15 April 2015

Detective

Posts relating to the category tag "detective" are listed below.

13 February 2015

Security Information Sharing Standards and Tools

The European Union Agency for Network and Information Security (ENISA) has published a summary of security information sharing formats, at the same time as the release of its good practice guide on Actionable Information for Security Incident Response.

Diagram from the ENISA report 'Standards and Tools for Exchange and Processing of Actionable Information' illustrating the relationships between standards for sharing of security information

Actionable security information is accurate and timely information that may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited.

The companion to the good practice guide is Standards and Tools for Exchange and Processing of Actionable Information which describes 53 different information sharing standards that are a mix of formats, protocols, technical approaches and frameworks in common use. These span:

  • Information sharing formats
    • Formats for low level data
    • Actionable observables
    • Enumerations
    • Scoring and measurement frameworks
    • Reporting formats
    • High-level frameworks
  • Transport and serialization
    • Transport methods
    • Serialization methods.

In addition, the report highlights 16, primarily open source, information sharing tools and platforms for the exchange and processing of actionable information, spanning automated distribution of data, supporting analytics, general purpose log management and handling high-level information.

Very useful - thank you ENISA.

Posted on: 13 February 2015 at 11:10 hrs

10 February 2015

NIST SP 800-163 Vetting the Security of Mobile Applications

In the last of my run of three mobile app related posts, the US standards body, the National Institute of Standards and Technology (NIST), has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications.

One of the tables from NIST SP 800-163 'Vetting the Security of Mobile Applications' showing top level general categories of iOS app vulnerabilities

SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is also intended for developers that are interested in understanding the types of software vulnerabilities that may arise in their apps during the software development life cycle (SDLC). The report is grouped into planning, testing and app approval/rejection sections:

  • Planning
    • Security requirements
    • Understanding vetting limitations
    • Budget and staffing
  • Testing
    • General app security requirements
    • Testing approaches
    • Sharing results
  • App approval/rejection
    • Report and risk auditing
    • Organisation-specific vetting criteria
    • Final approval/rejection.

The guidance is practical and highlights risks that are mobile app specific as well as general application security risks. Appendices B & C provide helpful categorised lists of Android and iOS mobile app vulnerability types respectively.

Posted on: 10 February 2015 at 07:48 hrs

30 January 2015

OWASP AppSensor Code v2.0.0 Final Release

I was extremely pleased to read yesterday that the final version of the new AppSensor reference implementation has been published following three previous release candidates.

Screen capture from the AppSensor microsite developed by John Melton for the OWASP AppSensor Project

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response.

John Melton, with the help of other code contributors and feedback from the project's code development mailing list, has finished a complete overhaul of the previous code. In the words of the version 2.0.0 announcement, the most significant changes are:

  • Client-server architecture supporting multiple communication modes including: REST, SOAP, Thrift, local (shared JVM, java-only)
  • Any language can be used on the client application. The only requirement is that the language selected must support the communication protocol of the execution mode that is configured (i.e. if using REST as the execution mode, the language must be capable of making HTTP requests.) The server-side components are Java, but this places no restriction on the client applications themselves
  • There is no longer a hard dependency on [OWASP] ESAPI. AppSensor is a standalone project, though it can be integrated with projects that also use ESAPI if desired
  • The core components of the system have been renamed and now follow the AppSensor v2 book naming conventions, which is based on standard IDS terminology for clarity
  • Basic user correlation is supported so that client applications that share a user base (SSO) can share attack detection/response information.

John also created a special AppSensor microsite.

This is all free to use (see code licence). Begin using the new code with the getting started information.

Posted on: 30 January 2015 at 08:26 hrs

29 January 2015

Anti-Automation Monitoring and Prevention

It seems London's Heathrow Airport has very little in the way of anti-automation monitoring or prevention in place.

Headline from the London Evening Standard which reads 'Heathrow noise complaints sent by automated software'

According to the London Evening Standard newspaper on Tuesday, a five-fold increase in complaints was in large part due to automated email submission.

It seems it was only luck that led to the discovery that the emails were computer-generated: after the clocks changed from summer time, complaints were received an hour ahead of the flight schedule.

Oops, let's hope that's not a metric used by the airport itself or a regulator.

Not that the airport would reasonably believe it to be the target of any activists! Surely not.
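The clock-change slip described above is the kind of thing routine monitoring could catch without relying on luck. The following is an added example (not anything the airport or newspaper described) that runs two checks over constructed complaint log lines against a constructed flight schedule: a complaint that arrives before the flight it names cannot be a genuine noise complaint, and many senders sharing exactly the same offset from their flights' times is a signal of scripted submission. Field names, times and addresses are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed schedule: (flight, date) -> scheduled local time, ISO 8601 with UTC offset.
# 26 Oct 2014 is the morning after UK clocks changed from BST (+01:00) to GMT (+00:00).
SCHEDULE = {
    ("BA123", "2014-10-25"): "2014-10-25T07:30:00+01:00",
    ("BA123", "2014-10-26"): "2014-10-26T07:30:00+00:00",
}

# Constructed complaint log: submission time, flight number, flight date, sender.
# The scripted senders (a@, b@) keep firing at 06:35 UTC, which is 07:35 local
# before the clock change but 06:35 local (before the flight) afterwards.
COMPLAINTS = """\
2014-10-25T07:35:00+01:00 flight=BA123 date=2014-10-25 from=a@example.com
2014-10-25T07:35:00+01:00 flight=BA123 date=2014-10-25 from=b@example.com
2014-10-25T07:52:00+01:00 flight=BA123 date=2014-10-25 from=c@example.com
2014-10-26T06:35:00+00:00 flight=BA123 date=2014-10-26 from=a@example.com
2014-10-26T06:35:00+00:00 flight=BA123 date=2014-10-26 from=b@example.com
2014-10-26T07:41:00+00:00 flight=BA123 date=2014-10-26 from=d@example.com
"""


def parse_complaint(line):
    """Split one log line into a timezone-aware timestamp and its key=value fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"when": datetime.fromisoformat(ts), "flight": kv["flight"],
            "date": kv["date"], "from": kv["from"]}


def analyse(log_text, schedule):
    """Return (impossible, repeated_offsets).

    impossible: (sender, flight, date) for complaints that arrived before the
                flight they complain about, i.e. before any noise could be heard.
    repeated_offsets: lag in seconds after the flight -> number of complaints,
                for lags shared by two or more complaints (scripted timing).
    """
    impossible = []
    offsets = Counter()
    for line in log_text.splitlines():
        c = parse_complaint(line)
        flight_time = datetime.fromisoformat(schedule[(c["flight"], c["date"])])
        lag = (c["when"] - flight_time).total_seconds()  # aware datetimes: offsets handled
        if lag < 0:
            impossible.append((c["from"], c["flight"], c["date"]))
        offsets[lag] += 1
    repeated = {lag: n for lag, n in offsets.items() if n >= 2}
    return impossible, repeated


if __name__ == "__main__":
    impossible, repeated = analyse(COMPLAINTS, SCHEDULE)
    print("complaints before the flight:", impossible)
    print("offsets shared by several senders:", repeated)
```

On the sample data the first check flags both scripted senders on 26 October, and the second shows that the same two senders also shared an identical 5-minute offset on the day before the clocks changed, which would have been visible without the lucky timing error.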

Posted on: 29 January 2015 at 16:04 hrs

09 January 2015

FTC Final Order Against Snapchat

Following a public comment period in May-June 2014, at the end of December the US consumer protection body, the Federal Trade Commission (FTC), approved a final order settling charges against Snapchat that lasts for twenty years.

Part of the FTC's final order against Snapchat Inc showing the text 'VII. IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report. VIII. This order will terminate on December 23, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order's application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.'

The charges related to how Snapchat deceived consumers about the automatic deletion of private images sent through the service.

The key FTC documents are:

The final order, 23rd December 2014:

  • Prohibits Snapchat from misrepresenting how its products or services maintain and protect the privacy, security, or confidentiality of any covered information
  • Requires Snapchat to establish and implement, and thereafter maintain, a comprehensive privacy program
  • Requires Snapchat to obtain an initial and, for 20 years, biennial assessments and reports from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession
  • Requires Snapchat to retain for 5 years records of all communications, complaints, notifications about possible order compliance failures, and assessment materials
  • Requires Snapchat to ensure it provides a copy of the order, and keep evidence of this, to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of the order
  • Requires Snapchat to notify the FTC of relevant corporate structure changes
  • Requires Snapchat to provide, within 90 days of the order, a document detailing the manner and form of its compliance with the order.

The order ends on 23rd December 2034 — an additional twenty year compliance overhead on top of the privacy program they should already have had in place.

I wonder if US consumers are also affected by the Moonpig API saga.

Posted on: 09 January 2015 at 08:42 hrs

05 December 2014

The Problems with Security Badges, Seals and Marks

A paper presented at this year's Association for Computing Machinery (ACM) Conference on Computer and Communications Security discusses why security-related third-party seals are poor indicators of site security, and how in some cases they can actually assist attackers to compromise the web sites.

Partial view of the content in the paper 'Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals'

Problems with one of the privacy seal providers have been in the news recently, and the paper Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals assesses the effect on a web site's security by including a security seal from service providers Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity.

The paper's authors Tom Van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis examined the guarantees offered by these schemes, and the realities. Their findings were:

  • There is a lack of thoroughness, meaning insecure websites being certified as secure
  • Malware hosted on a certified web site can trivially evade detection
  • Some attacks can be facilitated by the seal scheme
  • Phishing attacks can be aided by the use of seals
  • The seals can be used to help attackers find vulnerable web sites.

The message is to concentrate on building and operating secure web sites, through application security in the software development life cycle (SDLC), rather than using a seal to create the illusion of security.

Posted on: 05 December 2014 at 08:32 hrs

02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAT checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

SANS Institute                | David Rook                                  | OWASP                        | OWASP
SWAT Checklist Category       | AppSec Principle                            | Cornucopia Suit              | Proactive Control
------------------------------|---------------------------------------------|------------------------------|------------------------------------------------------------
Authentication                | Authentication                              | Authentication               | Establish identity and authentication controls
Session management            | Session management                          | Session management           | -
Access control                | Authorisation, Secure resource access       | Authorization                | Implement appropriate access controls
Input and output handling     | Input validation, Output validation         | Data validation and encoding | Validate all inputs, Parameterize queries, Encode data
Data protection               | Secure communications, Secure storage       | Cryptography, Cornucopia     | Protect data and privacy
Error handling and logging    | Error handling                              | Cornucopia                   | Implement logging, error handling and intrusion detection
Configuration and operations  | -                                           | Cornucopia                   | -
-                             | -                                           | (all requirements)           | Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in

So, a good overlap, albeit each of these has a somewhat different intent. The SWAT best practices are cross-referenced to the Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs

17 October 2014

Cost of Cyber Crime for UK Companies 2014

The third annual study of the cost of cyber crime in UK companies has been published.

Partial view of the cover from the Ponemon report ''

This 2014 report from the Ponemon Institute is the third annual study of UK companies, and is based on a representative sample of 38 organisations across industries. Findings for other regions/nations, relating to 257 companies in 7 countries in total, have also been published.

The report describes:

  • Mean annual cost
  • How the cost varies across sectors
  • Types of cyber crime
  • Mitigations
  • Effect of response time on incident cost.

2014 Cost of Cyber Crime Study: United Kingdom can be downloaded for free from HP after registration.

Also of use in this area, an analysis of the value of data and tools/services to criminals was published this month by the Infosec Institute.

Posted on: 17 October 2014 at 07:30 hrs

07 October 2014

Request to Participate in the OWASP CISO Survey 2014

The OWASP CISO Survey Report was published in January 2014.

OWASP is again conducting the survey among senior information security leaders and managers and needs your help. The results will be published in the OWASP CISO Report 2014 which will be free to access and use. The project team has asked if we can share this invitation with security contacts in companies and other organisations.

Dear colleague,

The new OWASP CISO Survey 2014 will be closing soon. Hundreds of CISOs already shared their thoughts, but we need to broaden the data pool further to later be able to derive good regional analysis of the results.

So please help by forwarding to your chapters, sharing with your colleagues, and forwarding to the security managers within your organisations and peers!

As respected information security leaders in the industry, OWASP (Open Web Application Security Project, www.owasp.org) would like to hear your opinion and invite you to share this survey invitation with your security managers and/or peers.

OWASP is preparing the Global CISO report 2014 and conducting a survey among CISOs and senior information security managers in relation to application security with the aim of providing you with new insights about the state of application security across various industry sectors and about new security trends and aligning our efforts to better help solving the problems of the future that you face.

The survey shall take only a few minutes of your precious time and by completing it you are helping shape the future of Internet and software security. At the conclusion of the survey, the aggregated results will be publicly available in the form of a free report on the owasp.org website, keeping your information completely anonymous. (If you are interested, the published results of the last CISO Survey Report 2013 can be found at https://www.owasp.org/index.php/OWASP_CISO_Survey).

As you may know, OWASP is a volunteer open-source organization dedicated to fighting the causes of software insecurity. We are also a registered charity & non-profit in the USA and the EU. See more at https://www.owasp.org/index.php/About_OWASP.

The survey can be found here: https://www.surveymonkey.com/s/CISOSurvey2014

Or if you prefer a different language, this survey is also available in:

Early participants, before October-8 (23:59 GMT) [tomorrow!], can take part in a raffle. If you provide your contact details at the end of the survey, you will be entered into a drawing for one of the generously donated prizes. The Survey will finally close on October 31st.

Thank you very much in advance for your time and input.

Best regards,

Your OWASP Global CISO Survey & Report Project team

If you are a CISO, please complete the survey; otherwise please forward details to relevant contacts.

Posted on: 07 October 2014 at 18:35 hrs

01 October 2014

Online Organised Crime 2014

Europol's European Cybercrime Centre (EC3) has published a new report about online organised crime.

Partial screen capture of the cover from European Cybercrime Centre (EC3) report '2014 Internet Organised Crime Threat Assessment (iOCTA)'

EC3 is the focal point in the EU's fight against cybercrime; it supports the operational and analytical capacity of Member States and of the European Union's institutions for investigations, and cooperation with international partners.

The 2014 Internet Organised Crime Threat Assessment (iOCTA) (summary findings and recommendations) identifies global trends, a service-based culture, and abuse of anonymisation as the main issues. The recommendations presented relate to activities in awareness, capacity building, training, partnerships, protection and investigation.

Although the data is rather generic for application threats, there is good information for broader risk assessments.

Posted on: 01 October 2014 at 09:10 hrs
Detective : Application Security and Privacy
Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk