Free Ebook Manual Download

Programming, Automotive, Hardware, Gadget

Although traditional firewalls have effectively prevented network-level attacks, most future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a Web application’s code, regardless of the technology in which the application is implemented or the security of the Web server and backend database on which it is built. A recent advisory published by Internet Security Systems (see the “Internet Resources” sidebar, p. 44) claims that 11 widely deployed shopping cart applications are vulnerable to a simple attack that lets hackers purchase goods for much less than their listed price. Worryingly, the attack does not require particular technical skill; it suffices to save the shopping cart’s HTML confirmation form to disk, use a text editor to modify the price of the goods (stored in a hidden form field), and load the HTML form back into the browser.

The tone of recent news stories about the dangers of Facebook has been quite hysterical, and many IT directors can be forgiven for feeling under threat from the phenomenon. But is a blanket ban on the site the best approach, or merely a knee-jerk reaction? Perhaps a more tailored approach with network management tools is appropriate.

The definition of Web 2.0 is still being debated despite extensive discussion. Its staunchest advocates proclaim it a complete philosophical and technological reworking of how the web functions. Others declare that it is meaningless. However, most agree on common characteristics of a Web 2.0 application, such as increased interactivity, the acceptance of user input for building community and a reliance on client-side functionality. Additionally, Web 2.0 applications can be more vulnerable to exploitation by hackers than their predecessors. Hackers spend most of their time gathering information. When Web 2.0 applications push functionality and code to users, they provide hackers with information that can be used for formulating attacks. Often, old attacks such as cross-site scripting become more dangerous when used against Web 2.0 applications. This white paper defines some of the common technological components of Web 2.0 applications and discusses ways of securing them against exploitation.

Feed Injection in Web 2.0

One new feature of “Web 2.0”, the movement to build a more responsive Web, is the use of XML content feeds based on the RSS and Atom standards. These feeds allow both users and Web sites to obtain content headlines and body text without needing to visit the site in question, basically providing users with a summary of that site's content. Unfortunately, many of the applications that receive this data do not consider the security implications of using content from third parties and unknowingly make themselves and their attached systems susceptible to various forms of attack.

The winter of 2004 brought with it a new opportunity for me. I began learning and programming in PHP and MySQL as an independent study and also for my job with both the admissions department and financial aid department of Eastern Washington University. My first bit of programming got off to a great start and it was when I was put in charge of developing a secure website that I began researching the topic of website security. I knew very little about how people hacked into websites to do various illegal activities, so I decided that some of the basic entry points into a website and its server needed to be addressed.

Basics
Bluetooth Security
Attacks via Bluetooth - Introduction
BlueSnarf
BlueSnarf++
BlueBug
BlueJacking
HeloMoto
BlueSmack
Cracking the Bluetooth PIN
Conclusion

Bluetooth Basics
Originally invented 1994 by Ericsson
Technology for connections of short range devices
Bluetooth operates within license-free ISM band (2.4 – 2.48 GHz)
To prevent interferences: frequency hopping
base band frequency switched 1600 times / s
ISM band divided into 79 freq. levels, 1 MHz distance
Connect two devices: pairing
Piconet

Bluetooth Introduction
History
Technology Overview
The BlueSnarf Attack
The HeloMoto Attack
The BlueBug Attack
Bluetooone
Long-Distance Attacking
Blooover
Blueprinting
DOS Attacks
Sniffing Bluetooth with hcidump
Conclusions – Lessons taught
Feedback / Discussion

This article shows how a network analyzer, historically used for network troubleshooting, can also be used to defend against security threats. Certain features of a network analyzer can be set to monitor for virus and attack signatures and offer quick ways of isolating infected systems. For organizations that are looking to invest in a network analyzer, there are certain key features that should be considered.

Introduction

Chances are, your IT toolbox already contains a network analyzer. Historically, a network (or protocol) analyzer has been a great tool for troubleshooting network problems and monitoring for excessive bandwidth usage.
