
What’s HOT in Application Security Vol #24

Aug 14, 2012 By asaphs

Facebook accused of falsely verifying developers apps security

An investigation by the US Federal Trade Commission (FTC) has disclosed that Facebook took no steps whatsoever to verify the security of Facebook apps that were awarded a Facebook verification badge.

It is speculated that Facebook was paid around $95,000 by developers whose applications were entered into the now defunct ‘verified apps scheme’. The certificate was awarded to applications that supposedly passed Facebook’s ‘test for trustworthy user experiences’. Verified apps were given privileges such as prominence in search results and higher rankings in the app directory than those without the ‘verified badge’.

The FTC further commented that apps awarded the verification badge did not go through any more rigorous application security testing than the ‘steps that may have been taken regarding any other Platform Application’.

This pay-for-verification status is a worrying trend that could see developers bypass the normal channels for genuine security assurance by buying security certification and deceiving application users.

For more information please go to:

http://www.guardian.co.uk/technology/2012/aug/13/facebook-developers

Hacker M.R.S.CO claims he hacked into Israeli government websites

The hacker known as Emad, who has already posted credit card details and passwords of Israeli credit card holders, has claimed that he has hacked Israeli government websites ending in Gov.il. The sites M.R.S.CO claimed to have hacked include those of the Prime Minister’s office, the Accountant General, the Ministry of Environmental Protection and more.

So far the only site that appears to be affected is the Soil Erosion Research Station, which redirects to the hacker’s website. The hacker managed to gain access to the server farm that hosts the websites, reached the archived files and replaced the homepage image with a link to the hacker’s website.

Such sites, however, are hosted on private servers rather than on secured government servers, even though they share the same domain name. Whether the hacker is able to breach the secured government websites remains to be seen.

For more information please go to:

http://hightechnologyforensics.com/arab-hacker-claims-hacked-into-israeli-government-sites-ynetnews

Reuters’ news agency Twitter page hacked twice in 48 hours

Last Sunday saw pro-Syrian hackers breach the Thomson Reuters news agency’s Twitter page in order to post tweets favorable to the Syrian government.

The news agency revealed that its Twitter technology news page @ReutersTECH was hacked and renamed @ReutersME in order to post Syrian government propaganda. Tweets included:

@ReutersME: FOX news asks, #Americans left wondering: Is #AlQaeda An Enemy Or Not? http://t.co/vVlGrxV3

@ReutersME: FSA high ranking officer Gen. Mustafa Al-Sheikh dies during clashes in Anadan, Aleppo

In total, 22 false tweets, including false reports on the number of Syrian opposition members killed in action against government troops, were sent purportedly from Reuters news sources.

The incident followed an earlier breach of the Reuters blogging platform, in which the attackers gained access to a Reuters journalist’s blog.

Web Applications: Attacked 120 days a year

If web application security isn’t at the forefront of your mind then perhaps this will change your tune: a recent report showed that the median number of annual attacks was 274, with one ‘victim’ reporting a shocking 2,700 incidents in a year!

The report’s findings weren’t shocking, but it was surprising to see that things are not getting better in the world of web application security, only worse. The report closed with a poignant line:

Good intelligence saves lives on the cyber battlefield.

Wait, haven’t we been saying that for years?

For more information please go to:

http://www.itbusinessedge.com/cm/blogs/poremba/report-web-applications-under-attack-120-days-a-year/?cs=50934
