Web application technologies like PHP, CGI, Javascript, and Ajax have made it much easier for people to construct and deploy services on the Internet. Unfortunately, this has opened a wide avenue for new attacks since it is as easy to unintentionally introduce new vulnerabilities into web applications as it is to intentionally introduce new functionality. Consequently, web applications have increasingly been the focus of attackers.
Read the rest of this entry »

• 0 Comments

Although traditional firewalls have effectively prevented network-level attacks, most future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a Web application’s code, regardless of the technology in which the application is implemented or the security of the Web server and backend database on which it is built. A recent advisory published by Internet Security Systems (see the “Internet Resources” sidebar, p. 44) claims that 11 widely deployed shopping cart applications are vulnerable to a simple attack that lets hackers pur- chase goods for much less than their listed price. Worryingly, the attack does not require particular technical skill; it suffices to save the shopping cart’s HTML confirmation form to disk, use a text editor to modify the price of the goods (stored in a hidden form field), and load the HTML form back into the browser.
Read the rest of this entry »

• 0 Comments

Information and communication technologies continue to pervade our lives in various aspects which include health, education, entertainment and ecommerce. People need to be able to trust computer systems as the dependence on them increases. The Trustworthy Computing vision (CRA, 2003) refers to computer systems that are intuitive, controllable, reliable and predictable and that ensure availability and security. Secure cod- ing is not trivial and poor code security management may leave the developed web application vulnerable to attack or turn the application into a launch pad for serious attacks.
Read the rest of this entry »

• 0 Comments

The following document is intended as a guideline for developing secure web-based applications. It is not about how to configure firewalls, intrusion detection, DMZ or how to resist DDoS attacks. This is a task best addressed at system and network level. However, there is little material available today intended for developers. We have entered the dotcom age in which a web site is no longer an isolated site, but an extension of the internal business systems, yet there isn’t much about how to create this extension securely.
Read the rest of this entry »

• 0 Comments

The tone of recent news stories about the dangers of Facebook has been quite hysterical and many IT directors can be forgiven for feeling under threat from the phenomenon. But is a blanket ban for the site the best approach or merely a knee-jerk reaction, perhaps a more tailored approach with network management tools is appropriate?
Read the rest of this entry »

• 0 Comments

This paper details various security concerns and risks associated with web 2.0 technologies such as Asynchronous Java script and XML (AJAX), Syndication, aggregation and notification of data in RSS or Atom feeds, mashups created by merging content from different sources. This paper also describes the security implications leading with the usage of web 2.0 technologies such as AJAX, RSS, and Mashups. Increase in application functionality leading to the emerging new web technologies (web 2.0). These new web technologies open more avenues to security threats to the online applications and users. Efficient protection mechanisms should be considered when dealing with web 2.0 technologies usage.
Read the rest of this entry »

• 0 Comments

The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. In this paper we analyze Microsoft’s Windows NT implementation of PPTP. We show how to break both the challenge/response authentication protocol (Microsoft CHAP) and the RC4 encryption protocol (MPPE), as well as how to attack the control channel in Microsoft’s implementation. These attacks do not necessarily break PPTP, but only Microsoft’s implementation of the protocol.
Read the rest of this entry »

• 0 Comments

Two leading network access control standards — TCG’s Trusted Network Connect (TNC) and Microsoft’s Network Access Protection (NAP) — will now interoperate, providing enterprises with simpler, more cost-effective, scalable, and interoperable endpoint integrity and network access control.
Read the rest of this entry »

• 0 Comments