in 123457?" Williams says.
The attacks targeting this vulnerability are called forced browsing, "which encompasses guessing links and brute force techniques to find unprotected pages," OWASP says.
Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get "Platinum" passes worth nearly $1,700 and special access to a Steve Jobs keynote speech, all for free. The flaw was code that evaluated privileges on the client but not on the server, letting people grab free passes via JavaScript on the browser, rather than the server.
How to protect users: Don't assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user's role and privileges. "Make sure this is done ... every step of the way, not just once towards the beginning of any multistep process," OWASP advises.
Security analysts closer to improved antivirus software test
Fri, 05 Oct 2007 09:13:32 PDT
(InfoWorld) - Antivirus vendors are closer to agreeing on a new way to test their software after widespread agreement that older antivirus tests can be misleading. 
AV-Test.org, a German antivirus testing organization, is meshing suggestions from vendors such as Symantec, Panda Software, and Trend Micro as well as its own for a new testing regime, said Maik Morgenstern, who conducts product tests at AV-Test.org.
The new testing proposal -- also supported by vendors Kaspersky Lab and F-Secure, as well as other testers such as Virus Bulletin -- will be presented next month at the Association of AntiVirus Asia Researchers 2007 conference in Seoul.
Companies supporting AV-Test.org's paper will try to marshal support from other security vendors, said Mark Kennedy, an antivirus engineer with Symantec.
"We believe this is the way tests should be conducted," Kennedy said. "The hope is that other companies will join us."
Still, the proposals will be optional guidelines for antivirus testers, which ultimately can choose to adopt or ignore them.
Antivirus testing groups have typically tested antivirus products by running the detection engine against hundreds of malicious software samples. If the product doesn't detect a sample, it gets a lower ranking. The style of evaluation tests whether an antivirus product has the right "signatures," or indicators that can identify a specific piece of malware.
The test is relatively quick and easy to perform. But over the last three years or so, many security companies have added technology that can flag malware based on how it acts. That's because signatures have become a less reliable way to defend a computer due to the high number of malware variations that now appear on the Internet.
A signature test does not take into account behavioral detection technology, so vendors have argued that a failed signature test doesn't mean their product wouldn't have protected a PC.
Software vendors have proposed testing antivirus products under the same conditions a consumer would encounter on the Internet. In essence, antivirus testers would use real, active malicious software samples from the Internet and present them to computers in the same way people encounter them, such as through e-mail attachments or Web pages rigged to exploit browser vulnerabilities.
Antivirus suites would be "frozen" a few weeks before a test and not allowed to update their signatures, in order to really test the proactive or behavioral technology. Debate is still ongoing over whether testers should use malware that is actually doing bad things on the Internet, which raises the question of whether the test machines could themselves do harm.
An alternative is setting up a simulated Internet environment in the lab, but that may not allow malware to run in the way it would if it could access the Internet. "There's always a trade-off," Morgenstern said.
Security analysts are still working on how the products will be scored. It's tricky, since there are many different levels at which a product may detect and neutralize a threat. The scoring has to be clear and comprehensible to people who read technology magazines that write about the tests.
"If the magazines are not able to communicate that in a simple manner to the consumer, then it's not worth much," said Pedro Bustamante, senior research advisor for Panda.
The new parameters mean it will likely take a lot longer to conduct the tests, but Morgenstern said he believed AV-Test.org could do it with its existing staff and without any significant fee increases for publishers who commission work from it.
Copyright (C) 2007 InfoWorld Media Group, Inc.