CSRF, or Cross-Site Request Forgery, is the most likely method of attack.
Broken Authentication is second.
Cross-Site Scripting (XSS) is third.
SQL Injection and security misconfigurations each also account for more than 10% of the vulnerability types.
The IBM report on the X-Force blog recounts the challenges a web application scanner faces in deciding when and what to scan.
One has to be careful about how production systems are scanned: if it is not done well, a vulnerability may go unexposed, or the production system may suffer ill effects.
We are aware of this in our product offerings.
Scan Solutions at Oversitesentry
Today Apple beat estimates (Deadline.com): 35.2 million iPhones sold.
Threatpost has the information about a “stream of data” on an iPhone.
It looks like Jonathan Zdziarski, a forensic scientist (on Twitter: @JZdziarski), found a backdoor in iOS; it is supposedly used by Apple for troubleshooting, diagnostics and enterprise.
Apple responded to Jonathan’s work, and he wrote about it on his blog.
Jonathan’s final comment on this backdoor is that he is skeptical that its purpose is purely diagnostic. It breaks the security model and does not inform the user of the lack of security on every iOS device. Specifically, he points out that the phone’s encryption can be circumvented through this unencrypted channel on the phone.
Specifically, his comment: “Tell me, what is the point in promising the user encryption if there is a back door to bypass it?”
Good point Jonathan!
KrebsOnSecurity has a good rundown of what we know so far. Basically there has been a breach, some credit card companies are noticing bad traffic, and the US Secret Service is involved.
On July 17th the first card companies noticed suspicious traffic.
There is no other information in the news reports.
Goodwill Industries International’s own press release does not confirm an actual breach, only an investigation.
From Bradley Susser’s blog, bot24.blogspot.com
Direct link to the science papers
I like Back to Basics, where the paper reviews our bad security model, which used to work when networks were small and the computers on the inside were fixed and protected from systems on the Internet.
Today’s security model is one where new devices get set up internally, or malware is on the inside network, which is not secure and could be compromising the internal network. Or the cloud has permissions and could be compromised in new ways.
The network is no longer of a fixed type; there are a lot of grey areas. The suggestion is to increase the granularity of the network building blocks where security can be tested or built in, somewhat like testing the network traffic packet by packet. They also discuss building blocks in the virtual machine area, where each application is tested.
The idea is to get people thinking closer to 100% secure environments, rather than the risk-based models of today.
The kill chain discussing the Target data breach is also on this site, with the details of the theft of Target’s 40 million credit card numbers.
A default account name on BMC software was one of the culprits; one needs a good testing plan, with both internal testing and external independent audits or scans.
(We can do an independent audit or scan of your network.)
There are many other good papers.
CBS Local in New York has an audio spot.
$14 million in 2 days in 17 countries on 15,000 ATM devices.
Apparently JPMorgan Chase processed debit card transactions for the American Red Cross.
The hackers increased the withdrawal limits on the debit cards and then used the card information to withdraw money all over the world.
It took 2 years for the authorities to prosecute Qendrim Dobruna (Albanian). He was apprehended in 2012, and on 7/11 he pled guilty.