Category Archives: Web
A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.
The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.
Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.
However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.
In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.
Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.
The question is whether this public release of research will kick-start the discussion Mr. Ristic hopes for.
- Vulnerabilities in open source WAF ModSecurity (net-security.org)
- Protocol-Level Evasion of Web Application Firewalls (community.qualys.com)
- Web Application Firewalls and the False Sense of Security They can Create (acunetix.com)
In the world of search engine optimization …
Well, that “level playing ground” is here with the April 24th release of the Penguin algorithm update, which has affected an estimated 3% of all search queries. If you saw your blog traffic dip unexpectedly on this date, it’s possible you’ve been “pecked” by the Google Penguin—an indication that your blog is considered to be over-optimized in the eyes of the search giant.
Of course, knowing that you’ve been affected and taking remedial actions to recover from a Penguin penalty are two different things. Because of Google’s natural reticence when it comes to revealing the exact parameters that cause a site to be flagged for over-optimization, it’s impossible to know exactly which factors led to your site’s penalty.
The key to determining how to move forward following a Penguin attack lies in identifying potential over-optimization flags that can be quantified and measured by the search engines. Remember, the Googlebot can’t manually assess the quality of every website online. Instead, it must rely on measurable signals that can be used to infer objective value.
- How the Winners Do Mobile SEO [Guest Post] (distilled.net)
- Present on Some Common Search Engine Optimization Myths……… (kellymcloughlin.com)
- Important On-Page SEO Factors For Better Search Ranking (ppc.org)
- Recovering from Google Penguin (lettersfromdan.com)
An exploit for an unpatched vulnerability in the MSXML (Microsoft XML Core Services) has been incorporated into Blackhole, one of the most widely used Web attack toolkits, according to security researchers from antivirus firm Sophos.
The security flaw is identified as CVE-2012-1889 and is what security researchers call a zero-day vulnerability — an actively exploited vulnerability for which an official patch doesn’t yet exist.
Be sure to keep that anti-virus up-to-date and also utilize the Fix-It tool Microsoft has made available.
- Hackers exploit Windows XML Core Services flaw (infoworld.com)
- Danger! Unpatched Microsoft security vulnerability being actively exploited (nakedsecurity.sophos.com)
- CVE2012-1889: MSXML use-after-free vulnerability (eset.com)
Thanks to “Man in the Browser”, even up-to-date anti-virus software combined with the latest generation of online banking security doesn’t protect those using online banking.
A test witnessed as part of a BBC Click investigation suggests even those with up-to-date anti-virus software could be at risk.
There is no specific risk to any one individual bank.
In the test the majority of web security software on standard settings did not spot that a previously unseen piece of malware created in the software testing lab was behaving suspiciously.
The threat does not strike until the user visits particular websites.
Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.
Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities.
With the additional security devices, the risk of fraud is only present for one transaction, and only if the customer falls for the “training exercise”.
“The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,” said Daniel Brett, of malware testing lab S21sec.
“[Although] many products won’t pick this up, they’ve got a much bigger scope, they’re having to defend against all the viruses since the beginning of time.”
Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it – to learn its common features.
But one security company did privately concede that, if this threat had come from a source not known to be bad and started communicating with a web address also not on the black-list of “bad” sites – until they had discovered and analysed it – it probably would have beaten their protection.
The key in this cat-and-mouse game continues to be the user and how high they want to set the security settings on their anti-virus software. But even then NOTHING is 100% secure when it comes to data.
- Hackers outwit online banking identity security systems (annozijlstra.wordpress.com)
- Hackers may be able to ‘outwit’ online banking security devices (go.theregister.com)
- New ‘Man In The Browser’ Attack Bypasses Banks’ Two-Factor Authentication Systems (gizmodo.com.au)
As a result of massive opposition, SOPA has been pulled in the House.
Lamar Smith, the chief sponsor of SOPA, said on Friday that he is pulling the bill “until there is wider agreement on a solution.”
“I have heard from the critics and I take seriously their concerns regarding proposed legislation to address the problem of online piracy,” Smith (R-Texas) said. “It is clear that we need to revisit the approach on how best to address the problem of foreign thieves that steal and sell American inventions and products.”
In addition Senator Harry Reid has cancelled a scheduled vote on its counterpart.
“In light of recent events, I have decided to postpone Tuesday’s vote on the PROTECT IP Act,” said Senate Majority Leader Harry Reid (D-Nev.) in a statement Friday morning.
It’s a step in the right direction when it comes to an overreaching attempt to control a free Internet.
- SOPA and PIPA Defeated? Smith Postpones Bill (techgopher.wordpress.com)
- Senator Reid postpones vote on PROTECT IP Act, Romney and Gingrich come out against SOPA (digiphile.wordpress.com)
Today of course is “Black Friday” and like every retail outlet across America, Host Gator is offering INCREDIBLE savings today only.
If you are in need of hosting for your website(s), look no further than Host Gator. In case you aren’t aware, Host Gator is one of the top recommended hosting sites for WordPress. And the tech support is awesome, which contributes to its great reputation for hosting WordPress blogs and sites.
Here are the details:
Save 50% on ALL hosting services
Until 11:59 CST on Friday, November 25 you can get 50% OFF on ALL hosting services. This includes shared hosting, reseller hosting, VPS hosting, Dedicated servers and Windows hosting! However, this does not include domain names.
Here’s what that means:
Competitively priced web hosting at Host Gator gets even more competitive!
Shared hosting: As low as $4.95 Now only: $2.48/month (pre-paid)
Reseller Hosting: As low as $24.95 Now Only: $12.48/month (pre-paid)
VPS Hosting: As low as $19.95 Now Only: $9.98/month (First Month)
Dedicated Servers: As low as $174 Now Only $87/month (First Month)
Note that the discount of 50% applies to only the first month on the VPS and Dedicated Servers plans as these are billed monthly. Also note that this is valid for new hosting plans only so existing customers can’t use it on plan renewals (though you could add a plan to your account).
So head on over to Host Gator to get in on this GREAT hosting services deal.
- Black Friday 2011: the best apps and services for holiday shoppers (venturebeat.com)
- Black Friday Now Featuring Mobile Madness (whitehouse.gov)