Online shopping and in-store retail purchases increase dramatically at certain times, such as the recent festive period, and unfortunately these are also the times when we see increases in skimming, phishing attempts and cyber-attacks. Because of the number of incidents and the alarming statistics released over the years, consumers feel rather insecure when shopping online, and more specifically every time they need to enter their card details. Recent high-profile data breaches have affected consumers' confidence, and the feeling of insecurity during a transaction has in turn had an impact on the number of purchase transactions. Businesses need to ensure that all necessary steps are taken to secure their customers' data so that they can eventually win back their trust.
InfoSec, SecNews, AppSec, Best Practices, Project Ideas, Source Code, etc. || Dr. Grigorios Fragkos, follow: @drgfragkos
Thursday, 18 December 2014
Thursday, 20 November 2014
Enhancing your cyber defence through a physical security assessment
A physical security assessment can be viewed as a penetration test against the physical infrastructure of an organisation: instead of computer networks and services, the buildings and physical locations are assessed. The overall physical security of a building's location, its facilities and its access controls are in scope. Physical security is often overlooked, yet the consequences of a physical breach can be just as severe as those of a computer breach.
Monday, 10 November 2014
Vulnerability Scanners you should know about
The discovery and patching of security vulnerabilities can be a very difficult and time-consuming task, especially without a proper vulnerability scanner.
The following is a list of the most well-known vulnerability scanners currently available on the market. A security consultant should spend some time familiarising themselves with these scanners. Find the scanner that is most suitable for your needs and use it to scan your network infrastructure for security vulnerabilities. Go through the reports these scanners generate and engage in remediating the vulnerabilities discovered. This is invaluable experience when it comes to understanding the security issues affecting large network infrastructures.
Some of these scanners can be used under a free licence for personal use.
01) Nessus - http://bit.ly/1prtrZ3
02) Nexpose - http://bit.ly/1NHBSML
03) CORE Impact Pro - http://bit.ly/19e7dWC
04) OpenVAS - http://bit.ly/1NHCdPy
05) QualysGuard - http://bit.ly/1MUn52l
06) MBSA (Microsoft Baseline Security Analyzer) - http://bit.ly/1MJ2NCE
07) Secunia PSI - http://bit.ly/1iiTjGR
08) Retina - http://bit.ly/1MBNHzo
09) Acunetix - http://bit.ly/1PA8rfA
10) SAINTscanner - http://bit.ly/1RLtB9A
11) GFI LanGuard - http://bit.ly/1RLt8V2
If you have used a vulnerability scanner that is worth mentioning here, let me know and I will add it to the list.
Wednesday, 15 October 2014
POODLE SSLv3 Vulnerability
Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google, who discovered the issue, released a security advisory; a copy can be found on the OpenSSL website [2].
The Padding Oracle On Downgraded Legacy Encryption (aka #POODLE) vulnerability already has a good write-up [1]. Jesper Jurcenoks explains the vulnerability on his blog [3] in a very detailed but easy to understand manner. I am happy to see that Jesper used the logo I made for the POODLE vulnerability in his blog post! :) If you are thirsty for more technical details, you should also read the blog post from ImperialViolet [4]. If you want to see some statistics on how vulnerable we are today in this regard, read this article on netcraft [5]. The following post outlines the steps on how to disable SSLv3 [6]. For a quick test of whether your browser still supports SSLv3 (and is therefore exposed to POODLE), visit www.poodletest.com. www.howsmyssl.com can provide some useful information about the SSL/TLS client you used to render its page. Last but not least, if you need to test a server for this vulnerability given its domain name, you may use www.poodlescan.com.
CVE-2014-3566 has been allocated for this protocol vulnerability.
I had an idea for a logo for this vulnerability, which I posted on Twitter when the vulnerability came out, and I would like to share it with you. We have been trying to ditch SSLv3 for quite some time now, so the logo had to look a little bit old-style, retro and maybe vintage. Let me know what you think. (You are free to use this logo; it would be nice if you reference it with: @drgfragkos)
Do you want to test manually?
Use this command:
openssl s_client -connect google.com:443 -ssl3
If the handshake fails, the server does not support SSLv3. Two caveats: this only proves anything if your own OpenSSL build still supports SSLv3 (OpenSSL 1.1.0 and later leave SSLv3 out at build time by default, so -ssl3 fails against every server), and a successful handshake shows that SSLv3 can be negotiated, which is what the downgrade attack needs; check the cipher reported in the output, since the padding oracle itself applies to CBC cipher suites.
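The padding check that POODLE exploits, as an added simulation that is not code from the original post or from the advisory: SSLv3 verifies only the final padding-length byte of a CBC record, never the padding bytes it claims to cover. An attacker who can make the victim's browser resend the same request (shaped so that the last CBC block is pure padding) copies a chosen ciphertext block over that last block and uses the server's accept/reject decision as an oracle, learning one plaintext byte every 256 attempts on average. The toy Feistel block cipher stands in for AES and HMAC-SHA1 stands in for the SSLv3 MAC; both, the request layout and the cookie value are assumptions constructed for the demonstration, not the real protocol primitives or real traffic.

```python
import hashlib
import hmac
import os

BLOCK = 16      # CBC block size in bytes
MAC_LEN = 20    # SSLv3 uses a 20-byte SHA-1 based MAC


# Toy 4-round Feistel cipher on 16-byte blocks: a stand-in for AES, NOT real crypto.
def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, blk), prev)
        prev = blk
    return out


def sslv3_seal(key, mac_key, data):
    """Build one SSLv3-style record: data || MAC || padding || pad_len, CBC-encrypted.
    SSLv3 only requires pad_len < BLOCK; the padding bytes themselves are arbitrary."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(key, iv, body)


def sslv3_open(key, mac_key, iv, ciphertext):
    """Server side: accept the record only if the padding length is sane and the MAC verifies.
    The flaw: only the last byte is checked, never the padding bytes it claims to cover."""
    plain = cbc_decrypt(key, iv, ciphertext)
    pad_len = plain[-1]
    if pad_len >= BLOCK:
        return False
    body = plain[:len(plain) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest())


def tls_padding_ok(plain):
    """For contrast, the TLS 1.0+ rule: every padding byte must equal pad_len."""
    pad_len = plain[-1]
    return pad_len < BLOCK and all(b == pad_len for b in plain[-pad_len - 1:])


def victim_request(cookie):
    """Constructed request, shaped so data+MAC is block-aligned (in the real attack the
    attacker's JavaScript controls the path length); the final CBC block is then pure padding."""
    head, tail = b"GET /", b" HTTP/1.0\r\nCookie: " + cookie + b"\r\n\r\n"
    k = (-(len(head) + len(tail) + MAC_LEN)) % BLOCK
    return head + b"a" * k + tail


def poodle_recover_byte(send_record, i, max_attempts=20000):
    """Recover the last plaintext byte of ciphertext block C_i (1-based, i < n).
    send_record() plays the victim resending the same request under a fresh IV and returns
    (iv, ciphertext, oracle); the attacker copies C_i over the final block and asks the server.
    On acceptance the decrypted last byte equals BLOCK-1, so P_i[15] = 15 ^ C_{n-1}[15] ^ C_{i-1}[15]."""
    for attempt in range(1, max_attempts + 1):
        iv, ct, oracle = send_record()
        blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]  # blocks[0] = IV, blocks[k] = C_k
        tampered = b"".join(blocks[1:-1] + [blocks[i]])
        if oracle(iv, tampered):
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[i - 1][-1], attempt
    return None, max_attempts


def demo_poodle(cookie=b"session=7f3a9c2e1d5b0a4f"):
    """Constructed victim with random keys; returns (recovered byte, actual byte, attempts).
    The default cookie is long enough (>= 16 bytes) that some block ends inside it."""
    key, mac_key = os.urandom(16), os.urandom(20)
    request = victim_request(cookie)

    def send_record():
        iv, ct = sslv3_seal(key, mac_key, request)
        return iv, ct, (lambda iv_, ct_: sslv3_open(key, mac_key, iv_, ct_))

    i = request.index(cookie) // BLOCK + 1          # block whose final byte lies inside the cookie
    recovered, attempts = poodle_recover_byte(send_record, i)
    return recovered, request[i * BLOCK - 1], attempts


if __name__ == "__main__":
    rec, actual, n = demo_poodle()
    print(f"recovered 0x{rec:02x} ({chr(rec)!r}), actual 0x{actual:02x}, after {n} attempts")
```

The real attack repeats this for every byte of the cookie by shifting the request one character at a time so the next secret byte lands at the end of a block; the per-byte cost stays at about 256 resends because each resend is encrypted under fresh chaining values. The `tls_padding_ok` function shows why TLS 1.0 and later are not affected in the same way: with every padding byte checked, a copied block is rejected unless all of its trailing bytes happen to match, not just the last one.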
Sunday, 12 October 2014
Backdoors on Web Applications
There are different types of backdoors being used and deployed, depending on what kind of system or service is being targeted, how stealthy it needs to be and how persistent. In this instance, we are discussing backdoors uploaded through web applications to your web server in order to provide access to unauthorised third parties.