20 March 2015

Preventative

Posts relating to the category tag "preventative" are listed below.

09 January 2015

FTC Final Order Against Snapchat

Following a public comment period in May-June 2014, at the end of December the US consumer protection body Federal Trade Commission has approved a final order settling charges against Snapchat that lasts for twenty years.

Part of the FTC's final order against Snapchat Inc showing the text 'VII. IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report. VIII. This order will terminate on December 23, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order's application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.'

The charges related to how Snapchat deceived consumers about the automatic deletion of private images sent through the service.

The key FTC documents are:

The final order, 23rd December 2014::

  • Prohibits Snapchat from misrepresenting how its products or services maintain and protect the privacy, security, or confidentiality of any covered information
  • Requires Snapchat to establish and implement, and thereafter maintain, a comprehensive privacy program
  • Requires Snapchat to obtain an initial and, for 20 years, biennial assessments and reports from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession
  • Requires Snapchat to retain for 5 years records of all communications, complaints, notifications about possible order compliance failures, and assessment materials
  • Requires Snapchat to ensure it provides a copy of the order, and keep evidence of this, to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of the order
  • Requires Snapchat to notify the FTC of relevant corporate structure changes
  • Requires Snapchat to provide, within 90 days of the order, a document detailing the manner and form of its compliance with the order.

The order ends on 23rd December 2034 — an additional twenty year compliance overhead on top of the privacy program they should already have had in place.

I wonder if US consumers are also affected by the Moonpig API saga.

Posted on: 09 January 2015 at 08:42 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 January 2015

Moonpig Website Vulnerability, Incident and Breaches

Personalised greetings card service Moonpig was all over the popular news yesterday.

Partial screen of the Moonpig customer support page that states 'A MESSAGE TO OUR CUSTOMERS: You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.'

Paul Price found an exploitable weakness in Moonpig's public API and contacted them in August 2013, and again a year later. Eventually he gave up and published details on Monday.

Following much Twitter activity, yesterday Moonpig tweeted:

We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.

Interesting spin, since the vulnerability relates to other personal data — passwords or payment card holder data. Shortly afterwards, Moonpig tweeted:

As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations: http://www.moonpig.com/uk/Information/Press/

Moonpig also added the following message to their customer support page:

A MESSAGE TO OUR CUSTOMERS: You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.

Although Moonpig has not responded to the core issue (personal information), the published details appear to indicate:

  • Breach of principle 7 of the Data Protection Act
  • Breach of the Payment Card Industry Data Security Standard (PCI DSS)
  • A disregard for customers' data when the company has been aware of the problem for so long, and it continued to collect and process personal data through the period.

PCI DSS is only relevant here if the system components for api.moonpig.com are within the PCI environment. There is no need for a cardholder data breach for there to be a breach of compliance with PCI DSS. The main www.moonpig.com systems are definitely within scope since payment cardholder data is collected on forms generated by the website and the data is sent back to the same Moonpig website.

Nevertheless, by passing through the shopping basket and check out, other application security and privacy concerns are evident such as system information leakage, sending personal data over unencrypted channels, and third-party code on checkout pages.

The API issue and the other public issues on the web site do not seem to even meet the baseline security controls published for years by OWASP.

The help page about Payment and Personal Details Security states:

Security is an important priority for us and we are committed to protecting your privacy. We are registered as required under the Data Protection Act 1998 (Reg. Z4843659) and we use the most up-to-date technology available to protect your personal details. To avoid the risk of computer fraud, your credit card number is not stored in our system at any point in the payment process. Please see our privacy and security policy here.

That is clearly not true and might therefore be a breach of the Advertising Standards Authority Online Remit. The above also hints that somehow payment cardholder data is safe because it "is not stored". That's good, but it is not the same as saying it is not processed by Moonpig systems at all, which is likely to be misleading to some consumers. The terms and conditions say very little about protecting personal data - except from "in transit", and as we know that is not true for all parts of the web site that collect or display personal data.

If that is not enough for Moonpig, if the API vulnerability also affects United States customers, we will see the US Federal Trade Commission get involved. That body has been very strict in recent enforcement actions for online privacy failings. Affected US readers can submit complaints to the FTC online.

Posted on: 07 January 2015 at 12:55 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

05 December 2014

The Problems with Security Badges, Seals and Marks

A paper presented at this year's Association for Computing Machinery (ACM) Conference on Computer and Communications Security discusses why security-related third-party seals are poor indicators of site security, and how in some cases can actually assist attackers to compromise the web sites.

Partial view of the content in the paper 'Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals'

Problems with one of the privacy seal providers have been in the news recently, and the paper Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals assesses the effect on a web site's security by including a security seal from service providers Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity.

The paper's authors Tom Van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis examined the guarantees offered by these schemes, and the realities. Their findings were:

  • There is a lack of thoroughness, meaning insecure websites being certified as secure
  • Malware hosted on a certified web site can trivially evade detection
  • Some attacks can be facilitated by the seal scheme
  • Phishing attacks can be aided by the use of seals
  • The seals can be used to help attackers find vulnerable web sites.

The message is to concentrate on building and operating secure web sites, rather than using a seal to create the illusion of security. Application security through the software development life cycle (SDLC).

Posted on: 05 December 2014 at 08:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAP checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

SANS Institute David Rook Open Web Application Security Project
SWAT Checklist Category AppSec Principle Cornucopia Suit Proactive Control
Authentication Authentication Authentication Establish identity and authentication controls
Session management Session management Session management
Access control Authorisation,
Secure resource access
Authorization Implement appropriate access controls
Input and output handling Input validation,
Output validation
Data validation and encoding Validate all inputs,
Parameterize queries,
Encode data
Data protection Secure communications,
Secure storage
Cryptography,
Cornucopia
Protect data and privacy
Error handling and logging Error handling Cornucopia Implement logging, error handling and intrusion detection
Configuration and operations - Cornucopia -
- - (all requirements) Leverage security features of frameworks and security libraries,
Include security-specific requirements,
Design and architect security in

So, a good overlap, albeit each of these has somewhat different intent. The SWAT best practices are cross-referenced to Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

25 November 2014

Two ENISA Reports on Cryptography

At the end of last week, the European Union Agency for Network and Information Security (ENISA) published two reports on the use of cryptography.

One of the tables from ENISA's report 'Algorithms, Key Size and Parameters 2014'

Algorithms, Key Size and Parameters 2014 (PDF) provides guidance on appropriate cryptographic protective measures for the protection of personal data in online systems. The report defines primitives/schemes that can be considered for use today, as well as those for new/future systems. The document is intended for technical specialists designing and implementing cryptographic solutions..

The second report, Study on Cryptographic Protocols (PDF) extends the previous report to look at how the primitives/schemes are used in cryptographic protocols.

Both reports are free to access without registration.

Posted on: 25 November 2014 at 18:27 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

06 November 2014

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls.

OWASP Snakes and Ladders Mobile Apps

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

OWASP Snakes and Ladders Web Applications

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

  • Manuel Lopez Arredondo
  • Tobias Gondrom
  • Martin Haslinger
  • Riotaro Okada
  • Ferdinand Vroom
  • Ivy Zhang

Print-ready PDFs have been published - these are poster sized A2 (international world-wide paper sizes). But the original files are Adobe Illustrator, so these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence.

Just print out the sheet as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

Please enjoy and share.

Further information, and all the PDFs and source files, are available on the Snakes and Ladders project website. Please keep in touch by joining the project mailing list.

Posted on: 06 November 2014 at 08:31 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

22 October 2014

Denial of Service Attack Prevalence and Recurrence

I do not often refer readers of the blog to the Akamai State of the Internet report, but the latest edition contains some useful data on denial of service (DoS) attacks.

One of the distributed denial of service (DDoS) data charts from the Akamai State of the Internet report Q2 2014

The 2014 Q2 State of the Internet Report can be downloaded after registration and providing some sales lead information.

The observations on denial of service attacks describes how almost 30% of the ports attacked relate to web applications, and provides a break down of attacks by industry sector for its clients. But of particular interest in the latest report is data on the frequency of repeated attacks against a single organisation.

The report includes much more information on Internet adoption and usage.

The 2014 Q2 Global DDoS Attack Report is also available from Prolexic, now owned by Akamai. There is also a well-designed chart on this page from June showing the nation source and destination of DoS attacks.

Posted on: 22 October 2014 at 18:07 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

17 October 2014

Cost of Cyber Crime for UK Companies 2014

The third annual study of the cost of cyber crime in UK companies has been published.

Partial view of the cover from the Ponemon report ''

This 2014 report from Ponemon Institute is the third annual study of U.K companies, and is based on a representative sample of 38 organisations across industries. Findings for other regions/nations, relating to 257 companies in 7 countries in total, have also been published.

The report describes:

  • Mean annual cost
  • How the cost varies across sectors
  • Types of cyber crime
  • Mitigations
  • Effect of response time on incident cost.

2014 Cost of Cyber Crime Study: United Kingdom can be downloaded for free from HP after registration.

Also of use in this area, an analysis of the value of data and tools/services to criminals was published this month by the Infosec Institute.

Posted on: 17 October 2014 at 07:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 October 2014

Request to Participate in the OWASP CISO Survey 2014

The OWASP CISO Survey Report was published in January 2014.

OWASP is again conducting the survey among senior information security leaders and managers and needs your help. The results will be published in the OWASP CISO Report 2014 which will be free to access and use. The project team has asked if we can share this invitation with security contacts in companies and other organisations.

Dear colleague,

The new OWASP CISO Survey 2014 will be closing soon. Hundreds of CISOs already shared their thoughts, but we need to broaden the data pool further to later be able to derive good regional analysis of the results.

So please help by forwarding to your chapters, sharing with your colleagues, and forwarding to the security managers within your organisations and peers!

As respected information security leaders in the industry, OWASP (Open Web Application Security Project, www.owasp.org) would like to hear your opinion and invite you to share this survey invitation with your security managers and/or peers.

OWASP is preparing the Global CISO report 2014 and conducting a survey among CISOs and senior information security managers in relation to application security with the aim of providing you with new insights about the state of application security across various industry sectors and about new security trends and aligning our efforts to better help solving the problems of the future that you face.

The survey shall take only a few minutes of your precious time and by completing it you are helping shape the future of Internet and software security. At the conclusion of the survey, the aggregated results will be publicly available in the form of a free report on the owasp.org website, keeping your information completely anonymous. (If you are interested, the published results of the last CISO Survey Report 2013 can be found https://www.owasp.org/index.php/OWASP_CISO_Survey).

As you may know, OWASP is a volunteer open-source organization dedicated to fighting the causes of software insecurity. We are also a registered charity & non-profit in the USA and the EU. See more at https://www.owasp.org/index.php/About_OWASP.

The survey can be found here: https://www.surveymonkey.com/s/CISOSurvey2014

Or if you prefer a different language, this survey is also available in:

Early participants, before October-8 (23:59 GMT) [tomorrow!], can take part in a raffle. If you provide your contact details at the end of the survey, you will be entered into a drawing for one of the generously donated prizes. The Survey will finally close on October 31st.

Thank you very much in advance for your time and input.

Best regards,

Your OWASP Global CISO Survey & Report Project team

If you are a CISO, please complete the survey; otherwise please forward details to relevant contacts.

Posted on: 07 October 2014 at 18:35 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

03 October 2014

Free Software Security Training Course

Coursera provides a platform for universities to publish and deliver free online courses.

Partial screen capture from the Cousera page about the free training course 'Software Security'

I noticed the platform now has a software security course run by Professor Michael Hicks (blog) from the University of Maryland. The syllabus covers:

  • Secure software design principles and process
  • Secure coding
  • Security testing, and auditing, including the following topics.

The course requires 3-5 hours work per week for six weeks. Two sessions are coming up:

  • 20th October to 6th December 2014
  • 23rd March to 4th April 2015.

I do not have experience of the course or Coursera but it looks like it might be a good introduction for software developers, if you can commit the time.

Posted on: 03 October 2014 at 08:25 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Preventative : Application Security and Privacy
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Requested by 54.227.9.98 on Sunday, 29 March 2015 at 08:24 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk