Don’t Take Vulnerability Counts At Face Value
A posting from Dark Reading in their Vulnerability Management section: In 2012, there were 5,291 vulnerabilities documented by security researchers and software firms. Wait, no, make that 8,137. No, 9,184. Well, it could even be 8,168 or 5,281.
In reality, the exact number of vulnerabilities reported in different databases each year varies widely, by as much as 75 percent in 2012. The fundamental problems in counting vulnerabilities, along with the issues assigning a meaningful severity to each vulnerability, mean that analyses based on the data should be treated with skepticism, argue two security professionals who plan to outline problems with vulnerability data at Black Hat in Las Vegas later this summer.
Researchers Brian Martin, content manager of the Open Source Vulnerability Database (OSVDB), and Steve Christey, principal information security engineer in the security and information operations division at The MITRE Corporation, say that the goal of their talk is to not only point out unreliable data but also to help people pinpoint what reports are based on such shaky foundations.
To read more click here:
New OWASP Top 10 Reflects Unchanged State Of Web Security
A posting from Dark Reading in their Application Security section:
The oft-cited and oft-debated OWASP Top 10 list of the most critical vulnerabilities in Web applications got an update this week, with the most prevalent flaw, injection, remaining at the number one slot.
Injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, cross-site request forgery (CSRF), using known vulnerable components, and unvalidated redirects and forwards round out the Top 10 list, respectively. XSS actually dropped down a slot from the number two position in 2012, and broken authentication/session management moved up.
According to OWASP, the jump in broken authentication and session management is most likely due to these bugs being scrutinized more closely. “We believe this is probably because this area is being looked at harder, not because these issues are actually more prevalent,” OWASP wrote in its report on the new list of Web app flaws.
CSRF dropped from number five to eight, mainly due to developers doing a better job in eliminating those flaws, according to OWASP.
To read more click here:
Best Practices for Creating a Password
Passwords are usually the first line of defense when it comes to protecting computers and information assets. What happens when that first line of defense is not properly created? I think we already know…
One of the best ways to create a strong password is to create a pass-phrase.
One of the easiest passwords to remember, and one of the harder ones to guess, is a pseudo-random password derived from a pass-phrase that matters to you. The phrase can be a line from a book you particularly like, a lyric from a song you always remember with ease, or a statement by some powerful figure that you will NEVER forget. The key to a successful password is a phrase that is easy for you to remember but that no one else would think to associate with you. A famous quotation or lyric taken verbatim is a poor choice on its own, because well-known lines end up in attackers' word lists, so prefer something personal and unpublished.
Example of a Good Pass-phrase:
pass-phrase: My brother's birthday is April twenty second, nineteen eighty-three
The pass-phrase translated to a password: MbbiAts1983 (the first letter of each word, keeping the case in which the phrase is written, with the year written as digits)
Two caveats a practitioner will want. First, the derived password is only eleven characters long, and the shape "initials followed by a four-digit year" is a pattern an attacker can target directly, so the derived password is weaker than the full pass-phrase it came from; where a system allows long passwords, use the whole phrase. Second, the example is built on a family birthday, which relatives know, so in practice pick a fact that is harder for others to discover.
Cybersecurity hearing: NSA head Keith Alexander testifies in front of Senate - LIVE VIDEO
Gen. Keith Alexander, the head of the National Security Agency, is testifying in front of the Senate Appropriations Committee
A World of Vulnerabilities – InfoSec Institute
An article by Pierluigi Paganini:
Introduction
Every day, we read about cyber-attacks and data breaches, incidents that represent in many cases a disaster for private companies and governments. Technology plays a significant role in our lives; every component that surrounds us runs a piece of software that could be affected by flaws and exploited by those with ill intentions.
Of course, the impact of these vulnerabilities depends on the nature and scope of the exposed software. Some applications are more commonly used, and their vulnerabilities could expose users to serious risks. Take for example the recent vulnerability discovered in Skype, in which a bug allowed an attacker to obtain full access to any Skype account by simply knowing the email address used by a victim during the creation of the account.
The possible damage that the exploit of a vulnerability could do depends on different factors such as the level of diffusion of the application compromised, the previous knowledge of the vulnerabilities, and the context in which the compromised application is used.
Zero-day vulnerabilities
In the wide universe of vulnerabilities, zero-day vulnerabilities represent a real nightmare for security experts. Knowledge of any leak about them makes it impossible to predict how and when they could be exploited. This characteristic makes their use ideal in state-sponsored attacks and in the development of cyber weapons.
Interest in the discovery of unknown vulnerabilities for a widespread application has totally changed the role of hackers. In the past, they were figures who kept away from government affairs; today, the industry and even intelligence agencies have launched a massive recruitment campaign for this new type of expertise.
Profiting from these vulnerabilities can be done through different channels: flaws could be sold to the makers of the compromised application; a government interested in exploiting a flaw could acquire it to conduct cyber-attacks against hostile countries; or it could be sold in the underground market.
Around this concept of vulnerability grew a market in which “instantaneity” of any transaction is a fundamental factor. Once a new bug is found and exploited, the researcher must quickly identify possible buyers, contact them to negotiate a price, and then complete the sale. Timing is crucial; the value of the sale could decay to zero if any third party preemptively divulges information on the vulnerability.
Read more at the InfoSec Institute’s Blog
Was Microsoft’s takedown of Citadel effective?
A posting from Naked Security:
As we mentioned last week, Microsoft recently fought back against more than 1,400 Citadel botnets by sinkholing their Command and Control (C&C) infrastructure.
SophosLabs has been monitoring Citadel for some time, including individual botnets such as those targeting Canadian institutions, so I decided to take a closer look at the impact of the takedown.
I took a snapshot of the active Citadel botnets we are currently seeing and cross referenced 72 C&C servers with the list published by Microsoft.
Then, I verified where the DNS records of those servers were now pointing.
Worryingly, I found that 51% of the 72 domains analysed did not appear in Microsoft’s published list.
A more worrying 20% of the Citadel domains were on Microsoft’s list but were not ending up at the sinkhole.
This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners.
Furthermore, as described by Swiss researchers at abuse.ch, Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown.
To read more click here:
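The check the Naked Security post describes, cross-referencing observed Citadel C&amp;C domains against the published takedown list and then verifying where each listed domain now resolves, as an added Python example that is not part of the post or of SophosLabs' tooling. The domain names, the "published list", the DNS answers and the sinkhole netblock (203.0.113.0/24, a documentation range standing in for the real sinkhole addresses) are all constructed for the example; the resolver is injected so the code runs offline, and a domain counts as sinkholed only if every A record lands in the sinkhole netblock.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed sinkhole netblock (documentation range); replace with the real one.
SINKHOLE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class TakedownCheck:
    observed: int
    not_on_list: list = field(default_factory=list)        # observed C&C, absent from the list
    sinkholed: list = field(default_factory=list)          # listed and pointing at the sinkhole
    listed_not_sinkholed: list = field(default_factory=list)  # listed but resolving elsewhere
    listed_unresolved: list = field(default_factory=list)  # listed, no A record at all

    def pct(self, items) -> float:
        """Share of the observed C&C set, as in the post's percentages."""
        return round(100.0 * len(items) / self.observed, 1) if self.observed else 0.0


def is_sinkholed(addresses, nets=SINKHOLE_NETS) -> bool:
    """True when the domain resolves and every address is inside a sinkhole net."""
    if not addresses:
        return False
    return all(any(ipaddress.ip_address(a) in n for n in nets) for a in addresses)


def assess_takedown(observed_cc, published_list, resolve, nets=SINKHOLE_NETS) -> TakedownCheck:
    """Classify each observed C&C domain against the published list and DNS."""
    published = {d.lower().rstrip(".") for d in published_list}
    check = TakedownCheck(observed=len(observed_cc))
    for domain in observed_cc:
        name = domain.lower().rstrip(".")
        if name not in published:
            check.not_on_list.append(name)
            continue
        addrs = resolve(name)
        if not addrs:
            check.listed_unresolved.append(name)
        elif is_sinkholed(addrs, nets):
            check.sinkholed.append(name)
        else:
            check.listed_not_sinkholed.append(name)
    return check


# Constructed sample data: ten C&C domains seen in telemetry, six of which
# appear on the published list, and a fixed table of DNS answers.
OBSERVED = [f"cc{i}.example" for i in range(1, 11)]
PUBLISHED = [f"cc{i}.example" for i in range(1, 7)]
RESOLUTIONS = {
    "cc1.example": ["203.0.113.10"],                   # sinkholed
    "cc2.example": ["203.0.113.11"],                   # sinkholed
    "cc3.example": ["203.0.113.12"],                   # sinkholed
    "cc4.example": ["198.51.100.7"],                   # listed, but back in the operators' hands
    "cc5.example": ["203.0.113.13", "198.51.100.8"],   # split answer: not fully sinkholed
    "cc6.example": [],                                 # listed, no longer resolves
}


def offline_resolve(name):
    """Stand-in resolver over the constructed table (returns a list of IPs)."""
    return RESOLUTIONS.get(name, [])


if __name__ == "__main__":
    r = assess_takedown(OBSERVED, PUBLISHED, offline_resolve)
    print(f"not on published list:      {len(r.not_on_list)} ({r.pct(r.not_on_list)}%)")
    print(f"listed, sinkholed:          {len(r.sinkholed)}")
    print(f"listed, NOT sinkholed:      {len(r.listed_not_sinkholed)} ({r.pct(r.listed_not_sinkholed)}%)")
    print(f"listed, unresolved:         {len(r.listed_unresolved)}")
```

For a live check, pass a resolver such as `lambda n: socket.gethostbyname_ex(n)[2]` (wrapped to return an empty list on `socket.gaierror`) instead of `offline_resolve`; the "listed but not sinkholed" bucket is the one the post flags, since it means either the sinkholing never took effect or the domain has since been re-registered.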
