<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Imperva Data Security Blog</title>
    
    <link rel="alternate" type="text/html" href="http://blog.imperva.com/" />
    <id>tag:typepad.com,2003:weblog-1880405</id>
    <updated>2012-02-08T00:00:00-08:00</updated>
    
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/Imperviews" /><feedburner:info uri="imperviews" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>Imperviews</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry>
        <title>Hackers Target Local Governments</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/SZN_XaWM8Kk/hackers-target-local-governments.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/02/hackers-target-local-governments.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0168e6e919ad970c</id>
        <published>2012-02-08T00:00:00-08:00</published>
        <updated>2012-02-08T00:00:00-08:00</updated>
        <summary type="html">This is an interesting piece. The SC DMV is suffering from constant attacks--90 attacks since the beginning of the year. The DMV contacted the FBI, since most of the hackers are attacking from foreign countries. The FBI's local cyber-security squad is assisting the DMV to make sure everything possible is being done to protect the DMV database, which contains not only drivers' names and addresses but also Social Security numbers and copies of birth certificates. Why is this happening? Possibilities include: Foreign government gathering citizen information. Though possible, it doesn't seem as likely. It's not necessarily a foreign government, but...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Noa Bar Yosef" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/02/hackers-target-local-governments.html</feedburner:origLink></entry>
    <entry>
        <title>Stopping Fraud: Getting Rid of the Man in Your Browser</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/XLlZMyrXTKM/stopping-fraud-getting-rid-of-the-man-in-your-browser.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/02/stopping-fraud-getting-rid-of-the-man-in-your-browser.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0168e6e9c77c970c</id>
        <published>2012-02-07T14:00:00-08:00</published>
        <updated>2012-02-07T14:00:00-08:00</updated>
        <summary type="html">As attacks on customers expand beyond banking and popular retail applications, organizations cannot sit on the sidelines and expect the average consumer to avoid infection and mitigate attacks on their own. Fraud is a key--and evolving--challenge facing security teams today. In order to thwart the impact of client-side attacks, such as man-in-the-browser, businesses must take charge of securing the interaction with their clients. This webinar will: Highlight tactics organizations can deploy to dramatically reduce incidents of fraud. Provide a high-level, technical overview of client-side attacks and demonstrate how man-in-the-browser attacks operate. Reveal two techniques that can be used by a...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="ADC Team" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/02/stopping-fraud-getting-rid-of-the-man-in-your-browser.html</feedburner:origLink></entry>
    <entry>
        <title>Syrian President's Password:  12345</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/z_hBSduMiHI/syrian-presidents-password-12345.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/02/syrian-presidents-password-12345.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c016761e29935970b</id>
        <published>2012-02-07T05:48:22-08:00</published>
        <updated>2012-02-08T05:30:56-08:00</updated>
        <summary type="html">In an interview, the Syrian president Assad claims that the 'American psyche can be easily manipulated.' Not as easy to manipulate as his email password, however: Some 78 inboxes of Assad's aides and advisers were hacked and the password that some used was "12345". Among those whose email was exposed were the Minister of Presidential Affairs Mansour Fadlallah Azzam and Assad's media adviser, Bouthaina Shaaban. As one of our blog readers noted, "I have the same combination on my luggage."</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="ADC Team" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/02/syrian-presidents-password-12345.html</feedburner:origLink></entry>
    <entry>
        <title>VeriSign Breached</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/AQDWP3B-zKw/verisign-breached.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/02/verisign-breached.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c01630098e50f970d</id>
        <published>2012-02-02T08:32:00-08:00</published>
        <updated>2012-02-02T11:28:13-08:00</updated>
        <summary type="html">Amazing story from Reuters. Note how the breach was reported: The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The article speculates that penetrating SSL certificates may have been a key target of the attack. Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer certificates, which Web browsers look for when...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Rob Rachwald" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/02/verisign-breached.html</feedburner:origLink></entry>
    <entry>
        <title>SQL Injection Part II:  Seeing A Blind SQL Injection</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/2OLZ-b8KOvw/sql-injection-part-ii-seeing-a-blind-sql-injection.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/02/sql-injection-part-ii-seeing-a-blind-sql-injection.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0167618e7bdf970b</id>
        <published>2012-02-02T08:15:12-08:00</published>
        <updated>2012-02-02T08:15:12-08:00</updated>
        <summary type="html">We started a blog series in January on SQL injection. Today, Groundhog Day, the groundhog predicted a longer winter full of SQL injection so now is a fitting time to post Part II of our series. Today's post was authored by Tal Be'ery (who is not pictured below). TinKode, a famous hacker, has reportedly been caught. TinKode was talented and best known for his mastery of the black art of Blind SQL injection. (The term Blind SQL injection was coined by Imperva CTO Amichai Shulman almost a decade ago.) Using Blind SQL injection, TinKode was able to hack many sites,...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Tal Be'ery" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/02/sql-injection-part-ii-seeing-a-blind-sql-injection.html</feedburner:origLink></entry>
    <entry>
        <title>The FBI's Social Media Monitoring</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/eJnXVFr71oM/the-fbis-social-media-monitoring.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/02/the-fbis-social-media-monitoring.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0168e67d2fed970c</id>
        <published>2012-02-01T06:27:21-08:00</published>
        <updated>2012-02-01T06:41:23-08:00</updated>
        <summary type="html">The FBI has issued an RFI for social media monitoring. It's a long document, but here's the bottom line: This shouldn't surprise anyone. The use of social media as a communications and recruitment platform has made this a necessity.</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Tal Be'ery" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/02/the-fbis-social-media-monitoring.html</feedburner:origLink></entry>
    <entry>
        <title>Facebook Bug Hunting</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/DxP2kCTAJcg/facebook-bug-hunting.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/01/facebook-bug-hunting.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0163005e5fa2970d</id>
        <published>2012-01-30T00:00:00-08:00</published>
        <updated>2012-01-30T00:00:00-08:00</updated>
        <summary type="html">BusinessWeek is running a great article on bug hunting by companies such as Facebook, Google and more. One of the featured bug hunters is Imperva's Tal Be'ery. Here's Tal's account of finding that particular problem with Facebook and how it was reported. On the 29th of July, Imperva's ADC team was exploring the login mechanisms of several prominent web applications including Facebook. We were hoping to learn about the adoption of advanced security mechanisms, but you can imagine how surprised we were when we found out that Facebook's registration process was performed over HTTP with no encryption at all –...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Tal Be'ery" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/01/facebook-bug-hunting.html</feedburner:origLink></entry>
    <entry>
        <title>Massive Virus Hits Android</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/3ft1y_PV5kQ/massive-virus-hits-android.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/01/massive-virus-hits-android.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0167613b4654970b</id>
        <published>2012-01-28T07:11:17-08:00</published>
        <updated>2012-01-28T07:13:01-08:00</updated>
        <summary type="html">According to this article: a bug by the name of Android.Counterclank has infected between 1 million and 5 million Android users as of this afternoon. This incident points out the problem of having a decentralized distribution system. In other words, anyone can disseminate Android applications anywhere--including virus writers. Without a middleman to ensure consumers can trust the applications being downloaded, expect these types of incidents to grow and continue. In March 2011, IDC predicted that “Android is poised to take over as the leading Smartphone operating system in 2011 after racing into the number 2 position in 2010.” Not surprisingly,...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Rob Rachwald" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/01/massive-virus-hits-android.html</feedburner:origLink></entry>
    <entry>
        <title>How Time Warner Profits from Anonymous</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/DdDJrgIL4VU/how-time-warner-profits-from-anonymous.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/01/how-time-warner-profits-from-anonymous.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c0168e62fe6fb970c</id>
        <published>2012-01-27T07:27:08-08:00</published>
        <updated>2012-01-27T07:27:08-08:00</updated>
        <summary type="html">This is entertaining. The gist: [Anonymous'] disguise is earning big bucks for a major media conglomerate. Warner Brothers, the Time Warner subsidiary who produced the movie, owns the rights to the Guy Fawkes mask – and they earn royalties on every sale. (Obligatory disclaimer: Time Warner is also TIME’s parent company, so in an extremely roundabout way, we’re also profiting from this.) While Time Warner hasn’t released any data related to their earnings from the masks, it’s safe to say that the hundreds of thousands of Guy Fawkes masks sold each year helps to bring sure profit to the company.</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Rob Rachwald" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/01/how-time-warner-profits-from-anonymous.html</feedburner:origLink></entry>
    <entry>
        <title>Anatomy of Business Logic Attacks</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Imperviews/~3/gFY8jevpdp4/anatomy-of-business-logic-attacks.html" />
        <link rel="replies" type="text/html" href="http://blog.imperva.com/2012/01/anatomy-of-business-logic-attacks.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a01156f8c7ad8970c016300285116970d</id>
        <published>2012-01-26T06:39:04-08:00</published>
        <updated>2012-01-26T06:39:04-08:00</updated>
        <summary type="html">Today we published our second Web Application Attack Report (WAAR). The full version is available here (no reg required). Last report we described the most common attacks against applications which included SQL injection, Local File Inclusion, Cross Site Scripting and Directory Traversal. This time we added Business Logic Attacks. Here's an excerpt from our WAAR detailing the nature of the attack. Business Logic Attacks A Business Logic Attack (BLA) is an attack which targets the logic of a business application. “Traditional”, technical, application attacks contain malformed requests. On the other hand, business logic attacks include legitimate input values. This lack of...</summary>
        <author>
            <name>Rob Rachwald</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="ADC Team" />
        
        


    <feedburner:origLink>http://blog.imperva.com/2012/01/anatomy-of-business-logic-attacks.html</feedburner:origLink></entry>

</feed>

