Category: Uncategorized

There are many different types of attacks hackers can conduct in order to take partial or total control of a website. In general, the most common and dangerous ones are SQL injection and cross-site scripting (XSS).

SQL injection is a technique to inject a piece of malicious code in a web application, exploiting a security vulnerability at the database level to change its behavior. It is a really powerful technique, considering that it can manipulate URLs (query string) or any form (search, login, email registration) to inject malicious code. You can find some examples of SQL injection at the Web Application Security Consortium.

There are definitely some precautions that can be taken to avoid this kind of attack. For example, it’s a good practice to add a layer between a form on the front end and the database in the back end. In PHP, the PDO extension is often used to work with parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. Another really easy technique is character escaping, where all the dangerous characters that can have a direct effect on the database structure are escaped. For instance, every occurrence of a single quote [‘] in a parameter must be replaced by two single quotes [”] to form a valid SQL string literal. These are only two of the most common actions you can take to improve the security of a site and avoid SQL injections. Online you can find many other specific resources that can fit your needs (programming languages, specific web applications …).

The other technique that we’re going to introduce here is cross-site scripting (XSS). XSS is a technique used to inject malicious code in a webpage, exploiting security vulnerabilities of web applications. This kind of attack is possible where the web application is processing data obtained through user input and without any further check or validation before returning it to the final user. You can find some examples of cross-site scripting at the Web Application Security Consortium.

There are many ways of securing a web application against this technique. Some easy actions that can be taken include:
Stripping the input that can be inserted in a form (for example, see the strip tags function in PHP);
Using data encoding to avoid direct injection of potentially malicious characters (for example, see the htmlspecialchars function in PHP);
Creating a layer between data input and the back end to avoid direct injection of code in the application.

SQL injection and cross-site scripting are only two of the many techniques used by hackers to attack and exploit innocent sites. As a general security guideline, it’s important to always stay updated on security issues and, in particular when using third party software, to make sure you’ve installed the latest available version. Many web applications are built around big communities, offering constant support and updates.
To give a few examples, four of the biggest communities of Open Source content management systems—Joomla, WordPress, PHP-Nuke, and Drupal—offer useful guidelines on security on their websites and host big community-driven forums where users can escalate issues and ask for support. For instance, in the Hardening WordPress section of its website, WordPress offers comprehensive documentation on how to strengthen the security of its CMS. Joomla offers many resources regarding security, in particular a Security Checklist with a comprehensive list of actions webmasters should take to improve the security of a website based on Joomla. On Drupal’s site, you can access information about security issues by going to their Security section. You can also subscribe to their security mailing list to be constantly updated on ongoing issues. PHP-Nuke offers some documentation about Security in chapter 23 of their How to section, dedicated to the system management of this CMS platform. They also have a section called Hacked – Now what? that offers guidelines to solve issues related to hacking.

Some ways to identify the hacking of your site
As mentioned above, there are many different types of attacks hackers can perform on a site, and there are different methods of exploiting an innocent site. When hackers are able to take complete control of a site, they can deface it (changing the homepage), erase all the content (dropping the tables of your database), or insert malware or cookie stealers. They can also exploit a site for spamming, such as by hiding links pointing to spammy resources or creating pages that redirect to malware sites. When these changes in your application are evident (like defacing), you can easily spot the hacking activity; but for other types of exploits, in particular those with spammy intent, it won’t be so obvious. Google, through some of its products, offers webmasters some ways of spotting if a site has been hacked or modified by a third party without permission. For example, by using Google Search you can spot typical keywords added by hackers to your website and identify the pages that have been compromised. Just open google.com and run a site: search query on your website, looking for commercial keywords that hackers commonly use for spammy purposes (such as viagra, porn, mp3, gambling, etc.):

[site:example.com viagra]

If you’re not already familiar with the site: search operator, it’s a way to query Google by restricting your search to a specific site. For example, the search site:googleblog.blogspot.com will only return results from the Official Google Blog. When adding spammy keywords to this type of query, Google will return all the indexed pages of your website that contain those spammy keywords and that are, with high probability, hacked. To check these suspicious pages, just open the cached version proposed by Google and you will be able to spot the hacked behavior, if any. You could then clean up your compromised pages and also check for any anomalies in the configuration files of your server (for example on Apache web servers: .htaccess and httpd.conf).
If your site doesn’t show up in Google’s search results anymore, it could mean that Google has already spotted bad practices on your site as a result of the hacking and may have temporarily removed it from our index, due to infringement of our webmaster quality guidelines.

In order to constantly keep an eye on the presence of suspicious keywords on your website, you could also use Google Alerts to monitor queries like:
site:example.com viagra OR casino OR porn OR ringtones

You will receive an email alert whenever these keywords are found in the content of your site.

You can also use Google’s Webmaster Tools to spot any hacking activity on your site. Webmaster Tools provide statistics about top search queries for your site. This data will help you to monitor if your site is ranking for suspicious unrelated spammy keywords. The ‘What Googlebot sees’ data is also useful, since you’ll see whether Google is detecting any unusual keywords on your site, regardless of whether you’re ranking for them or not.

If you have a Webmaster Tools account and Google believes that your site has been hacked, often you will be notified according to the type of exploit on your site:

If a malicious third party is using your site for spammy behaviors (such as hiding links or creating spammy pages) and it has been detected by our crawler, often you will be notified in the Message Center with detailed information (a sample of hacked URLs or anchor text of the hidden links);
If your site is exploited to place malicious software such as malware, you will see a malware warning on the ‘Overview’ page of your Webmaster Tools account.

Hacked behavior removed, now what?
Your site has been hacked or is serving malware? First, clean up the malware mess and then do one of the following:
-If your site was hacked for spammy purpose, please visit our reconsideration request page through Google’s Webmaster Tools to request reconsideration of your site;
-If your site was serving malware to users, please submit a malware review request on the ‘Overview’ page of Google’s Webmaster Tools.

http://googlewebmastercentral.blogspot.com/2009/02/best-practices-against-hacking.html

But data could be initially loaded to the SaaS application, then updated regularly or updated in real time using Web services.

In addition, Gartner said, businesses need to remember that SaaS applications can be customized and are no longer only for basic functions.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128347&source=NLT_PM

Information security management standard (ISMS) ISO/IEC 27001 encourages organisations to bring technical decision making about information security controls into a business-driven risk-based framework. This challenges all parties involved in information security management to communicate effectively, especially between technical and non-technical staff about effective security control implementation.

The guide’s author, Brian Honan, is widely recognised as an industry expert on information security and, in particular, on the ISO27001 information security standard.

A member of the Information Systems Security Association, the Irish Information Security Forum, and the Information Systems Audit and Control Association, Brian established Ireland’s first ever national Computer Security Incident Response Team.

“Written in non-technical language and in a style that makes its content accessible to non-technical ISO27001 project managers, Brian’s invaluable study will give IT security practitioners the information and knowledge they need,” says Alan Calder, Chief Executive of the book’s publishers, IT Governance.

IT Governance is ‘non-geek’, approaching IT issues from a non-technology background and talking to management in its own language.

http://www.emediawire.com/releases/2009/2/emw2084414.htm

According to a new study by security vendor McAfee of 1,000 IT decision makers, 41 percent said employee layoffs resulting from the recession represent the greatest threat to their computer security.

Organizations often over-extend their zones of trust to employees since they have a natural inclination to entrust them with privileges until their services are no longer needed or they do something to violate that trust.

For large companies executing mass layoffs—such as the 21,000-plus companies last year did—identity management is a major issue, says Brian Wolfe, co-founder and partner at Laurus Technologies, a solution provider in Itasca, Ill., that—among other things—specializes in security and identity management implementations.

“If you have large layoffs and you don’t have a provisioning system, and you’re going to revoke accounts manually, mistakes will be made,” Wolfe said.

Good identity management platforms—such as those offered by RSA Security, IBM, Courion and BMC Software—are more than just access control and single sign-on (SSO) applications. They create and provision accounts across networks and a broad array of applications based on employees’ specific job functions (role-based) or through group policies, manage accounts through the lifecycle of an account holder’s employment and, when necessary, ensure access rights are properly and thoroughly revoked when the person leaves—voluntary or involuntary—the organization.

Laurus Technologies service a number of enterprise’s identity management needs, and Wolfe says most are reaping the benefits of their investments now that they have to cut their labor forces. “For companies we’ve done implementations for, they’re able to bulk operations; they have a pretty easy time of disposing of a large number of accounts,” Wolfe says.

The situation is critical during a layoff or reduction in force, since an organization needs immediate revocation of network and application privileges to prevent pilfering of data and sabotage of systems.

http://www.channelinsider.com/c/a/Security/During-Layoffs-Superior-ID-Management-is-an-Imperative/

With the world economy in a state of turmoil, markets correcting themselves and employers reducing staff, the pull of illicit insider activity is stronger than ever. It may begin with the “dead wood,” but inevitably some companies are going to have to lay off talented IT and information security professionals. Illegal activities that once seemed unpalatable to out-of-work technologists may seem better than starving: Just as liquor store break-ins and gas n’ go crimes will increase, so will more sophisticated crimes, such as data theft and social engineering. While it may seem hard to imagine, criminal actions are often committed by former employees who rationalize the activity because they’re upset about losing their jobs.

The challenge for identity and access management professionals will be securing data from former employees who know the system from the inside out.

Defense strategies: Proactive IAM processes Locks keep honest people honest, or, in the case of identity and access management, account terminations keep honest people honest. Identity management and information security professionals will need to scrutinize their account-termination processes like never before, because leaving an unauthorized or former employee’s account active and enabling access to sensitive or valuable data could be catastrophic.

IAM and budget cuts: Using frameworks and documentation Another challenge in 2009 will be funding. Budget promises made in 2008 are sure to be forgotten as many companies adjust to the new economic reality. This will initiate an ongoing process that can be refined in the future, perhaps with more sophisticated technology, when finances are better. Personnel reductions may still be mandated, but data can help you make those hard decisions in an unbiased way and set management expectations from the start about the consequences of staff reduction.

Important statistics to keep may include how many accounts are under management, turnaround time for account creation and removal, reporting demands from various departments, and objects under management such as mainframe profiles and Active Directory groups.

Conclusion: In such a troubled economy, external threats will increase as well. It’s still essential to be on guard by making sure the controls for external risk mitigation are assessed as well. It’s clear that 2009 will be drastically different from 2008.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1344839_mem1,00.html?mo=1&Offer=SEsswn09IAM119

Following the survey, Clavister has called into question current IT security products and policies and asks what companies can do to address flaws that are integral to us all as human beings.

“The purpose of a security policy is rather simple – to keep malicious users out of a network while monitoring potential risky users within an organization.” Rather than write this off as an issue too broad to address, Clavister has developed a set of six recommendations for companies to consider.

1. Design the policy so that it’s easy to read and understand
2. Educate the users about the policy
3. Enforce consequences
4. Make it easy to do the right thing
5. Dictate a hierarchy of access permissions
6. Monitor & improve

http://www.continuitycentral.com/news04297.html