[SecurityRatty] tag: woes

Online Finance Flaws: An Awareness Campaign

Sat, 29 Nov 2008 19:08:00 +0000

Here begins a series regarding web application security inadequacies in online financial service offerings. The services to be discussed will include banks, credit unions, credit card companies, and others. As the economy struggles profoundly, and much of the blame points at the financial sector, I believe it important to point out the false sense of security so many brand-name financial services wrongly instill in their customers.
Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.

Links List 11.17.08

Mon, 17 Nov 2008 19:35:52 +0000

Wow. I think we all know that we can take or leave surveys – numbers don’t mean a lot without context. In this case the “context” is the current economic meltdown. The Society for Information Management (SIM) released the results of their 2008 IT Trends Survey – predicting an “upbeat” forecast for IT jobs; the HUGE caveat here is that the study was conducted before all the recent economic woes. Apparently organizations are using IT to drive efficiencies, streamline operations, and cut costs rather than just slashing the IT budget to save money during the downturn. What would be a nice follow-up: a quick second survey comparing responses before and after. Regardless Jerry Luftman, SIM vice president of academic affairs, still says the survey results demonstrate “that the overall state of IT remains very strong.”

The sky is falling! Trip Chowdhry, the analyst with Global Equities Research who claimed Red Hat was ‘rubbish and the entire LAMP stack is potty, too’ published some eye-opening predictions, predominantly negative, about tech business in Silicon Valley. Now Chowdhry claims that “almost every VC funded open-source company is struggling and will run out of money within the next six months.” (Probably not the most unbiased guy about open source) Matt Asay argues that organizations in general are struggling, but open-source companies are not that high on the list. (But are they high on the VC “axe” list??) He notes Alfresco, Pentaho and JasperSoft are some of the players with ‘millions in the bank and growing revenue.’ Asay also says Chowdhry has a responsibility to do real due diligence and not create myths. Take that, Chicken Little! (img from Disney-Clipart)

We’re not as far behind as we thought we were. Google presented the results of a study they conducted about how IPv6- capable “ordinary users” are at the RIPE meeting in Dubai a few weeks ago. Turns out Apple Macs drive IPv6 penetration in the US. Fifty-two percent of all IPv6 users in the U.S. own a Mac and use 6to4 (creating IPv6 addresses from an IPv4 address and tunneling packets) – making the US fifth in the list of countries using IPv6. Russia and France took first and second place with .76 and .65 percent IPv6-enabled traffic . The US is at .45 percent. Worldwide, 0.238 percent of Google users’ systems are IPv6-enabled and prefer to use IPv6 over IPv4.

Obama’s win = Google’s win? Apparently Google CEO Eric Schmidt and President-Elect Obama are very good buddies and “this terrifies Microsoft”. Now competitors are more on guard against Google’s growing empire and popularity. Although Schmidt was mentioned as a possible candidate for the country’s new national CTO position, he said he would not accept the post if asked. I guess that’s one less thing Microsoft has to worry about.

Google deals, Microsoft's Azure, IT money woes

Thu, 30 Oct 2008 21:00:00 +0000

Google proposed settling lawsuits related to its book-scanning and indexing project, and word also seeped out through The Wall Street Journal that the company's search advertising deal with Yahoo could be scrapped because of regulatory issues. Meanwhile, Microsoft unveiled its Azure cloud-computing services strategy.

Clickjacking causing Browser woes

Sun, 12 Oct 2008 19:16:28 +0000

The article is a good explanation of what happens with Clickjacking and how to take steps to defeat it.

clipped from peterhgregory.wordpress.com

Stop “clickjacking” with Firefox and?NoScript

Clickjacking is one of the newest and most dangerous web browser vulnerabilities discovered to date. Every browser is vulnerable, even those that can defend against the similar Cross Site Request Forgery (CSRF) vulnerability.

How clickjacking works: when you visit a compromised web site, your browser loads an invisible button that hovers below the mouse pointer. When you visit a legitimate site like online banking or e-mail, when you click on a link, you’re actually clicking the invisible button placed there by the malicious code. As explained by Jeremiah Grossman, CEO of Whitehat Security:

Why some security pros hate SharePoint

Fri, 10 Oct 2008 00:00:00 +0000

Some SharePoint customers are finding that it's difficult to automate user administration, among other woes.

Poor records organization at root of Palm Beach County recount woes

Tue, 16 Sep 2008 09:00:00 +0000

In the wake of a voter recount controversy in a South Florida county, election officials are being advised to use better record-keeping and filing and additional oversight.

Palm Beach County's election woes continue

Mon, 08 Sep 2008 09:00:00 +0000

A close election in a Florida county triggers recounts that aren't matching up with the number of ballots that were cast.

Black Hat spotlights virtualization, DNS issues

Fri, 08 Aug 2008 09:00:00 +0000

DNS woes, Cisco's return, and a gimlet eye cast on the virtualization craze -- if you couldn't bring yourself to brave Vegas in August, the Black Hat wrapup brings the highlights to you.

TOP 10 - Hacks, more hacks, Ballmer on Yahoo, OLPC woes

Thu, 24 Apr 2008 20:00:00 +0000

Those nasty JavaScript attacks that besieged thousands of Web sites from January until March started back up again this week, with the hackers setting up shop at a Chinese IP address. Meanwhile, security officials in China expressed worries that computer systems there will be hacked during the Olympics in August, even as hackers went after the CNN site and defaced a sports page with a message that Tibet is part of China, now and forever. Elsewhere, Steve Ballmer said Microsoft is prepared to carry on even if it does not succeed in buying Yahoo, OLPC head Nicholas Negroponte vexed open-source developers with his push to make the XO laptop interface Windows-compatible and a federal court said it's OK for customs agents to spark up our laptops and look over the contents, just because they can.

INFOSEC - SANS: Pressure on vendors can prevent security woes

Tue, 22 Apr 2008 20:00:00 +0000

Companies are having more success in pressuring software vendors into baking security into their products, a trend that vendors are resisting less, the director of research for the SANS Institute said Wednesday.