Friday, 19 December 2014

Wearables: Top Security Risks and Preventive Measures

All-consuming passion for wearables should go hand in hand with enhanced security. Find out what the top wearables security risks are and how to mitigate them to keep your gadget safe and sound.

By Nazar Tymoshyk and Stanislav Breslavskyi
They say that with great power comes great responsibility. Judging from today's all-consuming passion for wearables and their seemingly endless functionality, this rule should be applied, first and foremost, to wearables security. Unfortunately, you are not the only one taking advantage of the data collected by smart devices. To combat attackers' activity, it is important to know that the wearables risk zone covers three components:
1. The wearable device itself
2. The device you transmit data to (e.g., a smartphone)
3. The cloud
So what are the top wearables security risks, and what may be the result of careless handling of data?
Invading Privacy: Targeted Advertising
Have you ever had the feeling you are being watched after that last Hunkemöller collection ad popped up in the sidebars on Facebook, or after EasyJet sent you a special offer for Mallorca? Apparently, marketing specialists today inspect their target audience by the principle Sting was singing about: every step you take, every click you make, they'll be watching you. Customization as a trend is harmless in itself, but at some point stalking your web activity may result in an unhealthy invasion of privacy or in the collected data being used against you.
Spying, Robbing, Housebreaking
Checking in via Foursquare may be more dangerous than you think and poses a serious wearables risk. For burglars and robbers, your location may serve as a green light to break into your house. A perfect example is a recent viral Internet story about Keri McCullen, who shared her excitement about going to a concert and came back home only to find out she had been robbed.
The recent iCloud nude photo leak scandal proved that private information may be a weapon for blackmail or public disgrace. Attackers do not necessarily need your photos: because of self-tracking, anything you post or do may be used against you.
Health Damages
Barnaby Jack's experiments showed that by attacking healthcare devices such as pacemakers and insulin pumps, it is possible to increase the voltage delivered by a pacemaker or multiply the insulin dose tenfold, and kill a person.
Ten Easy Steps to Mitigate Wearables Security Risks
No panic: by treating your wearable and the data it tracks with due attention and care, you can easily mitigate potential threats. Here are some basic preventive steps to strengthen your wearable security:
1. Keep the wearable device itself protected.
2. Ensure account safety and cloud synchronization security with reliable password recovery security questions and two-factor authentication modules.
3. Use different passwords for different systems, and change them once in a while.
4. Lock your screen and encrypt your data.
5. Be suspicious of websites and services that request too much information.
6. Switch off Bluetooth when it is not in use.
7. Always carefully read the Privacy & Security Policy.
8. Install OS and app updates as soon as they become available.
9. Don't be overly fanatical about check-ins.
10. Trust, but verify.
No matter how reliable your service provider or gadget seems, don’t forget about these easy preventive measures to mitigate security risks and keep your gadget safe and sound.


Thursday, 16 October 2014

Hooray, a new Security Hole #14

Hooray, hooray, hooray. We are back after a short vacation and are organizing another Security Hole. 3 really interesting speakers. 3 really cool topics. Don't miss it!

Live stream on our channel: http://www.ustream.tv/channel/security-hole


Wednesday, 8 October 2014

Public Lecture

We held a meeting with students of the Information Security department. We told them what it is we actually do. An interesting experience.

SSL Pinning

We are often asked how to secure an application after we have picked it apart.
Here it is clearly explained why SSL Pinning is important.


Monday, 11 August 2014

Three Pillars to Build Security Into Your SDLC

In today's technology environment, the issue is no longer whether your business is vulnerable to cyber security threats or may someday be attacked; the issue is "When?" and "Will you be prepared?" The widespread use of cloud computing, SaaS and smart devices leaves businesses of all types and scales more vulnerable than ever to attacks on their information systems. A company's financial security, intellectual property and level of trust are at risk. Everything can be lost as the result of a successful attack.

Security can't be an afterthought or an adjunct task in the software development process. The threat is real enough to require tightly integrating security into the software development lifecycle (SDLC). Identifying security issues at the end of development is too late.

When you incorporate security into your SDLC, you create applications that are secure by design, not by chance or circumstance.

In particular, security in continuous integration (CI) environments can be challenging. The goal of CI is to provide rapid feedback on disparate code changes, allowing developers to correct errors as soon as possible by identifying functional defects introduced into the larger code base. In this environment, integrated security testing is needed to provide developers a real-time threat assessment of all changes they’ve made, regardless of their operational success in the larger code base. Without integrated security testing, there’s a risk of re-engineering solutions multiple times to address security threats detected long after functional solutions are accepted. That wastes valuable time, money, energy and effort.

Following are three pillars to build security into a continuous integration development environment, creating applications capable of standing up to any security threat:

1. Leverage Interactive Application Security Testing (IAST)

IAST combines the techniques and benefits of static and dynamic application security testing into a single solution, increasing the overall accuracy of testing by running continuous, automated malicious traffic against applications under development while monitoring the applications at runtime. IAST monitors information from inside the application under test, including runtime requests, data and control flows, libraries and connections, to create a comprehensive testing environment simulating real-world attacks. This includes context awareness, allowing organizations to prioritize threats by risk, as opposed to prioritizing vulnerabilities without being able to assess their impact on data in the event of an attack.

Unlike other test methodologies, IAST pinpoints real vulnerabilities with no false positives and gives immediate, focused code remediation (source: http://www.marketwatch.com/story/interactive-application-security-testing-iast-named-by-gartner-analysts-in-top-10-technologies-for-information-security-in-2014-2014-07-01).

IAST is the future of security testing and should be a mainstay of SDLC environments.

2. Choose the Right Tool for the Job

There are a variety of tools available in the marketplace capable of providing utility in an integrated security SDLC environment. As with all choices, some solutions may prove inadequate or overkill for the task at hand. A good motto to follow when evaluating testing environments is, "Just because you can, doesn't mean you should." In other words, security testing requires the right tool for the job at hand, not any tool that can serve some level of purpose.

Thoughtfully marry your security testing solution with the type of software, language, methodology and budget matching your environment. Select security tools capable of automated testing, purpose-built to integrate with the continually evolving code base inherent to the CI software development process.

The right tools are needed to create the level of testing required to assure security of the application under development. This isn’t an area you want to skimp on or misalign.

3. Involve Your Security Analyst

Although security is everyone’s responsibility, it’s wise to have someone responsible to continuously oversee all security testing efforts. Security analysts should be used to verify and coordinate all test results, investigate suspicions of false positives and negatives, explain security defects to developers and educate quality assurance staff on ways to detect business logic defects.

Having a security analyst on your team throughout the SDLC process raises the importance of application security and provides a voice on the team that won’t compromise security for operational or functional abilities. As security shouldn’t be an afterthought in development, it shouldn’t be an afterthought in responsibility.


Cyber attacks are a real and growing threat to business and individuals that we need to prepare to quickly detect and thwart. One of the best defenses against a cyber attack is to develop applications within an integrated security environment. In this environment, security is part of the software development process, as opposed to a parallel or after-action activity. 

A big part of preparedness is selecting the right methodology. IAST is the latest approach to application security testing that provides continuous, real-time feedback on simulated cyber attacks. This is especially valuable in CI environments where disparate code changes are rapidly introduced for testing within a larger code set.

Beyond the testing environment, the tools and testing configurations you employ need to match your unique situation. While more than one testing solution may provide a level of functionality, security is too important an issue to use anything less than ideal support systems.

Last, but not least, security analysts should be an integral part of your development team. Their uncompromising voice for security underscores their importance in the development process and keeps security a top priority within your team.

The safe assumption is that your business will be under attack at some point in the future and catastrophic financial, intellectual property and customer losses may be the result of not being properly prepared. The issue developers need to address is how well they are prepared to withstand an attack, and that begins with measures taken in the software development process.

Thursday, 10 July 2014

Security Test Case Suite

We present a typical checklist for performing an application penetration test.
The list is available here: http://goo.gl/xNJyae

Security Hole #11 - Summary

Yesterday another Security Hole took place, attended by more than 25 listeners. Attendees included employees of SoftServe as well as of other companies: Symphony Solutions, Epam, Perfectial, Remit, Conscensia.
Speakers Yuriy Bilyk and Ihor Belyaev shared their information security research on the topics of regular expressions, cryptography and competitive intelligence. The most interesting practical part consisted of applying competitive intelligence techniques, and the participants completed the tasks with enthusiasm.

Security Hole #12 - Lockpicking Authentication - OWASP Lviv - SoftServe

Friday, 4 July 2014

Security Hole #11 - It will be interesting!

This time Yuriy Bilyk and Ihor Belyaev will be teaching us. It will be really interesting!

WEDNESDAY, 9 July, 19:00, Fedkovycha 60A, room 4004, SoftServe office No. 4.

P.S. For those who cannot attend in person, a live stream will be available on our channel:

Where to train your testing knowledge (publication B)

Where to train your QA engineers in Security for FREE?

With the rapid increase of web applications on the Internet, the question of their security becomes more and more critical. It is difficult to learn and practice web application security. Not everyone dealing with security testing has an environment with web applications, such as an online computer store or an online bank, that can be used to scan for vulnerabilities. Additionally, security professionals need to test their tools against an environment with known vulnerabilities to ensure that the tools are working properly. All these activities have to be done in a legal environment without breaking the law, and this is one of the main stoppers in the training process.
Security communities all over the world took these facts into account and prepared a lot of great material: online environments and vulnerable applications that can run locally, for learning and practicing web application security.
Security Compass prepared a free online course based on the Top 10 web application vulnerabilities for 2013 according to the Open Web Application Security Project (OWASP). This course is available on their website. The easiest step-by-step guideline for students is available on the Computer Security Student website.
The OWASP Mutillidae II Project provides a free, open-source, deliberately vulnerable web application that serves as a target for web security enthusiasts. It has several tasks for each vulnerability from the OWASP Top 10 list. Currently version 2.0.7 of Mutillidae is available.
The OWASP WebGoat project, prepared by the OWASP community, was designed to teach web application security lessons. It is easy to run and practice with. Students can log in to the application with different accounts, get a description of each lesson and, if needed, obtain the lesson solutions. The difference from the previous project is that it contains lessons dedicated not only to breaking security but also to fixing vulnerabilities by providing secure code.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. This project is very similar to Mutillidae: here you have no concrete tasks to solve, but you have scripts with common vulnerabilities:
· Brute Force
· Command Execution
· CSRF
· File Inclusion
· SQL Injection
· SQL Injection (Blind)
· Upload
· XSS reflected
· XSS stored
The newest version is 1.0.8.
A codelab by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, Web Application Exploits and Defenses, provides a platform that can be accessed online or installed locally. It has tasks for both black-box and white-box testing. This codelab shows how to exploit existing web application vulnerabilities and how to defend against these attacks.
OWASP prepared the Broken Web Applications (BWA) Project, which produces a virtual machine running a variety of applications. Some of them were described earlier:
· OWASP WebGoat (Java)
· OWASP WebGoat.NET (ASP.NET)
· OWASP ESAPI Java SwingSet Interactive (Java)
· OWASP Mutillidae II (PHP)
· OWASP RailsGoat (Ruby on Rails)
· OWASP Bricks (PHP)
· Damn Vulnerable Web Application (PHP)
· Ghost (PHP)
· Magical Code Injection Rainbow (PHP)
And many more. The resources are located here.
There are online vulnerable websites from Acunetix, which the company uses to show its demo tests:
· testasp.vulnweb.com/
· testaspnet.vulnweb.com/
· testphp.vulnweb.com/
To practice XSS attacks, specialists interested in security can use the following sites:
· html5sec.org/xssme.php
· xssme.html5sec.org/
· xss-game.appspot.com/
The challenges available there range from easy to non-trivial tasks.
Capture The Flag (CTF) security competitions are probably the most interesting for security specialists. The tasks are available online and need no additional software, and there is a clear goal: get the flag. One of the projects is Hack This Site, with its set of challenges. Another CTF project, from Enigma Group, also has a set of missions that are available here. There, security specialists and enthusiasts can try their skills competing with other teams.
These resources are available for free and cover a lot of the fundamental aspects that security testers need. Of course, this is not a full list of resources for practicing web application security, but it is more than enough to fill your time with interesting activity.

Security Certifications

Our clients often ask us about our certificates. Here is a short list:
Security Certifications: Certified Ethical Hacker (EC-Council), HP Fortify Security Technical Specialist, CIW WebSecurity Specialist, Cisco SMB Security Specialist, Zyxel Security Specialist

Tuesday, 27 May 2014

Website Security – How to Prevent Breaches...

Website Security Risks

In my experience as a Security Consultant, I've witnessed numerous cases where a lack of proper web server support and maintenance resulted in a company's website being hacked and exploited by attackers. Unfortunately, it is not rare for businesses to invest in website development only, or to store all their websites (as well as mail servers) on a single dedicated machine without an established, safe backup process. Additionally, if a company lacks a comprehensive security strategy and prefers to overlook the well-known principle of "better safe than sorry", a website administrator may not be ready for real-time attacks, which might result in the website going down and sensitive data being compromised.

Sure, skimping on server and website maintenance, regular security check-ups and training will save you money in the short run. However, in the long run it will save you more to invest in a secure server hosting provider and proper software architecture instead.

A simple truth is that it doesn't matter which framework you selected for website development a couple of years ago: Joomla, WordPress, ASP.NET or Java. As time goes by, they all need to be patched for discovered vulnerabilities and require regular security check-ups. The frameworks provide a fast and cheap way to create great websites, so businesses (even large brands such as Barnes & Noble, Citibank or Peugeot) continue using them despite the security risks presented by possible vulnerabilities; what's important is that they should specifically focus (and many large brands do) on proper website security and maintenance.

Secure Software Development: Levels of Responsibility

Owning a website is similar to owning a car: you pay to have it work smoothly, ride fast, look impressive and help you earn money. Just like with a car, you need to properly maintain your website:

· Check for vendor notifications about updates, patches or withdrawals ('change oil & tires')
· Buy insurance to protect yourself against risks.

In a company, website security starts with a developer, who should write secure code. Then a Quality Assurance expert tests the code for bugs and possible vulnerabilities. Next, a DevOps expert's task is to automate build processes, patch application and server software, and monitor performance and log files. At the next stage, a Security expert should review the results with security in mind. Then there is the CIO.

Any mid-size or large company would have a person responsible for IT, typically known as the CIO (Chief Information Officer). At times, this role could be combined with the CTO and even the CEO. In any case, this person is responsible for decisions on IT support and website operations, as well as for preventing website security breaches, since it is the IT staff that should support the company's servers. Part of this process is designing backups and recovery plans for after-the-incident cases. Continuing with the car analogy, it's similar to ensuring your spare wheel is functional in case of emergency.

When your IT engineers (or your software development vendor) develop software, your CTO/CIO should define where to deploy it (on separate servers on Amazon or in dedicated containers vs. all sites on a single server) and how it should operate and be protected. Otherwise, you should ask your internal (or your vendor's) security consultants to design and implement a proper security strategy.

Six Simple Tips to Ensure Website Security:

1. Educate your organization. Tell your employees that Security experts need to ensure that the application is secure in code and design. Explain that DevOps experts are needed to implement monitoring and patch management as well as secure support of your server and software. Security often goes hand in hand with DevOps, architecture assessment and business analysis, and vice versa.
2. Don't put all your eggs in one basket. Do not store all websites on a single server. It is architecturally wrong and could negatively affect website performance.
3. Patch your web apps and web server. Regardless of what framework you use, it's important to remember that none is a safe haven for your website. All of them have some vulnerabilities, which will have to be addressed.
4. Engage DevOps and/or a security service provider. Your websites need regular check-ups for code and server security review and assessment. If you don't have such experts internally, approach security vendors and ask them to help you establish a comprehensive security strategy and develop a plan for regular security check-ups.
5. If you're outsourcing your website development, make sure that security is part of the deal. Discuss security maintenance and check-up options with your vendor. For long-term strategic partnerships, you might want to consider a shared responsibility model.
6. The greedy pay twice. Don't skimp and don't cut corners on security, especially if you're responsible for protecting the sensitive data of your website users. Security is a significant part of quality service and customer satisfaction.

Tuesday, 8 April 2014

VMI - draft

Today all enterprise security systems are client-server based and managed from a central location. Any cloud instance with a security agent (Symantec, Forefront, Kaspersky) installed inside the OS could have that agent deactivated by a skilled attacker. This leaves the cloud instance unmanaged and without any active protection. Imagine a situation where 100500 Amazon Windows instances (or all Azure instances with port 3389 open) are infected by a virus through a 0-day RDP vulnerability. Should you stop all these instances for maintenance in order to stop the infection? Who will be responsible for managing the clean-up of all these OSs? Is it possible to centrally stop this infection in my cloud? We will show how Virtual Machine Introspection (VMI) can help stop new threats and change the cloud security management approach.
Today clouds are mostly built on different types of virtualization. Application security benefits from virtualization through running in isolated virtual machines (VMs) and building smaller trusted computing bases (TCBs).
Cloud providers also face the following security challenges:
· Proving the security hygiene of the provider infrastructure to third parties
· Auditability, certification process, risk analysis methodologies, compliance.
· Trusted cloud computing technologies provide cryptographic evidence.
But how else is virtualization used today to enhance security? Virtual Machine Introspection opens new horizons for private and public cloud security that will soon totally change the understanding of managing software in the cloud.
The main problem of all modern security management and monitoring systems is stealthiness and tamper resistance. The problem with agent-based monitoring and protection is that all these agents could be detected by a user or malefactor and subverted and/or disabled by the attacker.
By contrast, hypervisor-based security resides outside the guest VM and is thus tamper-proof against any malware infection inside the VM.
VMI provides the following benefits from a security perspective:
1. Central processing of security functions is more efficient than distributing security controls and the related overhead to each VM.
2. No host agents are required, guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact on applications running inside the VMs.
3. Tamper-proof security. Host agents are subject to being compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V).
VMI is like an X-ray view of all VM states in your private cloud, including installed applications, operating systems and patch levels. It can be used for detection, protection and management, compliance and automated security enforcement. VMI uses the capabilities of the hypervisor to supervise VM behavior.
Virtual Machine Introspection (VMI) can be positioned as out-of-the-box VM management that allows monitoring of all hosted virtual machines and has many applications in areas such as security and systems.
From a cloud provider's perspective, let's use the following terms for the host server and guest OS (cloud instance):
Inspection: the host server virtualization system (VMM) can examine the entire state of the guest system (memory, devices, storage, executed commands, etc.)
Interposition: the VMM can interrupt guest code at any time (stop loading a malicious payload and stop loading a virus body into memory)
This approach to controlling virtual operating systems can also be used to protect the operating system at the hypervisor level, which is the newest approach to designing systems that protect information in enterprise systems.
What can be monitored?
· All user input
· Malware on the file system and in memory
· Network traffic
· File activity and integrity
· User access and activity
Other applicable areas where VMI can be very useful:
· Malware analysis
· Cloud SIEM
· VM IPS/IDS
· VM Forcing
· Policies
· VM Honeypot
· Cloud Firewall
· VM Patch management
· Invisible system logging
· Rootkit prevention
VMI for Cloud management
· Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk.
· Automated security classification and enforcement for new or cloned VMs
· Automated VM compliance assessment based on multiple VM attributes