Archive for the Web Security Category

Net Neutrality — What Is Open Internet?

Yesterday, U.S. communications regulators voted unanimously to support an open Internet rule that would prevent telecom network operators from barring or blocking content based on the revenue it generates.

“I am pleased that there is broad agreement inside the commission that we should move forward with a healthy and transparent process on an open Internet,” FCC Chairman Julius Genachowski said.

The vote came despite a flurry of lobbying against the net neutrality rule by telecommunications service providers like AT&T, Verizon and Qwest which say it would strip them of the ability to manage their networks effectively and would stifle innovation and competition.

[The rule] allows for “reasonable” network management to unclog congestion, clear viruses and spam, and block unlawful content like child pornography or the transfer of pirated content.

The challenge is how far to favor the end consumer versus how much to constrain the free market. How much freedom should an ISP have in deciding how to manage traffic on its network? What should be done to make sure one ISP does not play favorites by slowing traffic to its competitors?

From the looks of it, the FCC is leaning toward preventing service providers from discriminating in what services and content they will carry over their networks and under what circumstances.

What if I am in a one-horse town and I only have one reasonable option for high-speed Internet and my ISP decides it does not like specific sites like the Drudge Report, Fox News, CNN or categories of sites like hate, gambling, drugs, adult (not talking child porn here), or all sites in Arabic?

On the other hand, what if I decide that I want an ISP that supports my moral values and I elect that company to provide my Internet service?

What if my ISP elects to throttle down P2P traffic? Is that bad? It is bad for the P2P user, but is it bad for everyone else? So should the ISP be given free rein, or should there be some regulation?

I support the principle behind net neutrality in that all Internet traffic should be treated equally. As a rule, I don’t like the idea of my ISP screening, interrupting or filtering Internet content without a court order. Any fragmentation of services or control over specific protocols should be the exception and not the rule.

Vendor-Speak: Fear, Uncertainty and Doubt (FUD)

When I began my career in the 80s, I worked for a firm (NCR Comten) that competed against IBM. We provided communication processors for the mainframe/cluster controller/terminal industry. In the 90s, I worked for firms (Network Systems, Xylan, Alcatel) that sold channel extension, security appliances and switching products against Cisco. In both cases, we were the outsider, trying to unseat the incumbent. Outside of feature/function/benefit/pricing comparisons and long-term personal relationships between the sales team and the customer, we had to combat fear, uncertainty and doubt (FUD).

FUD is based on the notion that if you — the customer — buy the incumbent’s product, you will regret it. Comments might include: “it will not work as advertised;” “the long-term costs will be greater than what you think;” “it will be a support nightmare;” and “your administrators and end users will not like the new solution.” In the security space, the points are the same but the infosec vendors add a new spin to fear.

Security entrepreneurs recognize a problem that is not being properly addressed by current products. They design, develop, test and market a new mousetrap. The challenge for all of them is to find a market large enough to cover the investment and to build a business upon the new market. Few people are aware that many of these problems exist. Enter marketing.

The infosec firm needs to define the problem so more people are aware of it. They need to expand the scope of it. They need to make you feel like if you don’t have this product, you are opening yourself up to a security disaster.

We all know technology and the attacks against it evolve. Many of these new products do have merit, but most do not. That’s why so many of these firms go out of business or cannot grow beyond $5-20 million in annual revenue. The lucky ones find an exit strategy by being acquired.

I was reading an article in CSO magazine, 7 Reasons Websites Are No Longer Safe. Though not from an infosec vendor, it makes the reader think that all Web sites are insecure and you might as well forget about trying to secure them. Hmm. So all of the e-commerce, banking and investment sites are unsafe?

The infosec industry makes its money by making people feel insecure. Fear is key to the marketing message. Most businesses do not need all of these leading-edge security devices or software. The sky is not falling, despite the vendor-speak.

Click Fraud and the Small Business Concern

Many businesses, large and small, engage in product promotion on Google, Yahoo! and MSN. Pay-per-click (PPC) is a way organizations can buy face-time with those in their target markets. For some industries and with certain keywords, this can be expensive.

Ideally, a Web site optimized for natural search results is best, but achieving that is sometimes difficult and costly. So many companies will spend a great deal of their marketing budgets on Internet promotion. They will create an ‘ad word’ campaign, limiting themselves to some daily budget. That budget might be $25 a day or $25,000 a day.

For each keyword or range of keywords an end user enters into a search engine, a certain number of sponsored links will be returned, along with the natural search results. Those bidding the highest will achieve the most prominent positions on the search results page. The end user has the option of clicking any of those resulting items, based on their relevance to the inquiry. If the user clicks on one of the sponsored links, that single click will cost the owner of that site a certain amount of money — whatever the bid was for that word and position. (The advertiser pays for it through a credit card or some other payment arrangement with the search engine provider.) Based on the number of searches for that range of keywords, the firm running the PPC campaign will often reach its daily budget. Once the budget is gone, no more sponsored links will be shown for that range of keywords or that campaign until the 24-hour clock resets.

A problem confronting those engaged in PPC is that someone with ‘bad intent’ can click on a competitor’s PPC ad with the explicit purpose of spending that competitor’s PPC budget. The result wastes the victim’s money and, once the victim’s budget is exhausted, can hand the perpetrator a higher page position for less than the victim spent. There is little the PPC campaign owner can do. In fact, it takes careful analysis by the marketing manager to even suspect foul play. It is a problem that only the search engine provider can address.

Recently, the Interactive Advertising Bureau published guidelines for determining when fraudsters are taking advantage of pay-per-click (PPC) advertisements. The Click Measurement Guidelines (the 27-page PDF Guidelines document can be downloaded <HERE>) are summarized as follows:

  • Define the technical life-cycle of a “click” and outline standard methodologies by which clicks should be measured and counted, including provisions for identifying invalid and/or fraudulent clicks.
  • Establish standard terms that will help streamline the buying and selling of click-based media. 
  • Increase transparency and consistency in click measurements for media companies, ad-serving organizations, advertisers, and third-party click auditors.

Estimates of fraudulent clicks range from below 10 percent to as high as 17 percent. Regardless, as one who has run and still runs PPC campaigns, seeing the advertising industry and the search engine providers attempting to address this is welcome. With the amount of money we are talking about, it is critical for building credibility for this form of advertising.
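The “careful analysis” mentioned above, and the Guidelines’ provision for identifying invalid clicks, can be approximated on the advertiser’s side with the click data the campaign owner already has. The following is an added example, not code from the original post, the IAB or any ad platform: it parses a constructed CSV click log (fields ts, ip, keyword, converted are assumed), flags any source that clicks the same ad more than three times inside a sliding 60-second window, reports that source’s conversion rate, and estimates the budget it burned at an assumed bid per keyword. The thresholds and bids are illustrative.

```python
"""Flag click bursts in a pay-per-click (PPC) advertiser's own click log.

Added example, not code from the original post, the IAB, or any ad platform.
The log format (CSV with ts, ip, keyword, converted), the per-keyword bids and
the burst threshold are all assumptions; real platforms report clicks in
their own formats and apply their own invalid-click filtering.
"""
import csv
import io
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Click = namedtuple("Click", "ts ip keyword converted")

# Constructed sample log: one source fires five clicks on the same ad in
# 15 seconds and never converts; two other visitors behave normally.
SAMPLE_LOG = """\
ts,ip,keyword,converted
2009-10-22T09:00:01,203.0.113.5,widget supplier,0
2009-10-22T09:00:04,203.0.113.5,widget supplier,0
2009-10-22T09:00:07,203.0.113.5,widget supplier,0
2009-10-22T09:00:11,203.0.113.5,widget supplier,0
2009-10-22T09:00:15,203.0.113.5,widget supplier,0
2009-10-22T09:03:30,198.51.100.20,widget supplier,1
2009-10-22T09:10:02,198.51.100.77,cheap widgets,0
2009-10-22T09:45:00,198.51.100.20,cheap widgets,1
"""

# Assumed cost per click for each keyword (what the advertiser bid).
BIDS = {"widget supplier": 2.50, "cheap widgets": 0.90}


def parse_log(text):
    """Parse the CSV click log into Click records, oldest first."""
    rows = [
        Click(datetime.fromisoformat(r["ts"]), r["ip"], r["keyword"], int(r["converted"]))
        for r in csv.DictReader(io.StringIO(text))
    ]
    return sorted(rows, key=lambda c: c.ts)


def find_bursts(clicks, window=timedelta(seconds=60), max_clicks=3):
    """Return {(ip, keyword): peak} for sources that exceed max_clicks on the
    same keyword inside any sliding window of the given length."""
    times = defaultdict(list)
    for c in clicks:
        times[(c.ip, c.keyword)].append(c.ts)
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_clicks:
            flagged[key] = peak
    return flagged


def wasted_spend(clicks, flagged, bids):
    """Estimate budget burned by flagged sources, at the assumed bid per click."""
    return sum(bids[c.keyword] for c in clicks if (c.ip, c.keyword) in flagged)


def conversion_rate(clicks, ip):
    """Share of a source's clicks that converted; zero conversions alongside
    a burst is the pattern a marketing manager would question first."""
    mine = [c for c in clicks if c.ip == ip]
    return sum(c.converted for c in mine) / len(mine) if mine else 0.0


if __name__ == "__main__":
    clicks = parse_log(SAMPLE_LOG)
    flagged = find_bursts(clicks)
    for (ip, kw), peak in flagged.items():
        print(f"{ip} clicked '{kw}' {peak} times within 60s, "
              f"conversion rate {conversion_rate(clicks, ip):.0%}")
    print(f"estimated wasted spend: ${wasted_spend(clicks, flagged, BIDS):.2f}")
```

On the constructed log the script flags 203.0.113.5 (five clicks, no conversions) and estimates $12.50 of budget burned. A burst from one address is only the crudest signal; a determined competitor spreads clicks across addresses and time, which is why the post is right that only the search engine provider, with visibility across all advertisers, can really address it.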

Prudent Browsing Makes for a Safer Cyber World

Where do most security incidents come from? External hackers? Disgruntled employees? Probably not. For most organizations, it is the innocent employee.

Whether it is politics, business or technology, the most damaging thing is ignorance. People are ignorant of the damage that can occur through careless browsing habits. Why? Because significant security incidents are rarely experienced by the average computer user.

Most computer users do a limited number of things: they check email, run a word processor, download photos, copy music and browse the Internet for news, sports, products, etc. A browser is the most used application on most desktops, laptops or netbooks. Few have had any instruction on the security implications of their browsing habits.

Recently, Joan Goodchild posted a short-list of five security mistakes people make when browsing the Internet:

  1. Blindly installing ActiveX controls
  2. Trusting bad SSL certificates
  3. Allowing unsigned content
  4. Letting curiosity get the best of you
  5. Having a ‘just do it’ mentality

Most people do not know what ActiveX even is. All they know is that if they check it, the pop-up box goes away and they get to their “intended” destination. Likewise, who knows what SSL is? A “bad SSL cert” means what to the average bloke? A user clicks on a link that requires an application that does not appear to be on the user’s local machine. The pop-up says you can run it if you click “here.” What does the average user do? Clicks “here,” wherever “here” might take him/her.

Spam is still rampant because enough people, albeit a small number, still click on the message to find out more, whether it is a free financial check-up, a must-have coupon for lunch, or someone from your high school who is interested in hooking up.

We all view our computer as a utility: it just must work. Most of the time it does. But ignorant browsing is going to catch up eventually, if it has not already (most will not associate their insecure browsing habits with PC performance degradation).

In March 2009, Bill Brenner gave his 10 IE Browser Settings for Safer Surfing:

  1. Disable XPS documents
  2. Disable font download
  3. Disable inclusion of local file directory path when uploading files to a server
  4. Disable prompting if you are prone to just clicking “yes”
  5. Always prompt for username and password
  6. Disable SSL 2.0 support
  7. Enable TLS support
  8. Disable searching from the URL bar
  9. Disable unnecessary add-ons
  10. Uninstall old Java installations

You know the clichés: “Common sense is not all that common.” “If something seems too good to be true, it probably is.” “Free is never free.” I know it is hard to face, but 23-year-old beautiful women are not interested in blind dates or 50-plus-year-old men.

A little education can go a long way in protecting our personal and business computing environments. It all starts with prudence by the end user at the browser.

Web Application Vulnerabilities

Earlier this week, Cenzic, a web application security company, described in its Q3-Q4 Trends Report (30-page PDF) that Web vulnerabilities and attacks through Web applications continue to grow.

The total number of reported vulnerabilities went up to 2,835, an increase of more than 10 percent from the first half, of which the percentage of vulnerabilities relating to Web applications hit a staggering 80 percent.

Some key findings include:

  • Of Web browser vulnerabilities, Internet Explorer had the highest percentage at 43 percent followed closely by Firefox at 39 percent; Safari and Opera were at 10 and 8 percent respectively.
  • Eighty percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Plugins and ActiveX, and Web browsers, which is a significant increase from earlier in the year.
  • Adobe continued to be plagued by vulnerabilities some of which showed up in our Top 10 list. Others on this list included SAP, Microsoft, Mozilla, Sun, Apache, and Oracle.

A few months ago, a company I was working with had its web server completely taken over by some Chinese-born bot. The server was running Windows Server 2003 and IIS (an old version). It had not been patched for a couple of years. It was co-located at a reputable firm in Salt Lake City (XMission). There was no system management contract with them — just rack space for a decent Dell server and a Cisco PIX firewall (which also had not been updated for a few years).

It was in the secure data center because an application that ran on it, used occasionally by a third party, required a physically secured location. The XMission data center, though not Ft. Knox, was good enough. The weakness was in the server.

This bot had taken total control of the server. As we tried to identify the cause of the outage (the server was no longer serving up Web pages), we noticed some strange processes running. We stopped them, or at least we tried. Within two or three seconds, they’d start right back up again. This server was really hosed.
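Processes that return seconds after being killed are being relaunched by something that survived the kill, and that survivor is what has to be stopped first. The following is an added example, not tooling from the original post or from either hosting provider: it compares two constructed process listings (PID, parent PID, image name, image path, in a `tasklist`-like layout that is an assumption) taken before and after killing two suspicious processes, identifies which images came back under new PIDs, walks each one’s parent chain up to the surviving ancestor that respawned it, and lists anything executing out of a Temp directory. The image names svcmon.exe, upd.exe and dl.exe are invented for illustration.

```python
"""Find processes that come back after being killed, and the parent that
relaunches them.

Added example, not tooling from the original post or any hosting provider.
The two listings below are constructed (PID, parent PID, image name, image
path); svcmon.exe, upd.exe and dl.exe are invented names, not known malware.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path")

# Constructed listing taken before PIDs 2200 and 2300 were killed.
BEFORE = r"""
4    0    System       -
520  4    services.exe C:\Windows\System32\services.exe
600  520  svchost.exe  C:\Windows\System32\svchost.exe
1200 600  w3wp.exe     C:\Windows\System32\inetsrv\w3wp.exe
1500 520  svcmon.exe   C:\Windows\Temp\svcmon.exe
2200 1500 upd.exe      C:\Windows\Temp\upd.exe
2300 2200 dl.exe       C:\Windows\Temp\dl.exe
"""

# Constructed listing taken a few seconds after the kill: same images, new PIDs.
AFTER = r"""
4    0    System       -
520  4    services.exe C:\Windows\System32\services.exe
600  520  svchost.exe  C:\Windows\System32\svchost.exe
1200 600  w3wp.exe     C:\Windows\System32\inetsrv\w3wp.exe
1500 520  svcmon.exe   C:\Windows\Temp\svcmon.exe
2410 1500 upd.exe      C:\Windows\Temp\upd.exe
2422 2410 dl.exe       C:\Windows\Temp\dl.exe
"""


def parse_snapshot(text):
    """Parse 'pid ppid name path' lines into {pid: Proc}; path may contain spaces."""
    procs = {}
    for line in text.strip().splitlines():
        pid, ppid, name, path = line.split(maxsplit=3)
        procs[int(pid)] = Proc(int(pid), int(ppid), name, path)
    return procs


def respawned(before, after):
    """Processes whose image was running before but now carry a PID that did
    not exist before: they were killed and something started them again."""
    seen = {(p.name, p.path) for p in before.values()}
    return [p for p in after.values()
            if (p.name, p.path) in seen and p.pid not in before]


def surviving_ancestor(proc, before, after):
    """Walk up the parent chain to the first process that survived the kill
    (same PID and image in both snapshots); that is what does the respawning."""
    cur, visited = proc, set()
    while cur.ppid in after and cur.ppid not in visited:
        visited.add(cur.ppid)
        parent = after[cur.ppid]
        if parent.pid in before and before[parent.pid].name == parent.name:
            return parent
        cur = parent            # parent was itself respawned; keep climbing
    return None


def spawners(before, after):
    """Map each respawned image name to the surviving ancestor that relaunched it."""
    return {p.name: surviving_ancestor(p, before, after)
            for p in respawned(before, after)}


def running_from_temp(procs):
    """Images executing from a Temp directory deserve a look regardless."""
    return sorted(p.name for p in procs.values() if "\\Temp\\" in p.path)


if __name__ == "__main__":
    before, after = parse_snapshot(BEFORE), parse_snapshot(AFTER)
    for name, root in spawners(before, after).items():
        print(f"{name} respawned by {root.name} (pid {root.pid}) at {root.path}")
    print("running from Temp:", ", ".join(running_from_temp(after)))
```

On the constructed listings both upd.exe and dl.exe trace back to svcmon.exe (pid 1500), which survived the kill and is itself running from C:\Windows\Temp; that, not its children, is the thing to stop or disable. On a box in the state the post describes this kind of triage only tells you what you are looking at; it does not make the server trustworthy again, which is why rebuilding (or moving to a managed host) was the right call.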

The initial plan was to re-install Windows Server 2003 and IIS, and update them to the latest patch levels. Turns out, no one was in possession of the media or the license. With no real technical know-how in the firm or longer term plan to hire or outsource, the plan that was agreed upon was to move it to a managed data center.

This turned out to be the right decision. The people who manage the site (Portal Web Hosting in Aberdeen, SD) were willing to offer a deal that was actually cheaper and more extensive than what XMission was offering — secure data center, on-site technical assistance and server management, and a dedicated server running up-to-date Windows Server 2008, IIS and dedicated firewall.

Moral of the story: if you don’t have the technical resources, budget or need to do it yourself, don’t. There are plenty of solid firms that can provide a business with a reliable and guaranteed web server solution. Make sure they have a plan to do regular vulnerability scans and to keep the software patched appropriately.
