17 February 2015

Threats

Posts relating to the category tag "threats" are listed below.

28 November 2014

Game On at OWASP Cambridge and London

Next week I will be attending two free United Kingdom OWASP events, and providing a full talk at one of them.

Part of the OWASP Snakes and Ladders game board

Cambridge

On Tuesday 2nd December, I will speak for the first time at OWASP Cambridge about OWASP Cornucopia, the ecommerce website security requirement card game. Jerome Smith will present a second talk about a SSL Checklist for Pentesters.

Also at the event in Cambridge I will briefly mention the somewhat less serious application security awareness board game OWASP Snakes and Ladders and will be handing out free copies to everyone attending, kindly paid for by the OWASP Cambridge chapter. We will have time after the presentations to play both Cornucopia and Snakes and Ladders. On the subject of Snakes and Ladders, this week volunteers Yongliang He, Cédric Messeguer, Riotaro Okada and Ivy Zhang have generously translated the game for web applications into Chinese, French and Japanese.

Please register in advance for the free event in Cambridge The meeting will be held in the Lord Ashcroft Building, Room LAB003; 17:00 for a prompt start at 17:30 hrs.

London

On Thursday 4th December, OWASP London is holding its final event of the year in Skype's offices at 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST, 18:00 for 18:30 hrs start. Christian Martorella will be talking about Offensive Open-Source Intelligence (OSINT) — the process, techniques and how attackers are using it to prepare their cyber attacks. Afterwards project leader Matteo Meucci will speak about the new OWASP Testing Guide v4.

Then, as in Cambridge, I will mention OWASP Snakes and Ladders, with printed copies available for everyone, but this time paid for by the London chapter.

Please remember to register for OWASP London on Thursday 4th December.

Elsewhere

There are numerous other UK OWASP chapters — join their mailing lists to be informed of future meetings.

Seeking a bigger application security event? In January OWASP London will be organising a cyber security week, and AppSec EU 2015 is being held in Amsterdam next May. The call for research, papers and trainers for the latter are now open.

Posted on: 28 November 2014 at 07:55 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

06 November 2014

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls.

OWASP Snakes and Ladders Mobile Apps

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

OWASP Snakes and Ladders Web Applications

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

  • Manuel Lopez Arredondo
  • Tobias Gondrom
  • Martin Haslinger
  • Riotaro Okada
  • Ferdinand Vroom
  • Ivy Zhang

Print-ready PDFs have been published - these are poster sized A2 (international world-wide paper sizes). But the original files are Adobe Illustrator, so these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence.

Just print out the sheet as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

Please enjoy and share.

Further information, and all the PDFs and source files, are available on the Snakes and Ladders project website. Please keep in touch by joining the project mailing list.

Posted on: 06 November 2014 at 08:31 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

22 October 2014

Denial of Service Attack Prevalence and Recurrence

I do not often refer readers of the blog to the Akamai State of the Internet report, but the latest edition contains some useful data on denial of service (DoS) attacks.

One of the distributed denial of service (DDoS) data charts from the Akamai State of the Internet report Q2 2014

The 2014 Q2 State of the Internet Report can be downloaded after registration and providing some sales lead information.

The observations on denial of service attacks describes how almost 30% of the ports attacked relate to web applications, and provides a break down of attacks by industry sector for its clients. But of particular interest in the latest report is data on the frequency of repeated attacks against a single organisation.

The report includes much more information on Internet adoption and usage.

The 2014 Q2 Global DDoS Attack Report is also available from Prolexic, now owned by Akamai. There is also a well-designed chart on this page from June showing the nation source and destination of DoS attacks.

Posted on: 22 October 2014 at 18:07 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

17 October 2014

Cost of Cyber Crime for UK Companies 2014

The third annual study of the cost of cyber crime in UK companies has been published.

Partial view of the cover from the Ponemon report ''

This 2014 report from Ponemon Institute is the third annual study of U.K companies, and is based on a representative sample of 38 organisations across industries. Findings for other regions/nations, relating to 257 companies in 7 countries in total, have also been published.

The report describes:

  • Mean annual cost
  • How the cost varies across sectors
  • Types of cyber crime
  • Mitigations
  • Effect of response time on incident cost.

2014 Cost of Cyber Crime Study: United Kingdom can be downloaded for free from HP after registration.

Also of use in this area, an analysis of the value of data and tools/services to criminals was published this month by the Infosec Institute.

Posted on: 17 October 2014 at 07:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

01 October 2014

Online Organised Crime 2014

Europol's European Cybercrime Centre (EC3) has published a new report about online organised crime.

Partial screen capture of the cover from European Cybercrime Centre (EC3) report '2014 Internet Organised Crime Threat Assessment (iOCTA)'

EC3 is the focal point in the EU's fight against cybercrime which supports Member States and the European Union's institutions operational and analytical capacity for investigations, and cooperation with international partners.

The 2014 Internet Organised Crime Threat Assessment (iOCTA) (summary findings and recommendations) identifies global trends, a service-based culture, and abuse of anonymisation as the main issues. the recommendations presented relate to activities in awareness, capacity building, training, partnerships, protection and investigation.

Although the data is rather generic for application threats, there is good information for broader risk assessments.

Posted on: 01 October 2014 at 09:10 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

16 September 2014

AppSensor 2x2x2

OWASP AppSensor co-project leader John Melton has published two further AppSensor v2 assets.

Screen capture of the AppSensor 2 web site showing the headings on the user guide section - instrument your application, test and deploy the system, monitor, and tweak as necessary

AppSensor defines how to implement application intrusion detection and automated response.

Website 2.0.0

John has designed, coded and written a new standalone website for AppSensor. It was published on Friday and includes a brief description of the concept, an overview, getting started information and a user guide for the reference implementation. In John's words, the objectives were to:

  • Explain the high level concept in a simple way and point people back to the project site and the book for more detail
  • Give developers a nice entry point to the project - modelled after other framework/library sites
  • Give us more flexibility in how we present the project (not just wiki format)
  • In the future, hoping to have live demos.

I think it succeeds on the first three of these, and I will help if I can with the final statement.

To provide feedback or to contribute, please use the project's general mailing list.

Code 2.0.0 beta

If the new website wasn't enough, John has also been putting in many hours of coding to finish developing the new standalone version AppSensor reference implementation. On Sunday he announced the beta release of version 2.0.0.

The reference implementation currently supports three execution modes:

  • REST web service
  • SOAP web service
  • Local (embedded Java).

John is hoping a final release can be arranged for October/November.

To provide feedback or to contribute, please use the project's code development mailing list.

2x2x2

So the AppSensor project now has a new guide, a new website, and will imminently have a final release of the version 2 code. I am thrilled. I will be highlighting this new code when I speak at the London API event tomorrow evening. If you are attending that, I will have some free printed copies of the AppSensor Guide with me — if you would like one, please ask me a question about AppSensor.

Posted on: 16 September 2014 at 07:58 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

09 September 2014

Out and About During September

I have mentioned before about the many useful security, design and development meet-ups and events that I try to get along to.

Photograph of Google's Addy Osmani speaking about memory management at the London Web Performance Group on 26th August

A couple of weeks ago, I went along to a very useful London Web Performance Group meeting with the title of Google Web Perf Special. It was a bit outside my normal day-to-day work, so I found it particularly useful. Well the talks were recorded are are now available on line:

My upcoming plans for event attendance are:

If you are attending any of those, please find me and say hello.

Posted on: 09 September 2014 at 08:49 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

05 August 2014

The Impact of Mobile App Security Issues on Public Safety

The US National Institute of Standards and Technology (NIST) has published a summary of its recent workshop on the risks to public safety of mobile applications.

The title cover on Internal Report 8018 'Public Safety Mobile Application Security Requirements Workshop Summary (DRAFT)'

NIST Interagency Report (NISTIR) 8018 (draft, July 2014) captures an initial draft of security requirements for public safety mobile applications identified during a workshop in February attended by representatives from Association of Public-Safety Communications Officials (APCO) International, the first responders' network FirstNet and the US Department of Commerce.

The workshop was based around six areas of concern:

  • Battery life (needs and device capabilities)
  • Unintentional denial of service (DoS) (e.g. first responders saturating local network with data especially video
  • Mobile application vetting (for reliability and security)
  • Protection of data based on its confidentiality, availability and integrity requirements
  • Location information (capabilities, intentions and control
  • Identity management (devices and people).

It was good to see this alternative viewpoint on information security risk. Many organisations assess risk based on the likelihood of occurrence and impact on the organisation. The impact on individuals, other organisations and society may not even be considered. The impacts identified are for mobile apps that are developed meet the functional, capability, security, and usability needs of people working in the emergency services such as police, fire, and ambulance services. These users have different mobile application security requirements to members of the public, or non-emergency service organisations themselves.

Amongst the recommended next steps for app vetting, the document suggests establishing a testing and certification infrastructure for apps for public safety.

NIST is seeking feedback on the document until 13th September 2014 by email to nistir8018@nist.gov

Posted on: 05 August 2014 at 15:14 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

23 July 2014

Cyber Security in the Utility, Energy and Manufacturing Sectors

The Ponemon Institute has published the results of a survey examining how utility, energy and manufacturing organisations are addressing cyber security threats.

Photograph showing people in one of the service tunnels under the Thames Barrier, London

Critical Infrastructure: Security Preparedness and Maturity draws from interviews with 599 global IT and IT security executives in 13 countries, with a third of the responses from Europe.

The report demonstrates that although there is a high level of awareness, the priority given to reducing cyber risk is low, with a resulting low level of IT security maturity. Regarding actual incidents and breaches, there seem to be a high proportion of, or at least awareness of, accidents/mistakes, with negligent insiders being the highest rated threat. I think I'd like to see data for each of utility, energy and manufacturing as I suspect there will be marked differences in the threats.

From a monitoring perspective it seems that "real-time alerts are not effective" and that "more than 80 percent are false positives".

I think that's a "could do better" report.

Posted on: 23 July 2014 at 19:41 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

06 July 2014

Results from the Nominet Internet Awards 2014

Following my card game's shortlisting in the Nominet Internet Awards 2014, the awards ceremony was held in the London Film Museum on Thursday 3 July 2014.

Photograph of the welcome sign to the Nominet Internet Awards 2014

The location has a large collection of original James Bond vehicles which added to the glamour of the event. Unfortunately Cornucopia was not successful in the Making the Internet a Safer Place category, but congratulations to:

Thank you to the Nominet for a very well organised competition and evening, the judges, and to all the other winners and other shortlisted entries.

I will be attending the related reception at the Houses of Parliament on Wednesday.

Posted on: 06 July 2014 at 16:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Threats : Application Security and Privacy
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Requested by 54.81.120.138 on Monday, 2 March 2015 at 18:59 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk