
Thursday, January 16, 2014

The Three Headed Threat

The Highest Web Application Risks
 
The three-headed threat: three web application threats that can cause major problems for your web application and become a nightmare.
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Denial of Service (DoS)
For me these are the big three; for other security professionals it could be a mix of others. I chose these three because they occur so often.
 
Cross-Site Scripting (XSS)
Using the special characters below, attackers can compromise your web application and steal its data through cross-site scripting.
< >" ' % ; () & + \ # { } | ^ - [ ]
 
Filtering both the input and the output for the characters mentioned above is the common method of safeguarding against cross-site scripting attacks.
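As an added example (not code from the original post), this Python snippet shows the two filtering points the post describes: an input-side check that reports which of the listed characters are present so the request can be logged or rejected, and output-side encoding that makes them render as text instead of markup. The character set is taken from the post's list; the sample input is constructed.

```python
import html

# The special characters the post lists as XSS-relevant.
XSS_SPECIAL_CHARS = set('<>"\'%;()&+\\#{}|^-[]')


def flag_special_chars(user_input: str) -> set:
    """Input-side filter: return the listed special characters found in the
    input, so the application can log or reject the request."""
    return {c for c in user_input if c in XSS_SPECIAL_CHARS}


def encode_for_html(user_input: str) -> str:
    """Output-side filter: encode the characters that are significant in an
    HTML body context (& < > " ') so the browser shows them as text."""
    return html.escape(user_input, quote=True)


def render_comment(author: str, comment: str) -> str:
    """Build an HTML fragment with every untrusted value encoded on output."""
    return f"<p><b>{encode_for_html(author)}</b>: {encode_for_html(comment)}</p>"


# Constructed sample input resembling a script-injection attempt.
SAMPLE = '<script>alert("x")</script>'
```

Encoding on output covers the HTML body context; the other characters in the post's list matter in other contexts (attributes, URLs, JavaScript) and need context-specific encoding there.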

Impact of Cross-Site Scripting

Hackers can successfully exploit XSS vulnerabilities in a web application by inserting a script that gives them full control over end users' account credentials. They are then able to perform many malicious activities, such as:
  • Hijack an account
  • Spread web worms
  • Access browser history and clipboard contents
  • Control the browser remotely
  • Scan and exploit intranet appliances and applications
SQL Injection
SQL Injection is the input of data that produces unintended results when a database query is executed. The input contains characters that change the intended SQL query string.
Mitigation:
  • Build all SQL statements within a stored procedure instead of in the application.
  • Filter key SQL elements from the data before executing your query.
 
Denial of Service (DoS)
Denial of Service attacks are caused by an attacker who sends a sufficient volume of traffic to your web application, typically using free tools available on the internet, so that the web service stops responding or becomes unavailable to answer legitimate requests, leaving legitimate users unable to access your web site or application.
Diagnosis:
  • Unusually slow network performance (opening files or accessing websites)
  • Unavailability of a particular website
  • Inability to access any website
  • A dramatic increase in the number of spam emails received
Mitigation:
Have a business continuity plan that uses alternate web server resources and IP addresses that can be easily configured to allow customers' legitimate web traffic so they can access the site.
Turn on and review log files to determine whether the web application is under a DoS attack; sometimes a DoS attack may not be one at all, but something configured incorrectly or something polling your website by mistake.
There are also cloud services available that can absorb a DoS attack for your web site and pass only legitimate traffic on to your site.
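As an added example (not code from the original post), this Python snippet does the log review the post recommends: it parses common-format web server access log lines, finds clients whose request count in any 60-second window exceeds a threshold, and reports each one's most requested path, which helps tell a misconfigured poller hammering one URL from a real flood. The log lines are constructed and use documentation IP addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx common log format: client identd user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse_line(line):
    """Return (client_ip, timestamp, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def find_heavy_sources(lines, window_seconds=60, threshold=100):
    """Flag clients whose requests in any sliding window exceed the threshold.
    Returns {ip: (peak requests in one window, most requested path)}."""
    times = defaultdict(list)
    paths = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, path, _status = rec
        times[ip].append(when)
        paths[ip][path] += 1
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window start forward
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = (peak, paths[ip].most_common(1)[0][0])
    return flagged


def make_sample_log():
    """Constructed log: one client polling /status five times a second for
    30 seconds, plus a normal visitor (documentation IPs, not real hosts)."""
    base = datetime(2014, 1, 16, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [f'203.0.113.5 - - [{(base + timedelta(seconds=i // 5)).strftime(fmt)}] '
             f'"GET /status HTTP/1.1" 200 512' for i in range(150)]
    lines += [f'198.51.100.7 - - [{(base + timedelta(seconds=10 * i)).strftime(fmt)}] '
              f'"GET /about HTTP/1.1" 200 1024' for i in range(3)]
    return lines
```

A single source repeatedly requesting one path at a steady rate is the signature of the mistaken poller the post mentions; many sources at once points more toward an actual attack.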
 
And for safety's sake; Encrypt The Data!
The only weakness that the mythical three headed dog Cerberus had was that it fell to the mighty strength of Hercules. 
 
Use the mighty strength of encryption to protect your data!
 
All three of the above threats put your data at risk. Anytime your data is at rest (stored), or in transit make sure it is encrypted.
 
 Enjoy,
 
Julius

Friday, October 18, 2013

Healthcare.gov Fix: U.S. Government Sponsored Hackathons

New Idea - The U.S. Government should make these overpriced government Information Technology firms compete against Hackathon public projects when drafting their technology proposals.

This would spark many youth to pursue careers in technology. Because of the rebellious nature of youth, many would get a kick out of creating competing products to stick it to the man! Thus, helping to solve America's STEM crisis.

 

Healthcare.gov would have been child's play for America's young adults who have built social media mega infrastructures, which were originally developed and hosted from dorm rooms and cramped apartments on computers sitting on the floor. 

Until we read again!

Take care!

Thursday, September 26, 2013

How To Prevent A Hacker From Spying On You Using Your Web Cam




Hackers can use your webcam against you to spy on you, record you, and possibly blackmail, extort, or take revenge on you. See the NBC News article--> FBI Arrests suspect in Miss Teen USA 'sextortion' case.

Because these stories are becoming more and more common in the news, Michael, a friend of mine, asked me to share on his Facebook page a way that individuals can secure their webcams and prevent them from being hacked. More accurately, reduce the likelihood that your webcam gets hacked into. Just know that anything connected to the Internet can be hacked or compromised.
  1. Use a computer account that does not have Administrator rights. Limited rights are perfect.
  2. Keep antivirus software up to date and don't skimp, pay for the annual renewal!
  3. Set your PC or Laptop to download and install security patches automatically.
  4. Keep the computer’s firewall turned on all the time.
  5. Don’t let your children use your computer. Buy your children their own computing devices. Disable the camera on their computer if they have no need to use it. See steps 6 & 7.
  6. If your web cam is external, keep it unplugged until you need it.
  7. If your web cam is internal, consider deleting the drivers for it and purchasing an external web cam and follow step 6.
  8. For internal web cams, use tape or a Post-it note to cover the camera lens when you are not using it.
  9. Microphone – Turn the microphone input volume down to “zero”, when not using it.
  10. For the Ultra-Paranoid, delete the device drivers for both your web cam and microphone.
  11. Create complex login passwords.
Thanks for asking me to write this article Michael!

Enjoy,

Julius, CISSP

In addition, if you are new to the IT Security field, or have no experience and want to change your career consult with me at:


Wednesday, September 11, 2013

Getting Real. The Real Deal Costs of a Data Breach - Excellent Infographic

Excellent Infographic

This is a great Infographic regarding the money lost due to a Data Breach. Everyone needs to be Cyber Security smart. Stop. Think. Connect
Link---> http://visual.ly/real-cost-data-breach

The Real Cost of a Data Breach


Monday, March 25, 2013

How To Set Up Multi-Factor/ Dual Authentication on Facebook

Enabling dual/multi-factor authentication for Facebook is a great way to strengthen the security of your Facebook account. Multi-factor authentication significantly lowers the risk that someone gains unauthorized access to your Facebook account via a web browser. This is not enabled for mobile apps yet; the web browser has the larger risk surface.

Multi-factor authentication works by requiring not just your ID and password to prove who you are, but in addition something you have! Almost everyone has a mobile phone with text messaging enabled and a unique phone number that only they have. So if you have your mobile phone with you, you will be able to log into your Facebook account. This keeps malware, snoops and identity thieves from accessing your account from a web browser.

This will also alert you if someone is trying to log into your account without authorization!


It will require you to enter in a code that Facebook will send to you via text message to complete your login.

How To Setup
  1. Go to Settings and select Privacy Settings.
  2. Select Security.
  3. Select Login Approvals.
  4. Select Require a Security Code To Access My Account from Unknown Browsers.
  5. Select Get Started. A wizard will finish walking you through the setup process.
  6. Facebook will text you a confirmation code to enter into the box.
  7. Click No Thanks, Require a Code Right Away.

Note that Login Approvals now reads: A Security Code Is Required When Logging in From an Unknown Browser.

There you go! Enjoy!

Julius
