<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.websitemagazine.com/content/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>'Net Features : security</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx</link><description>Tags: security</description><dc:language>en</dc:language><generator>CommunityServer 2008 SP2 (Build: 31104.93)</generator><item><title>CloudAccess Integrates Identity and Access Management</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2013/04/29/cloudaccess-integrates-identity-and-access-management.aspx</link><pubDate>Mon, 29 Apr 2013 16:30:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:24682</guid><dc:creator>Michael Garrity</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=24682</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2013/04/29/cloudaccess-integrates-identity-and-access-management.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;Cloud-based unified security solution provider &lt;a href="http://www.cloudaccess.com/" target="_blank"&gt;CloudAccess&lt;/a&gt; has recently announced the version 3.0 release of its CloudIDM/AM system, featuring seamless, &amp;ldquo;unique&amp;rdquo; integration between enterprise identity management and access controls (i.e. single sign-on and access management) from the cloud.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In addition, CloudIDM/AM 3.0 comes with multi-directional password synchronization between the system&amp;rsquo;s identity management solution, Active Directory and/or Lightweight Directory Access Protocol (LDAP), as well as a federated gateway that allows access to an application or website, a dynamic self-service portal and centralized GUI-based workflow automation.&lt;br /&gt;&lt;br /&gt;&amp;quot;We&amp;#39;ve taken the next evolutionary step to integrate the key capabilities of provisioning, multi-factor authentication and role-based workflow management with an advanced single sign on for SaaS and legacy applications and manage it all from the cloud,&amp;quot; said Kevin Nikkhoo, CEO of CloudAccess.&lt;br /&gt;&lt;br /&gt;Because of a proliferation of SaaS applications, increased complexity with &amp;ldquo;bring-your-own-device&amp;rdquo; and general user mobility, many organizations these days are suffering from more and more vulnerability gaps. As a result, regulatory agencies have made it a legal requirement to continuously monitor and report on user access. 
So, straight out of the box, the newly updated CloudIDM/AM system will include the streamlined ability to automate compulsory reporting in a way that satisfies the compliance governance for a variety of agencies, including HIPAA, PCI, FFIEC, NIST, FERC and Sarbanes-Oxley.&lt;br /&gt;&lt;br /&gt;Since it is a cloud-deployed SaaS solution, CloudIDM/AM 3.0 doesn&amp;rsquo;t require any hardware or software to install, and it will integrate with other scalable security solutions, like SIEM and log management systems. Plus, the whole suite can be monitored in real time from a single dashboard.&lt;br /&gt;&lt;br /&gt;CloudIDM/AM 3.0 is currently available for direct sale, or through various reseller channels. &lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=24682" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/Web+Hosting/default.aspx">Web Hosting</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/cloud+computing/default.aspx">cloud computing</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/cloud/default.aspx">cloud</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wm-webhosting/default.aspx">wm-webhosting</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/cloudidm_2F00_am/default.aspx">cloudidm/am</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/cloudaccess/default.aspx">cloudaccess</category></item><item><title>Mitigating DDoS Attacks</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2013/04/26/mitigating-ddos-attacks.aspx</link><pubDate>Fri, 26 Apr 2013 08:04:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:24661</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=24661</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2013/04/26/mitigating-ddos-attacks.aspx#comments</comments><description>&lt;p&gt;Prolexic has released a &lt;a target="_blank" href="http://www.prolexic.com/real-attack"&gt;video visualization&lt;/a&gt; of how it mitigated a 160 Gbps, 120 million packets-per-second distributed denial of service attack which occurred earlier in the month 
against one of its clients. 
&lt;br /&gt;&lt;br /&gt;
Viewers can see how Prolexic routes malicious traffic through its scrubbing centers and sorts it by type of attack &amp;ndash; be it on the infrastructure or at the application layer. The video shows how the DDoS mitigation service applies blocking signatures both through automated mitigation gear and in real time by the company&amp;#39;s engineers. &lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=24661" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wm-hosting/default.aspx">wm-hosting</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/Prolexic/default.aspx">Prolexic</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/DDos+attack/default.aspx">DDos attack</category></item><item><title>WordPress Under Attack </title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2013/04/15/wordpress-under-attack.aspx</link><pubDate>Mon, 15 Apr 2013 19:15:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:24444</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>8</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=24444</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2013/04/15/wordpress-under-attack.aspx#comments</comments><description>&lt;p&gt;&lt;strong&gt;Internet professionals using Wordpress have been under attack for the last few weeks but only now is it being widely reported. 
&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;
Numerous security experts have issued warnings recently about the botnet, a brute-force password-guessing attack against sites that are powered by the popular blogging and content management system and the providers that host those sites. 
&lt;br /&gt;&lt;br /&gt;
What makes the broader attack so malicious is that infected sites are seeded with backdoors that let the attackers control the site remotely. The compromised sites are then forced to launch password-guessing attacks against other sites running WordPress. Scary.
&lt;br /&gt;&lt;br /&gt;
According to Web site security firm Incapsula, those behind the attack are scanning the Web for WordPress installations, and attempting to log in to the administrative console at these sites using a list of commonly-used username and password combinations.
&lt;br /&gt;&lt;br /&gt;
Web hosting provider HostGator last week suggested that the problem has grown to include &lt;a href="http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/" target="_blank"&gt;more than 90,000 compromised sites&lt;/a&gt;. 
&lt;br /&gt;&lt;br /&gt;
Cloudflare CEO Matthew Prince last week said in a blog post that the &lt;a href="http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br" target="_blank"&gt;tactics employed in this attack&lt;/a&gt; were similar to those used in the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was responsible for a series of cyber attacks against US financial institutions.
&lt;br /&gt;&lt;br /&gt;
If you&amp;#39;re a WordPress user, make sure to change administrative passwords immediately and make sure those passwords meet the security requirements set forth on the WordPress site (upper and lowercase letters, at least eight characters long, and including special characters).&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=24444" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wordpress/default.aspx">wordpress</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/cyberattack/default.aspx">cyberattack</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/botnet/default.aspx">botnet</category></item><item><title>EyeVerify Ushers In A New Era in Mobile Security</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2013/02/26/eyeverify-ushers-in-a-new-era-in-mobile-security.aspx</link><pubDate>Tue, 26 Feb 2013 16:30:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:23463</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=23463</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2013/02/26/eyeverify-ushers-in-a-new-era-in-mobile-security.aspx#comments</comments><description>&lt;p&gt;Logging in, signing on and entering passwords or one-time PIN codes are barriers to optimal end-user and enterprise experiences. Existing biometrics solutions do not solve this problem (due mainly to hardware limitations), but there are some interesting technologies emerging which, if you can manage to get past the Minority Report feeling, stand to vastly improve mobile security.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;strong&gt;Case in point, &lt;a target="_blank" title="Eyeverify" href="http://eyeverify.com"&gt;mobile identity protection service EyeVerify&lt;/a&gt; has announced a beta of its EyePrint Verification System - an impressive replacement for entering passwords on smartphones.&amp;nbsp;&lt;/strong&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The program is designed to help application developer participants integrate, test and deploy EyeVerify&amp;#39;s mobile authentication solution. The program essentially provides access to the company&amp;#39;s technology, which uses the built-in cameras of smartphone devices to image and &amp;#39;&lt;i&gt;pattern match&lt;/i&gt;&amp;#39; the unique veins in the whites of users&amp;#39; eyes. The beta includes prototype applications, SDK access, technical and engineering support, along with quality assurance test plans and results.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;quot;We&amp;#39;re living in a world where we conduct our lives online and on the go, and yet we&amp;#39;re plagued by password sprawl and identity theft and fraud,&amp;quot; said Chris Barnett, EyeVerify&amp;#39;s EVP of Global Sales and Marketing. &amp;quot;Eyeprinting solves this issue and, unlike other biometric verification offerings, is the first and only reliable mobile security solution that does not require additional hardware to deploy.&amp;quot;&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=23463" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/mobile/default.aspx">mobile</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wmfeature/default.aspx">wmfeature</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wm-mobile/default.aspx">wm-mobile</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/eyeverify/default.aspx">eyeverify</category></item><item><title>Guidelines for Secure Payments</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2013/02/11/guidelines-for-secure-payments.aspx</link><pubDate>Mon, 11 Feb 2013 18:35:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:23254</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=23254</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2013/02/11/guidelines-for-secure-payments.aspx#comments</comments><description>&lt;p&gt;&lt;strong&gt;The PCI Security Standards Council (PCI SSC) has released new guidelines to help e-commerce merchants keep their customers&amp;#39; data safe. 
&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;
The digital security landscape is a complicated one where the roles, risks and responsibilities of involved parties can quickly become muddled. That confusion, of course, can lead to stagnation when it comes to finding (and implementing) fixes - on both an individual site and industry level. 
&lt;br /&gt;&lt;br /&gt;
&amp;ldquo;Take SQL injections as an example. This is not a new attack, and something we&amp;rsquo;ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,&amp;rdquo; said Bob Russo, general manager, PCI Security Standards Council. 
&lt;br /&gt;&lt;br /&gt;
Over 60 organizations representing banks, merchants, security assessors and technology vendors collaborated to produce  guidance that will help organizations better understand their responsibilities when it comes to PCI DSS;  the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS 
scope.
&lt;br /&gt;&lt;br /&gt;
The guide, which comes at a time when ecommerce fraud is rising, includes an overview of ecommerce and PCI DSS and outlines common vulnerabilities in ecommerce that merchants should consider when developing or choosing ecommerce software and services.
&lt;br /&gt;&lt;br /&gt;
The guidelines also include best practice recommendations on securing ecommerce environments and a checklist of responsibilities that outlines, when payments are outsourced, which elements of security the merchant and the payments company are responsible for.
&lt;br /&gt;&lt;br /&gt;
&amp;ldquo;This can be addressed through simple, prudent coding practices, but merchants often don&amp;rsquo;t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.&amp;rdquo;&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=23254" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/payments/default.aspx">payments</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/pci/default.aspx">pci</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/internet+retail/default.aspx">internet retail</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wm-ecommerce/default.aspx">wm-ecommerce</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/risk/default.aspx">risk</category></item><item><title>Site Security for the Holidays</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2012/11/21/site-security-for-the-holidays.aspx</link><pubDate>Wed, 21 Nov 2012 15:30:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:22140</guid><dc:creator>Allison Howen</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=22140</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2012/11/21/site-security-for-the-holidays.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;E-commerce retailers need to prepare their websites for not
only an increase in traffic and conversions this holiday season, but also for online
fraudsters.&lt;/strong&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;While retailers should always watch out for cybersecurity
threats during the holiday season, the growing usage of mobile makes this more important
than ever before. This is because the number of transactions that originate
from a mobile device has been on an uptick, and retailers who don&amp;rsquo;t have a
system in place to manually accept or reject suspicious transactions increase
the risk of fraud.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;i&gt;&amp;ldquo;Mobile consumers typically store their credit card
information in retail accounts, rather than entering the information during
each transaction, making online retail account takeovers more profitable, and
therefore, more attractive to fraudsters,&amp;rdquo;&lt;/i&gt; said Alisdair Faulkner, chief
products officer, ThreatMetrix. &lt;i&gt;&amp;ldquo;During the holiday season in particular,
consumers find it much more convenient to keep credit card information stored
online as they make such a high volume of purchases. This is especially risky
if consumers use the same email address and password for several websites &amp;ndash;
doing so initiates a trail of destruction that is equivalent to unlocking every
door in the house, easily allowing criminals to hack numerous accounts at once.&amp;rdquo;&lt;/i&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;According to cybercrime prevention solutions provider &lt;a target="_blank" href="http://threatmetrix.com/"&gt;ThreatMetrix&lt;/a&gt;,
account takeover is among the biggest security threats attributed to the rising
usage of mobile. This is because many retailers don&amp;rsquo;t have a mobile security
strategy set in place and are not equipped to efficiently secure a large volume
of mobile transactions during Black Friday and Cyber Monday, which could make
consumers&amp;rsquo; account and credit card credentials vulnerable. Furthermore,
retailers should watch out for &amp;ldquo;clean fraud,&amp;rdquo; which often passes security
screens and appears to be a legitimate transaction, but is really a fraudster who
is hiding behind a virtual private network (VPN) &amp;ndash; making it difficult for
retailers to identify authentic transactions.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;i&gt;&amp;ldquo;Cybersecurity should be a top priority for retailers this
Black Friday, Cyber Monday and the rest of the holiday season,&amp;rdquo;&lt;/i&gt; said Faulkner.
&lt;i&gt;&amp;ldquo;Especially with so many consumers traveling at this time, retailers need to
put forth extra effort to assure transactions are originating from authentic
networks. The last thing retailers and consumers want is to wake up on Black
Friday with a &amp;lsquo;turkey hangover&amp;rsquo; and a compromised credit card.&amp;rdquo;&lt;/i&gt;&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=22140" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/threatmetrix/default.aspx">threatmetrix</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wm-ecommerce/default.aspx">wm-ecommerce</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/holiday+2012/default.aspx">holiday 2012</category></item><item><title>GlobalSign Alert Service Helps Fight Phishing</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2012/09/19/globalsign-alert-service-helps-fight-phishing.aspx</link><pubDate>Wed, 19 Sep 2012 22:00:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:21290</guid><dc:creator>Michael Garrity</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=21290</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2012/09/19/globalsign-alert-service-helps-fight-phishing.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;In order to provide its customers with real-time alerts about their SSL Certificates, which tell them when their websites are compromised and used to support phishing attacks, certification authority &lt;a href="http://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=1&amp;amp;cad=rja&amp;amp;ved=0CCoQFjAA&amp;amp;url=http%3A%2F%2Fwww.globalsign.com%2F&amp;amp;ei=f_tZULbTKoaVyQGv1YEI&amp;amp;usg=AFQjCNEFuTyHoXNb4dzXblIJfO04JFY-ug&amp;amp;sig2=ZsQLc7KQDeciK6BV4MZ_5g" target="_blank"&gt;GlobalSign&lt;/a&gt; has partnered with Internet services provider &lt;a href="http://news.netcraft.com/" target="_blank"&gt;Netcraft&lt;/a&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The GlobalSign Netcraft Phishing Alert service will first tell GlobalSign when one of its customers&amp;rsquo; websites is being used to support phishing attacks, and the company will then immediately notify and advise the customers on remediation steps so they can quickly fix the problem and stop the attack. And, if GlobalSign discovers that a site has been specifically created for malicious intent, it will revoke its certificate.&lt;br /&gt;&lt;br /&gt;This service, the first of its kind, means customers can maximize their investment in GlobalSign with additional security against these highly prevalent, not to mention persistent, criminal attacks. For a partner, Netcraft was an ideal selection, as it continually produces an updated phishing feed (one that is currently used by all of the major Web browsers), and it has blocked more than 5 million phishing attacks to date.&lt;br /&gt;&lt;br /&gt;Websites are required to have an SSL Certificate to activate the SSL/TLS technology built into a browser or server. Once it&amp;rsquo;s activated, it will provide an encrypted link between the browser and server to secure transactions or data submission. 
As SSL trust signals are meant to inspire confidence in users, it can be especially disastrous for consumers and website owners if a site is compromised and used to deploy phishing pages. Luckily for GlobalSign customers, the GlobalSign Netcraft Phishing Alert will significantly reduce their risk of becoming victims of such an attack.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=21290" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/ssl+certificates/default.aspx">ssl certificates</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/netcraft/default.aspx">netcraft</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/phishing/default.aspx">phishing</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/website+security/default.aspx">website security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/GlobalSign/default.aspx">GlobalSign</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wm-hosting/default.aspx">wm-hosting</category></item><item><title>Learn Hacker Language, Decrease Risk</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2012/08/30/learn-hacker-language-decrease-risk.aspx</link><pubDate>Thu, 30 Aug 2012 15:00:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:21029</guid><dc:creator>Amberly Dressler</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=21029</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2012/08/30/learn-hacker-language-decrease-risk.aspx#comments</comments><description>&lt;p&gt;&lt;span style="font-weight:bold;"&gt;In order to fight the battle of Distributed Denial of Service (DDoS) attacks, at-risk businesses need to be armed with the same tools as the bad guys.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Prolexic Technologies, a DDoS mitigation service provider, announced it has added an extensive glossary of DoS and DDoS terms to its online Knowledge Center, which will help Web workers understand the tools and methods hackers use to target organizations.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;quot;When faced with a DDoS attack, confusion can quickly set in, especially when an organization&amp;#39;s key IT personnel are unavailable,&amp;quot; said Stuart Scholly, Prolexic&amp;#39;s president. &amp;quot;Decision makers typically aren&amp;#39;t familiar with these terms, but have to act fast. This glossary provides one more tool to help them promptly assess the situation and take appropriate action to mitigate any damage.&amp;quot;&lt;/p&gt;
&lt;p&gt;More than 60 common acronyms and technical terms used to describe these attacks are defined in the Glossary of Terms. The need for Web workers to familiarize themselves with these terms is growing, as according to the Prolexic Security Engineering &amp;amp; Response Team, such DDoS attacks increased 10 percent in Q2 2012.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;quot;Malicious hackers already know this stuff,&amp;quot; said Scholly. &amp;quot;They know the difference between a Layer 4 and a Layer 7 attack. When businesses and media can speak their language, too, it becomes more difficult to catch a potential target off guard.&amp;quot;&lt;/p&gt;
&lt;p&gt;To view the free glossary, click &lt;a target="_blank" href="http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=21029" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security+risk/default.aspx">security risk</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/prolexic+technologies/default.aspx">prolexic technologies</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/ddos/default.aspx">ddos</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/DoS/default.aspx">DoS</category></item><item><title>ControlScan Merchants Can Rest Easier on PCI Issues</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2012/05/10/pci-compliance-has-never-been-easier.aspx</link><pubDate>Thu, 10 May 2012 17:00:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:19704</guid><dc:creator>Michael Garrity</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=19704</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2012/05/10/pci-compliance-has-never-been-easier.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;a target="_blank" href="https://www.controlscan.com/"&gt;&lt;img src="http://www.websitemagazine.com/images/blog/pci-mini.gif" style="float:left;margin:10px;" height="75" width="75" alt="" /&gt;&lt;/a&gt;&lt;b&gt;&lt;a target="_blank" href="https://www.controlscan.com/"&gt;ControlScan&lt;/a&gt;, a
provider of Payment Card Industry (PCI) compliance and security services for
small and medium-sized online businesses, has announced its purchase of cloud-based secure payments solution &lt;a target="_blank" href="http://www.cresecure.com/"&gt;CRE Secure&lt;/a&gt;.&lt;/b&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;The acquisition
will allow ControlScan to considerably reduce the &amp;quot;scope&amp;quot; of PCI. &lt;/p&gt;
&lt;p class="MsoNormal"&gt;CRE Secure was already a level-one PCI Data Security
Standard (DSS) certified service provider. It gives users a hosted payment page
powered by patent-pending HTML cloning technology for a consistent consumer
experience, and a secure e-commerce solution for merchants that is
PCI-compliant.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;By combining an already PCI-compliant object, such as a
credit card form, with a merchant&amp;rsquo;s site template, merchants can simplify the
compliance process by outsourcing consumer payment data to CRE Secure, putting
their website out of the scope of PCI regulations, since it will not actually
store, process or transmit cardholder information. This allows them to host
their site wherever they want and save a lot of money on those annual PCI
scans.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;CRE Secure is based on a unified technology that utilizes a
single cloud-based system to support a merchant&amp;rsquo;s payment channels, which include
everything from online, mobile and even mail/telephone orders. E-commerce sites
can even take advantage of plug-ins that allow them to connect with their
favorite payment processors and existing solutions, to create a seamless,
secure customer experience that is light on the merchant&amp;rsquo;s wallet, too.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;All of this is good news for ControlScan and the merchants who
use their services, as CRE Secure technology and existing partnerships will now
complement ControlScan solutions, opening up new opportunities in the
card-not-present (CNP) space. ControlScan also hopes to build upon the current CRE
Secure product.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=19704" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/E-Commerce/default.aspx">E-Commerce</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/merchants/default.aspx">merchants</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/payments/default.aspx">payments</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/pci+compliance/default.aspx">pci compliance</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/controlscan/default.aspx">controlscan</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/online+payments/default.aspx">online payments</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/cre+secure/default.aspx">cre secure</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/week19-2012/default.aspx">week19-2012</category></item><item><title>McAfee Plugin for MySQL Audits</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2012/03/26/mcafee-plugin-for-mysql-audits.aspx</link><pubDate>Mon, 26 Mar 2012 17:35:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:19419</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>0</slash:comments><wfw:commentRss 
xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=19419</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2012/03/26/mcafee-plugin-for-mysql-audits.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;&lt;img style="float:left;margin:15px;" src="http://www.websitemagazine.com/images/blog/mcafee2-mini.png" width="75" height="75" alt="" /&gt;Security technology vendor McAfee has released a free open-source plugin for MySQL database users which shows detailed activity from database audits. 
&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;
The plugin features visibility into database vulnerabilities and supports databases such as Oracle, Sybase, MS-SQL and DB2. The plugin, which is &lt;strong&gt;&lt;a href="https://github.com/mcafee/mysql-audit/downloads" target="_blank"&gt;available on GitHub&lt;/a&gt;&lt;/strong&gt;, requires no change to the existing database or network architecture. 
&lt;br /&gt;&lt;br /&gt;
&amp;ldquo;McAfee developed the free database audit plug-in to give the community of MySQL users a means of building enterprise-level database security around their databases,&amp;rdquo; said Dan Sarel, vice president of Database Security Product Management at McAfee. &amp;ldquo;When coupled with the McAfee Database Activity Monitoring sensor for MySQL, the data is subject to the same real-time analysis and policy enforcement as the data collected from other supported databases.&amp;rdquo;
&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=19419" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/mcafee/default.aspx">mcafee</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/database/default.aspx">database</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/mysql/default.aspx">mysql</category></item><item><title>PCI DSS Certification for TransPerfect</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2011/12/04/pci-dss-certification-for-transperfect.aspx</link><pubDate>Sun, 04 Dec 2011 20:00:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:18295</guid><dc:creator>Allison Howen</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=18295</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2011/12/04/pci-dss-certification-for-transperfect.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;
&lt;strong&gt;&lt;img height="75" width="75" style="float:left;margin:10px;" src="http://www.websitemagazine.com/images/blog/wmicon-mini.jpg" alt="" /&gt;Just in time for the holidays, language services solutions provider TransPerfect has announced PCI DSS certification for making online transactions more secure over multilingual e-commerce sites.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.websitemagazine.com/content/blogs/ecommerce/archive/2011/12/02/online-purchases-made-more-secure-with-transperfect.aspx" target="_blank"&gt;Read more&lt;/a&gt; in Website Magazine&amp;#39;s &lt;a href="http://www.websitemagazine.com/content/blogs/ecommerce/default.aspx" target="_blank"&gt;E-commerce Express&lt;/a&gt;.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=18295" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/ecommerce/default.aspx">ecommerce</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/PCI+DSS/default.aspx">PCI DSS</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/TransPerfect/default.aspx">TransPerfect</category></item><item><title>Why So Complicated? A Beginner's Guide to PCI Compliance</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2011/11/17/why-so-complicated-a-beginner-s-guide-to-pci-compliance.aspx</link><pubDate>Thu, 17 Nov 2011 17:00:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:18155</guid><dc:creator>Michael Garrity</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=18155</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2011/11/17/why-so-complicated-a-beginner-s-guide-to-pci-compliance.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;img width="75" height="75" style="float:left;margin:10px;" src="http://www.websitemagazine.com/images/blog/pci-mini.gif" alt="" /&gt;&lt;strong&gt;Most people start businesses because they want to do something they&amp;rsquo;re passionate about, but often they don&amp;rsquo;t account for all of the necessary red tape. So, it&amp;rsquo;s likely that when someone creates a website to sell hand-knitted scarves for Labrador retrievers, he or she probably didn&amp;rsquo;t put a lot of thought into ensuring the site was Payment Card Industry (PCI) compliant. &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;For starters, many people aren&amp;rsquo;t entirely familiar with PCI compliance, and even when they are made aware of it, actually making sense of it all and implementing PCI security standards on one&amp;rsquo;s website seems like a lot of work that may not be worth the hassle. At its most basic level, however, PCI compliance isn&amp;rsquo;t &lt;i&gt;that &lt;/i&gt;hard to understand; it&amp;rsquo;s just a matter of organizing and simplifying all of the information and jargon you&amp;rsquo;re being bombarded with.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Defining the Issue&lt;/strong&gt;&lt;br /&gt;Let&amp;rsquo;s take a step back; where does all of this PCI stuff come from? The PCI Security Standards Council was formed in 2006 as a joint effort between five global payment brands &amp;ndash; American Express, JCB International, MasterCard Worldwide, Discover Financial Services and Visa Inc. This group then developed the Data Security Standard (DSS), a collection of rigid requirements put in place to &amp;ldquo;ensure that all companies that process, store or transmit credit card information maintain a secure environment.&amp;rdquo; &lt;br /&gt;&lt;br /&gt;Essentially, any organization or merchant that handles credit, debit or prepaid cards branded by one of the founding companies (and if they&amp;rsquo;re operating an e-commerce site in 2011 without accepting major cards, they have other issues) is subject to the PCI DSS. &lt;br /&gt;&lt;br /&gt;PCI compliant businesses are split into four groups, or &amp;ldquo;levels,&amp;rdquo; based on their transaction volume, which is determined by their aggregate number of Visa transactions. 
Level 1 merchants are those that process over $6 million in Visa transactions a year; Level 2 merchants process between $1 million and $6 million; Level 3 merchants process between $20,000 and $1 million; and Level 4 merchants, which make up most small and medium-sized businesses, process less than $20,000 in Visa transactions a year. This last group also includes all non-e-commerce merchants, regardless of acceptance channel, who process up to $1 million transactions a year.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Is it Worth it?&lt;/strong&gt;&lt;br /&gt;Because PCI compliance isn&amp;rsquo;t an actual federal law, and it is the payment brands and acquiring banks that are responsible for enforcing it, it can be a little difficult, not to mention intimidating, for a business to become compliant. In fact, to less Web or financially savvy owners, it may seem easiest to just skip this part of the process. Bad idea. &lt;br /&gt;&lt;br /&gt;At the very least, complying with PCI Standards is important because it shows consumers that your website is trustworthy. Websites that aren&amp;rsquo;t willing to go through the process of having their security systems verified by the PCI are suspect, at best, and there is no better way to drive customers &lt;i&gt;away from&lt;/i&gt; your business than giving them a reason not to trust you. That being said, it&amp;rsquo;s important to know that while displaying trust signals from companies like VeriSign or TRUSTe on your site is another great way to inspire confidence in consumers about the security of your site, having these SSL certificates is &lt;strong&gt;not &lt;/strong&gt;the same thing as being PCI compliant, but rather they are complementary steps that show potential customers that you&amp;#39;ve taken the precautions necessary to protect their data. 
&lt;br /&gt;&lt;br /&gt;As far as business partnerships go, PCI compliance is also the best way to create a positive reputation with acquirers and payment brands that you&amp;rsquo;ll need contact with to conduct business. &lt;br /&gt;&lt;br /&gt;Perhaps most important, however, is that PCI compliance allows you to keep your website secure as tactics for compromising data evolve and become more sophisticated. The PCI Security Standards Council &amp;ldquo;is constantly working to monitor threats and improve the industry&amp;rsquo;s means of dealing with them,&amp;rdquo; meaning the security and integrity of your website will always be protected by the ever-adapting technology of the Council. This not only protects user data, but it also keeps your business safe from potential lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Becoming Compliant&lt;/strong&gt;&lt;br /&gt;The most complicated part of PCI compliance is getting started. Fortunately, the act of being PCI compliant can be boiled down to three steps. &lt;br /&gt;&lt;br /&gt;The first thing a business needs to do is &lt;strong&gt;assess&lt;/strong&gt;, which means to inventory its IT assets and business processes for payment card reprocessing, then analyze them for information that could expose cardholder data. This step is in place to spot any possible vulnerabilities in a system. Options for assessing a business include a Self-Assessment Questionnaire (SAQ), which allows merchants and/or service providers to evaluate themselves for PCI compliance, or independent qualified assessors provided by the Council. There are two types of independent assessors: Qualified Security Assessors that follow a strict procedure to determine whether or not a business is PCI compliant, and Approved Scanning Vendors that provide &amp;ldquo;commercial software tools&amp;rdquo; that perform vulnerability scans on a business&amp;rsquo; systems. 
&lt;br /&gt;&lt;br /&gt;Once any potential vulnerabilities are assessed, the next step is to &lt;strong&gt;remediate&lt;/strong&gt;, which means fixing the technical flaws or unsafe practices that may expose customer data. This includes taking action like &amp;ldquo;applying patches, fixes, workarounds and changes to unsafe processes and workflow.&amp;rdquo; After remediating your site for PCI compliance, you should always reassess to make sure that the work you do during the remediation step is in place and operating properly.&lt;br /&gt;&lt;br /&gt;Finally, merchants must regularly &lt;strong&gt;report&lt;/strong&gt; to the acquirers and global payment brands that they&amp;rsquo;re doing business with; these reports are usually quarterly. The types of reports that need to be completed vary depending on the size of a merchant (their &amp;ldquo;level&amp;rdquo;) and the requirements of their partners, so each business should discuss with their acquirers to figure out the exact details of what needs to be included in these reports and how they should submit them.&lt;br /&gt;&lt;br /&gt;PCI compliance is such an important part of Internet security, for both consumers and website owners, that it cannot just be ignored. However, it&amp;rsquo;s also understandable that many new business owners and merchants may be tempted to just disregard it because it can seem like a scary task to tackle and the benefits aren&amp;rsquo;t always obvious. But when you strip away the jargon and look at it from a very basic level, it becomes much more manageable.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=18155" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/ecommerce/default.aspx">ecommerce</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/pci+compliance/default.aspx">pci compliance</category></item><item><title>Reset Your WordPress Passwords</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2011/06/22/reset-your-wordpress-passwords.aspx</link><pubDate>Wed, 22 Jun 2011 18:05:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:16956</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=16956</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2011/06/22/reset-your-wordpress-passwords.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;&lt;img style="float:left;margin:15px;" src="http://www.websitemagazine.com/images/blog/wordpress-mini.gif" width="73" height="73" alt="" /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The same day we published our &lt;a href="http://wsm.co/WP-plugins-AtoZ%20"&gt;A to Z Guide to WordPress plugins&lt;/a&gt;, the team over at WordPress was suffering from some rather serious security issues. 
&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;
WordPress noticed &amp;ldquo;suspicious commits&amp;rdquo; to popular plugins including AddThis, WPtouch, and W3 Total Cache which contained &amp;ldquo;cleverly disguised&amp;rdquo; backdoors. Noticing that the commits were not from the plugin authors, WordPress rolled them back (to a previous version), pushed updates to the plugins and has shut down access to the plugin repository. 
&lt;br /&gt;&lt;br /&gt;
WordPress is currently investigating the matter but has decided to force users to reset their passwords on WordPress.org. If you&amp;rsquo;re a user of the forums, trac or commit to a plugin or theme, now would be a good time to reset your password on the service.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=16956" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wordpress/default.aspx">wordpress</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/week26-2011/default.aspx">week26-2011</category></item><item><title>Is WebGL a Security Problem?</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2011/05/11/is-webgl-a-security-problem.aspx</link><pubDate>Wed, 11 May 2011 19:45:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:16704</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=16704</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2011/05/11/is-webgl-a-security-problem.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;img height="100" width="100" src="http://www.websitemagazine.com/images/blog/webgl-mini.png" style="float:left;" alt="" /&gt;&lt;br /&gt;Researchers from Context Information Security have warned that the WebGL standard undermines the security concept practiced by current operating system versions and offers up new attack surfaces. WebGL extends the capability of the JavaScript programming language to allow it to generate interactive 3D graphics within compatible web browsers without requiring plugins.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;WebGL, managed by the non-profit Khronos Group, is a context of the canvas HTML element that provides a 3D computer graphics API without the use of plug-ins.[2] The specification was released as version 1.0 on March 3, 2011.
&lt;br /&gt;&lt;br /&gt;
The researchers report that they have been able to elicit a blue screen of death (BSOD) by using targeted overloading of the graphics cards. According to the report, this could allow an attacker to exploit any security vulnerabilities in the graphics card driver to, for example, inject malicious code onto the system. Although Windows 7 and Vista have a mechanism for resetting an overloaded graphics card after about two seconds, the researchers found that this too results in a blue screen of death after a certain number of resets. What this means is that if a graphics card driver contains vulnerabilities, WebGL could allow injection of malicious code onto a system. 
 &lt;br /&gt;&lt;br /&gt;
The researchers have released an online demo (http://www.contextis.com/resources/blog/webgl/poc/index.html) to illustrate the problem. In the researchers&amp;#39; opinion, WebGL is simply not yet ready for primetime. 
&lt;br /&gt;&lt;br /&gt;
The Khronos group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality.
&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=16704" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/html5/default.aspx">html5</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/khronos+group/default.aspx">khronos group</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/webbgl/default.aspx">webbgl</category></item><item><title>WordPress 3.1.1 - Recommended Security Update</title><link>http://www.websitemagazine.com/content/blogs/posts/archive/2011/04/09/wordpress-3-1-1-recommended-security-update.aspx</link><pubDate>Sat, 09 Apr 2011 13:30:00 GMT</pubDate><guid isPermaLink="false">1e469e21-c924-44fa-a132-47b5d0a8ad47:16452</guid><dc:creator>Pete Prestipino</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.websitemagazine.com/content/blogs/posts/rsscomments.aspx?PostID=16452</wfw:commentRss><comments>http://www.websitemagazine.com/content/blogs/posts/archive/2011/04/09/wordpress-3-1-1-recommended-security-update.aspx#comments</comments><description>&lt;hr /&gt;
&lt;p&gt;&lt;strong&gt;&lt;img style="float:left;margin:15px;" src="http://www.websitemagazine.com/images/blog/wp-mini.gif" width="73" height="73" alt="" /&gt;Popular self-hosted blogging platform &lt;a href="http://wordpress.org"&gt;WordPress&lt;/a&gt; received an update that brings it to version 3.1.1.&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This version contains several important security fixes including two relating to the media uploader, an XSS flaw, and one that caused a PHP crash in certain conditions when handling &amp;quot;devilishly devised links in comments.&amp;quot;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Keep in mind that failing to upgrade may leave your blog vulnerable to attacks. Current WordPress users should have already been notified about the update in their Dashboard. If not, or if you aren&amp;#39;t a user just yet, you can download WordPress 3.1.1 from the official website.&lt;/p&gt;
&lt;p&gt;Alongside the security patches come performance improvements, fixes for taxonomy and some permalinks, as well as various things that have been causing plugin compatibility issues.&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.websitemagazine.com/content/aggbug.aspx?PostID=16452" width="1" height="1"&gt;</description><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/security/default.aspx">security</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/wordpress/default.aspx">wordpress</category><category domain="http://www.websitemagazine.com/content/blogs/posts/archive/tags/saturday-special/default.aspx">saturday-special</category></item></channel></rss>