Web Threats Weekly

Security comes from people, process and technology

Protecting customers and supporters from getting hacked on your websites or other public-facing systems in turn protects your organization. The flip side of that is protecting your internal systems from phishers and hackers so you don’t in turn infect the systems your customers are using.

This week, we look at what Microsoft’s security experts suggest for protecting your web applications and systems.

“When looking at the overall security plan for your organization, any security strategy comes from the people, process and technology,” says Microsoft Security Team Specialist Mohammad Akif. “You have to ensure all three are working to a high standard, because hackers will always take the easiest path.”

Since a large share of attacks target the web application layer, PCIS and other industry experts have long suggested that developers need to be more aware of security issues.

For web developers, never trust user input: most security vulnerabilities revolve around an attacker sending malformed data to the server. Also, to defend against cross-site scripting, HTML-encode user-supplied data at the point it is written into a page as output. This turns the characters that give HTML tags their meaning into harmless escape sequences, so injected markup is displayed as text rather than executed. And use well-tested cryptographic algorithms, rather than home-grown ones, to protect code.
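The two developer rules above (never trust input, encode at output) in working form, as an added example that is not part of the newsletter or of Microsoft's guidance: a small Node.js snippet with a strict allowlist for a display name and an HTML encoder applied as values are written into markup. The function names, the allowlist rule and the sample comment are all assumptions made for the illustration; the unsafe renderer is kept only to contrast with the hardened one.

```javascript
// Added example (not from the newsletter or Microsoft): validating input with an
// allowlist and HTML-encoding untrusted values at the point they become output.

// The five characters that change meaning inside HTML text and attribute values.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into HTML text or a quoted attribute value.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// "Never trust user input": accept a display name only if it matches a strict
// allowlist (letters, digits, underscore, 3-20 characters); reject everything else.
// The rule itself is an assumption chosen for this example.
function validateDisplayName(name) {
  return /^[A-Za-z0-9_]{3,20}$/.test(name);
}

// Vulnerable pattern: user-supplied strings concatenated straight into markup.
// Any tag in the comment body is delivered to the browser as live HTML.
function renderCommentUnsafe(author, text) {
  return `<li class="comment"><b>${author}</b>: ${text}</li>`;
}

// Hardened pattern: the name is allowlisted and every untrusted value is
// HTML-encoded as it is written into the page, so markup is shown as text.
function renderCommentSafe(author, text) {
  if (!validateDisplayName(author)) {
    throw new Error('rejected display name');
  }
  return `<li class="comment"><b>${htmlEncode(author)}</b>: ${htmlEncode(text)}</li>`;
}

// Constructed sample input: a comment body that happens to contain markup.
const SAMPLE = { author: 'guest_42', text: 'Loved it! <b>5 < 6</b> & "quotes" \'here\'' };

// Demonstration when run directly with node: unsafe output first, encoded output second.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentUnsafe(SAMPLE.author, SAMPLE.text));
  console.log(renderCommentSafe(SAMPLE.author, SAMPLE.text));
}
```

Encoding is context-specific: this encoder is correct for HTML text and quoted attribute values, but a value placed inside a URL, a script block or a stylesheet needs the encoder for that context. In a real application use the framework's own encoder (for instance `HttpUtility.HtmlEncode` in ASP.NET) rather than maintaining a hand-written map.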

Looking at basic security for an organization, ensure your firewall, anti-virus, anti-spyware and operating systems are patched and updated.

Email continues to be a challenging vulnerability to close off. Make sure your spam filter is working. Don’t open emails if you suspect they are phishing efforts. Don’t click on links if anything about the message looks suspicious. Read the target address: if the e-mail message appears to come from your bank, but the target address is just a meaningless series of numbers, do not click the link.

Organized criminals may redouble their successful, profitable phishing and hacking efforts as the economy suffers. Organizations are not up against high school kids. Now you’re up against Ph.D.s whom they’ve recruited. And in a challenging economy, security is an even bigger priority, as no one wants their sales to take a hit from a security breach.

Network and Web Security Blog Link-Fest

We've had our eye on some very informative and entertaining blog posts and articles great for helping business managers and IT people get a handle on the security landscape. Here are a few of our favorites this week:

EFF launches "Surveillance Self Defense" -- comprehensive guide to blocking govt snooping (Boing Boing) - Examination of a practical, online how-to guide for protecting your private data against government spying. Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying? 

Secure Your Twitter Sessions with https (Micro Persuasion) - Twitter is an increasingly popular social networking tool, but critics have suggested that there are significant security issues that could potentially expose users' private information. This post examines what you can do if you want to use an open wifi connection at an airport and don't care to risk people sniffing your session.

A Busy Cybersecurity Week in Washington (CNET News Security) - An overview of the great progress that the US federal government is making in turning its attention to the cyber security issues. This includes a bigger security budget, a shiny new report chock full of recommendations and a revised guide for network standards.

Corporate IT Security Breach Apology Letter Template (Pacific Coast Informer Blog) - Call us biased if you like, but we think this post provides an excellent example of how a corporation can communicate what it is doing in the event of a security breach, based on the response of Heartland Payment Systems to its real-life troubles. We expect a great number of organizations will be forced to write letters like this in 2009.

March 4, 2009

Web Threats Weekly is distributed by:

Pacific Coast Information Systems Ltd.

Boonbox, a division of PCIS


Contact PCIS

Toll-free 1.877.744.7558


In this issue:

* Security comes from people, process and technology

* Network and Web Security Blog Link-Fest 

* Hacker Bait 

* Mythbusters Tip #15

* Spam-Alot

Web Threats Weekly helps organizations protect themselves and their customers from known online threats. 



Hacker Bait

The latest Hacker Bait list contains business and social networking websites that have been found to have vulnerabilities that hackers and cyber criminals could exploit.

This is not a complete list of all vulnerable sites on the Internet, but only represents websites where vulnerabilities were found within the past 90 days.

These are only the latest additions to an ever-growing club of sites found to be insecure according to various public sources and online tools used in the web security industry.

If you would like more information on our data and why these sites are listed here, please contact PCIS.

Hacker Bait Sites With Vulnerabilities Discovered in Past 90 Days

facebook.com

tarboo.com

virtualR.net

eyesblue.awardspace.com

ffxionline.com

bestcontractmobilephonedeals.co.uk

ifpi.org

msn-historiales8.blogspot.com

bordersestates.co.uk

jinning.gov.cn

japlog.jp

livedoor.jp


Mythbusters Tip #15

“Sneaky hackers who attack your organization from the outside are the most dangerous threat.”

While the vast majority of attacks against a network or web applications come from outside, studies show that some of the most devastating attacks come from within. 

Most employees may not understand security, so part of the danger comes from honest errors. The flip side is the disgruntled employee with access to systems who can do deliberate sabotage. Companies need to develop procedures to mitigate the risk of an internal threat, such as a rigorous hiring procedure, security training and an appropriate level of monitoring.

Mythbusters Myths 1 to 14


Spam-Alot

Spammers are linking to blogs, profiles and other pages on these trusted sites to give victims a false sense of security that the links can be followed safely. These sites may not have been hacked, but following the spam links to these sites and clicking on links shown there can result in harm to your computer.

If you would like more information on our data and why these sites are listed here, please contact PCIS.

Spam-Alot Websites Exploited Since Feb. 26, 2009

alibaba.com

merriam-webster.com

netzero.com

transatlanticart.com

careerbrite.com

xbetworld.com

Boonbox and Pacific Coast Information Systems Ltd.

Boonbox is a division of Pacific Coast Information Systems Ltd., specializing in products for web security, network security, password management and data backup.

PCIS is a Vancouver-based company which provides strategic consulting, application development, technology solutions and managed services to companies and government organizations throughout North America.

HOW TO SUBSCRIBE/UNSUBSCRIBE

SUBSCRIBE: To subscribe to Web Threats Weekly, send a blank email message with subject line "SUBSCRIBE" to informer@pcis.com

UNSUBSCRIBE: If you do not wish to receive future issues of Web Threats Weekly, send a blank email with subject line "UNSUBSCRIBE" to: informer@pcis.com and we will promptly remove you from our distribution list.

WE WANT YOUR FEEDBACK

Our purpose for providing this free service is to keep our clients and business contacts informed of technology developments. This information can help them resolve common problems and achieve their full potential by strengthening their business processes and infrastructure. Your input is important to us and we welcome your ideas for new features and how we can continue to improve our service to you. Send your comments and suggestions to informer@pcis.com or contact us directly at 604.844.7558