On this episode of the Imperva Security Podcast Eldad Chai -- Imperva Web Application Firewall Product Manager, is interviewed.

Eldad talks about adding reputation to an application security strategy, anti-automation, and adaptive response.

He goes into detail on Imperva's ThreatRadar solution- what it is, how it's used, and what customers can expect to gain from it. He covers specific threat examples such as automated attacks and business logic attacks and how they can be addressed beyond blocking and alerting with capabilities such as CAPTCHA, challenge-response, redirection and more.

Related information

Next Generation Web Application Firewalls

• NG-WAF Whitepaper
• NG-WAF Podcast

Industrialization of Hacking

• Industrialization of Hacking Whitepaper

RSA San Francisco 2010

On Thursday, March 04 08:00 AM Tall Beery (Imperva Web Research Team Leader) and I will be presenting the topic:  Tell Me Your IP and I’ll Tell You Who You Are.  The RSA ID is NMS-301 and it will be in Orange Room #306.

Abstract 

IP addresses are considered an unreliable method for attack detection. The session demonstrates how information derived from IP addresses can be used to improve attack detection capabilities. The presentation discusses attributes such as Geo Location, Anonymous Proxy lists etc. The presentation is supported by corroborative evidence derived from actual log data and demonstrates some analysis tools.

RSA San Francisco 2010

On Wednesday, March 03 08:00 AM Tall Beery (Imperva Web Research Team Leader) and I will be presenting the topic:  Staring at the Beast: Six-Months of Attack Vector Research.  The RSA ID is SIP-201 and it will be in Orange Room #307.

Abstract 

Security officers and vendors alike must look beyond traditional vulnerability information and become privy to the true activities of attackers. The intelligence gathered through such data collection efforts provides insight into the actual focus of hackers, current attack trends, behavioral patterns of attack, and attack tools. This session will examine data to enable us to create more effective security policies and tools in a timely manner.

 Stop by our booth at RSA

In addition to the Next Generation Web Application Firewall (NG-WAF) Whitepaper Imperva has released a podcast with CTO Amichai Shulman on NG-WAF.

Amichai discusses the Industrialization of Hacking (Whitepaper on that topic found here) and how that's creating a need for WAF solutions to evolve so they can address automated attacks, business logic attacks, and the existing and growing list of technical attacks such as SQL Injection, XSS, etc. He also discusses mechanism for combating automated attacks and business logic attacks, deployments within MSSP and Cloud-based environments, and other components of Imperva's NG-WAF vision. 

Downloads

• NG-WAF Whitepaper
• NG-WAF Podcast
• Industrialization of Hacking Whitepaper

 Stop by our booth at RSA San Francisco this week (March 1st 2010) to learn more.

Download Whitepaper

Stop by our booth at RSA San Francisco this week (March 1st 2010) to learn more

Download the Whitepaper

Today, hacking is a $1T industry — up from a few billion just three years ago. In 2007, professional hacking represented a multibillion-dollar industry. At present, this same industry posts — in stolen data, IP and financial gain — more than one trillion in value. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cyber crime industry has similarly transformed and automated itself to achieve scalability and increase profits.

The industrialization of hacking coincides with a critical shift in what's considered today's prized commodity: data. This paper explores:

• The structure of industrialized hacking operations.
• Current technologies used by hackers.
• The most common attack methods and mitigation strategies.

Download the Whitepaper

Stop by our booth at RSA San Francisco this week (March 1st 2010) to learn more

On a recent visit to Asia I had the opportunity to sit with many of our regional partners to discuss IT security regulations specific to web applications and databases.  There was no surprise that PCI was at the top of the list followed by SOX for some international companies, primarily American, and then a short list of ISO and country specific regulations.  Each partner I spoke with talked about a different local requirement usually still being defined or just about to become officially enforced.  In each case I received the same question, "Will SecureSphere support the legislation?"

The short answer I gave them all was the same.  If the legislation requires web application security and/or monitoring, and/or defines requirements for securing and/or monitoring database and data access, the answer is 'yes'.  The reality that I have experienced so far has been that while there are various data security regulations, they all typically require the same fundamental output.  Data privacy regulations, regardless of the industry or country, at a minimum, require complying organizations to restrict and/or monitor (audit) who has access to, and to what degree they have access to, the data that must be regulated.

  Jimmy Private Data

This, of course, is quite easy for SecureSphere since it has the ability to secure and monitor (audit) any aspect of database and application activity.  All that is required of the administrator is to know what elements of data access should be monitored to comply with the regulation and to configure SecureSphere to secure and/or monitor that activity.  Of course, SecureSphere is pre-configured with the most common regulations, but as I say, it can be easily configured to meet even the most obscure legislation.

The most common current Asia regulations I identified are below:

PCI

SOX

J-SOX

K-SOX

ISO27001

As I stated above, there are some regulations in development for various countries, but they have yet to be ratified.  Additionally, some countries have existing regulations, but have yet to include IT data to the requirements and are still very much focused on the 'paper' books rather than electronic data.  Having worked extensively in various locations around the globe, it's always interesting to see the considerable differences from region to region and country to country.

Ellen Messmer, at Network World, published a short, entertaining article about an unemployed Russian system administrator who hacked into a giant public billboard on a Moscow street, replacing the advertisement with a pornographic movie.

…Interior Ministry's high-tech crime unit says the suspected billboard hacker is a 41-year-old unemployed man who police believe used the IP address of an organization based in Chechnya to breach a Moscow server…

Needless to say, this stopped traffic both on the street and on the sidewalks stuffing them with gawkers and cell phone videophiles.  Considering the ‘rubber-neck’ traffic created by someone changing a tire where I live, I can only imagine the backup caused this incident.  Taking the security of the billboard server and public safety issues of stopping traffic aside, this article underscored for me the idle hands environment we find ourselves into today with unemployment rates steadily rising. 

Statements attributed to police sources says the hacker was breaking into computers out of curiosity and had admitted to the stunt, which he allegedly said was an effort to entertain

At least in this case, the alleged intent was curiosity and entertainment rather than data theft or destruction. I also consider the distribution method in this case and how the billboard could have been made to show healthcare information, credit card numbers, private financial data, etc…

OWASP just released episode number 59.  They discuss a number of topics, but during the last third of the podcast they focus on the 32 million clear text passwords that were stolen from RockYou and later posted on the Internet. They also explore Imperva's research paper that explores the strength of those passwords.

The report identifies the most commonly used passwords:

   1. 123456
   2. 12345
   3. 123456789
   4. Password
   5. iloveyou
   6. princess
   7. rockyou
   8. 1234567
   9. 12345678
  10. abc123

"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes," explained Imperva's CTO Amichai Shulman. "The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine."

Some key findings of the study include:

• The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as "brute force attacks."
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is "123456".
• Recommendations for users and administrators for choosing strong passwords.

Imperva has launched another resource:  Cookie Poisoning. This resource contains information about Cookie Poisoning as well as related White papers, Webcasts, and videos.

Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity.