What’s HOT in Application Security Vol #1

Feb 20, 2012 By Administrator

Hackers in China accused of a long term breach of Nortel

Application Security News

For almost ten years Chinese hackers gained complete access to the internal network of Nortel Networks, Ltd. Nortel was previously considered to be a telecommunications power house but has been struggling financially in recent years. The hackers stole several passwords from top Nortel executives (who were apparently working in China) sometime during the year
2000 and over the years downloaded a range of technical papers, business plans and employee information- this information is according to Brian Shields, who is now leading the internal investigation.

Staying Secure in the Cloud – Many still lack confidence putting applications into the cloud

Staying secure in the cloud is an issue on the forefront of anyone concerned about security. A recent study conducted on business executives by CompTIA, the IT industry association found that half of all respondents stated that securing cloud based applications like software-as-a-service were the main factor in their cyber security concerns.

According to CompTia, although most companies express confidence in cloud based security, most are still unwilling to put many types of data applications into the cloud.

For more information please go to: http://www.cso.com.au/article/415872/security_cloud_all_about_visibility_control/#closeme

East African Banks and Firms have come under attack by hackers using SQL injection

Several sites in East Africa were hacked in the past few days in what appears, for now, to be a series of spontaneous hacking attacks on several African websites. The Hackers are said to have used SQL injection- where vulnerabilities in the code of a page facilitate an attacker to insert their own code into the database, therefore gaining complete access to it. A group of hackers, calling themselves, the ‘Rwandan Hackers’ had posted information about SQL injection on the MTN Rwanda site. MTN is the largest mobile operator in Rwanda and a big telecommunications player across the entire continent.

It is not clear whether or not MTN have removed all vulnerabilities from their code, although their website is now operational.

For more information go to:
http://www.pcadvisor.co.uk/news/security/3337790/east-african-firms-caught-up-in-hacking-spree/

Romanian arrested after using SQL injection to hack Pentagon & NASA

Razvan Cernanianu made a grave mistake when he boasted to his friends about hacking into the Pentagon & Nasa’s computer systems. The 20 year old Romanian has been arrested and accused of revealing gaps in the security and publishing information about SQL injection vulnerabilities of the two organizations.
The hacker exploited of several well-known vulnerabilities that his victims should have discovered and resolved long before he took advantage of them using SQL Injection.

For more information please go to:  http://www.cso.com.au/article/415615/romanian_police_arrest_alleged_hacker_pentagon_nasa_breaches/

Microsoft Patches Six Lethal Exploitations

Microsoft released nine protection methods against a total of 21 vulnerabilities that are focusing mainly on web browsers and media players which have become primary targets for hackers. Four of these methods are critical for they patch six lethal exploitations. Very soon these methods will be available to download yet overall in comparison to prior years the number of vulnerabilities and defense mechanisms are comparatively diminishing.

For more information go to:
http://www.crn.com/news/security/232600841/microsoft-patches-six-critical-flaws.htm

Anticipations for RSA 2012 conference

Application Security is going to be under the spotlight and taking up a big portion of the show. You can expect to see quite a few vendors who redesigned their product so that they can carry through ‘SECaaS  using “the cloud” but, be sure to  watch out for vendors who regularly provide ‘network’ security all of a sudden provide ‘SECaaS’ making it difficult to point out the genuine ones.

How can we secure our application in a way which is both cost and time effective? This is quite difficult; the best way to achieve a very secure application is by purchasing the necessary security software that provide the best and most effective use of resources and takes all security requirements into consideration.

Expect a lot of commotion favoring the “white box” code analysis even though many customers still prefer the dynamic or, “black box” scanning.

A lot of large firms are relying on no more than firewalls and SSL alone as security. Why invite the disaster?!

For more information go to:
https://securosis.com/blog/rsa-conference-guide-2012-application-security

Busted: Google has been “tricking”

Google managed to find a loophole in tracking “cookies” on safari users so that they can notice the users’ behavior. Google then had the ability to control these users, follow their actions on the web and gather security information.

“We were not aware of this behavior,” said Michael Balmoris, AT&T Inc. spokesman. Google’s code was found on AT&T’s YellowPages.com. “We would never condone it,” he said.

For more information go to:
http://www.businessinsider.com/google-tracking-apple-users-2012-2

2012 Information Security Career Impact Survey

Currently while oaring in the seas of the financial crises and budgets are being cut down drastically, future seems quite promising for personnel seeking Information Security positions. According to the survey between 55-70 percent either received, or are expecting to receive, an increase in salary this year. One of the main reasons for this is the large growth in the cyber attacks against businesses and government agencies.

For more information go to:
http://www.itbusinessedge.com/cm/blogs/poremba/outlook-for-information-security-careers-looking-up/?cs=49771

Google Android is ‘now secure’

Google Android has been referred to as ‘malware-as-a-service’ by a CISO at an SC Magazine conference.  All major security companies are unfortunately well aware with the issues relating to Android. McAfee has claimed that in the third quarter of 2011- nearly all mobile malware was directed at android. Google often don’t address this issue publically, however this week released statement on this matter on its website by Security Engineer Adam Ludwig who states that; “We’ve been working on lots of defenses, and they have already made a real and measurable difference for our users’ security.”

For the full article, please visit:
http://www.scmagazineuk.com/google-android-now-secure/article/226556/

Criminal hackers have found a way round the latest generation of online banking security devices

Criminal hackers advertised on banks’ websites an “upgraded security system”, by using this you divulge personal information to hackers unknowingly who use it to gain access to your personal accounts. Money is then moved out of the account but this is hidden from the user.  In a test performed using vulnerability detection software, this particular type of malware was undetected by all.

For the full article, please visit:
http:/ /www.bbc.co.uk/news/technology-16812064

Web Application Vulnerability Statistics Still Show Losing Ground

A recent study has shown that developers are still unable to combat the most commonly exploited vulnerabilities from their code and are not detecting attacks such as SQL injection and cross-site scripting (XSS). The new Web application vulnerability statistics, which were released last week, emanated from London-based security services provider Context Information Security. In 2011, they used Penetration tests against web applications, originating from organizations in both the private and public sector based primarily in the UK. Similar studies which were done in 2010 have shown the issue of vulnerabilities within web application to be worsening.

For the full article, please visit:
http://searchsecurity.techtarget.co.uk/news/2240114927/Web-application-vulnerability-statistics-show-security-losing-ground

Government Web Applications Contain the Highest number of vulnerabilities

Almost two out of every three web applications have been found to be at risk from cross-site scripting (XSS).

According to the Web Application Vulnerability report released by security consultancy Context Information Security, web applications developed for government, financial services and law and insurance sectors show the greatest increase in vulnerabilities.

For the full article, please visit:
http://www.scmagazineuk.com/government-web-applications-contain-the-most-vulnerabilities/article/225925/

The following two tabs change content below.

Administrator

Latest posts by Administrator (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.