CSRF Tidbits
Sep
30
30 September 2008, RedNeck @ 8:43 am

Well it has been awhile since CSRF has made the headlines. But here we go again. There was a paper publish by Ed Felten and Billy Zeller within the past few days that describes CSRF attacks in 4 major web sites, ING Direct, Youtube, Meta Filter, and New York Times. The wost of the attacks, ING Direct, would allow an attacker to tranfer funds out of a users account or open additional accounts on behalf a user.

Source: http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
White Paper: http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf

Filed under: Protecting Your Finances,Security Awareness,System Security,Web App Sec | No Comments »
Verizon Data Breach Study
Jun
13
13 June 2008, RedNeck @ 8:55 pm

Wake up America, the banks, retailers, utilities, government agency’s and the like are not doing enough to keep our personal information private and secure.

The other day Verizon business released a study of 500 forensic investigations that shows how much cooperations and governments are out of touch with the reality of the underground.

Some key findings:

Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:

  • Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
  • Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
  • Nine of 10 breaches involved some type of “unknown” including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.
  • In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple – if you don’t know where data is, you certainly can’t protect it.

The also have some good information on the black market for identities stolen and some recommendations for enterprises.

All I have to say is wake up people. It is time to start doing what is right for the people and not what is right for the bottom line.

I will post some more info on what we as consumers can do to help protect our information in a later post.

Filed under: Forensics,Incident Response,Protecting Your Finances,System Security,Web App Sec | No Comments »
Is it Really a Vulnerability
Jun
02
2 June 2008, RedNeck @ 9:04 am

Here recently we discovered a web site, that contained PII, in which you could conduct directory browsing on it. So here is my question. Is it really a vulnerability when you can browse the directories on a web site.

I can hear it now, most everyone is going to say “May Be”, with that I agree. It does depend on what is contained in the directories that are browsable.

Filed under: Incident Response,Pentesting,Web App Sec | No Comments »
    
RedNeck Hacker is based on WordPress platform, RSS tech , RSS comments design by Gx3.