SQL Injection-how about your site ?

<br> Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. It means that SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks, and sometimes SQL queries even may allow access to host operating system level commands.<br> <br> Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build an SQL query. The following logs examples are based on true stories, unfortunately.<br>

SQL Injection-how about your site ?

Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. It means that SQL queries are able to circumvent access controls, thereby b…

Read more »

New Standard Pushes for a More Secure Web

There is no silver bullet when it comes to encryption. Even the most complex, invulnerable encryption today could be child’s play in the future. The NIST (National Institute of Standards and Technology) is <a href="http://www.pcworld.com/businesscenter/article/260922/new_nist_encryption_guidelines_may_force_federal_agencies_to_replace_old_websites.html">publishing new encryption standards</a> for public review to try and keep up with the times and stay a step ahead of the bad guys. <br> <a href="http://images.pcworld.com/images/article/2012/04/secure_browser-11351369.jpg"><img alt="" height="227" src="http://images.pcworld.com/images/article/2012/04/secure_browser-11351369.jpg" width="320"></a>The NIST is a government agency, and its guidelines only really impact other government agencies. However, many security experts and organizations look to the NIST standards as a baseline. <br> All of security is more or less a game of cat and mouse. Security measures are put in place, and they work for a while until attackers find the weak spots, or figure out how to compromise or circumvent them. Then, security experts have to devise new methods, and the game starts over. Website encryption, and the certificates we use to prove a site is legitimate, are subject to this same cause and effect.<br>

New Standard Pushes for a More Secure Web

There is no silver bullet when it comes to encryption. Even the most complex, invulnerable encryption today could be child’s play in the future. The NIST (National Institute of Standards and Technolog…

Read more »

Defcon Wi-Fi Hack Called No Threat to Enterprise WLANs

<p>Enterprise Wi-Fi networks can keep using WPA2 security safely, despite a <a href="http://www.networkworld.com/news/2012/072912-tools-released-at-defcon-can-261242.html">recent Defcon exploit</a> that has been widely, but wrongly, interpreted as rendering it useless. <p>The exploit successfully compromised a legacy authentication protocol, MS-CHAPv2, which was created by Microsoft years ago. But the vulnerabilities of this protocol (and other similar ones) are well known, and Wi-Fi Protected Access 2 makes use of additional mechanisms to protect them. That protection is still in force, according to both the Wi-Fi Alliance and a wireless architect, who blogged in depth on this issue after the Defcon exploit was reported. <p>IN PICTURES:&#160;<a href="http://www.networkworld.com/slideshow/58324">Quirkiest moments at 2012 Black Hat security conference</a> <p>In the wake of the Defcon demonstration, enterprises were being urged by some to abandon MS-CHAP, the Protected Extensible Authentication Protocol (PEAP), WPA2 or all of the above. None of that is necessary. <p>The Wi-Fi Alliance has reviewed the chapcrack tool and cloudcracker service announced last week at Defcon 20 and these tools do not present an exploitable vulnerability in Wi-Fi CERTIFIED products, according to statement issued by the Wi-Fi Alliance, via Kelly Davis-Felner, the WFA marketing director. These tools exploit previously-documented weaknesses in the use of Microsoft CHAP (MS-CHAP).&#160;All uses of MS-CHAP in WPA2 are protected by the Transport Layer Security (TLS) protocol. TLS is the same strong cryptographic technology that protects all online e-commerce transactions. TLS prevents interception of the MS-CHAP messages used in WPA2 Enterprise and effectively protects against attacks using chapcrack or cloudcracker.</p> </p></p></p></p>

Defcon Wi-Fi Hack Called No Threat to Enterprise WLANs

Enterprise Wi-Fi networks can keep using WPA2 security safely, despite a recent Defcon exploit that has been widely, but wrongly, interpreted as rendering it useless. The exploit successfully compromi…

Read more »

DNSChanger Malware: What's Next?

<br> <div style="border: 0px; color: #555555; font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 24px; margin-bottom: 0.5em; margin-top: 0.5em; padding: 0px;"> <span style="background-color: white;">The Federal Bureau of Investigation estimates around 64,000 computers in the U.S. infected with the DNSChanger Trojan may have Internet connectivity problems Monday. This particularly nasty piece of malware first surfaced in 2007 and is able to reroute a PC's Web traffic without knowledge of the user. DNSChanger achieved this by manipulating the Domain Name System (DNS) routing service for infected computers.</span></div>

DNSChanger Malware: What's Next?

The Federal Bureau of Investigation estimates around 64,000 computers in the U.S. infected with the DNSChanger Trojan may have Internet connectivity problems Monday. This particularly nasty piece of …

Read more »