2012 HouSecCon, 10/11/2012 (in Houston)
HouSecCon is coming up – October 11th in Houston. The agenda is shaping up with a bunch of hot topics and well-known speakers. I’ll (Dan Kuykendall) be speaking on mobile security. At NT OBJECTives, we have been working on how to effectively test mobile service calls. Most of the mobile security focus is on device security. During this talk, we are going beyond device security and into mobile application hacking with several demos and hacking tools. Hope to see you there!
Top Security Threats and Attackers by Country
Web security firm Incapsula this week released the first of what it says will be a monthly report that breaks down the origin of Internet attacks by country. The first survey confirmed that the U.S. and China produce the highest volume of attacks on websites, but they don’t necessarily have the most hackers per capita operating from within their borders.
There are four main types of website attacks, according to Incapsula. Server takeovers by means of Remote File Inclusion, Local File Inclusion, Directory Traversal, and other methods are the most common, in part because they can be easily automated, the company said. Data theft by means of SQL injection and credentials theft through cross-site scripting (XSS) methods are the other main types of directly damaging attacks, while a fourth type, vulnerability scanning, is more akin to “casing” a website for future direct attacks.
Cybercrime-Fest Targets Mobile Devices
The lineup of depressing security stats in a recent report by the Government Accountability Office on mobile devices is growing,
- The number of variants of malicious software aimed has reportedly risen from about 14,000 to 40,000 in less than a year.
- New mobile vulnerabilities have been increasing, from 163 in 2010 to 315 in 2011, an increase of over 93%.
- An estimated half million to one million people had malware on the Android devices in the first half of 2011.
- Three out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.
Attacks against mobile devices generally occur through four channels of activities.
- Software downloads
- Visiting malicious websites
- Direct attacks
- Physical attacks
iOS, Android Vulnerabilities Found at HP’s Mobile Pwn2Own Event
Both iOS and Android fall to hackers at this Pwn2own event in Amsterdam. HP awarded two sets of researchers with $30,000 for finding and demonstrating their attacks.
The Android attack was built on the Near Field Communications attack demonstrated by Charlie Miller earlier this year at a Black Hat event.
The iOS attack exploited a previously unreported WebKit flaw on an iPhone 4S. WebKit is the underlying rendering engine used in Apple Safari on iOS / Mac OS, and Google for Chrome on Android.
Simple Cross Site Scripting Vector That Webkit XSS Auditor Ignores
Google Chrome has a lesser known feature called “XSSAuditor” that was added to help mitigate reflective XSS. It is similar to NoScript and IE built in XSS filter.
This post shows a trivial attack to circumvent this feature on Chrome version 4 and above as well as Safari 5.1.7
ViewState XSS: What’s the Deal?
Using ASP.Net to provide a detailed example of exploiting an unproperly protected ViewState with reflective XSS. Even hard coded values can be manipulated.
10 Common Mobile Security Problems to Address
Poor security practices of consumers and inadequate technical controls make mobile devices a target waiting to be attacked. The GAO report came up with a list of mobile vulnerabilities it says are common to all mobile platforms and it offered a number of possible fixes for the weaknesses.
Over Half of Companies Suffered a Web Application Security Breach in the Last 18 Months
Forrester Report published.
The results of “The Software Security Risk Report,” a commissioned study conducted by Forrester Consulting on behalf of Coverity were released this week. This study looked at application security and testing practices and found that security incidents are becoming more common and expensive. The results included several interesting findings:
- Most companies experienced at least one breach in the last 18 months and many companies lost hundreds of thousands, if not millions, of dollars.
- The majority of companies have not implemented secure development practices, “most often citing time-to-market pressures, funding and the lack of appropriate technologies suitable for use during development as their primary roadblocks.”
HoneyMap – Alpha
A real-time world map which visualizes attacks captured by honeypots of the Honeynet Project. Red markers on the map stand for attacks, yellow markers are sensors (honeypots).
This project is highly experimental and should be considered an ALPHA version. So far, current Chrome and Firefox browsers should work fine. Opera, Safari and Internet Explorer probably won’t work.