This brings to mind the current state of the cloud computing market. The mad gold rush of cloud services providers continues. Everyone wants a piece of the action.  These companies offer a variety of hosting services for IT infrastructure, platforms and applications.  The lure of moving to the cloud is obvious. Let someone else do it better, cheaper, more reliably and worry about the  details. More organizations are taking advantage. Companies, large and small, are moving their data, applications, and systems to one or more of the legion of providers out there.  This means more dependence on these providers for accessing business critical resources.  Although there are some obvious leaders in the cloud market today ( Google, Amazon, Salesforce), there are also a many smaller boutique providers that compete mostly on price.

In coming years, I expect the market to settle. Some providers will flourish, others will go down in flames or be acquired by one of the larger shops. These changes could have real consequences to customers. What happens if your provider is using proprietary technology and goes out of business?  Migrating to a new provider might be difficult. Doing your due diligence before selecting a provider is very important. Verifying the financial stability of the company and developing a strong service level agreement are key requirements.  Your SLA must address uptime, performance and security. The ability to audit your provider is also very important.

Many small businesses would not exist without the cloud. Building, hosting, and managing an IT infrastructure can be cost prohibitive. Choosing the right provider, however, may be the difference between success and failure.

Related posts:

1. The real arguments for Cloud Computing As more vendors dive into the cloud computing market, every...
2. Moving data storage to the cloud? What’s your business continuity plan? Many trumpet increased availability as a reason to move to...
3. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...

Google is apparently making this decision in response to the hacking attacks on late last year in China. The attackers  used vulnerabilities  in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code.  One could argue that if they had updated their browsers, the attacker would have had to find other vectors for attacks.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

Related posts:

1. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...
2. Microsoft says Do Not Call for Help! If it sounds like a horror movie….well, that’s because is...
3. Use Google Apps or Gmail? Avoid getting hacked! It can happen to the best of us. Blogger and...

The question is not  Cloud Computing vs. Open Source.  In fact, there are open source SaaS providers like MindTouch out there.  If considering a product like Nagios, a better comparison would be open source vs. commercial.  In many cases, cost is the determining factor for companies to look  to open source technologies. Other considerations include flexibility and security.

The more relevant  comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations,  IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies out-source.  Can someone else do it better for less?  Cost is ually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some.  Organizations have to really consider and make that determination themselves. Make a real comparision between their options and not just follow the typical vendor hype.

Related posts:

1. Exploring Cloud Computing Information Leakage If you are in cloud computing security (or part of...
2. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...
3. Moving data storage to the cloud? What’s your business continuity plan? Many trumpet increased availability as a reason to move to...

“Enterprise customers will get compensation tailored to each individual customer and will receive a combination including products, services and support,” a McAfee spokesman told ZDNet UK on Tuesday.

The concept of companies paying for damages caused by buggy software has been often discussed. Is this a step in that direction or is McAfee  just doing some good customer management ?

Source: http://www.zdnet.co.uk/news/security-management/2010/04/27/mcafee-to-compensate-businesses-for-buggy-update-40088779/?s_cid=938

Related posts:

1. If Microsoft can do it, why not McAfee? Yesterday, a faulty McAfee anti-virus update labeled a critical Microsoft...
2. SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks Across all industries, small businesses are increasingly facing new threats...
3. Skipfish-Web Scanning Security Tool from Google Google has released an open-source Web security scanner called Skipfish...

I couldn’t wait to get my hands on Assassin’s Creed II. It’s nice to be able to unwind for an hour or so at night, running across rooftops in 15th Century Venice, leaping on an unsuspecting Templar and burying my dual hidden blades in his neck. Well, it would be nice accept my wireless signal in my bedroom isn’t all that great (or maybe it’s a laptop hardware issue) and the game hangs every 2 mins for about 30 seconds because I lose my connection. Thanks to the Ubisoft’s always-online DRM. I have to be online at all times to play the game.

“Hackers have overcome Ubisoft’s controversial DRM system that relied on constant connection to the internet for games to function.

A crack for Ubisoft’s anti-piracy system published by a group called Skid Row allows gamers to circumvent the controls.  A message from the group on a gamers’ forum sets out the group’s agenda: allowing legitimate copies of PC games to be played without an internet connection, rather than facilitating piracy. Skid Row cheekily thanks Ubisoft for posing an interesting intellectual challenge.”

I understand Ubisoft’s desire to protect its products from pirates but this causes a great inconvenience to legitimate customers like myself. Not to mention, it only took about a a dayto crack it. It causes me all this aggravation with controls that only held up for 24 hrs ?

Silent Hunter NFO:

Ü ß               ßÜ    ÜþßßßþÜ      Û                ÜþßßßþÜ
°   ÛÜ     ²Ü     °    ÜÛÝ  ß       ²Ü     ßßÛÛÛÜÜ     ° ÜÛÜ     ²ÛÜ
ßÛÛÛÜ ²ÛÛÜ     ÜÜÛÛÛÜÜß    °   ²ÛÛÜÜÜÜÜÜÜÛÛÛÛÛÜ ° ÜÛÛßÛÛÜ ° ²ÛÛ²  °     Ü
ÜÛÛÛÛßßßßßß ²ÛÛ²  ²ÛÛÛÛßÛ²²²Û  ÜÜÜÜÜܲÛÛ² ²ÛÛ²  ²ÛÛ²ß ÜÛÛ²   ²ÛÛÜ ²ÛÛ² °°°  ÜÛ²
ßßßßßß²²²²Üß²²²ßß²²²Ü   ßßß  Û²²²ß  ²²²² ²²²²ßß²²²ÜÜ ²²²² ° ²²²² ²²²² °°° ²²²²
±±±±±  Þ±±±±ÛÞ±±  Þ±±±± ²²²²²Þ±±±± ° ±±±± ±±±±  Þ±±±±Ûܱ±± ° ±±±± ±±±± °°° ±±±±
°°°°° ° °°°°°Ý°° ° °°°°°°°°°°Þ°°°° ° °°°° °°°° ° °°°°°°°°° ° °°°° °°°°  Ü  °°°°
±±±±± ° ±±±±±Ý±± ° ±±±±±Ü±±±±±±±±± ° ±±±± ±±±± ° ±±±±±Ý±±± ° ±±±± ±±²ßÜÛÛÛÜß²±±
Þ²²²² °Þ²²²²²²²² °Þ²²²²²Ý²²²²Þ²²²²Ý  ²²²² ²²²² °Þ²²²²²²²²² ° ²²²² ²²²²²ß ß²²²²²
ßÛÛ² ÜÛ²ÛÛßÜÛÛß  ²ÛÛÛÛ²ÛÛÛß  ²ÛÛÛ²ÜܲÛ۲ܲÛß   ²ÛÛÛ² ßÛÛ²   ²ÛÛß ²ÛÛß ° ° ßÛÛ²
°  ßÜÛÛßß   Ûß   ÜÛ²ÛÛß Ûß  °  ÛÛÛÛÛßßß   ß  ° ÞÛÛ²ÛÝ ° ßÛÛÜÛÛß ° ²ß   °     ßÛ
Üßß    °     ÜÛÛÛßß  ° ßþÜÜþß ßßÛÛÛÛÜÜÜþß  °  ßßÛÛÛÜÜÜÜÜÛÛß Eboy
ßÜÜþß     þßß                                     ßßßßßß
S   K   i   D   R   O   W

Üß               ->  T H E   L E A D i N G   F O R C E   <-                 ßÜ
ßÜ                                                                          Üß
ßßßßßßßßßßßßßßßßßßß ßßßßß  ß proudly presents ß  ßßßßß ßßßßßßßßßßßßßßßßßßß
° ÛÛÛ²²²²±±°° Silent Hunter 5: Battle of the Atlantic / Ubisoft °°±±²²²²ÛÛÛ °
±ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜܱ
²                                                                           ²
²   RELEASE DATE : 03-03-2010               PROTECTION : Ubisoft DRM        ²
²   GAME TYPE    : Submarine Simulation     DISKS      : 1 DVD              ²
°                                                                           °
ßÛ²ßßßßßßßßßßßßßßßßÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßß  ß
ßÛÝ Release Notes: ßÛÜ                                               ° Û
Üþ  Þ² ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜ                                             ± Û
Û   ÜÛß Û                                                                ² Û
ßßß  ° Û The Skid Rowdies are looking new blood to fill up the ranks.   Û Û
± Û We're a professional team of dedicated sceners with big mark   Û Û
Û Û under sceners. We believe on the ground idealism of the root   Û Û
Û Û of the real old school scene. We do all this for fun and       Û Û
Û Û nothing else. We don't earn anything on our hobby, as we do    Û Û
Û Û this for the competition and the heart of what got the scene   Û Û
Û Û started in the mid eighties.                                   Û Û
Û Û                                                                Û Û
Û Û If you think you got something to offer, then don't hold back  Û Û
Û Û on contacting us as soon as possible.                          Û Û
Û Û                                                                Û Û
Û Û  _______  __     ___     _____   /__                          Û Û
Û Û      / |/ /_/_|         _  / /_ /  /                   Û Û
Û Û  / /| / / //| |     //_// / / / / / /                   Û Û
Û Û /   |   /  | |_   / / / /_/ / /// /                    Û Û
Û Û ____/|_|___/|___/ / /_/_/__/_/____/                     Û Û
Û Û     twice the fun   / double the trouble                      Û Û
Û Û                                                                Û Û
Û Û ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Û Û
Û Û                                                                Û Û
Û Û On with the game release information:                          Û Û
Û Û                                                                Û Û
Û Û Silent Hunter 5 hails the return of the number one submarine   Û Û
Û Û simulation. For the first time the player will be able to play Û Û
Û Û & feel as U-boat captain leading his crew from a first person  Û Û
Û Û view in a true dynamic campaign.                               Û Û
Û Û                                                                Û Û
Û Û Operate against Allied shipping on a vast area all across the  Û Û
Û Û Atlantic Ocean and Mediterranean Sea and participate in famous Û Û
Û Û encounters with strong enemy warships. Can you do better than  Û Û
Û Û the best U-boat aces?                                          Û Û
Û Û                                                                Û Û
Û Û Silent Hunter 5 raises the levels of interactivity and         Û Û
Û Û immersion inside the U-boat and outside                        Û Û
Û Û                                                                Û Û
Û Û For the first time the player will walk through highly         Û Û
Û Û detailed submarines in FPS view and be able to access every    Û Û
Û Û inside & outside part of the U-boot                            Û Û
Û Û                                                                Û Û
Û Û With the help of an advanced order system the player will      Û Û
Û Û interact with the submarine crew, watch them doing their daily Û Û
Û Û jobs and experience the tension & fear inside the U-boot.      Û Û
Û Û                                                                Û Û
Û Û Player actions will impact the outcome of battles and the      Û Û
Û Û scenario evolution in campaign. Depending on his approach the  Û Û
Û Û player can open new locations with upgrade and resupply        Û Û
Û Û possibilities, while the Allied response adjusts dynamically   Û Û
Û Û                                                                Û Û
Û °                                                                Û °
ßÛ²ßßßßßßßßßßßßßßßßÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßß  ß
ßÛÝ Install Notes: ßÛÜ                                               ° Û
Üþ  Þ² ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜ                                             ± Û
Û   ÜÛß Û                                                                ² Û
ßßß  ° Û 1. Unpack release                                              Û Û
± Û 2. Mount image or burn it                                      Û Û
Û Û 3. Install                                                     Û Û
Û Û 4. Copy the content from the SKIDROW folder on the DVD to your Û Û
Û Û    installation directory and overwrite                        Û Û
Û Û 5. Play the game                                               Û Û
Û Û                                                                Û Û
Û Û Additinal Notes:                                               Û Û
Û Û                                                                Û Û
Û Û Don't install/use Ubisoft launcher, or simply block any        Û Û
Û Û connection to internet.                                        Û Û
Û Û                                                                Û Û
Û Û Install game and copy crack, it's that simple!                 Û Û
Û Û                                                                Û Û
Û Û Support the companies, which software you actually enjoy!      Û Û

Source: http://www.theregister.co.uk/2010/04/28/ubisoft_drm_cracked/

Related posts:

1. Cloud Computing Security: An Insider's View As CSO of Qualys, Randy Barr is responsible for security,...

• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

Download the full report here.

Related posts:

1. Women in IT Security I recently had a conversation with a former student of...
2. Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...
3. Web Application Security Testing White Paper The need to provide web security and defend web applications...

The zero-day vulnerability in the latest full version 3.6 of Firefox was discovered by security researcher Evgeny Legerov last month.  Legerov controversially offered to sell exploit code he developed.  Mozilla acknowledged the security vulnerability on Thursday and promised the the next version of 3.6.2, due at the end of the month, would plug the hole.

I have to applaud the German government for taking such a proactive approach to online security of it’s citizens. I have to wonder what would be the response to such an approach my the US government here. As to the advice given, I’m of two minds really. Whereas home users are at liberty to switch browsers as often as their underpants, corporate users may not have that luxury. Whole scale software migrations in a corporate setting is no small undertaking. Ig it were, I doubt Google would have gotten hacked for using IE6.

Vulnerabilities in all browsers are discovered over time. Corporate users, does the musical browser approach really work even if it were possible? I think not. My advice: Test and Upgrade as soon as is feasible.

Related posts:

1. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
2. Pentagon and Congress wants control of your network during cyberattack There has been a lot of chatter in the news...
3. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...

Some of these vulnerabilities allows your system to be compromised simply by browsing a page with an infected image file so upgrade without delay.

According to Brian Cluley of Sophos , “It doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website”

Related posts:

1. More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...
2. Pentagon and Congress wants control of your network during cyberattack There has been a lot of chatter in the news...
3. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

RSA COVERAGE

RSA 2010: Infosec Pros Get Raises Despite Recession An (ISC)2 survey suggests salary increases and hiring went up for many security practitioners in the last year despite the Great Recession. Ironically, the recession may be WHY it’s happening.

RSA 2010: Why 41 Percent of You Would Fail a PCI Audit Miscellaneous news bytes from the RSA 2010 press room: QSAs tell Ponemon Institute that 41 percent of companies would bomb their PCI security audit; hackers industrialize their sinister revolution and VeriSign opens a new compatibility lab.

RSA 2010: Can Adobe Stop the Hate? Security pros are unhappy with Adobe Systems over recent flaws and attacks. Adobe Security Chief Brad Arkin on what the company is doing about it.

RSA Conference 2010: 4 Survival TipsFor the newcomer, the RSA security conference can be overwhelming. Follow these four strategies to get the most from it.

Social Networking is Risky Business From Computerworld: A panel discusses the risks associated with social networking sites.

Chertoff: Tracking Attacks to the Source is Key for Cybersecurity From Computerworld: An exclusive interview with former DHS leader Michael Chertoff.

RSA PODCASTS

RSA 2010: Microsoft’s Plan for Cloud Security Audio: Microsoft VP Jim Jones explains his company’s approach for securing its services in the cloud.

RSA 2010: Verizon Releases Its Threat Report Recipe Verizon Business will share the research framework used for its Data Breach Investigations Reports so companies can create reports tailored to their specific environments.

SECURITY B-SIDES COVERAGE

Security B-Sides: Perfect Authentication Remains Elusive Everyone realizes passwords have their shortcomings. But alternatives like two-factor authentication are not as powerful as one would expect. The problem? As always — human behavior.

One Man’s Life on the Security D-List At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn’t all it’s cracked up to be.

Security B-Sides: Rise of the ‘Anti-conference’ The RSA 2010 conference had some nearby competition. Here’s the story of Security B-Sides as the conference alternative.

Related posts:

1. Shmoocon 2010 Videos Online Shmoocon was this weekend. Unfortunately,I couldn’t get a ticket this...
2. Top 10 Web Application Security Risks for 2010 Yesterday, OWASP released its list of top ten web application...
3. Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...

No related posts.

The Microsoft Office productivity suite has risen to become the dominant application of its type for business IT management. But there are open source office productivity suites available that may provide a suitable alternative to Office, depending on your requirements.

1. OpenOffice.org

Ever since Sun Microsystems release the code to StarOffice back in 2000, OpenOffice.org has been a popular “free alternative” to Microsoft Office.

OpenOffice.org offers a complete suite of office apps, including a word processor, spreadsheet and presentation manager. In terms of user experience, it is the closest thing the open source world has to rival Microsoft Office and is thus popular with many home users as well.

Good file compatibility with Office is also a compelling feature of OpenOffice.org. Late last year the project announced 100 million downloads since version 3.0 was announced a year earlier. The next release will be 3.2,which is due in the coming weeks.

URL: http://www.openoffice.org
Licence: LGPL

2. KOffice

Not as popular as OpenOffice, but providing a similar level of functionality is KOffice. KOffice began life as an office suite for the KDE open source project on Linux, but has since been ported Windows and Mac OS X.

In addition to the standard office applications, KOffice also features apps for project management, flowcharting and graphic design. Also part of the KOffice suite is Kexi — an open source database alternative to Microsoft Access.

KOffice is in rapid development after a major release upgrade from the 1.x to 2.x series. The developers will release the 2.2 stable version this year, which is meant to be a “production” release suitable for everyday use.

Last year Nokia announced it will use KOffice as the basis of its mobile office suite for the N900 smartphone.

URL: http://www.koffice.org
Licence: LGPL & GPL

3. GNOME Office

While not as tightly integrated as OpenOffice.org or KOffice, the GNOME office suite is a collection of productivity applications typically shipped with the GNOME desktop environment on Linux, but it can also run on Windows.

The word processor, AbiWord, reached version 2.8 last year and now supports annotations, smart quotes and scalable vector graphics. A collaboration tool also allows multiple people to work on one document at the same time. This can also be used with the AbiCollab.net online storage service.

Gnumeric, the spreadsheet, has support for Microsoft Excel documents and claims more calculation functions.

GNOME office also includes the Evolution e-mail and groupware client. Evolution has a number of enterprise features and has an extensive repository of plug-ins available to enhance its functionality.

URL: http://live.gnome.org/GnomeOffice
Licence: GPL

4. Feng Office

Formerly known as OpenGoo, Feng Office is not your typical open source office suite in that it is Web-based, like many of today’s SaaS offerings.

Feng Office allows users to upload and share any type of document and certain files can be edited online as well. A spreadsheet component is under development.

In addition to document management, Feng Office has applications for notes, e-mail, contact management, calendaring, task management and time keeping.

A commercially supported version is available which can be hosted on-site or provided as SaaS.

URL: http://www.fengoffice.com
Licence: AGPL

5. Simple Groupware

As the name indicates, Simple Groupware was developed as an open source groupware suite, but we’ve included it here because of the increasing amount of office suite-like applications it contains, including an online spreadsheet.

Simple Groupware’s Simple Spreadsheet features support for formulas, functions, JavaScript macros, charts, cell manipulation and integration of images from the Web. Open Office and Microsoft Office documents can be previewed in a Web-browser.

With modules for HTML and wiki documents, Simple Groupware is starting to look a lot like a basic online office productivity suite. What’s more, the files module makes it possible to share files, track versions and manage folders.

URL: http://www.simple-groupware.de
Licence: GPL

Source: http://www.cio.com.au/

Related posts:

1. keimpx – New Open Source SMB Credential Scanner keimpx is an open source tool, released under a modified...
2. Trojan Pretends to Be Microsoft Security Suite Microsoft is warning users that a Trojan is masquerading as...
3. 100+ Open Source Security Tools Security testing  or assessment is a process to determine that...

How do you cost effectively defend web applications from hackers? Your organization relies on mission critical business applications that contain sensitive information about customers, business processes and corporate data. Moving away from proprietary client/server applications to web applications gives you a simpler, cost-effective, highly extensible delivery platform. These applications are more than a valuable tool to power your business operations; they are also a valuable and vulnerable target for attackers.

Web applications are increasingly the preferred targets of cyber-criminals looking to profit from identity theft, fraud, corporate espionage, and other illegal activities. The impact of an attack can be significant, and include:

Costly and embarrassing service disruptions

Down-time

Lost productivity

Stolen datav
Regulatory fines

Angry users

Irate customers

In addition to protecting the corporate brand, federal and state legislation and industry regulations are now requiring web applications to be better protected.

As you take action to protect web applications in a timely and effective manner, you must balance the need for security with availability, performance and cost-effectiveness. Protecting web applications requires both zero-day protection and rapid response with minimal impact to operations without impacting performance or changing system architectures.

2. Web applications are increasingly vulnerable.

Rapid growth leads to emerging problems

The number of corporate web applications has grown exponentially and most organizations are continuing to add new applications to their operations. With this rapid growth come common security challenges driven by complexity and inconsistency. New awareness into web application vulnerabilities, thanks to organizations such as the Open Web Application Security Project (OWASP), has helped organizations identify application security as a priority. But according to a June, 2006 survey (www.symantec.com/ about/news/release/article.jsp?prid=20060919_01), while 70 percent of software developers indicated that their employers emphasize the importance of application security, only 29 percent stated that security was always part of the development process.

Overlooked online application vulnerabilities

Unfortunately, it is not just application flaws that are leaving systems vulnerable. In addition to application issues, every web application relies on a large stack of commercial and custom software components. The operating system, web server, database and all the other critical components of this application stack, have vulnerabilities that are regularly being discovered and communicated to friend and foe alike. It is these vulnerabilities that most organizations overlook when they’re considering web application security.

As new vulnerabilities are found, patches become a critical part of managing application security. The process of patch management is complex and difficult to do successfully. Even the most proactive IT team must often reassign critical resources to deploy urgent patches, disrupting normal operations. The time required to patch responsibly lengthens the window of time a hacker has to exploit a specific vulnerability. With thousands of vulnerabilities and patches being announced each year the problem continues to grow. Even organizations with the most efficient patching processes in place can’t rely on this alone to protect them from attacks targeting web application vulnerabilities.

Hackers look for the path of least resistance

Today’s sophisticated attackers target corporate data for financial and political gain. They know they can more easily exploit vulnerabilities in web application stacks versus trying to defeat well built network and perimeter security. Hackers have a myriad number of vulnerabilities techniques to use including:

SQL Injection

Cross Site Scripting

Buffer Overflow,

Denial of Service

The number of application vulnerabilities in commercial applications and open source applications is growing at an alarming pace; anywhere from 200 to 400 new vulnerabilities are identified every month.

According to zone-h.org, 45% of attacks make use of vulnerabilities rather than configuration issues or use brute force. Attackers are working hard to find and exploit new vulnerabilities in web applications faster then they can be patched. The window of time, from when a hacker identifies a vulnerability to when it is communicated and eventually patched, makes a fast response defence- strategy critical to prevent a potentially damaging intrusion.

3. Required: A remote online web application security-testing service

Web applications are increasingly vulnerable and protecting them requires a system that can:

Ensure compliance today

meet the evolving needs of an organization for tomorrow

Respond quickly

To meet this challenge, by the optimal solution should locate these vulnerabilities as they are seen from the hacker’s point of view. Therefore a remote online Web application security testing service will best address those needs.

A web application security scan should reveal vulnerability for these attacks:

SQL Injection

Blind SQL Injection

Installation Path Disclosure

.Net Exception

Command Execution

PHP Code Injection

Xpath Injection

CRLF Injection

Directory Traversal

Script Language Error

URL Redirection

Remote File Inclusion

LDAP Injection

Cookie Manipulation

Source Code Disclosure

Cross-Site Scriptingv
Cross-Frame Scripting

The security scan must test vulnerabilities for a wide variety of website components:

Web Servers

Web Server Technologies

HTTP Methods

Backup Files

Directory Enumeration

Directory Indexing

Directory Access

Directory Permissions

Sensitive/Common Files

Third Party Application

The online web application security service must:

Remotely crawl the entire website.

Analyse each file.

List the vulnerabilities found along with the severity levels of each vulnerability.

Launch a series of web attacks to discover security.

Include option to make a tailor made attack

Be able to adapt to any web site configuration.

Produce dynamic tests, which will create relevant reports of online scan findings.

Provide a constantly updated vulnerability assessment

Include an automatic False Positive Prevention Engine.

Provide Enhanced Report Generation for Scanning Comparison. – Must include the ability to create comparison and trend analysis of your web applications vulnerabilities based on scan results generated over a selected time periods.

Recommend solutions in order to fix, or provide a viable workaround to the identified vulnerabilities

Author: Avi Bartov
Article Source: EzineArticles.com
Provided by: Programmable pressure cooker

Related posts:

1. Effectively Scoping Application Security Penetration Testing and Ethical Hacking When seeking to test if your web based application or...
2. SAHI – Web Automation & Application Security Testing Tool Sahi is an automation tool to test web applications. Sahi...
3. Top 10 Web Application Security Risks for 2010 Yesterday, OWASP released its list of top ten web application...

Desktop Security 2010 can also download additional malware to your computer which could complicate matters. It also uses quite effective self-defense methods. In some cases it blocks Task Manager so likely you won’t be able to end its processes. Then the rogue program blocks anti-virus software and block sany attempts to install a new one. The best remedy is to reboot your computer in safe mode with networking and run an anti-spyware program from there.

For more examples of fake security software, see Lavasoft’s Rogue’s Gallery.

Related posts:

1. Another fake security software alert I”ve previously warned of fake security software or scareware. Here’s...
2. A Guide to Computer Security As the number of people connecting to the Internet continues...
3. Beware of Haiti-Themed Scams and Attacks! Our thoughts and prayers go out to all those affected...

What would that do to your customer base?

Do you think their confidence in your ability to conduct business over the Internet would change?

What are the potential security threats to your Web application server? The threats are many. In fact, nearly every device that connects directly to the Internet on a broadband or dedicated (always on) connection is scanned multiple times.

Every device connected to the Internet receives an Internet Protocol (IP) address. That address has two components, a network component and a host component. A hacker can launch a program to ‘ping’ every host address within a given network and log the results. Simple analysis of the results reveals which addresses are assigned to active devices by responding to the ‘ping’. Armed with a list of active devices, the hacker launches other scans to determine the operating system or application programs the active device runs. Many operating systems and applications have security vulnerabilities that the hacker exploits.

So, what can the hacker do if he or she discovers vulnerabilities on your Web application server?

Let’s examine 5 Web application security threats.

1. Defacement and Altered Content. Once a hacker gains access to your system, the content is at his mercy. As previously stated, what would be the fallout if someone altered the content of your Web Server? If you rely upon your Web Server or Website to generate revenue or drive customers to your business, defacement or altered content could irreparably damage your relationship with your customers and prospects.

2. Data Theft. Another potential threat is data theft. If your site has e-mail addresses, account numbers, or other sensitive data, a hacker may steal that data and exploit it to his or her own gain. Imagine having to explain to your customers that the information stolen from your server led to identity theft or the unauthorized use of their financial data.

3. Unauthorized Access to Applications and System Resources. Sometimes a hacker uses your system for his or her own purposes merely denying you the ability to efficiently and effectively use your system. The fallout ranges from a minor inconvenience to a major catastrophe.

4. Denial of Service Attacks. Some hackers launch denial of service attacks, which overwhelm the connection and deny you and your customers access to your Website. Again, the fallout ranges from a minor inconvenience to a major catastrophe.

5. Propagation of Viruses, Worms, and Other Malware. Sometimes a hacker may access your system to use it as a springboard to launch viruses, worms or other forms of malware. This is done on your system to cover the hacker’s tracks.

The point is, take the security of your system seriously and employ all of the methods at your disposal to harden your site against attack.

Author: Tomer Shoha
Article Source: EzineArticles.com
Provided by: Pressure cooker

Related posts:

1. Effectively Scoping Application Security Penetration Testing and Ethical Hacking When seeking to test if your web based application or...
2. Web Application Security Testing White Paper The need to provide web security and defend web applications...
3. SAHI – Web Automation & Application Security Testing Tool Sahi is an automation tool to test web applications. Sahi...

So https indicates your communications to the web site is encrypted. Clicking on the golden lock displays the digital certificate and identity information. But what if your browsers decides it doesn’t like the certificate? Well it warns you. Ever seen these before:

If you have spent any amount of time on the web, you will have eventually come across these warnings. What do you generally do? Flee for your life? Read the details? Continue on to the web site anyway? Well, don’t just ignore this warning! There are multiple reasons why your browser might balk at pproceeding to the requested web site.

Certificates are generally issued by companies like Verisign and Thawte after the entity requesting the certificate has verified its identity. The certificates are digitally connected to a root certificate located at the issuer. Browsers are pre-configured with a number of more popular root certificates. That is why, when you access your online bank account, your browsers automatically recognizes the certificate and allows you to proceed without issue. The certificates are valid for a specified period of time and require renewal. If the certificate has expired, your browser will detect it and you will see the warning displayed  above. If your browser does not recognize the source of the certificate ( i.e no connection to a known root certificate), you will see the error message as well. This is the case when web site owners decide not to purchase a certificate issued by one of the aforementioned third-parties and create their own certificate which still provides the same functions: claims an identify and enable encryption.

This last point is key. Anyone can create a certificate. I can create a certificate in seconds claiming my laptop to be https://www.your-online-bank.com. Tools that enable a man-in-the-middle attack mentioned in yesterday’s post automatically do this.  Now, as your browser will recognize the lack of digital connection between my fake web site certificate and the real root certificate, it will warn you with one of the  errors displayed above. Beware that you don’t make it a habit of clicking to continue without giving it a second thought.

Related posts:

1. Enter the Dragon browser, the more secure Google Chrome The open source engine that forms the basis for Google’s...
2. Beware of Free Internet Connections Many hotels,coffee shops and other such establishments  offer free wireless...
3. SAHI – Web Automation & Application Security Testing Tool Sahi is an automation tool to test web applications. Sahi...

Related posts:

1. Google pulls out of China Is this a divorce or separation?  I chronicled Google’s dysfunctional...
2. Botnets give the hacker espionage tools formerly reserved for nation states The cyber attacks against Google, Adobe and a raft of...
3. Pause your Google History Have you ever used your Google search history? If you...