Q2 report by IBM X-Force: 23% of websites vulnerable.

CSRF, or Cross-Site Request Forgery, is the most likely method of attack.

Broken Authentication is second.

And cross-site scripting (XSS) is third.

SQL injection and security misconfiguration also each account for more than 10% of the vulnerability types.


OWASP vs IBM

The IBM report on the X-Force blog recounts the challenges a web application scanner faces in deciding when and what to scan.

One has to be careful with how production systems are scanned. If not done well, a vulnerability may go undetected, or the production system may suffer ill effects.


We are aware of this in our product offerings.

Scan Solutions at Oversitesentry


Apple beats estimates, what is this backdoor in iOS?

Today Apple beat estimates (Deadline.com), with 35.2 million iPhones sold.

Threatpost has the info about a “stream of data” on an iPhone.

It looks like Jonathan Zdziarski, a forensic scientist (on Twitter: @JZdziarski), found a backdoor in iOS; it is supposedly used by Apple for troubleshooting, diagnostics and enterprise purposes.


Apple responded to Jonathan’s work, and he wrote about it on his blog.


Jonathan’s final comment on this backdoor is that he is skeptical that its purpose is purely diagnostic. It breaks the security model and does not inform the user of the lack of security on every iOS device. Specifically, he points out that the phone’s encryption can be circumvented through this unencrypted channel on the phone.

In his own words: “Tell me, what is the point in promising the user encryption if there is a back door to bypass it?”

Good point Jonathan!


Another CC breach, at Goodwill Industries, or not?

KrebsOnSecurity has a good rundown of what we know so far. Basically there has been a breach, some credit card companies are noticing bad traffic, and the US Secret Service is involved.

On July 17th the first card companies noticed suspicious traffic.

There is no other information in the news reports.

Goodwill Industries International’s own press release does not confirm an actual breach, only an investigation.

Excellent collection of security computing scientific papers

From Bradley Susser’s blog, bot24.blogspot.com

Science papers direct link

I like Back to Basics, where the paper reviews our bad security model, which used to work when networks were small and fixed, with computers on the inside protected from systems on the Internet.


Today the reality is that new devices get set up internally, or malware is already on the inside network; these are not secure and could be compromising the internal network. Or the cloud has permissions and could be compromised in new ways.

The network is no longer of a fixed type; there are a lot of grey areas. The suggestion is to increase the granularity of the network building blocks so that security can be tested or built in, sort of like testing the network traffic packet by packet. They also discuss building blocks in the virtual machine area, where each application is tested.

The idea is to get people thinking about environments that are closer to 100% secure, rather than the risk-based models of today.

The kill chain analysis of the Target data breach is also on this site, with the details of how 40 million Target credit card numbers were stolen.

A default account name on BMC software was one of the culprits; one needs a good testing plan, with both internal testing and external independent audits or scans.

(We can do an independent audit /scan of your network)

There are many other good papers.


Computer hacker pleads guilty on ATM fraud

CBS Local in New York has an audio spot.

$14 million in 2 days, in 17 countries, on 15,000 ATM devices.

Apparently JPMorgan Chase processed debit card transactions for the American Red Cross.


The hackers increased the withdrawal limits on the debit cards and then used the card information to withdraw money all over the world.


It took 2 years for the authorities to prosecute Qendrim Dobruna (an Albanian). He was apprehended in 2012, and on 7/11 he pled guilty.