News

Smartphones and Security: Protecting Yourself in 5 Easy Steps

Smartphone Security

Many people remain unaware that smartphones face even greater security threats than home computers. Viruses, hacking and theft can put sensitive personal information at risk. An article published in The Star Press during early 2012 warned that hackers frequently obtain account information and credit card details from smartphones. This also happens to the users of home and business computers.

However, the many integrated features of a smartphone make it even more valuable to hackers. It’s possible for them to listen in on your telephone calls and take pictures with the phone’s built-in camera, according to The New York Times. Some hackers can even monitor your personal conversations when the phone appears to be off. Over 1 million smartphones have already been hacked.

Fortunately, you can follow these tips to minimize smartphone security risks:

1. Use care when downloading smartphone applications. It can be very hazardous to download apps that were designed with ill-intent or negligence. Pennsylvania State University warns that such applications may cause serious harm to users, devices and cellphone networks. They can steal private information or make your smartphone more vulnerable to hacking. A study conducted by PSU in 2010 found that two out of three well-known apps transmit private data without user consent. Some retrieve the user’s phone number or location.

One way to find safe applications is to obtain them from reputable companies. You should know who created an app before using it. Some apps have lists of permissions that you can view before starting a download, according to The New York Times. Carefully inspect these lists and see if they make sense. For example, a card game shouldn’t have permission to take pictures or check your current location. (continue reading…)


Saudi hackers claim hack of hundreds of thousands of ‘Israeli credit cards’ after hacking one website

It seems that the hackers exploited a critical vulnerability in the web application of one.co.il.


Skip the password using SQL Injection in cookies

SQL injection via cookies gives an attacker the ability to inject SQL through a cookie parameter rather than through a form field or URL parameter.

useraccountid= [sql injection]

Example 1: useraccountid= x' or username='SYSMOX'#

* logs on to the SYSMOX account

Example 2: useraccountid= x' or 1=1#

Or
useraccountid= x' or username like '%25com'

In 2009 Twitter's DNS provider was hacked. Some people think that the DNS account password was brute-forced, or that web application security flaws were used.

But we discovered that the attack was more sophisticated: the hackers used SQL injection via cookies to target Twitter's DNS provider.

The attacker can inject via the cookie:

sql injection via cookies

(continue reading…)
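As an added illustration, not code from the original post, here is the cookie lookup pattern the post describes next to its parameterized fix, run against an in-memory SQLite table with constructed rows. SQLite has no MySQL-style # comment, so the injected cookie values below end in -- instead; the account ids are invented.

```python
import sqlite3


def build_db():
    """Create an in-memory accounts table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (useraccountid TEXT, username TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("a1b2c3", "alice"), ("d4e5f6", "SYSMOX")],  # constructed data
    )
    return conn


def lookup_vulnerable(conn, cookie_value):
    """Concatenate the raw cookie value into the SQL text.

    This is the flaw: the quote inside the cookie closes the string literal,
    so the rest of the cookie becomes part of the WHERE clause.
    """
    sql = "SELECT username FROM accounts WHERE useraccountid = '%s'" % cookie_value
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, cookie_value):
    """Bind the cookie value as a parameter.

    The driver sends the value separately from the statement, so quotes,
    OR clauses and comment markers in the cookie are just characters in a
    string that matches no account id.
    """
    row = conn.execute(
        "SELECT username FROM accounts WHERE useraccountid = ?", (cookie_value,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "x' or username='SYSMOX'--"   # Example 1 from the post, SQLite comment
    print("vulnerable:", lookup_vulnerable(db, payload))  # logs in as SYSMOX
    print("safe:      ", lookup_safe(db, payload))        # None: no such id
```

The same contrast holds for the post's second example: with string concatenation "x' or 1=1--" returns the first account in the table, while the bound-parameter query returns nothing.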


Web Application Security : Formal Trust and Authentication

Secure web application design is not product-specific: it is helpful in securely designing and implementing any web application, regardless of the platform. This article is part of a series on security-related topics, and many of these concepts are relevant to any application development cycle, including non-web applications.

 

1 Formal Trust
2 External Resources (Including Users)
3 Client Applications (Including Users)
4 Authentication (Trusting Identification)
5 Summary

 

Keeping computer security issues at bay is a full-time job. These columns provide general education, point out common security issues in implementations, and can aid you in both design and troubleshooting. However, they are not a substitute for a full-time security specialist individual or group in your organization.

Bear in mind that individual links are provided for reference; they may not be applicable to your specific architecture or configuration. Be sure to carefully check whether the procedures suggested or described apply to your configuration before implementing them. Also, be sure to test any change to your current configuration or process in a testing environment prior to applying them in any production environment.

 

1 Formal Trust

 

Last month’s column, How to Design Secure Web Applications, briefly discussed formal trust in the context of input validation and architectural research and design. This column discusses formal trust as a general concept, including how it relates not only to input validation, but also to topics such as working with external data resources (including users), building client-server applications (both web-based and not), and most importantly, authentication.

The first thing to keep in mind about formal trust is that it barely resembles the personal act of trusting (such as the “Can I trust my friend Bob?” idea). Formal trust is usually a calculation based on existing policies and on informed opinion about the implementation environment and relevant architecture in which an application is intended to execute. When a security analyst calculates the formal trust relationships for a given application implementation, she examines the requirements of the policy and existing procedure, compares these resources to the facilities provided by the data and other supporting resources, and makes implementation and design decisions based on how closely the resources match the policy.

Perhaps a more approachable way to think of the process of calculating formal trust is comparing it to a hiring process. Candidates must be appropriate to the position that is open, but beyond reading their resumes, it is still necessary to do background checks, interview them, and perhaps test them. You usually do this whether or not you personally think that candidates are trustworthy. You do it both because your HR policy states proper procedure for hiring someone to fill the role you need to fill and because you cannot afford to take chances. In no way is the standard way your company hires resources meant to be a personal criticism of a candidate; it is just the way the policy says it must be done.

(continue reading…)


The number of vulnerabilities discovered is still on the rise, with an increase of more than 70% over the past two years.

sysmox delivers vulnerability management security solutions that provide websites of all sizes with a more effective way to secure and manage their most valuable digital assets.

 

 

Website Security Testing for a Financial Company

Solutions for enterprise-sized companies. Learn how SySmox can assist you in managing vulnerabilities.

Small & Medium Sized Web Business Security Solutions

Solutions for small and medium-sized websites.

Why Manage Vulnerabilities:

The reality today is that the amount of security information is virtually unmanageable and, on top of this, the number of newly discovered vulnerabilities is increasing while the time available for remediation is decreasing. This forces IT departments to reassess their approach to protecting the corporate web server.

The effectiveness of targeted and automated website attacks has clearly demonstrated that most web portals lack sufficient vulnerability protection strategies, despite the fact that 99% of all exploits leverage known vulnerabilities (Source: US-CERT). Attackers use these vulnerabilities to plant JavaScript malware on websites, and many such websites end up flagged with “This site may harm your computer”.

Attackers use vulnerabilities in WordPress, osCommerce, in-house code and so on to target websites.

This site may harm your computer

sysmox’s aim is to give you exactly the intelligence you need to address vulnerabilities fast and effectively before intruders cause serious harm to your website.

Whether you control security from a central security department or have distributed security responsibilities, our services assure that you receive security alerts tailored to your IT infrastructure.

(continue reading…)


Flash Security : Flash privacy and security

 

 

Flash is an interface for rich Internet applications and the core technology behind several popular Web 2.0 websites. We all have it and we can’t imagine what our Internet experience would be without it. But what about security and privacy?

Adobe allows you to configure Flash security settings via the Settings Manager. In a nutshell, it is a special configuration panel that is displayed only when visiting the Adobe Flash web site. The Settings Manager lets you manage global privacy settings, storage settings and security settings. The information is stored on your local computer.

 

Global Privacy Settings (continue reading…)

ColdFusion security : Top seven ColdFusion Security Issues

This installment discusses the most prevalent security issues with server configurations and application implementations for ColdFusion. Future articles will discuss other security-related topics, both for other sysmox products specifically as well as for general security concepts that should be helpful for developers, server administrators, and others involved in web implementations.

Why Should You Care About Security Issues?
1 ColdFusion Directory Traversal
2 FCKeditor Bug
3 ColdFusion Administrator on Production Servers
4 Unvalidated Browser Input
5 Sample Applications and Documentation on Production Servers
6 CFFILE, CFFTP, and CFPOP
7 ColdFusion Studio and RDS with Production Servers

Please keep in mind that keeping computer security issues at bay can be a full-time job. While these columns seek to provide general education and point out common security issues in implementations, they are not meant as a substitute for a full-time security specialist group or individual in your organization.

Please also remember that when links are provided for reference, they may be advisories not applicable to your server or configuration. Be sure to carefully check whether the fixes and workarounds suggested apply to your configuration before implementing them. Also, be sure to test any patch in a testing environment prior to applying to a production environment.

Why Should You Care About Security Issues?

Security should be everyone’s concern. Over time, the professional security community has learned that the best-implemented security is carried out in a thorough and prevalent manner. If a developer, architect, or designer is not thinking explicitly about security, it simply won’t happen spontaneously.

Additionally, the wild, wild web is literally saturated with motivated attackers just waiting for a juicy target to attack and subvert. To make matters worse, many would-be attackers can find simple, automated “scripts” (automated tools that search for and exploit known security issues) with which to attack and subvert your server(s).

If any standard, well-known security issue is a concern with your server’s configuration, it is only a matter of time before an unknown attacker finds that she can, and does, successfully attack and potentially subvert your systems.

1 – ColdFusion directory traversal:

This is a variation of a classic directory traversal vulnerability that can be used for arbitrary file retrieval. Without special encoding the bug only lets you grab files ending in “.xml”, but by adding a “%00” (a null byte) that restriction is bypassed:

ColdFusion security (directory traversal)

The exploit:
http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

If the admin login password is stored as a hash (using the SHA-1 algorithm, similar to CF MX7), the attacker then attempts to crack it via an offline password-cracking attack or a rainbow table lookup. Note that the default setting in ColdFusion 8 is encrypted=true in the password.properties file. Otherwise. (continue reading…)
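Added here as a defender's illustration (not the post's code and not ColdFusion's own check): a validator for a locale-style parameter that decodes the value first so that “%00” and percent-encoded dots are inspected in the form the server would see, plus a scan over constructed access-log lines that flags requests carrying such values. The allowlist pattern and the log lines are assumptions for this example.

```python
import re
from urllib.parse import unquote

# Hypothetical allowlist for a locale identifier such as "en" or "en_US".
LOCALE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def locale_is_safe(raw_value: str) -> bool:
    """Return True only if the decoded locale value is a plain identifier.

    Decode before checking: "%2e%2e" is "..", and "%00" is a NUL byte that
    truncates C strings and so defeats a trailing ".xml" suffix check.
    """
    decoded = unquote(raw_value)
    if "\x00" in decoded:
        return False
    # Reject traversal sequences and path separators outright.
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return False
    return LOCALE_RE.fullmatch(decoded) is not None


def flag_requests(log_lines):
    """Return (line number, decoded locale) for each request whose locale
    value fails locale_is_safe. Expects lines containing 'locale=<value>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"[?&]locale=([^&\s\"]*)", line)
        if m and not locale_is_safe(m.group(1)):
            hits.append((n, unquote(m.group(1))))
    return hits


# Constructed sample log lines (not from the original post); the second
# carries the locale value shown in the post's exploit URL.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200',
    '10.0.0.9 - - "GET /CFIDE/administrator/enter.cfm?locale='
    '../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200',
    '10.0.0.7 - - "GET /CFIDE/administrator/enter.cfm?locale=%2e%2e%2fexample.xml HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, value in flag_requests(SAMPLE_LOG):
        print("line %d: suspicious locale %r" % (n, value))
```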


Being a good security citizen

It’s been said that the internet is a global community made of all the users on the network. Like any community, there are businesses conducting commerce, individuals going about their daily lives, and even a few bad actors. But unlike our physical communities, there are no police cars roaming the neighbourhoods looking for these bad actors. There aren’t even boundaries that help law enforcement activities. At the end of the day, this global community without boundaries means that every enterprise has to be on the lookout for not just the security of their own systems, but also the security of the community as a whole.

This is obviously a difficult situation. It’s hard enough to secure your own systems or websites; being on the lookout for the entire internet is an impossible situation. Further, it is outside the commonly accepted mission of most IT security departments to be accountable for security beyond the network boundaries. So, how do you balance the need to be a good security citizen with the need to minimise operational costs and maximise the assurance of your systems?

Passive mechanisms (continue reading…)


Secured on paper?

As with any other element of a company’s security programme, effective document security requires a combination of physical security measures, policies and procedures, and personnel. No security programme is complete or effective without some combination of these three security elements.

In today’s environment of information theft, just making sure documents are thrown in the trash is no longer an acceptable security risk. Document collection and destruction must be the cornerstone of effective document security. While some companies may destroy their own documents, for the purposes of this discussion it is assumed a company hires a document destruction contractor to perform that function.

The first phase of a document destruction security plan is to control the exit of documents. In other words, make sure the documents that require destruction actually leave the building to be destroyed rather than in regular waste or even worse in someone’s briefcase.

This is not as easily accomplished as one might think, and it may never be foolproof. The first step is to develop written policies and procedures as to what constitutes a document that needs to be destroyed and in what manner the documents are collected to facilitate the destruction. These policies and procedures will certainly vary from company to company.

The second step is to have personnel adhere to and enforce the written policies and procedures. One element of this is training every company employee on how to determine what documents need to be destroyed and how to handle and collect those documents. As with any training, it needs to be ongoing.

Another element is overseeing and enforcing the policies and procedures to make sure they are being followed. In some ways that may seem like a kindergarten-style policy, but the consequences of the information falling into the wrong hands may be so severe that this oversight is the best practice.

The third step is to have physical security measures in place to help facilitate the security of the documents. These measures can include access control systems for the exterior or interior parts of the building to restrict access to documents, CCTV systems for visual identification and verification and burglar alarm systems for after hours.

For even more sensitive documents, RFID technology can be employed: documents are tagged and alerts are raised if they begin to leave the building. Strict enforcement may also include physically checking those who leave for any documents. Physical security measures cannot be used in a vacuum; they require interaction with both policies and procedures and personnel.

The second phase of a document destruction security plan is evaluating and monitoring the security plan of the contractor used to destroy the documents. It would not make any sense to spend the time and money to help ensure that the documents wi (continue reading…)


DoS attacks Will Always Be With Us

The bad news is that denial-of-service (DoS) attacks are becoming more numerous on the Internet. Not only are DoS attacks more frequent, they are more potent, with the potential to do much greater harm than they’ve done to date. The good news? Right now, according to experts, is there a solution?

DoS attacks overwhelm computers, websites and servers with floods of bogus data, and hackers are increasingly aiming them at routers (either special-purpose computers or software packages that connect two or more networks or parts of networks), according to a recent report by the Sysmox team.
“Essentially routers have trust relationships with each other, and are the means by which networks interconnect with each other,” Kevin Houle, one of the authors of a CERT white paper on the subject, told News Factor Network.
“If I can take advantage of that trust relationship to inject bogus routes in the routing tables, there’s a potential for denial-of-service between two or more networks. They can be separated from each other.”

(continue reading…)


Copyright © 1996-2010 Web application security. All rights reserved.