Webcertiv Website Security Suite – Web Security for the Masses

Tuesday, March 27th, 2012

Does your company have money to spend on web security? Chances are you have a (very) limited security budget, and you wouldn’t be alone. In the face of financial hardship, companies looking to cut costs often drop expensive security products and services from their budgets before anything else. Realizing this trend, Webcertiv has launched the Webcertiv Website Security Suite, an affordable, cloud-based security suite providing automated website vulnerability scanning, content integrity verification, and availability and denial-of-service monitoring. Security services can be deployed within a few minutes of creating an account, and the solution requires no hardware or software on the part of the customer. In addition, all security services can be configured, managed, and monitored from a single web-based interface. Best of all, Webcertiv offers a free version of the service for smaller websites. Now, there’s one less excuse for neglecting the security of your website!

Categories: General Security, Security News, Security Tools, Web Applications, Website Security

Stealing ATM PINs Using Thermal Imaging

Wednesday, August 17th, 2011

Residual heat signatures detected by a thermal imaging camera

At the USENIX Security Symposium in San Francisco, researchers from the University of California at San Diego presented a paper on using thermal imaging to steal ATM PINs. In their paper, entitled Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, Keaton Mowery, Sarah Meiklejohn, and Stefan Savage describe how thermal cameras can be used to detect which keys have been recently pressed on a numeric keypad based on residual heat left from key presses.

Categories: Password Management, Physical Security, Security News

Got a security question? Ask an expert!

Tuesday, July 26th, 2011

Do you ever wish you could get your information security questions answered without the hassle of searching the Internet, posting to an online forum, or visiting the bookstore? Well, look no further. Get your questions answered now using our Ask a Security Expert service. It’s a free service for IT professionals and small business owners. Systems administrators, software developers, and IT managers alike will benefit from this no-strings-attached service.

Categories: General Security, Secure Mind Labs News

Enterprise Security Tip #2: Strengthen the Weakest Security Link First

Monday, July 25th, 2011

When performing penetration testing, we consistently gain access to hosts and applications using educated password guessing attacks. This is especially true of web applications, which often 1) maintain their own database of user accounts and 2) lack adequate password policy enforcement. One of the most successful techniques involves sweeping a list of usernames for weak passwords. You begin by compiling a list of valid usernames (see 8 Ways Your Website Could Be Leaking Login IDs for more information on how this might be done in the wild). Once you’ve collected a sizable list of usernames, you attempt to authenticate to each account using a very small set of weak passwords (e.g. password, password1, password123, Password1, 123456, 654321, etc.). By keeping the number of passwords small, this technique avoids triggering account lockouts, and it’s highly effective against relatively large lists (100 or more usernames). It even works against applications that require complex passwords but fail to filter out weak combinations such as Password1, Password2, and Password123.

We bring up this attack because it highlights one of the primary weaknesses in many systems – poorly chosen passwords. How do you eliminate this weakness? By preventing users from choosing weak passwords in the first place. This is accomplished through a combination of password policy definition and enforcement within your applications.
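As an added example (not Secure Mind Labs’ code), a Python password-policy check in the spirit of the advice above: it shows that the usual complexity rule accepts Password1, while a policy that also reduces each candidate to its base word rejects Password1, Password2 and P@ssw0rd123 alike. The weak-password list and base-word list are constructed for illustration; a real deployment would load a large breached-password list.

```python
"""Password policy that rejects 'complex but weak' passwords.
Added example; the word lists below are constructed, not a real corpus."""
import re

# Constructed: the exact weak passwords named in the post, plus a few staples.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "654321",
    "qwerty", "letmein", "welcome",
}

# Constructed: any candidate that reduces to one of these is weak
# (Password2, Password123, P@ssw0rd1 all reduce to "password").
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Common symbol/digit substitutions users apply to dictionary words.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s"})


def meets_complexity(pw: str) -> bool:
    """The naive check many applications stop at: length plus character classes."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a candidate to its base word: lowercase, strip leading/trailing
    digits and punctuation, then undo leet substitutions (P@ssw0rd123 -> password)."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def password_policy_violations(pw: str, username: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("complexity")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if normalize(pw) in WEAK_BASE_WORDS:
        reasons.append("weak base word")
    if username and username.lower() in pw.lower():
        reasons.append("contains username")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1", "Password2", "P@ssw0rd123", "Tr0ub4dor&3x7Q"):
        print(candidate, meets_complexity(candidate), password_policy_violations(candidate))
```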

Categories: General Security, Password Management, SML Enterprise Security Tips, Web Applications

8 Ways Your Website Could Be Leaking Login IDs

Thursday, July 21st, 2011

Hackers frequently gain access to computers and applications using compromised usernames and passwords. While phishing attacks account for a large percentage of compromised accounts, there are other techniques employed by attackers to identify valid login IDs for use in password guessing attacks. Here are eight ways that your website could be leaking login IDs…

Categories: Information Leakage, Website Security

Enterprise Security Tip #1: Keep a Watchful Eye on Web Traffic

Thursday, July 14th, 2011

Welcome to the first post in the SML Enterprise Security Tips series. In this post, we’re going to discuss a danger present in many enterprise networks: HTTP port and protocol abuse.

Let’s start with a scenario. Like all good security administrators, you have installed a firewall between your internal network and the Internet, and you’ve configured the firewall to allow only those services required by your employees, customers, and partners. One day, you notice an unusually large amount of traffic originating from a desktop on your internal network to a host on the Internet. You inquire with the user of the computer, but he knows nothing about what’s going on. Fearing that the computer has been compromised, you remove it from the network. You later hear about a large distributed denial-of-service (DDoS) attack against a high-profile U.S. government agency. After further inspection of your firewall logs, you realize that your host was likely involved in the attack.

Categories: Information Leakage, Network Security, SML Enterprise Security Tips

The “SML Enterprise Security Tips” Series is Here

Wednesday, July 13th, 2011

As information security professionals, we invest considerable time, effort, and money into staying just one step behind crackers and cyber criminals (yes, you read that correctly, one step behind). No sooner do we implement a cool new security technology to combat an existing threat than the hacker community devises a new type of attack. Keeping up with the growing list of possible threats and attack vectors is a daunting task. It’s a never-ending battle that requires vigilance, insight, and persistence. To keep you abreast of existing and emerging security threats and technologies, we’re launching SML Enterprise Security Tips – a collection of practical tips, tricks, and security insight for enterprise security administrators, architects, developers, and managers. So, stay tuned!

The Secure Mind Labs Team

Categories: General Security, Security News, Security Tools, SML Enterprise Security Tips

Do You Need a Web Application Security Assessment?

Friday, July 8th, 2011

“My web server was tested in our last network vulnerability assessment. Do I need a separate web application security assessment?”

We get asked this question often. The (not so) simple answer is… it depends. Network vulnerability assessments typically identify vulnerabilities in the host operating system and web server software. Web application security assessments, on the other hand, identify coding and logic flaws within the security framework of web applications. A comprehensive web application testing methodology takes into account user roles, business logic, and application context – three things that automated vulnerability scanners don’t do well. Consequently, your network vulnerability assessment probably won’t provide much feedback in these areas.

Categories: Web Applications, Website Security

Metadata Extraction – Is Your Website Leaking Information?

Wednesday, June 29th, 2011

If you’re reading this post, chances are you’re concerned about website security. As a responsible website owner or systems administrator, you have considered the obvious security precautions. You’ve placed your web server behind a firewall, you keep your web server software updated and patched, you use strong passwords, and you encrypt sensitive traffic sent between web browsers and your server. However, if your website hosts Microsoft Office, Open Office, Word Perfect, or PDF files (among others), you may be leaking more information than you think.

Categories: Information Leakage, Security Tools, Website Security

Secure Mind Labs Blog Goes Live

Monday, June 27th, 2011

Welcome to the official blog of Secure Mind Labs! Stay tuned for security insight, tips, tricks, and tools to improve your security knowledge and awareness.

Categories: General Security