I use Comcast, and really have no complaints, although I have heard other people say the service is less than adequate. I found this article about how Comcast tries pop-up alerts to warn of botnets. This new service for Comcast users is being tested here in Denver. In another article from SearchSecurity, there is interesting information about the new generation of botnets that are tinier, stealthier and can contain thousands (87K in one example) of variants of malware.
I'm glad to see Comcast responding actively to this issue.
Saturday, October 17, 2009
Monday, October 12, 2009
How safe is your password?
This is an interesting article from a user that started out with a 6 character password years ago, and now is changing all passwords for all applications. I understand the idea of it being hard to memorize many different passwords. I had an instructor tell me that all users should use passwords that are at least 16 characters long, and they should type them in 10 or so times to remember them. It is the weakest link in the chain.
Saturday, October 3, 2009
Next Gen Bank Trojan
Interesting article here about a new bank trojan that is spread through malicious JavaScript or Adobe PDF files. They put up a site, had 90,000 hits, infected 6,400 machines, and stole money from a few of those users. Their technique is to steal the $ out of the account while the user is logged in and show the user a fake bank balance. They stole $438,000 in 22 days.
Sunday, September 27, 2009
How much government control in cyber crisis
I read this article on MSNBC.com, "How much government control in cybercrisis". There have been 18 bills already introduced in Congress to define when and how the federal government should step in in case of digital disaster. The very number of bills is an indication that this subject is not understood or represented correctly by the lawmakers. It raises so many questions. What is the risk of an all-out cyber attack? Should the federal government be given the authority to shut down the internet? Is this the right approach? Experts say that a system under attack should not be shut down, but isolated, with the bad traffic filtered out from the good. Does the government have the agility to do something like that? I don't see it so much as a political issue as a technical one. The problem is that there is no one set way of implementing cyber security due to the vastness of the systems in place. Will there ever be a cut and dried way of securing information, or will it remain a moving target for the foreseeable future?
Sunday, September 20, 2009
I have been aware for some time that I have the ability to track exploits in the web sites I support, before the network people know that anything has happened.
This article in www.searchsecurity.com confirms the role of the developer in website security. The fact that most attacks penetrate browsers through infected web pages places responsibility for security on the developer. The high incidence of SQL injection again places responsibility on the developer to think about how the data layer is implemented, and not just take the first example that they see on MSDN as the template for the data access layer.
These tools:
- Vulnerability Scanning
- Penetration testing
- SDL and source code security scanning
- Web application firewalls
- Choice of browser
- Application whitelists
will not be effective until they are combined with good coding practices like:
- Error Handling, including logging
- Client AND server validations
I like the idea of categorizing all web servers according to business risk. This idea can be combined with adherence to different security standards, like HIPAA.
This is from a developer's point of view. Any discussion on that?
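The data-layer point above, as an added example that is not part of the original post: a lookup that splices input into the SQL text, next to one that validates on the server, binds the value as a parameter, and logs failures. The `accounts` table, the username allow-list and the function names are assumptions made for this sketch, and it uses Python's `sqlite3` rather than any MSDN sample.

```python
import logging
import re
import sqlite3

log = logging.getLogger("dal")
# Assumed allow-list policy for usernames; enforced on the server regardless
# of any check the browser already performed.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Constructed in-memory sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75)])
    return db


def lookup_concatenated(db, username):
    """Copy-and-paste pattern: the input becomes part of the SQL text."""
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    """Server-side validation, bound parameter, logged failures."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        # %r keeps quotes and control characters visible in the log line.
        log.warning("rejected username input: %r", username)
        return []
    try:
        return db.execute(
            "SELECT username, balance FROM accounts WHERE username = ?",
            (username,),
        ).fetchall()
    except sqlite3.Error:
        # Details go to the server log; the caller sees no database error text.
        log.exception("account lookup failed")
        return []


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed test input
    print(lookup_concatenated(db, crafted))   # condition rewritten: all rows
    print(lookup_parameterized(db, crafted))  # rejected and logged
    print(lookup_parameterized(db, "alice"))  # normal lookup
```

The rejected-input log line is what lets a developer see probing against the site before it shows up anywhere else.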
Saturday, September 19, 2009
CNG 275 - What I have learned so far
- VMWare is a lot harder to work with than it looks
- Networks are not easy to set up
- Security means locking everything down
- VPN and wireless networks don't mix
- Network people don't get Developers, and vice versa, it's a cultural thing
- The boundary area between network and the web application is a lonely place, with neither side having all the answers all the time
Application Firewall
After class on 9/16, I did a search on Application Firewall, also called Deep Packet Inspection Firewall. I found that a Web Application Firewall is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. An Application Layer Firewall is a computer networking firewall operating at the application layer of a protocol stack. This firewall looks at the request/response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some of them look for attack signatures. The firewall can be either hardware or software and is installed in front of the webserver, between the server and the client.
Anyone have any experience in setting one of these up?