boonbox

Web Threats Weekly

 Week of January 21, 2009

Protecting Your Organization And Mitigating Risk Of Getting Hacked

While presenting at the 11th West Coast Security Forum, we reminded the audience that a recent poll showed 65 per cent of website developers didn't know what it meant to program a site using "secure code". That explains to a large degree why web threats are becoming more numerous and potentially more dangerous to your organization every year.

Of course, we're not the only ones sounding the alarm. Curvine Web Solutions President Jason Shindler knows firsthand what we're talking about, and says organizations need to ensure their webmasters and developers have a good understanding of web threats, particularly the increasingly common threat of SQL injection. "When a web programmer makes a mistake, it can allow a malicious user to delete or change content in the database of a website," Shindler explains. 

We've discovered from talking with our clients that many programmers are not even aware of the problem of SQL injection. This is particularly common in cases where the programmers were self-taught. Once hackers get into the database, the organization can face serious consequences, possibly even going out of business.

Help Beat The Hackers In 2009. Here's How You Can Help

* PCIS is producing webinars in 2009 to help organizations better understand how to identify and prevent web vulnerabilities. If there's a topic you'd like us to address in our webinars, please let us know and we can put it into our webinar series.

* Let us know how your organization is helping keep your website visitors safe, and your online safety tips could be featured in the next Web Threats Weekly!

* Call us if your organization needs help understanding how to close off vulnerabilities to SQL injection and other hacker threats.

Beat the hackers in 2009. Contact PCIS.

Web Threats Tips Of The Week

* Ensure you engage developers who are trained in current security techniques and conduct reviews of new web applications before they are put into production.

* To ensure your application security remains current, conduct regular security assessments. This will address any new methods or technologies that have become available to exploit your websites. If you do not have in-house staff to maintain regular security policies, then arrange for a qualified third party to conduct these assessments on your behalf.

* Develop an actionable plan for network and web application security. If you have not recently done a full audit of your web application environments, plan to do so. Information discovered in the assessments will assist your technology group in addressing vulnerabilities and making your business more secure.

* Generate a patch management report showing patch status on all machines, operating systems and applications, and follow up to ensure your systems are patched against the latest threats.


Web Threats Weekly is distributed by:

* Pacific Coast Information Systems Ltd.

* Boonbox, a division of PCIS


* Contact PCIS

Toll-free 1.877.744.7558

In this issue:

* Protecting Your Organization and Mitigating Risk of Getting Hacked

* Help Beat The Hackers In 2009. Here's How You Can Help

* Web Threats Tips Of The Week

* Hacker Bait 

* Mythbusters Tip #9

* Spam-Alot

Web Threats Weekly helps organizations protect themselves and their customers from known online threats. 


Resource Links

* Online Protection: How To Secure Your Business and Build Consumer Trust (Vancouver Board of Trade)


* Five Web Security Tips for Business (Computer Dealer News)

PCIS / Boonbox IT Security Resources Page

* Subscribe/Unsubscribe Instructions below

Hacker Bait

The latest Hacker Bait list contains many famous websites, including the sites of some major-league baseball teams, that have been found to have vulnerabilities that hackers and cyber criminals could exploit.

Keep in mind that this is not a complete list of all vulnerable sites on the Internet, but only represents websites where vulnerabilities were found within the past 90 days.

These are only the latest additions to an ever-growing club of sites found to be insecure according to various public sources and online tools used in the web security industry.

If you would like more information on our data and why these sites are listed here, please contact PCIS.

Hacker Bait Sites With Vulnerabilities Discovered in Past 90 Days



Mythbusters Tip #9

“Our website uses SSL encryption, so it can't be hacked.”

This myth is perpetuated by a misunderstanding. If your site uses SSL, that means information sent to the site is encrypted. But using SSL does not ensure information remains protected or encrypted once it is on the site. It doesn't stop hackers from penetrating a website's database.

As a comparison, imagine that a courier is riding on a secure train by himself from one train station to the next. But on arriving at his destination, the courier deposits his secret information in a train station locker that could potentially be opened by a cunning thief.

If you visit a site that has been hacked, SSL only ensures that your computer systems will be hacked in a highly secure manner.


Spam-Alot

Spammers are linking to blogs, profiles and other pages on these trusted sites to give victims a false sense of security that the links can be followed safely. These sites may not have been hacked, but following the spam links to these sites and clicking on links shown there can result in harm to your computer.

If you would like more information on our data and why these sites are listed here, please contact PCIS.

Spam-Alot Websites Exploited Since Jan. 15, 2009


Boonbox and Pacific Coast Information Systems Ltd.

Boonbox is a division of Pacific Coast Information Systems Ltd., specializing in products for web security, network security, password management and data backup.

PCIS is a Vancouver-based company which provides strategic consulting, application development, technology solutions and managed services to companies and government organizations throughout North America.

HOW TO SUBSCRIBE/UNSUBSCRIBE

SUBSCRIBE: To subscribe to Web Threats Weekly, send a blank email message with subject line "SUBSCRIBE" to informer@pcis.com

UNSUBSCRIBE: If you do not wish to receive future issues of Web Threats Weekly, send a blank email with subject line "UNSUBSCRIBE" to informer@pcis.com and we will promptly remove you from our distribution list.

WE WANT YOUR FEEDBACK

Our purpose in providing this free service is to keep our clients and business contacts informed of technology developments. This information can help them resolve common problems and achieve their full potential by strengthening their business processes and infrastructure. Your input is important to us and we welcome your ideas for new features and how we can continue to improve our service to you. Send your comments and suggestions to informer@pcis.com or contact us directly at 604.844.7558.

 

Copyright © 2009 Pacific Coast Information Systems