Security & Quality Assurance
While not trivial knowledge to all, application quality is also measured by its level of security. Lack of security testing procedures in software development life cycle can lead to insufficient quality, unneeded risks and potentially loss of business revenue and reputation.
Sunday, November 13, 2016
Yes, My Name is ||
Different cultures and nationalities have different naming conventions; I came from a one that led me to face the universe with a personal name "Or". In fact, my name has different meanings in different languages. In English the meaning of "Or" is function word that indicate alternatives and in computer coding languages the name "Or" is being used as Boolean operator that enable us to write conditions in our code.
So, Yes, I'm having hard time introducing my name to English speaking people, and yes, appending comment with my name in source code that I have written creates ambiguous meanings once being read by other coders!
But this time it has gone too far...
Read more about it in - https://blogs.akamai.com/2016/11/yes-my-name-is.html
Wednesday, August 31, 2016
How to Tell a Landscaper From a Thief
If I can see a person standing in front of a neighboring house inspecting the windows and the doors, should I call the police?
Maybe it is the air-condition technician looking for the best place to install a new air-condition unit, or maybe it is a robber doing reconnaissance and checking what is the easiest way to get into the house. It is hard to tell!
Now what if I can see a user sending requests to non-existing pages in my application?
Maybe these are broken links created mistakenly by that user, or maybe these are attack reconnaissance, pre-attack activity done by a malicious user. It is also hard to tell!
Continue reading on InfoSec Island - http://www.infosecisland.com/blogview/24626-How-to-Tell-a-Landscaper-From-a-Thief.html
Maybe it is the air-condition technician looking for the best place to install a new air-condition unit, or maybe it is a robber doing reconnaissance and checking what is the easiest way to get into the house. It is hard to tell!
Now what if I can see a user sending requests to non-existing pages in my application?
Maybe these are broken links created mistakenly by that user, or maybe these are attack reconnaissance, pre-attack activity done by a malicious user. It is also hard to tell!
Continue reading on InfoSec Island - http://www.infosecisland.com/blogview/24626-How-to-Tell-a-Landscaper-From-a-Thief.html
The Real Story Behind Cheating Stories? Blackhat SEO
Search Engine Optimization (SEO) campaigns are prevalent and legitimate ways to promote Web applications in order to get a better visibility and more traffic to your Web application. But what happens when an SEO campaign crosses the line into the dark side and becomes malicious?
Recently the Akamai Threat Research Team discovered a highly sophisticated SEO attack campaign that was promoting the search results rating for a Web application that allows users to share their cheating and infidelity stories.
The complexity of this attack campaign included defacement of hundreds of Web applications across the Internet by abusing vulnerable Windows Web servers and injecting HTML links – using an SQL injection technique. By injecting reference links between the defaced applications to the “cheating stories” application, the attackers tried to mimic normal distribution of content over the Web. Once the injected content is placed, the attacker counts on the scanning that search engines perform to determine what should be the best results for any given keywords. As a result, the rating of the “cheating stories” application will be calculated based on the quality and quantity of those links.
This article reveals the details and findings of the targeted SEO attack, including the end result: The “cheating stories” application being highly ranked by the leading search engines.
Read more in "the security ledger" - https://securityledger.com/2015/08/the-real-story-behind-cheating-stories-blackhat-seo/
Recently the Akamai Threat Research Team discovered a highly sophisticated SEO attack campaign that was promoting the search results rating for a Web application that allows users to share their cheating and infidelity stories.
The complexity of this attack campaign included defacement of hundreds of Web applications across the Internet by abusing vulnerable Windows Web servers and injecting HTML links – using an SQL injection technique. By injecting reference links between the defaced applications to the “cheating stories” application, the attackers tried to mimic normal distribution of content over the Web. Once the injected content is placed, the attacker counts on the scanning that search engines perform to determine what should be the best results for any given keywords. As a result, the rating of the “cheating stories” application will be calculated based on the quality and quantity of those links.
This article reveals the details and findings of the targeted SEO attack, including the end result: The “cheating stories” application being highly ranked by the leading search engines.
Read more in "the security ledger" - https://securityledger.com/2015/08/the-real-story-behind-cheating-stories-blackhat-seo/
Playing Hide and Seek In the Cloud
When we were young, we had fun playing hide and seek. As 5 year olds there were a limited number of places our friends could hide, and we could methodically check each one and then giggle when we found them. As we grew older, we expanded the boundaries of the game. Today, as security researchers, hide-and-seek is no longer so fun because the boundaries are nearly infinite. How do you find and evaluate the risk, for example, of one deadly SQL injection attempt across 200,000 daily attack events?”
Threat intelligence is the answer for that, by analyzing huge amount of data, it finds the malicious needle in the data haystack and provides actionable insights that will assist with mitigating the risk. One of the advantages of threat intelligence is that it facilitates security teams to move from the reactive approach, which is one step behind, to proactive approach, which is one step ahead. The proactive approach improves mitigation tactics against current threats and at the same time upgrades future mitigation strategies.
A key factor for proactive insights lay in the ability to have visibility to rich, diverse and continuous data; Therefore, it is only natural that cloud networks, such as content delivery networks (CDN), should utilize the rich, diverse and continuous data, streaming through their infrastructure into threat intelligence.
This article will show the unique power of threat intelligence utilizing cloud networks and present a case study that find and correlate those malicious needles into insightful and actionable intelligence.
Read more about it in "Infosec Island" - http://www.infosecisland.com/blogview/24680-Playing-Hide-and-Seek-In-the-Cloud.html
Threat intelligence is the answer for that, by analyzing huge amount of data, it finds the malicious needle in the data haystack and provides actionable insights that will assist with mitigating the risk. One of the advantages of threat intelligence is that it facilitates security teams to move from the reactive approach, which is one step behind, to proactive approach, which is one step ahead. The proactive approach improves mitigation tactics against current threats and at the same time upgrades future mitigation strategies.
A key factor for proactive insights lay in the ability to have visibility to rich, diverse and continuous data; Therefore, it is only natural that cloud networks, such as content delivery networks (CDN), should utilize the rich, diverse and continuous data, streaming through their infrastructure into threat intelligence.
This article will show the unique power of threat intelligence utilizing cloud networks and present a case study that find and correlate those malicious needles into insightful and actionable intelligence.
Read more about it in "Infosec Island" - http://www.infosecisland.com/blogview/24680-Playing-Hide-and-Seek-In-the-Cloud.html
Changing the Rules of the Game
A common defensive rule of information security is that once you detect an attack against your organization’s Web applications, you must mitigate the attack by stopping it. In other words: “stop it once you can”.
But what if the rules of the defenders vs. attackers “game” have changed and the teams are not playing in the same league anymore?
For example, here are some of the “game” changers from recent years:
In recent years we have seen an increased number of defenders changing the rules of the “game” and adopting new defensive techniques. Those techniques give the attacker a deceptive feeling that the attack was not detected, reducing the attack effectiveness to the point where it will take too much time and resources to be considered complete.
Maybe the common defensive approach is not good enough; maybe it is time for more defenders to step-up their game and introduce “game” changing rules?
Read more about it in "infosecurity-magazine" - http://www.infosecurity-magazine.com/opinions/changing-the-rules-of-the-game/
But what if the rules of the defenders vs. attackers “game” have changed and the teams are not playing in the same league anymore?
For example, here are some of the “game” changers from recent years:
- The playground (aka an attacker’s computing resources) became ridiculously cheap to hire (if not available for free)
- The players of team “black” (also known as attackers) became more persistent, targeted and ruthless
- The players of team “white” (also known as defenders) became overwhelmed by endless amounts of security incidents and are constantly one step behind the attackers
In recent years we have seen an increased number of defenders changing the rules of the “game” and adopting new defensive techniques. Those techniques give the attacker a deceptive feeling that the attack was not detected, reducing the attack effectiveness to the point where it will take too much time and resources to be considered complete.
Maybe the common defensive approach is not good enough; maybe it is time for more defenders to step-up their game and introduce “game” changing rules?
Read more about it in "infosecurity-magazine" - http://www.infosecurity-magazine.com/opinions/changing-the-rules-of-the-game/
Fighting Account Takeovers with Cloud Intelligence
One of the most important and yet challenging aspects of defending web applications is the ability to prevent account takeover attacks.
Once taken over, the potential damage can include losing access and control over the account, data breach and even fraudulent transactions. So why is account takeover prevention is so challenging? A recent article discussing the massive data breach of Alibaba Group’s website Taobao, a Chinese e-commerce website for online shopping, may offer a potential answer:
“Taobao, China's largest online marketplace that operates in a similar fashion to eBay and Amazon, has been hit with an attempted cyber-attack as hackers successfully compromised more than 20 million user accounts linked with the service. The hackers, who have already managed to amass a vast database of 99 million usernames and passwords from a number of Chinese websites unrelated to Taobao, eventually discovered that a significant amount of the data matched active user accounts on the popular ecommerce website.”
Using the Taobao data breach as an example, it is clear how hackers continue to breach secure web applications. Visitors to highly-secured web applications create login credentials and then recycle those credentials to access another potentially vulnerable web application. Once hackers breach the vulnerable web application, they have a free pass to the user’s account on the fortified web application.
Here comes the challenging part, even a fortified web application has no control over such a scenario, and many of their security authentication mechanisms are now useless in these cases. Despite the bad security practices of web application users, it ultimately remains the responsibility of the application to fortify its defenses and protect sensitive user data.
Read more about it in http://www.infosecurity-magazine.com/blogs/fighting-account-takeovers-cloud/
Once taken over, the potential damage can include losing access and control over the account, data breach and even fraudulent transactions. So why is account takeover prevention is so challenging? A recent article discussing the massive data breach of Alibaba Group’s website Taobao, a Chinese e-commerce website for online shopping, may offer a potential answer:
“Taobao, China's largest online marketplace that operates in a similar fashion to eBay and Amazon, has been hit with an attempted cyber-attack as hackers successfully compromised more than 20 million user accounts linked with the service. The hackers, who have already managed to amass a vast database of 99 million usernames and passwords from a number of Chinese websites unrelated to Taobao, eventually discovered that a significant amount of the data matched active user accounts on the popular ecommerce website.”
Using the Taobao data breach as an example, it is clear how hackers continue to breach secure web applications. Visitors to highly-secured web applications create login credentials and then recycle those credentials to access another potentially vulnerable web application. Once hackers breach the vulnerable web application, they have a free pass to the user’s account on the fortified web application.
Here comes the challenging part, even a fortified web application has no control over such a scenario, and many of their security authentication mechanisms are now useless in these cases. Despite the bad security practices of web application users, it ultimately remains the responsibility of the application to fortify its defenses and protect sensitive user data.
Read more about it in http://www.infosecurity-magazine.com/blogs/fighting-account-takeovers-cloud/
A Year Later, Clearly “Blackhat SEO” is still Working
A year ago Akamai’s Threat Research Team exposed a “Blackhat Search Engine Optimization (SEO)” attack campaign. The goal of the campaign was to manipulate search engines rankings and grow visibility for a web site that allows users to share their cheating and infidelity stories.
The attack method used SQL injection to inject HTML links to as many web sites as possible across the Internet. By doing so, the attackers created a nest of links referring to the promoted Web site. The expected result? The injected links would eventually lead to growth in the site’s ranking, driving traffic, and increasing awareness in search engines.
The success of SEO ranking manipulation is a product of time and referral links. In order to determine whether such “blackhat SEO” manipulation was successful, we measured the promoted web site ranking in the past year to see whether the Blackhat SEO “worked.”
Read more about it in the following blog - https://securityledger.com/2016/08/a-year-later-clearly-blackhat-seo-is-still-working/
The attack method used SQL injection to inject HTML links to as many web sites as possible across the Internet. By doing so, the attackers created a nest of links referring to the promoted Web site. The expected result? The injected links would eventually lead to growth in the site’s ranking, driving traffic, and increasing awareness in search engines.
The success of SEO ranking manipulation is a product of time and referral links. In order to determine whether such “blackhat SEO” manipulation was successful, we measured the promoted web site ranking in the past year to see whether the Blackhat SEO “worked.”
Read more about it in the following blog - https://securityledger.com/2016/08/a-year-later-clearly-blackhat-seo-is-still-working/
Subscribe to:
Posts (Atom)