New and Noteworthy in Security for 9/24/09

SANS’ report The Top Cyber Security Risks for September 2009 states that “Application Vulnerabilities Exceed OS Vulnerabilities.” The report lists two main areas of vulnerability. First, outdated client-side software such as Adobe Acrobat Reader, Flash, Microsoft Office, and QuickTime is the primary vector for attacks on desktops. Second, web applications account for more than 60% of attacks overall, and SQL Injection, Cross-site Scripting (XSS), and PHP File Include attacks are the three most popular of those attack types.

Schneier’s post on Hacking Two-Factor Authentication reiterates his 2005 concerns that man-in-the-middle and trojan attacks are major risks to two-factor authentication. Schneier cites the recent article Real-Time Hackers Foil Two-Factor Security by Robert Lemos in MIT Technology Review. The story describes how a trojan application extracted more than 400 thousand dollars from a construction company’s bank account while the account manager was issuing payments. Schneier argues that banks need to put more effort into authenticating transactions rather than individuals. He believes this will only happen once banks are forced to accept liability for the losses; at that point, he says, the industry will begin to focus on authenticating transactions, as the credit card companies have done.

David Naylor’s post on the Dangers of Custom Shortened URLs describes a problem where a user registered robots.txt as a bit.ly URL and then redirected it to another page. Naylor hypothesizes that a web crawler that performed insufficient checking could be convinced not to crawl the site, or to use alternate information from a sitemap.xml. The general class of problems Naylor describes is more interesting than the specific example in the article. Similar problems could potentially occur in services that offer usernames in the format www.servicename.com/username. This is a good example of why anyone offering custom namespaces in the form of usernames or URLs should give some thought to assignments with potentially unwanted side effects or risks.
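As an added illustration of that namespace point (example code written for this post, not from Naylor’s article or from any particular shortener or service), here is a registration check for a custom short-URL or username namespace that refuses names which would shadow well-known crawler files or application routes, including after the case, encoding and Unicode tricks a naive exact-string comparison would miss. The reserved lists are constructed assumptions; a real service would derive them from its own routes.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed assumption: names a custom namespace should refuse because
# crawlers, browsers or the application's own router treat them specially.
RESERVED_NAMES = {
    "robots.txt", "sitemap.xml", "favicon.ico", "crossdomain.xml",
    "humans.txt", "ads.txt", "security.txt", "browserconfig.xml",
    "api", "admin", "login", "logout", "static", "www",
}


def canonical(name: str) -> str:
    """Normalize a requested name the way a URL router effectively would.

    Percent-decode repeatedly (defeats double encoding), apply Unicode NFKC
    so fullwidth letters fold to ASCII, case-fold, strip surrounding
    whitespace and slashes, and drop trailing dots, which some web servers
    and filesystems ignore when resolving a path.
    """
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    name = unicodedata.normalize("NFKC", name).casefold().strip()
    return name.strip("/").rstrip(".")


def is_allowed(name: str) -> bool:
    """Return True only if the name cannot collide with a reserved resource."""
    n = canonical(name)
    # One flat path segment of safe characters: no separators, control
    # bytes or NULs that survived decoding, and no leading dot so that
    # .well-known and other hidden paths can never be claimed.
    if not re.fullmatch(r"[a-z0-9_-][a-z0-9._-]{0,63}", n):
        return False
    # Compare the canonical form, so ROBOTS.TXT, robots%2Etxt and
    # robots.txt. are all rejected along with the plain spelling.
    return n not in RESERVED_NAMES
```

Checking the canonical form rather than the raw string is the substantive part: the reserved list is only as good as the normalization applied before the lookup.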