15 May 2015


Posts relating to the category tag "monitoring" are listed below.

13 June 2014

Characterising Fraudulent Online Customers

Payment processor 2Checkout has launched a new quarterly report detailing payment fraud trends.

Partial view of one of the charts from 2Checkout Fraud Index 2014Q1

2Checkout Fraud Index 2014 Quarter 1 contains information from the company's own checkout and payment fraud monitoring systems, cross tabulated against other observed buyer characteristics.

The report includes data on and ranks buyer fraud by:

  • Credit card issuer
  • Billing address
  • IP address
  • Currency
  • Cross border status
  • Product type
  • Value of transaction.

Any prior national prejudices might be challenged. Useful stuff if you are running your own online fraud monitoring system and setting thresholds for potential fraud alerts.

Posted on: 13 June 2014 at 09:35 hrs


10 May 2014

AppSensor Guide Part VI: Reference Materials

This post describes Part VI, the final part, of the new OWASP AppSensor Guide v2.0, published on 2nd May.

Photograph of a street barrier with a notice stating 'Caution - Traffic management Trial - Do Not Move'

"Part VI: Reference Materials" comprises seven sections:

  • Glossary
  • Detection Points
  • Responses
  • Data Signaling Exchange Formats
  • Awareness and Training Resources
  • Feedback and Testimonials
  • References.

Part VI contains the primary information sources, including the full lists and details of the detection point types and the response types. This part therefore accounts for a quarter of the 40 tables and 51 figures in the guide.

Updates to these and further reference materials are maintained on the OWASP AppSensor Project website.

Previous posts describe the other parts of the new guide.

Posted on: 10 May 2014 at 12:12 hrs


09 May 2014

AppSensor Guide Part V : Model Dashboards

This post describes what is in Part V of the new OWASP AppSensor Guide v2.0, published on 2nd May.

Photograph of a technician lying on the ground in the middle of a street behind a barrier, working on a display sign

"Part V : Model Dashboards" comprises three shorter chapters:

  • Chapter 27 : Security Event Management Tools
  • Chapter 28 : Application-Specific Dashboards
  • Chapter 29 : Application Vulnerability Tracking.

Part V introduces the necessary concepts for visualising AppSensor data, and presents example application-specific dashboards that have already been created.

Data visualisation of real-time attack detection and response provides organisations with much needed insight into whether their applications are under attack, and by whom.

Previous and a subsequent post describe the other parts of the new guide.

Posted on: 09 May 2014 at 15:19 hrs


09 May 2014

AppSensor Guide Part IV : Demonstration Implementations

This post describes what is in Part IV of the new OWASP AppSensor Guide v2.0, published on 2nd May.

Photograph of a wooden gate to a field, with a sign 'Beware of Bull' on it, with verdant green grass and coniferous trees behind

"Part IV : Demonstration Implementations" comprises seven chapters, each three pages long, describing model implementations:

  • Chapter 20 : Web Services (AppSensor WS)
  • Chapter 21 : Fully Integrated (AppSensor Core)
  • Chapter 22 : Light Touch Retrofit
  • Chapter 23 : Ensnare for Ruby
  • Chapter 24 : Invocation of AppSensor Code Using Jni4Net
  • Chapter 25 : Using an External Log Management System
  • Chapter 26 : Leveraging a Web Application Firewall.

Part IV provides practical examples of how the AppSensor concept can be deployed, including some standalone components that could be utilised within an organisation's own deployments, or to act as inspiration. The OWASP code portion of the AppSensor Project, that aims to build a reference implementation for concepts conveyed in the guide, is described in chapters 20 and 21.

Each chapter describes the source of the implementation, provides a schematic arrangement, defines which types of detection points and responses are possible, gives the location of the source code, and details any considerations and related implementations. There is no single implementation method or single best-suited out-of-the-box solution, since the approach is application-specific.

Previous and subsequent posts describe the other parts of the new guide.

Posted on: 09 May 2014 at 11:57 hrs


08 May 2014

AppSensor Guide Part III : Making It Happen

This post describes what is in Part III of the new OWASP AppSensor Guide v2.0, published on 2nd May.

Photograph of a construction materials compound surrounded by a wire fence with a red and white reflective warning stripe along it

"Part III : Making It Happen" comprises seven chapters and is the largest part of the guide apart from the reference materials:

  • Chapter 13 : Introduction
  • Chapter 14 : Design and Implementation
  • Chapter 15 : Verification, Deployment and Operation
  • Chapter 16 : Advanced Detection Points
  • Chapter 17 : Advanced Thresholds and Responses
  • Chapter 18 : AppSensor and Application Event Logging
  • Chapter 19 : AppSensor and PCI DSS for Ecommerce Merchants.

Part III describes the process of planning, implementing and operating application-specific attack detection and response. The process described is technology agnostic and attempts to be descriptive rather than prescriptive, providing awareness, a description of the problem set, an outline of different approaches at a higher level and some generic approaches.

A description is provided of how to integrate AppSensor concepts into the software development lifecycle (SDLC), and includes mappings to the Open Software Assurance Maturity Model (Open SAMM), the Building Security In Maturity Model (BSIMM), the BITS Financial Services Roundtable Software Assurance Framework, and the Microsoft Security Development Lifecycle (MS SDL). Chapters 17 and 18 provide further information for those wishing to delve deeper into the selection and definition of detection points, attack determination thresholds and responses.

The guide shows how success using AppSensor concepts comes down to many details, and how the process suggested in Part III should be adapted to an organisation's own culture, its working practices and its risks.

Previous and subsequent posts describe the other parts of the new guide.

Posted on: 08 May 2014 at 13:12 hrs


08 May 2014

AppSensor Guide Part II : Illustrative Case Studies

This post describes what is in Part II of the new OWASP AppSensor Guide v2.0, published on 2nd May.

Photograph of a sign that reads 'Keep Out' in large white letters on a blue background

"Part II : Illustrative Case Studies" comprises eight chapters, each 1-2 pages long:

  • Chapter 5 : Case Study of a Rapidly Deployed Web Application
  • Chapter 6 : Case Study of a Magazine's Mobile App
  • Chapter 7 : Case Study of a Smart Grid Consumer Meter
  • Chapter 8 : Case Study of a Financial Market Trading System
  • Chapter 9 : Case Study of a B2C Ecommerce Website
  • Chapter 10 : Case Study of B2B Web Services
  • Chapter 11 : Case Study of a Document Management System
  • Chapter 12 : Case Study of a Credit Union's Online Banking.

Part II demonstrates how AppSensor can be used for a range of different software application architectures and business risks. The case studies span market sectors and application types, including web sites, web services, mobile apps, critical infrastructure and client-server.

Each case study demonstrates how business objectives influence the selection of detection points and responses. They show how there is no one single AppSensor solution applicable to all applications and organisations.

Previous and subsequent posts describe the other parts of the new guide.

Posted on: 08 May 2014 at 07:35 hrs


07 May 2014

AppSensor Guide Part I : AppSensor Overview

This post describes what is in Part I of the new OWASP AppSensor Guide v2.0, published on 2nd May.

Photograph of a sign on some security fencing that reads 'Warning - commit a crime here and you will be forensically tagged'

"Part I : AppSensor Overview" comprises four chapters spanning almost 30 pages of content:

  • Chapter 1 : Application-Specific Attack Detection & Response
  • Chapter 2 : Protection Measures
  • Chapter 3 : The AppSensor Approach
  • Chapter 4 : Conceptual Elements.

Part I gives a high-level overview of the concept. It also details why it is different to traditional defensive techniques. This is then followed by a description of the general approach towards implementing AppSensor within application software projects.

It describes how the OWASP AppSensor Project defines a conceptual framework, methodology, guidance and example code to implement attack detection and automated responses. It is not a bolt-on tool or code library, but instead offers insight into an approach for organisations to specify or develop their own implementations - specific to their own business, applications, environments and risk profile - building upon existing standard security controls.
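The conceptual elements described in Part I (detection points, attack-determination thresholds and responses, which Part III's advanced chapters then elaborate) can be sketched as a small sliding-window engine. This is an added illustration, not code from the OWASP AppSensor Project or the guide; the detection point identifiers, thresholds and responses below are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class DetectionPoint:
    """One detection point with its attack-determination threshold and response."""
    point_id: str          # constructed identifier, only loosely modelled on the guide's labels
    description: str
    count: int             # events from one user within the window that constitute an attack
    window_seconds: int    # sliding window length; 0 means every event counts on its own
    response: str          # response to apply when the threshold is reached


@dataclass
class AppSensorEngine:
    """Collects suspicious events per user and per detection point, and decides on responses."""
    points: dict                                   # point_id -> DetectionPoint
    events: dict = field(default_factory=lambda: defaultdict(deque))  # (user, point_id) -> timestamps
    responses: list = field(default_factory=list)  # audit trail of (user, point_id, response, when)

    def record(self, user: str, point_id: str, now: float):
        """Record one event; return the response name if the threshold is crossed, else None."""
        dp = self.points[point_id]
        history = self.events[(user, point_id)]
        history.append(now)
        # forget events that have fallen out of the sliding window
        while history and now - history[0] > dp.window_seconds:
            history.popleft()
        if len(history) < dp.count:
            return None
        history.clear()  # reset so one burst triggers the response once
        self.responses.append((user, point_id, dp.response, now))
        return dp.response


def demo():
    """Run a constructed event stream through two constructed detection points."""
    engine = AppSensorEngine(points={
        "AE1": DetectionPoint("AE1", "use of multiple usernames", 3, 60, "log out user"),
        "IE1": DetectionPoint("IE1", "cross-site scripting attempt", 1, 0, "disable account"),
    })
    # constructed stream of (seconds since start, user, detection point)
    stream = [(0, "alice", "AE1"), (10, "alice", "AE1"), (200, "alice", "AE1"),
              (210, "alice", "AE1"), (215, "alice", "AE1"), (300, "bob", "IE1")]
    # alice's first two events age out of the 60 s window before her third, so only
    # the three events at 200-215 s reach the threshold; bob's single event is enough
    return [engine.record(user, point, t) for t, user, point in stream]
```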

Subsequent posts describe the other parts of the new guide.

Posted on: 07 May 2014 at 17:21 hrs


06 May 2014

AppSensor Guide v2.0 Released

I have been working on writing a new full guide to OWASP AppSensor, the project that describes and explains creating attack-aware software applications with real-time defences. It is now complete.

Banner image for AppSensor Guide v2 using a photograph by Colin Watson of Light Installation by David Press taken at the Kinetica Art Fair 2012, Ambika P3 Gallery, London and overlaid with the words 'AppSensor Guide v2.0 - Application-Specific Real Time Attack Detection and Response'

The new book was announced to the project's mailing lists in a message sent a short time ago. The AppSensor Guide v2.0 is written in English, and is available in three formats:

OWASP AppSensor is free to use and it is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

The guide was completed entirely on a voluntary basis with no funding. However we are fortunate to have received some funding from the OWASP Project Reboot Initiative to help promote the new book.

I would like to thank co-authors Dennis Groves and John Melton, and the other contributors, editors and reviewers, Ryan Barnett, Michael Coates, Craig Munson and Jay Reynolds. The growth and increased maturity of the project would not have been possible without the other people who contributed feedback, suggestions and ideas to the project, primarily through the mailing list and at OWASP chapter meetings. They are also listed in the book's acknowledgements.

The project has also benefitted greatly from the generous contribution of time and effort by many other volunteers in the OWASP community including those in the OWASP ESAPI project, members of the former OWASP Global Projects Committee, and participants at the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

The foreword, written by project founder and OWASP board chair Michael Coates, is followed by a motivating preamble, written by co-project leader and OWASP co-founder Dennis Groves. The core of the book is arranged into the following parts:

Over the next days I will enumerate further what is in each of these sections.

Posted on: 06 May 2014 at 17:27 hrs


29 April 2014

Worry When Your SEO is Worse Than Your Attackers

Sometimes fake web sites can be "better" than their originals. As reported this week, the Victoria's Secret web site has been duplicated in a very convincing copy. So good in fact, Google ranks it higher when searching for "Victoria Secret UK".

Screen capture of the google.co.uk search results for 'victoria secret uk' with the first result being the fake website

The possibly fake website is quite convincing, allows payment in five currencies, and cheekily has the "Verisign Secured" and "McAfee Secure" logos on the product pages. If this is a fake site, the motive could be to gather personal data through the registration process, or to steal cardholder data via the payment form using "ZHBPay Payment Gateway", or to sell counterfeit goods. Of course, it might be a valid site of a local agent or reseller, but the product ranges seem different. The conditions of use page is quite poorly written. It's a bit odd.

Screen capture of a catalogue page on the fake website showing the Verisign Secured and McAfee Secure logos

The real primary Victoria's Secret website, aimed at North American customers is:


But there is a real UK-orientated splash page at the .co.uk equivalent domain (whois lookup):


The possibly fake site is (whois lookup):


A quick check on common factors used to improve search engine rankings suggests that the primary .com website has some problems, and the fake site has some more. But what differentiates it here is that the fake site is better for the term "uk" than the real splash page.

The victoriassecrettuk.co.uk domain name was registered by an individual:

Nominet whois tool data for victoriassecrettuk.co.uk

Searching for "victorias secret uk" instead gives another site, www.thegrapescafebar.co.uk, as the first result, which redirects to the fake site above.

Screen capture of the google.co.uk search results for 'victoria secrets uk'

What's even more confusing is that the UK customer care email address uses yet another domain (tellvictoria@victoriassecret.uk.com) and www.victoriassecret.uk.com redirects to the UK splash page (on www.victoriassecret.co.uk).

Domain name fail, and search engine optimisation (SEO) fail. Attacker win. The suspicious site is still there, three days after that initial report. I have emailed the real company just in case they are still not aware.

Posted on: 29 April 2014 at 21:39 hrs


09 April 2014

Third-Party Tracking Cookie Revelations

A new draft paper describes how the capture of tracking cookies can be used for mass surveillance and, where other personal information is leaked by web sites, to build up a wider picture of a person's real-world identity.

Title page from 'Cookies that give you away: Evaluating the surveillance implications of web tracking'

Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan at Princeton University's Department of Computer Science investigated how someone with passive access to a network could glean information from observing HTTP cookies in transit. The authors explain how pseudo-anonymous third-party cookies can be tied together without having to rely on IP addresses.

Then, given personal data leaking over non-SSL content, this can be combined into a larger picture of the person. The paper assessed what personal information is leaked from Alexa Top 50 sites with login support.

This work is likely to attract the attention of privacy advocates and regulators, leading to increased interest in cookies and other tracking mechanisms.

The research work was motivated by two leaked NSA documents.

Posted on: 09 April 2014 at 10:02 hrs



Monitoring : Application Security and Privacy
© 2008-2015 clerkendweller.uk