26 posts from December 2011
December 29, 2011
 Why RFI Gets No Respect

Vendors like WhiteHat (registration required) and Veracode (registration required) release extremely useful and informative reports on vulnerabilities:  how many are out there as well as what kinds.  Indeed, it’s important to be aware of vulnerabilities.  But there’s something interesting about the data when you compare it to our hacker attack data from our web application attack report (registration NOT required) from last July.  While vulnerability scanners make no mention of RFI/LFI issues, our report highlighted them as one of the top four attack methods (SQL injection, Directory Traversal and XSS rounded out the list).  Why the disparity?

The main reason we don't see LFI/RFI in code review is that many website owners/security officers are not necessarily aware of the underlying technology that powers their website. For example, if you install Wordpress, the most popular content management system on the Internet, you get PHP on your server.  Not surprisingly, no one is paying attention to PHP code—especially when it comes to code scanning.  This is because most organizations who invest in code review technologies (or serious web scanning) are not using PHP for their core application. On the other hand, PHP applications are the most prevalent (in terms of absolute numbers) on the web, hence the strong interest from attackers.

Most web applications are PHP based because this is the platform of choice (at least up until now, as you can see at the end of this entry) for small, low-cost applications, and MOST applications on the web are small, low-cost applications. As we all know, security expenditure among owners of small applications is very low, and they will certainly not invest in Veracode or other code review technology.

How prevalent is PHP?  It's interesting to note that although PHP is by far the most frequently used server-side programming technology (see stats below), it's being ignored by the security community:

  • Veracode: "Approximately half of the code was in Java, one quarter in .NET, the rest in C/C++, PHP, etc."
  • RFI/LFI doesn’t get much respect and visibility, e.g. it is not really covered in the OWASP Top 10, although it is a major factor in hacking websites, such as when 1.2 million websites were hacked.
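The pattern a code scanner would have to flag in a PHP application, shown here as an added example (not code from the post or from Imperva) beside a hardened version; the `page` parameter, the `templates/` directory and the allowed template names are assumptions.

```php
<?php
// Added illustration of the LFI/RFI class discussed above: a minimal PHP page
// router in the shape scanners look for, followed by a hardened version.
// The "page" parameter, the templates directory and the allowed names are assumed.

// VULNERABLE: the include target is built from untrusted request input. With
// allow_url_include=On a remote URL can be included and executed (RFI); even with
// it off, "../" sequences let the request select arbitrary local files (LFI).
function render_page_vulnerable(string $page): void
{
    include 'templates/' . $page . '.php';
}

// HARDENED: accept only a fixed set of template names, resolve the real path and
// verify it lives under the templates directory before including anything.
function render_page_safe(string $page): bool
{
    static $allowed = ['home', 'about', 'contact']; // assumed template names
    if (!in_array($page, $allowed, true)) {
        return false; // unknown page: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = ($base === false) ? false : realpath($base . '/' . $page . '.php');
    // realpath() returns false for a missing file; the prefix check guarantees
    // the resolved file is inside the templates directory, not a traversal.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Defence in depth (php.ini): make remote includes impossible even if a
// validation bug slips through.
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; unless the application genuinely needs it

render_page_safe(isset($_GET['page']) ? (string) $_GET['page'] : 'home');
```

A scanner that ignores PHP never sees the first function, which is the disparity the post describes.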

Some interesting stats and trends on PHP.  First, note the most popular server-side programming languages:

[chart: PHP]

Second, note the growth of PHP into major websites; some popular sites using PHP include:

Sites using PHP only recently: 


December 23, 2011
 Santa Claus' Credit Card

Merry Christmas everyone!


December 22, 2011
 Commerce Hack

Lots of coverage on the WSJ's reporting of the breach at the Chamber of Commerce.

This coincides, ironically, with Rich Mogull's column on data security.  He writes:

To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. 

Rich goes on to recommend a combination of database activity monitoring, data leak prevention and file activity monitoring.  

The Chamber hack is a good example showing the need for file security that Rich articulates:

The intruders used tools that allowed them to search for key words across a range of documents on the Chamber's network, including searches for financial and budget information, according to the person familiar with the investigation. The investigation didn't determine whether the hackers had taken the documents turned up in the searches.


December 21, 2011
 "Hacking" Newt

Newt Gingrich's official website is this one:  http://www.newt.org/.

However, someone at the Newt campaign failed to take ownership of all the Newt-related domains. It seems that someone has taken ownership of the www.newtgingrich.com domain and is redirecting visits to negative press articles or websites like Fannie/Freddie Mae or Tiffany's. (These sites are related to some of Newt's political baggage.)  Indeed, every time you visit the site, you're redirected somewhere else. Simply looking at the response header information, courtesy of Firefox, you see the redirect (click to BIGGIFY):

[image: NewtRedirect]

Again, we see how 2012 will be the first major election year where hacking will be a big, huge factor. Just because this is Newt does not make it a Republican problem only.  All current and future Karl Roves or James Carvilles will need to have a "war room" response for hacking built into the campaign contingency plans.  But the more astute, well-funded campaign managers will bring in a good-quality security team.

 

 Insider Threat Personas

Imperva's Noa Bar Yosef assembled a great list of personas to help security teams identify potential security threats.  Today, eWeek published an excellent slideshow detailing these personas.

 

 Security Aspects of Cisco's Technology Report

Cisco published their annual world technology report.  The bad news?  This is a 110 page PowerPoint. The good news?  We've gone through it so you don't have to.

The report is based on 1441 college students (18-24) and 1412 end users (21-29) who completed an online survey. It was conducted in 14 countries. There are a lot of findings regarding security that are quite interesting:

  • More than 1 in 4 college students indicate never changing their passwords.
  • About one-third of end users from the total sample indicate that they change their computer/online passwords on a regular basis.
  • Under half (45%) of college students are somewhat careless in protecting the confidentiality of their passwords.
  • Nearly 4 in 10 (37%) end users are somewhat less careful in protecting the confidentiality of their passwords because they store it on the device itself, in a computer document, on a post-it note near their computer or because they share it with friends and family.
  • One in four college students have experienced identity theft of their personal information by age 23. Roughly half of students from China and one in three students from Spain, Russia and India have had their identity stolen at least once in their lives.
  • More than 1 in 5 end users have experienced identity theft of their personal information at some point.
  • Two of five students know friends and/or family who have experienced identity theft.
  • More than half (52%) believe they are not responsible for securing their work devices and data – service providers and IT are.
  • More than 2 in 3 (70%) students have allowed their family members to use their laptop, tablet or smartphone without supervision, while a slightly smaller amount have allowed their friends to do the same.
  • More than half (56%) of end users have allowed someone to use their company-issued computer without supervision—particularly those in China.
  • Almost one in five college students have lost or had their laptop, tablet, smartphone or other computing device stolen in the past 12 months.
  • Exactly 15% say they have lost or had their mobile phone, laptop or other device stolen in the past 12 months.
  • At least 7 in 10 students from the total sample believe their generation is extremely/moderately concerned about internet security threats.
  • One of four are not concerned about security threats when accessing corporate information from outside the office.
  • One in three students are not guarded with the type of information they share online.


December 20, 2011
 President Sponge Bob

From the Associated Press about hackers trying to manipulate the upcoming Iowa Caucus:

Taking seriously an apparent threat from a notorious collective of computer hackers, the Iowa Republican Party is boosting the security of the electronic systems it will use in two weeks to count the first votes of the 2012 presidential campaign.

If I were one of these `hacktivists' who had no scruples, I would be really strongly tempted to see if I could get into the computer and see if I could make `SpongeBob SquarePants' win.

What can be stolen:

"It's very clear the data consolidation and data gathering from the caucuses, which determines the headlines the next morning, who might withdraw or resign from the process, all of that is fragile," said Douglas Jones, a computer science professor at the University of Iowa who has consulted for both political parties.

The attack method of choice?  SQL injection:

When elections officials in Washington D.C. tested an online voting system last year, University of Michigan researchers were able to use an SQL injection to quickly invade the system and make it play the Wolverine fight song every time someone voted, he said.

"These SQL vulnerabilities are notorious, widely known and yet it's a mistake people keep making," Jones said. "It is one of the first things that you try these days."

By contrast, New Hampshire has a paper system and they're not worried.  But they should be--there are other ways to impact elections, as noted in this recent piece, including:

...infiltrating campaign email accounts, publishing falsehoods that go viral or knocking out candidate websites with denial-of-service attacks

Hackers have either threatened or attacked elections in:

In the US, 2012 will be a big election year and is a natural, high-profile target.  Federal, state and local election authorities need to think seriously about hackers who have already shown an ability to influence poll results.   The Iowa caucuses and the primary season can be a chance to build and test the security of election infrastructure--even for Democrats.  To date, the main attack types have been DDoS, email hacking and data theft/manipulation.  Ironically, few are hitting the panic button.  And the consequences can be severe:  any hint of election tampering and we'll be joyously reminiscing about hanging chads.  

 

December 19, 2011
 Who Makes the Manliest Browser?

Recently Accuvant published a study on browser safety.  As the study’s sponsor, Google won!  This is in contrast to another browser comparison from NSS Labs from July 2011 whose results had IE 9.0 as the most secure browser. 

What should consumers and IT professionals believe?  Who has the manliest browser?  Which browser is the girly-man, little-baby loser that landed in their own baby poo?

[image: HansFranz]

Browsers are very much like cars, only at an earlier stage of their life cycle.  In the beginning, the competition was over who had the best basic features (e.g., driving from point A to point B or showing web content). After the basic functionality was achieved, Maslow’s hierarchy of needs set in.  Namely, users' focus moved to functionality and efficiency (e.g., fuel consumption or speed of rendering).

However, when comparing security features, some of the logical conundrums that plague cars similarly plague browsers:

  • If one car has an ABS system and the other one has air bags – which is safer?
  • If one browser runs Flash in a sandbox and the other has an anti-XSS filter – which is safer?

The answer:  depends on the criteria.  Of course, any judgment depends on several factors such as driving/browsing habits and skills.  The problem when evaluating browsers is this:  what are your crash test criteria and how do you weigh the scoring?

Let’s look at the NSS results.  They summarize:

Socially Engineered Malware remains the most common security threat facing Internet users today. Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.

European users have found themselves particular targets of malware authors over the last 12 months. In 2010, threat researchers discovered new ZBOT variants specifically targeting banking systems in four European countries.

According to the EU’s statistics office, Eurostat, almost one third of internet users in the European Union were victims of malware infections in 2010 despite the majority having security software installed. Of the 27 EU countries surveyed (totaling over 200,000 users), those with the highest malware infections include Bulgaria (58%), Slovakia (47%), Hungary (46%), Italy (45%) and Estonia (43%.)

The NSS study focused solely on malware blocking.  The conclusions:

  • Very good results for IE – a clear leader with Chrome and others far behind.
  • Reputation services are crucial for mitigating attacks – This is critical since all of the browsers are using URL reputation services. But even when everyone is using reputation services there are two main differences:
    • Quality of data – obviously IE is using more comprehensive and more rapidly updated sources.
    • Integrating several different sources of reputation service – IE9 demonstrates that the combination of URL reputation services AND application reputation leads to a 100% (!!!) detection rate:

[image: Browser1]
The Accuvant study, by contrast, added and focused on other criteria.  URL reputation and application reputation are barely considered.  In fact, the category “URL Blacklisting” doesn't get a lot of attention:

[image: Browser2]

What is the bottom line of all this?

  • If you’re a geek, go for security through obscurity:  The best way to minimize the consequences of accidents is to avoid them altogether. The way to avoid a cyber accident is by using a platform which is less targeted by hackers due to its small market share. Such an example would have been Firefox on Linux when Windows and IE dominated the web.  At the time, Firefox wasn't less vulnerable than IE, but it was less exploited due to its marginal market share. This method is of course limited to tech geeks willing to invest in installing, learning and dealing with exotic platforms at a rapid pace.  But this won’t work for the masses, who may not have the time nor the expertise to learn a new browser.
  • For consumers, use newer browsers:  We do know that while safer cars (up until now) did not dramatically reduce the number of accidents, they do dramatically reduce the number of casualties. So, if randomly accessing an infected page is like having an accident, you’d better be driving a 2011-model browser (IE9, updated Chrome, etc.) and not an AMC Pacer (IE6). The problem is that when we drive on the road we assume that everyone else is trying to avoid accidents rather than planning for them to happen. This is clearly not the case when navigating cyberspace, where someone is constantly plotting to get us into accidents.

 

December 18, 2011
 LulzXmas Interview

Interesting interview on Anonymous' site explaining "Spirit of LulzXmas," a hacking campaign that claims to have "spent over $76,000 of the banks lovely money."  (For more on who actually funds these campaigns, read here.)  There is no way to corroborate whether any of this is true, but it is interesting to see how hacktivism continues to evolve.

Some highlights:

  • The objective:  "aiming for a million by xmas"
  • The process
    • "we hack massive hosts to get the VPS’s [virtual private server] and domains etc then we hit banks accounts terminals to literally steal from the rich and put in virtual e-credit cards"
    • They also use SQL injection.  In one case, they stole clothes online:  "the website was SQLi vuln so we hacked it"
  • The impact:  they claim to have stockpiled "25 x $50K" in virtual credit cards.  They're using this to buy
    • Apple products: "iPods, iPads, iphones etc iPad is more asked 4"
    • Pizzas for the occupy movements.

One question the interviewer failed to ask:  "How do you feel about raising credit card and banking fees for the 99% as a result of your hacking campaign?"

 

December 14, 2011
 Enterprise Password Worst Practices

Nearly two years ago, Imperva's ADC published a detailed analysis of 32 million breached passwords in our report Consumer Password Worst Practices.  Today, Tsvika Klein from Imperva's ADC published a "sequel", Enterprise Password Worst Practices.  The report is available here (no registration required).  

Our first report was aimed at consumers.  This second one is aimed at the IT geeks who manage the technical infrastructure that safeguards passwords.

Our contention:  Instead of consumers, we believe responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline. Passwords should be viewed by security teams as highly valuable data.  We hope this paper guides enterprises to rectify poor password management practices.

The report details:

  • How hackers bypass the security controls that protect passwords.
  • Popular, key online resources hackers employ, including one website containing 50 billion possible password permutations.
  • Key steps that Imperva recommends IT teams within enterprises undertake in order to mitigate password breaches.