Smart Security Shop

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, 31 July 2009

Dev Tools for Security Testing

Posted on 05:22 by Unknown
I have been realizing that even the development tools can be good for initial security testing !!
Let me explain what I mean by this.

For instance, I have been working on a highly sensitive application (in defense sector) and this is a supposedly a Thick Client application. Developed using Windows Forms and the latest technologies of Messaging, this application can be tested for security by the development tool like Visual Studio features itself.

Most of the security testing include Data Validation checks. Input Validation, Output Validation, SQL Injection, etc are few checks related to data validation. These checks can be done using the Visual Studio IDE itself where the values for the application can be changed and checked if the application passes the validation check.

Simple Steps in a Typical Scenario:
1. My dev teams says they have performed the validation both at the client-side and server-side code to ensure application security. However, this needs to be checked.
2. So, if I pass valid values at the application client side, debug the application at server-side to change the values passed to check if the server-side validation actually fires the validation, my job is done.
3. Why would I choose such a method? because typically other than application sending request over HTTP, it is "really" tough to intercept the request sent from the client machine to the server and modify the request parameters for security mis-use cases.

IMO, close to 60% security checks could be easily done by using the dev tools debug features itself and it proves really useful if the application sends requests in non-HTTP protocol.
Read More
Posted in Application Security, Development Tools, Security Tools | No comments

Thursday, 23 July 2009

Botnet Attack Details from Kaspersky

Posted on 23:31 by Unknown
One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The story was picked up by Computer Weekly which did a good summary of it.

The financial “highlights” of the ill-gotten gains from botnets (From Computer Weekly):

• Hiring a botnet for DDoS attacks costs from $50 to thousands of dollars for a continuous 24-hour attack.
• Stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance.
• Personal data capable of allowing the criminals to open accounts in stolen names costs $5 to $8 for US citizens; two or three times that for EU citizens.
• A list of one million email addresses costs between $20 and $100; spammers charge $150 to $200 extra for doing the mailshot.
• Targeted spam mailshots can cost from $70 for a few thousand names to $1,000 of tens of millions of names.
• User accounts for paid online services and games stores such as Steam go for $7 to $15 per account.
• Phishers pay $1,000 to $2,000 a month for access to fast flux botnets.
• Spam to optimize a search engine ranking is about $300 per month.
• Adware and malware installation ranges from 30 cents to $1.50 for each program installed. But rates for infecting a computer can vary widely, from $3 in China to $120 in the US, per computer.

And what makes this all possible? There are tens of millions of PCs available to botnet operators because of bad computer security on machines in homes and bad security practices by the people who use them.

Computer Weekly story: “Kaspersky reveals price list for botnet attacks”

Original white paper here. “The economics of Botnets”
Read More
Posted in Botnets | No comments
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)

Popular Posts

  • Registrations for OWASP Mumbai Meet [31st July 15:00hrs]
    Hi All, Everyone is welcome to join us at our next chapter meet to be held on Monday , 31 st of July. Registrations for the eve...
  • Free Web Proxy List
    A web proxy is becoming more and more important in todays internet. Schools and Companys tend to block sites pretty quickly nowadays, especi...
  • How do you use RSA for both authentication and secrecy?
    RSA is based upon public key/private key concept. For authentication one can encrypt the hash (MD5/SHA) of the data with a private key. This...
  • Does the code use MapPath?
    Review code for the use of MapPath. MapPath should be used to map the virtual path in the requested URL to a physical path on the server to ...
  • New Rogue Security Product: Smart Antivirus 2009
    Smart Antivirus 2009 is a new rogue security product and a near clone of AntiSpyware 2008 Smart Antivirus 2009 Home page Typical fake/Scare ...
  • Impersonation without Windows Authentication
    How to Impersonate the Original Caller without Windows Authentication When using non-windows authentication like Certificate Authentication ...
  • Firefox popups
    Firefox popups Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see oc...
  • Spam - It also impacts the environment
    McAfee has released The Carbon Footprint of Email Spam Report . The study looks at the global energy expended to create, store, view, and fi...
  • Botnet Attack Details from Kaspersky
    One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The st...
  • Can Security be incorporated in the Computer Science & IT courses?
    Attacks on the web systems have become a common place and most of the issues have been attributed to software vulnerabilities. The IT softwa...

Categories

  • Account Lockout
  • Anti-XSS
  • Antivirus
  • Application Security
  • AppSec Conference
  • ASP.NET
  • Attacks
  • Authentication
  • Banks
  • Botnets
  • Break
  • Broadband
  • Browsers
  • Change Management
  • Citibank
  • Clear Text Secrets
  • Computer Performance
  • Computer Security
  • Credit Card
  • Cyber Security
  • Cyber Terrorism and Economy
  • Data Validation
  • Database Security
  • Defragmentation
  • Design
  • Developer Training
  • Development Tools
  • DSS
  • eCrime
  • Education
  • Encryption
  • Ettercap
  • Exchange 2007
  • facebook
  • Frauds
  • Google Hacking
  • Hacking
  • ICICI Bank
  • India Leaders
  • Internet
  • IRCTC
  • Java
  • Legal
  • Live Demo
  • Load Testing
  • Mail Security
  • Malware
  • Mastek
  • Message Security
  • Mobile Security
  • Money Laundering
  • News
  • one time password
  • Online
  • Oracle
  • OWASP
  • PC Errors
  • PCI
  • Performance Testing
  • Phishing
  • Popular Posts
  • Punishment
  • Requirement Engineering
  • Retail
  • Rouge
  • Routers
  • Rugged
  • Security
  • Security Industry
  • Security Management
  • Security Requirements
  • Security Tools
  • Sensitive Data
  • Sniffing
  • Social Networking
  • Software Industry
  • Solutions Community
  • Spams
  • SQL Injection
  • SSL
  • Sudhakar Ram
  • Summer of Code
  • SUN
  • Technology
  • Testing
  • Thick Client Security
  • Third Wave
  • Times of India
  • Typo Squatting
  • UI Security
  • University Programs
  • Virtual Keyboard
  • Virtualization
  • WCF 3.5
  • Web 2.0
  • Web Applications
  • Web Security
  • Web Services
  • WiFi
  • Windows
  • Workshops
  • X.509 Certificates
  • XSS

Blog Archive

  • ►  2011 (5)
    • ►  September (1)
    • ►  July (2)
    • ►  March (2)
  • ►  2010 (5)
    • ►  November (1)
    • ►  June (1)
    • ►  March (1)
    • ►  January (2)
  • ▼  2009 (19)
    • ►  December (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (1)
    • ▼  July (2)
      • Dev Tools for Security Testing
      • Botnet Attack Details from Kaspersky
    • ►  June (2)
    • ►  May (1)
    • ►  April (4)
    • ►  March (2)
    • ►  February (2)
    • ►  January (2)
  • ►  2008 (29)
    • ►  December (7)
    • ►  November (2)
    • ►  September (3)
    • ►  August (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (2)
    • ►  April (3)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (29)
    • ►  December (2)
    • ►  November (3)
    • ►  October (11)
    • ►  September (5)
    • ►  August (2)
    • ►  July (1)
    • ►  June (1)
    • ►  April (1)
    • ►  March (1)
    • ►  February (1)
    • ►  January (1)
  • ►  2006 (36)
    • ►  December (1)
    • ►  November (3)
    • ►  October (6)
    • ►  September (3)
    • ►  August (4)
    • ►  July (3)
    • ►  June (1)
    • ►  May (5)
    • ►  April (2)
    • ►  March (4)
    • ►  February (1)
    • ►  January (3)
  • ►  2005 (20)
    • ►  December (6)
    • ►  November (14)
Powered by Blogger.

About Me

Unknown
View my complete profile