Banking CyberSecurity Infographic

Posted in Security Blog | Tagged , , , , | Comments Off on Banking CyberSecurity Infographic

2014 IBM Cyber Security Intelligence Infographic

RFID Skimming

It’s from a few years back. Is this still a vulnerability? Do banks still issue RFID cards? You can still find RFID credit card readers, so I wonder.

Ruby On Rails Security Thoughts

Security questions in the video start at 2:25
Like any other framework, Rails needs to be kept up to date: security issues in Rails are reported from time to time. Developers of Ruby applications should keep the OWASP Top 10 in mind. Ruby on Rails developers should test for:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Here is the Ruby on Rails Security Guide

Preventing SQLi in Ruby
Ruby on Rails has a built-in filter for special SQL characters, which escapes ', ", NUL characters and line breaks. Using Model.find(id) or Model.find_by_something(something) automatically applies this countermeasure.

  • Adopt an input validation technique whereby user input is checked against business rules and a set of defined rules for length, type, and syntax
  • Ensure that users with permission to access the database have the least privileges
  • Do not use system administrator accounts like “sa” for Web applications
  • Create application-specific database user accounts
  • Remove all stored procedures
  • Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures
  • Make it a habit to think about the security consequences when using an external string in SQL.
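To make the placeholder-substitution point concrete, here is an added example written for this post, not code from Rails or from Veracode. It shows what ActiveRecord does behind Model.where("name = ?", name): escape the characters the guide lists (quotes, NUL, line breaks) and substitute each bind into a "?" marker, beside the string-interpolation anti-pattern the last bullet warns about. The escaping rules are MySQL-style and the function names are my own.

```ruby
# Added example (not Rails' own code): placeholder substitution with the
# escaping the guide describes. ActiveRecord does this for you via
# Model.where("name = ?", name) or Model.find_by(name: name); this standalone
# version makes the mechanism visible.

# Escape a string so it can sit inside a single-quoted SQL literal.
# Covers backslash, both quote characters, NUL, and line breaks (MySQL-style rules).
def escape_sql_literal(str)
  str.to_s.gsub(/[\\'"\x00\n\r]/) do |c|
    case c
    when "\\"   then "\\\\"
    when "'"    then "\\'"
    when '"'    then "\\\""
    when "\x00" then "\\0"
    when "\n"   then "\\n"
    when "\r"   then "\\r"
    end
  end
end

# Quote a Ruby value as a SQL literal according to its type.
def quote_sql_value(value)
  case value
  when nil            then "NULL"
  when true           then "TRUE"
  when false          then "FALSE"
  when Integer, Float then value.to_s
  else "'#{escape_sql_literal(value)}'"
  end
end

# Replace each "?" in the template with a quoted bind value.
# Binds are substituted by a block, so a "?" inside a value is never re-scanned.
def build_query(template, *binds)
  expected = template.count("?")
  if expected != binds.size
    raise ArgumentError, "expected #{expected} binds, got #{binds.size}"
  end
  index = -1
  template.gsub("?") { quote_sql_value(binds[index += 1]) }
end

# The anti-pattern the guide warns about: an external string dropped straight
# into SQL. A quote in the input changes the structure of the statement.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

if __FILE__ == $PROGRAM_NAME
  name = "O'Brien" # constructed sample input
  puts unsafe_query(name)
  puts build_query("SELECT * FROM users WHERE name = ?", name)
end
```

Run it and compare the two lines: the interpolated version ends up with an unbalanced quote, while the placeholder version carries the name as one escaped literal. In a real app you never call something like build_query yourself; you pass binds to ActiveRecord and let the adapter quote for the database actually in use.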

Preventing XSS in Ruby
Rails provides helper methods to fend off XSS attacks.

  • HTML encode all user input returned as part of HTML
  • URL encode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL encoded equivalents)
  • Convert all user input to a single character encoding before parsing
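The three bullets above map onto three small functions. The following is an added example for this post, built only on the Ruby standard library rather than on Rails' own helpers: CGI.escapeHTML does the same transformation as the Rails h / html_escape helper, and ERB::Util.url_encode is what the Rails u helper wraps. The normalize_encoding, html_encode, url_encode_component and render_profile_snippet names are mine.

```ruby
require "cgi"
require "erb"

# Added example (not Rails' own helpers): HTML encoding, URL encoding and
# single-encoding normalization using only the Ruby standard library.

# Normalize input to one encoding (UTF-8) before any parsing or escaping,
# replacing bytes that cannot be represented instead of raising.
def normalize_encoding(input)
  input.to_s
       .encode("UTF-8", invalid: :replace, undef: :replace, replace: "\uFFFD")
       .scrub("\uFFFD")
end

# HTML-encode for insertion into element content or a quoted attribute value.
# Escapes & < > " and ' (same set as Rails' html_escape).
def html_encode(input)
  CGI.escapeHTML(normalize_encoding(input))
end

# URL-encode for insertion into a single URL component such as a query value.
# Leaves only unreserved characters; ?, &, /, <, >, and space become %XX.
def url_encode_component(input)
  ERB::Util.url_encode(normalize_encoding(input))
end

# Build a fragment in which every user-supplied value is encoded for the
# context it lands in: HTML text for the name, a URL query value for the term.
def render_profile_snippet(display_name, search_term)
  "<p>Hello, #{html_encode(display_name)}</p>" \
    "<a href=\"/search?q=#{url_encode_component(search_term)}\">search</a>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing markup and URL metacharacters.
  puts render_profile_snippet("<b>Ann</b> & \"co\"", "a b&c/d?e")
end
```

The choice of encoder follows the context the value is inserted into, not the value itself: the same string needs HTML encoding inside a tag and URL encoding inside an href, and in Rails views the default ERB escaping covers the first case but not the second.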
Preventing Ruby Logging Vulnerabilities
Rails logs all requests made to the web application. Log files can be a huge security issue and should not contain sensitive information such as login credentials and credit card numbers. Rails lets you filter certain request parameters out of your log files by appending them to config.filter_parameters in the application configuration. These parameters will be marked [FILTERED] in the log.
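What config.filter_parameters actually does is easy to lose sight of, so here is an added example for this post: a small re-implementation of the parameter filter, not Rails' own ActiveSupport code. It follows the same matching rules (a symbol or string matches any key containing it, a Regexp is matched against the key) and walks nested hashes and arrays. The Rails config line shown in the comment is real; the function names and the sample parameters are mine.

```ruby
# Added example (not Rails' own code): a simplified parameter filter modeled on
# what config.filter_parameters does before request parameters hit the log.

FILTERED = "[FILTERED]".freeze

# Patterns come from application config, for example in
# config/initializers/filter_parameter_logging.rb:
#   config.filter_parameters += [:password, :card_number]
# A symbol or string matches any key that contains it; a Regexp is matched directly.
def filter_match?(key, patterns)
  k = key.to_s
  patterns.any? { |p| p.is_a?(Regexp) ? p.match?(k) : k.include?(p.to_s) }
end

# Walk nested hashes and arrays, masking values whose key matches.
# Builds a new structure; the original params are left untouched.
def filter_params(params, patterns)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = filter_match?(k, patterns) ? FILTERED : filter_params(v, patterns)
    end
  when Array
    params.map { |v| filter_params(v, patterns) }
  else
    params
  end
end

# Format a request log line the way a request logger would, after filtering.
def log_line(path, params, patterns)
  "Started POST \"#{path}\" Parameters: #{filter_params(params, patterns).inspect}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: a login form with a nested user hash.
  sample = { "user" => { "email" => "a@example.com", "password" => "hunter2" } }
  puts log_line("/login", sample, [:password])
end
```

Matching by substring is deliberate and mirrors Rails: :password also masks password_confirmation and old_password, which is what you want. The flip side is that a very short pattern can over-filter, so keep the list specific.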

Veracode can assist in Security Development Reviews. They also are the ones I borrowed this information from.

Mid-year 2014 Data Breaches Exposed

[Image: 0820.cybersecuritythreats.jpg]

2014 is going to replace 2013 as the highest year on record for exposed records, according to Risk Based Security.

Mid-year 2014 at a Glance …
• There were 1331 incidents reported during the first six months of 2014 exposing 502 million records.
• Two Hacking incidents alone exposed a combined 318 million records.
• A single act of Fraud exposed 104 million records.
• The Business sector accounted for 54.9% of reported incidents, followed by Government (16.1%), Unknown (11.8%), Education (8.7%), and Medical (8.5%).
• The Business sector accounted for 64.3% of the number of records exposed, followed by Government (34.9%).
• 78.2% of reported incidents were the result of Hacking, which accounted for 78.7% of the exposed records.
• Fraud accounted for 20.7% of the exposed records, but represented just 2.1% of the reported incidents.
• Breaches involving U.S. entities accounted for 39.6% of the incidents and 74.3% of the exposed records.
• 61.7% of the incidents exposed between one and 1000 records.
• Ten incidents exposed more than one million records.
• Three incidents from the first half of 2014 have secured a place on the Top 10 All Time Breach List.
• The number of reported incidents tracked by Risk Based Security has exceeded 12,700 exposing over 2.9 billion records.

You can view the 2014 Data Breach QuickView report here:
https://www.riskbasedsecurity.com/reports/2014-MidYearDataBreachQuickView.pdf

The Breach Report by Risk Based Security is a great enhancer to reports and presentations to business owners so they can invest in their Cyber Security teams.

SecurityNinjaTV DEFCON 22 Car Hacking with Charlie Miller & Chris Valasek

Spearphishing and Why Education and Awareness is Important

It was revealed yesterday that an investigation by the Nuclear Regulatory Commission (NRC), which oversees the US nuclear power grid, uncovered three incidents in which hackers were able to access internal documents. One of the incidents involved emails sent to 215 NRC employees, designed to steal their login details; around 12 employees ended up falling for it.
More here

At the time, the below picture was not possible… Yet.
[Image: nuclear_explosion]

Site Access With Tor

My webhosting uses CloudFlare which adds a mitigating control when trying to access it with a Tor Browser. I actually didn’t know it did this.

[Screenshot from 2014-08-19 21:30:57]

I host with bluehost

Searching the Deep Web – Infographic

Everything You Need to Know on TOR & the Deep Web - Via Who Is Hosting This: The Blog

Consumers Footing the Bill on Data Breaches

Found on this page

I really love infographics and how they put things into perspective.
