Checkmarx Launches Infrastructure as Code Scanning Solution to Secure Cloud-Native Applications: KICS

What’s Hot in Application Security Vol #21

DARPA funded hacking device ready for release

The Defense Advanced Projects Research Agency (DARPA) has just finished funding a new device called The Power Pwn. The new device which is cunningly concealed as a regular power strip is anything but! The new device is actually a Hacking tool for launching remotely-activated WI-Fi, Bluetooth and Ethernet attacks.

DARPA’s Cyber Fast Track program helped to fund the new $1,295 hacking platform which was developed by the company Pwnie Express. The company has repeatedly drawn attention to the ingenious look of the harmful device which is perfect for corporate espionage such as hacking a network.

The new device is already available for pre- order with first shipping dates estimated at 30th September. The new device once planted in an unsuspecting corporate office can cause a number of vicious attacks. The Power Pwn can launch Wi-Fi, Bluetooth and Ethernet remotely-activated attacks in order to find network vulnerabilities. Commands can be sent by the units built-in 3G radio, directly by text message or by web interface. The device even has the option of using Apple’s Siri voice-recognition software to send commands. Other capabilities include: Tunneling through application-aware firewalls & IPS, Supports HTTP proxies, SSH-VPN, & OpenVPN, Unpingable and no listening ports in stealth mode. .

Pwnie Express CEO has already stated that 90% of the company’s clients are commercial or federal organizations leaving the other 10% up to speculation?

For more information please go to:

Nvidia forums subjected to SQL injection attack

NVIDIA has become another victim to the recent wave of SQL injection attacks that have also affected Sony, Nokia and other high profile companies. Hackers used the fact that user databases are publicly hosted to send the databases programmed request strings that are designed to execute non-authorized commands.

NVIDIA has expressed concerns that the hackers could target user email addresses for a variety of uses and trick them into supplying user passwords. NVIDIA has not publically stated what hashing algorithms it uses to protect passwords but there is a fear that these could be cracked.

An NVIDIA spokesperson has admitted that the hackers got hold of some user information such as username, email address, hashed passwords with random salt value. The NVIDIA forums are currently down due to NVIDIA looking into the scale and damage of the breach.

NVIDIA forum users are recommended to immediately change any passwords which are the same elsewhere.

For more information please go to:

Apple OS X also vulnerable to App Store style free application usage

The Russian hacker who recently exposed his APP Store fraud which enabled users to bypass payment for applications has added Apple’s OS X. The new hack will affect only developers of applications and not users.

The new hack will allow users to receive free applications for OS X. The hack procedure in receiving free APP’s is the same for mac users as it is for iOS users with the inclusion of the installation of the app called the ‘Grim Receiper’ which allows users to simply ‘drag and drop’ the applications which they wish to use for free without payment.

Apple has stated that the iOS vulnerability will be addressed in iOS 6 which is slated for release in October 2012. A fix for OS X is expected to be in the form of a security update.

For more information please go to:

DDOS Amazon and eBay hacker arrested

Cyber bandit Dmitry Olegovich Zubakha was arrested last Wednesday on an international warrant in Cyprus and is awaiting extradition to the United States. According to the indictment, Zubakha with the help of another hacker carried out harmful DDoS attacks on Amazon and eBay in June 2008.

Zubakha and his partner caused the attack by programming botnet computers to request very large and resource intensive web pages, disrupting customer transactions. The hackers face a number of charges including; intentionally causing damage to a protected computer, possession of unauthorized credit card numbers.

In total, the charges against the two co-conspirators stand at a possible 27 years. This is a triumph of international co-operation on cyber-crime and a warning to others that increasing international efforts to find and prosecute offenders is a new reality.

For more information please go to:

Lessons from the Yahoo data breach for cloud security

Last week’s hacking of 450,000 Yahoo passwords from the ‘Yahoo Voice’ service was big news everywhere and another wake up call for cloud security. The SQL injection attack was the chosen tool of the hackers which led to the publishing of the stolen material. So what can be learned from this latest attack on a cloud service?

Exposing too much Metadata

While the best practices of database design in the past was the correct use of data name, today this practice has become a major vulnerability and just assists any potential hackers. Databases holding sensitive information such as credit card numbers and passwords do not need to be labeled ass PIN or Credit_Card. It is highly recommended to avoid too much meta data sensitive columns and keep them as part of supporting documentation instead.

Not Masking Data

Masking data is basically the taking of data in its normal form and converting it into a different format for storage purposes. This is slightly different from inscription in that the data is readable but will display jumbled data with no value unless the de-masking algorithm is known.

Data such as credit card numbers, social security numbers and any other sensitive information no longer needs to be displayed in clear columns or rows for hackers to easily interpret the data. It is a relatively easy fix to have credit card numbers for example, placed into a number of rows and flipped back to front. When the need arises, the application would reassemble the sensitive information in a way that that is readable only with the de-masking algorithm.

Not following security fundamentals during SaaS development

Due to pressured time constraints on time to market for most SaaS developers , fundamental security basics are often overlooked. Today’s multi-tenant world make the chances of a successful SQL Injection attack ever more likely as a hacker can always enter the system as a legitimate user by creating a valid account and then start hacking valuable data of other customers.

If your SaaS application is accepting input from the user then that action need to always be validated first before being acted upon.

Jump to Category