Category Archives: Web

150 Ways To Bypass Web Application Firewalls In One Tool

 

A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.

The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.

Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.

However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
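To make the evasion mechanism concrete, here is an added example that is not code from the article or from Ristic's tool. It is a toy WAF with two rules (block anything under /admin, block one SQL-injection pattern in query values) applied first to the request target exactly as it arrived and then to a canonicalised view of the same request. The request targets, the rule set and the decoding assumptions (the backend decodes percent-escapes up to twice and honours every copy of a repeated parameter) are constructed for this demonstration; the evasions are generic protocol-level ones, not items taken from the released tool.

```python
"""Toy WAF: raw matching versus matching on a canonicalised request."""

import posixpath
import re
from urllib.parse import parse_qsl, unquote

BLOCKED_PATH_PREFIX = "/admin"
SQLI_PATTERN = re.compile(r"(?i)'\s*or\s+1\s*=\s*1|\bunion\s+select\b")


def naive_waf_blocks(request_target: str) -> bool:
    """Rule check as a simplistic WAF might do it: raw path, and only the
    first value of each query parameter, decoded once."""
    path, _, query = request_target.partition("?")
    if path.startswith(BLOCKED_PATH_PREFIX):
        return True
    first_value = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        first_value.setdefault(name, value)       # first occurrence wins
    return any(SQLI_PATTERN.search(v) for v in first_value.values())


def canonicalise_path(path: str, decode_passes: int = 2) -> str:
    """Decode percent-escapes (assumption: up to twice, as some backends
    do), collapse repeated slashes and resolve '.' and '..' segments, so
    the rule sees the path the application will actually route."""
    for _ in range(decode_passes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)               # '//admin' -> '/admin'
    return posixpath.normpath(path)


def canonicalise_query_values(query: str, decode_passes: int = 2) -> list:
    """Every value of every parameter, repeats included, with '+' turned
    into a space and percent-escapes decoded as many times as the path."""
    values = []
    for _, value in parse_qsl(query, keep_blank_values=True):   # one decode pass
        for _ in range(decode_passes - 1):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        values.append(value)
    return values


def hardened_waf_blocks(request_target: str) -> bool:
    """The same two rules applied to the canonicalised request."""
    path, _, query = request_target.partition("?")
    if canonicalise_path(path).startswith(BLOCKED_PATH_PREFIX):
        return True
    return any(SQLI_PATTERN.search(v) for v in canonicalise_query_values(query))


# Constructed request targets. Whether each one is a real bypass depends on
# how the backend parses the request (does it decode twice? which copy of a
# repeated parameter does it use?), which is exactly the behaviour a WAF has
# to mirror.
EVASIONS = [
    "/%61dmin/users",                       # percent-encoded byte in the path
    "/public/../admin/users",               # dot-segment the backend resolves
    "/search?q=%2527%20OR%201%3D1--",       # double-encoded quote
    "/search?q=hello&q=%27+OR+1%3D1--",     # payload in a repeated parameter
]
BENIGN = "/search?q=black+hat+2012"


def compare(targets) -> dict:
    """Map each target to (naive verdict, hardened verdict)."""
    return {t: (naive_waf_blocks(t), hardened_waf_blocks(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive, hardened) in compare(EVASIONS + [BENIGN]).items():
        print(f"{target:40} naive={naive!s:5} hardened={hardened}")
```

The point is not the particular rules but the impedance mismatch: a WAF that inspects the bytes on the wire while the application inspects a decoded, normalised, deduplicated version of the same bytes will let through anything that looks innocent in the first form and malicious in the second. Canonicalising before matching only helps if the canonicalisation reproduces what the backend does, which is why the decode count and the repeated-parameter policy are explicit parameters here.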

The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.

In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.

Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.

Source: Tool released at Black Hat contains 150 ways to bypass Web application firewalls | Security – InfoWorld.

The question is whether this public release of the research will kick-start the discussion Mr. Ristic hopes for.

Is Your Blog Over-optimized?

In the world of search engine optimization …

Well, that “level playing ground” is here with the April 24th release of the Penguin algorithm update, which has affected an estimated 3% of all search queries. If you saw your blog traffic dip unexpectedly on this date, it’s possible you’ve been “pecked” by the Google Penguin—an indication that your blog is considered to be over-optimized in the eyes of the search giant.

Of course, knowing that you’ve been affected and taking remedial actions to recover from a Penguin penalty are two different things. Because of Google’s natural reticence when it comes to revealing the exact parameters that cause a site to be flagged for over-optimization, it’s impossible to know exactly which factors led to your site’s penalty.

The key to determining how to move forward following a Penguin attack lies in identifying potential over-optimization flags that can be quantified and measured by the search engines. Remember, the Googlebot can’t manually assess the quality of every website online. Instead, it must rely on measurable signals that can be used to infer objective value.

Source: Is Your Blog Over-optimized? : @ProBlogger.

Widely used Web attack toolkit exploits unpatched MSXML flaw


An exploit for an unpatched vulnerability in the MSXML (Microsoft XML Core Services) has been incorporated into Blackhole, one of the most widely used Web attack toolkits, according to security researchers from antivirus firm Sophos.

The security flaw is identified as CVE-2012-1889 and is what security researchers call a zero-day vulnerability — an actively exploited vulnerability for which an official patch doesn’t yet exist.

Source: Widely used Web attack toolkit exploits unpatched MSXML flaw | Security – InfoWorld.

Until Microsoft ships a patch, keep anti-virus signatures current and apply the Fix it workaround Microsoft has published for this flaw. Note that Fix it is a temporary mitigation rather than a fix, so apply the security update as soon as Microsoft releases it.

“Top sites are covertly cramming cookies down users’ throats”

If you don’t like cookies …

“The number of websites that allow visitors to be tracked by third parties may be surprising to some, but as consumers begin to understand that their online behavior can be recorded, enterprises will have to work even harder to ensure that consumers’ privacy expectations are met,” said Ray Everett, Keynote’s director of privacy services.

According to Keynote, much of the data that companies collect via cookies is used for behavioral advertising. Third-party trackers place cookies to track a user’s clicks and path through the Web and to know what a visitor buys at any given site.

The problem here is, users don’t have a clear way of knowing which third parties are planting cookies, how they’re using the data they collect (beyond, say, providing more expensive travel offers to Mac users), or how well those third parties are protecting potentially sensitive data. Given that users are becoming increasingly concerned about their online privacy, site operators may feel greater pressure from customers, advocacy groups, and the feds to do a better job.
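Site operators can at least answer the first of those questions for their own pages. The following is an added example, not code from the Keynote study or the InfoWorld article: a small audit that takes the Set-Cookie headers returned by a page and the resources it pulled in, reports which cookies come from third parties, and flags cookies missing the Secure and HttpOnly attributes. The page URL and the responses are constructed, and registrable_domain is a deliberate simplification (last two DNS labels) rather than a Public Suffix List lookup.

```python
"""Classify cookies set while loading one page as first- or third-party."""

from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Site that 'owns' a host. Assumption/simplification: the last two
    labels. A real audit must consult the Public Suffix List, otherwise
    hosts under suffixes such as co.uk are misclassified."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookies(page_url: str, responses) -> list:
    """responses: iterable of (resource_url, set_cookie_header_value)."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    findings = []
    for resource_url, header in responses:
        jar = SimpleCookie()
        jar.load(header)                    # one Set-Cookie header per entry
        resource_host = urlsplit(resource_url).hostname
        for name, morsel in jar.items():
            # A Domain attribute widens the cookie's scope; without one the
            # cookie belongs to the host that sent it.
            cookie_site = registrable_domain(morsel["domain"] or resource_host)
            findings.append({
                "name": name,
                "site": cookie_site,
                "third_party": cookie_site != page_site,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return findings


def summarize(findings) -> dict:
    """Counts a site operator would put in a privacy review."""
    return {
        "total": len(findings),
        "third_party": sum(f["third_party"] for f in findings),
        "missing_secure": sum(not f["secure"] for f in findings),
        "missing_httponly": sum(not f["httponly"] for f in findings),
    }


# Constructed sample: one news page plus the resources it pulled in.
PAGE_URL = "https://www.news.example/article"
RESPONSES = [
    ("https://www.news.example/article",
     "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://cdn.news.example/app.js",
     "cdn_pref=dark; Domain=.news.example; Path=/"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=9f2c; Domain=.tracker.example; Path=/; Max-Age=31536000"),
    ("https://analytics.example.net/collect",
     "_vid=7a1; Path=/; Secure"),
]

if __name__ == "__main__":
    results = classify_cookies(PAGE_URL, RESPONSES)
    for f in results:
        print(f"{f['name']:10} {f['site']:18} third_party={f['third_party']} "
              f"secure={f['secure']} httponly={f['httponly']}")
    print(summarize(results))
```

On the constructed sample the session cookie is first-party and hardened, the CDN cookie is first-party by virtue of its Domain attribute, and the two tracker cookies are third-party, one of them sent over plain HTTP if the page is ever loaded that way because it lacks Secure. Run against a real capture (for example, Set-Cookie headers exported from a proxy), the same script answers "which third parties set cookies on my page" without waiting for the third parties to say so.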

Consider this:

Looking at the 2,500 most popular websites, the researchers discovered that 87 percent had cookies and found a total of 442,055 cookies in all.

In other words, there is a lot of baking and distributing of cookies going on.

Read more:  Top sites are covertly cramming cookies down users’ throats | Internet privacy – InfoWorld.

Hackers Outwit Security Systems

Thanks to "Man in the Browser" malware, even up-to-date anti-virus software combined with the latest generation of online banking security does not fully protect those using online banking.

A test witnessed as part of a BBC Click investigation suggests even those with up-to-date anti-virus software could be at risk.

There is no specific risk to any one individual bank.

In the test the majority of web security software on standard settings did not spot that a previously unseen piece of malware created in the software testing lab was behaving suspiciously.

The threat does not strike until the user visits particular websites.

Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.

Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities.

With the additional security devices, the risk of fraud is only present for one transaction, and only if the customer falls for the “training exercise”.
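Why the additional devices narrow the exposure to a single, socially engineered transaction is easiest to see in code. The following is an added example, not code from the BBC investigation, S21sec or any bank: a transaction-bound authentication code of the kind a separate signing device generates, and a server that recomputes it from the values it actually received. The key, the customer and payee names, the amounts and the code format (HMAC-SHA256 truncated to six digits with a per-customer counter) are constructed assumptions for illustration, not a specific vendor's scheme.

```python
"""Transaction-bound codes versus a Man-in-the-Browser rewriting the form."""

import hashlib
import hmac


def transaction_code(device_key: bytes, payee: str, amount_cents: int, counter: int) -> str:
    """What the customer's separate device computes after showing the payee
    and amount on its own screen. Because the code covers those values,
    it is useless for any other payee or amount."""
    message = f"{payee}|{amount_cents}|{counter}".encode("utf-8")
    digest = hmac.new(device_key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class BankServer:
    """Minimal server side: it recomputes the code from the values it
    actually received (which a MitB may have rewritten) and compares."""

    def __init__(self):
        self._device_keys = {}
        self._counters = {}

    def enrol(self, customer: str, device_key: bytes) -> None:
        self._device_keys[customer] = device_key
        self._counters[customer] = 0

    def submit_transfer(self, customer: str, payee: str, amount_cents: int, code: str) -> bool:
        key = self._device_keys[customer]
        counter = self._counters[customer]
        expected = transaction_code(key, payee, amount_cents, counter)
        if not hmac.compare_digest(expected, code):
            return False          # payee/amount differ from what was signed, or replay
        self._counters[customer] = counter + 1   # each code is good for one transfer
        return True


def mitb_scenario() -> dict:
    """Four submissions in one customer session. The MitB can rewrite the
    form in the browser but cannot touch the device's own screen."""
    bank = BankServer()
    device_key = bytes.fromhex("3f8a1c77e2b94d06a5f0c3e19d7b2a48")  # constructed key
    bank.enrol("customer-1", device_key)

    # Customer confirms 'Alice, 50.00' on the device and types the code it shows.
    code = transaction_code(device_key, "Alice", 5000, counter=0)

    results = {}
    # 1. MitB silently swaps payee and amount in the POST body; code no longer matches.
    results["tampered"] = bank.submit_transfer("customer-1", "Mule Account", 500_000, code)
    # 2. The untampered submission goes through.
    results["genuine"] = bank.submit_transfer("customer-1", "Alice", 5000, code)
    # 3. Replaying the used code is rejected because the counter has moved on.
    results["replay"] = bank.submit_transfer("customer-1", "Alice", 5000, code)
    # 4. The 'training exercise': the customer is talked into confirming the
    #    attacker's details on the device itself, so the bank sees a valid code.
    tricked = transaction_code(device_key, "Mule Account", 500_000, counter=1)
    results["social_engineered"] = bank.submit_transfer("customer-1", "Mule Account", 500_000, tricked)
    return results


if __name__ == "__main__":
    for step, accepted in mitb_scenario().items():
        print(f"{step:18} accepted={accepted}")
```

The first three cases show what the device buys: tampering with the submitted details or replaying an old code fails at the server regardless of what the browser displayed. The fourth case is the residual risk the article describes. If the malware persuades the customer to confirm the attacker's payee and amount on the device, the bank receives a correctly signed transaction, so the exposure is one transfer and only when the customer is fooled.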

“The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,” said Daniel Brett, of malware testing lab S21sec.

“[Although] many products won’t pick this up, they’ve got a much bigger scope, they’re having to defend against all the viruses since the beginning of time.”

Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it – to learn its common features.

But one security company did privately concede that, if this threat had come from a source not known to be bad and started communicating with a web address also not on the black-list of “bad” sites – until they had discovered and analysed it – it probably would have beaten their protection.

The key in this cat-and-mouse game continues to be the user and how high they want to set the security settings on their anti-virus software. But even then, NOTHING is 100% secure when it comes to data.

SOPA is Dead

As a result of massive opposition, SOPA has been pulled in the House.

Lamar Smith, the chief sponsor of SOPA, said on Friday that he is pulling the bill “until there is wider agreement on a solution.”

“I have heard from the critics and I take seriously their concerns regarding proposed legislation to address the problem of online piracy,” Smith (R-Texas) said. “It is clear that we need to revisit the approach on how best to address the problem of foreign thieves that steal and sell American inventions and products.”

In addition Senator Harry Reid has cancelled a scheduled vote on its counterpart.

“In light of recent events, I have decided to postpone Tuesday’s vote on the PROTECT IP Act,” said Senate Majority Leader Harry Reid (D-Nev.) in a statement Friday morning.

It’s a step in the right direction when it comes to an overreaching attempt to control a free Internet.


Hackers to expand cybercrime activity

After a successful 2011 for those who exploit cybersecurity weaknesses for a living, consumers and businesses need to be mindful of the following potential security issues in 2012, according to security software provider Cenzic.

Top Cybersecurity Issues and Themes for 2012

1. Social Networking Threats: Social networking security threats will continue to persist, but login information won't be the target for hackers. Instead, hackers will use social networks like Facebook to mine the data of company employees. Using this information, cybercriminals will devise more sophisticated phishing attacks in order to infiltrate corporate environments and steal private data.

2. Mobile Threats: Digital wallets will gain greater acceptance in 2012, making them a bigger target for hackers. Most mobile phones have built-in safeguards against data theft, but improvement is needed in the way mobile-payment information is transmitted from mobile phones to the Web. The expansion of mobile apps with potential security flaws will also lead to increased risk.

3. Cloud Threats: Cloud technology has transformed from a buzzword into reality. As the growth rate continues in 2012, hackers will focus on companies storing data in the cloud. Organizations that hand off customer data to cloud providers will find themselves most at risk.

4. Cybercrime Policy for Victims: Companies will face additional scrutiny from legislation designed to make disclosure of cybercrime a priority. New laws will give businesses strict guidelines for disclosing when they have been hacked, the type of data stolen, and what their customers need to do to protect themselves.

5. Hacktivists Mature: More hacker groups like Anonymous will begin to ally themselves with political causes. As protesters march for and against causes in the real world, hackers will form "digital marches" that cause chaos for the parties they oppose.

These are just five areas of concern. What additional ways do you think hackers will "take advantage of" to gain access to business and consumer information?

Google+ Pages Managed via 3rd Party Apps

Google has made it easier to manage pages on Google+.

Google+ Pages can now post, share and interact with content on third-party social media applications, such as HootSuite, Involver and Buddy Media.

For marketers running multi-platform social media marketing campaigns, the move will allow them to manage accounts on the various social networks integrated into their websites from one place. Among the other third-party apps included in the initial roll out are Context Optional, Hearsay Social and Vitrue.

While the feature is not available for users of personal accounts, the move represents another major step for Google+, which only recently opened the network for use by businesses and other organizations.

Still, Google+ Pages have critics in the early stages of their roll out. The primary issue has been that the service does not yet support multiple administrators of the same account. Since many businesses that use social media marketing pages have several employees or a third-party agency updating their accounts, support for multiple admins is critical to the success of Google+ as a marketing tool.

Not included in the initial rollout was TweetDeck, a third-party application purchased by Twitter earlier this year.

The level of integration varies from app to app, although all of the launch partners offer analytics for tracking the performance of an individual Google+ Page. HootSuite, which also announced it was a launch partner, specifically mentions that it supports sharing to different Circles, searching public Google+ posts, viewing recent user activity and managing Circle membership.

The question remains whether Google+ can be a true player without third-party app management also being available for Google+ profiles.

Top 10 Social Web Products 2011

Interesting list for 2011 from ReadWriteWeb.

Almost every Web product these days has some kind of social element. But to make this list, the product has to have social networking or community building as a core part of its offering. So without further ado, here are our top 10 Social Web products of 2011:

1. Google+

Up till 2011, Google wasn’t known for its social networking prowess. Unless you count Orkut, a social network product that became a phenomenon…in Brazil only. At the end of June 2011 that all changed, with the worldwide launch of (in our opinion) the best social network product of the year: Google+.

Initially Google+ launched to a chorus of media outlets shouting “Facebook killer.” However, it soon became apparent that Google+ was going to be most useful to Google as the social component of its entire online product suite: including Google search, Google Reader and YouTube. Although it’s a more than useful standalone social network, too.

2. Facebook

Facebook not only continued its impressive growth over 2011, but released a number of innovative new features. Some of those announcements were spurred on by the arrival of Google+. But the important thing is that not only did Facebook respond quickly, they changed things up with a radical new design and an entirely new form of sharing media.

3. Twitter

Twitter was overshadowed a bit this year by Facebook and Google+, but it remains a force to be reckoned with as a mainstream social network. In September, it announced it had 100 million active users. It also got closely integrated into Apple’s iOS 5, which among other things enabled users to tweet directly from Apple apps like Camera, Maps, Photos and Safari.

Perhaps the feature that most epitomized Twitter’s continued growth as a mainstream tool was its usage with TV.

4. Tumblr

Tumblr is another social media product to have experienced huge growth over 2011. During the past year, Tumblr has grown from just over 100 million visits per month to over 350 million now (according to Quantcast). Tumblr gets over 12.5 billion page views per month, over 8 times more than WordPress.com. Although we should note that WordPress.com still gets more visits and it too has grown a lot over 2011.

Just as important as the user growth, is how Tumblr has brought the curation of content to the mainstream. Plus it’s having a big impact on journalism, with old and new media brands alike using Tumblr to provide curation to their readers.

5. Reddit

The Web of course is not just about reaching a mainstream audience – as Facebook, Twitter and others in our list have done. There are tens of thousands of social networks that appeal to a niche audience. Reddit is one example, although it has also shown strong growth by diversifying from its core tech-focused audience.

Go to the source to see which social web products were deemed to be in the top 10.  Do you agree with the rankings?  Considering Google has resorted to TV advertising for Google+ …


Incredible Deal!

Today of course is “Black Friday” and like every retail outlet across America, Host Gator is offering INCREDIBLE savings today only.

If you are in need of hosting for your website(s), look no further than Host Gator. In case you aren't aware, Host Gator is one of the top recommended hosting sites for WordPress, and the tech support is awesome, which contributes to its great reputation for hosting WordPress blogs and sites.

Here are the details:

Save 50% on ALL hosting services

Until 11:59 CST on Friday, November 25 you can get 50% OFF on ALL hosting services.  This includes shared hosting, reseller hosting, VPS hosting, Dedicated servers and Windows hosting!  However, this does not include domain names.

Here’s what that means:

Competitively priced web hosting at Host Gator gets even more competitive!

Shared hosting: As low as $4.95 Now only: $2.48/month (pre-paid)

Reseller Hosting: As low as $24.95 Now Only: $12.48/month (pre-paid)

VPS Hosting: As low as $19.95 Now Only: $9.98/month (First Month)

Dedicated Servers: As low as $174 Now Only $87/month (First Month)

Note that the discount of 50% applies to only the first month on the VPS and Dedicated Servers plans as these are billed monthly.  Also note that this is valid for new hosting plans only so existing customers can’t use it on plan renewals (though you could add a plan to your account).

So head on over to Host Gator  to get in on this GREAT hosting services deal.

 
