Monthly Archives: March 2016

Beating Back Web-based Attacks

While the specifics of how most cyber attacks on companies are committed may not interest some, security professionals do not have that luxury.

What’s striking is that in addition to maintaining a broad view of the myriad ways in which an enterprise can be compromised, IT professionals also need an in-depth knowledge of each attack vector. In his new webinar, When Applications Attack!, security expert Ryan Hendricks surveys the top 10 vulnerabilities facing companies today according to the Open Web Application Security Project, but he also rolls up his sleeves and starts coding in order to show webinar participants in vivid detail how the attacks are carried out.

Using OWASP’s free, web-based penetration testing application Mutillidae to illustrate his point, Hendricks shows just how easy it is for hackers to gain access to corporate data via what OWASP regards as the top threat today, SQL injection.

SQL injection involves attacking a database by smuggling SQL of the attacker’s choosing into the queries the application sends to the database server. “Normally a web application passes information over to a SQL database,” Hendricks says. “However, if there is no filtering done, a hacker can communicate directly with the database on the back end and then insert, change or remove any of the data in that database.”

Using a test web site available on Mutillidae, Hendricks demonstrated how login screens are especially susceptible to SQL injection. His first step was to attempt to log in with a fictitious name and password. The goal was to purposely cause the site to generate an error message from which he could decipher information about the security settings in place on the database server. From there, Hendricks copied and pasted the SQL command contained in the error message into a text editor, altered the script relating to how the site handles usernames and passwords, and reinserted the altered text via the login screen. He was immediately granted access to the test site as an administrator. “Using SQL injection you can bypass authentication completely on the login screen,” he says.
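The login weakness Hendricks demonstrates exists because the application splices the submitted username and password into the SQL text, so the database parses user input as part of the statement, and a malformed value produces exactly the kind of revealing error message he starts from. The following is an added example, not code from the webinar or from Mutillidae: the vulnerable construction next to its parameterized form, run against a constructed in-memory SQLite table with one sample account (the `users` schema and the account values are assumptions for illustration). A username containing an apostrophe breaks the unsafe query and hands back the database’s error text, while the parameterized query treats the same input as plain data and simply finds no match.

```python
import sqlite3


def make_db():
    """Constructed sample database: a single admin account (values are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'example-password', 'admin')")
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so quote characters
    in the input change the structure of the statement instead of being compared
    as a value. This is the pattern Hendricks exploits on the Mutillidae login."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Hardened: '?' placeholders send the values to the driver separately from
    the SQL text, so the database never parses them as part of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def error_leak(conn, username, password):
    """Return the database error text the unsafe login produces on malformed
    input (the 'informative error message' the article describes), or None if
    the query ran cleanly. A production login should log this server-side and
    show the user only a generic failure message."""
    try:
        login_unsafe(conn, username, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print(login_safe(db, "admin", "example-password"))  # ('admin', 'admin')
    print(login_safe(db, "O'Brien", "x"))               # None: apostrophe is just data
    print(error_leak(db, "O'Brien", "x"))               # unsafe path: SQL syntax error
```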

The comment sections on blogs are another potential source of infection, Hendricks says. Using a common technique known as persistent cross-site scripting, an attacker can execute malicious scripts on legitimate websites by inserting them as comments. This type of attack is especially pernicious because it is executed by the user’s own browser.

Another technique, known as cross-site request forgery, exploits people’s tendency to trust requests generated by Web sites they are on, as well as their tendency to have multiple browser tabs open at once. If a user is already logged into a legitimate server, an attacker can present a malicious link in another tab, hoping to trick the user into submitting a request to that server on the attacker’s behalf. “Because you already have that trust established between you and that server that’s what makes cross-site request forgery work,” Hendricks says. “If you are going to be banking or doing anything that is secure, it’s not a good idea to have 15 tabs open in your browser clicking on all types of links because that’s when you expose yourself to this.”

Much as he advises individual users to apply a healthy dose of caution in order to avoid Web-based attacks, Hendricks says there is some low-hanging fruit for IT security professionals as well. In addition to making sure that your users are only installing trusted software and add-ons to browsers, security professionals need to make sure that all the input to your company’s web site is filtered for malicious, executable code on both the client and server side. “Never trust input from the user,” he says.

 

About the Author

Bill Kenealy is a copywriter and blogger specializing in enterprise technologies. A graduate of the University of Kansas with a degree in journalism, Bill has 15 years of experience reporting on business and IT. Bill recently relocated to the Twin Cities and enjoys travel and exploring his new home state with his wife. He enjoys reading, PC gaming and watching football by himself.

Apple’s Spat With Feds Clarifies Importance of Understanding Encryption

Leaving aside the legal and philosophical aspects of the debate, Apple’s protracted, public fight with the FBI and the Justice Department over a court order to unlock an iPhone 5C belonging to a terrorist is notable for the amount of attention it has focused on the somewhat arcane issue of encryption.

Given this, one thing that has struck me is that while approaching ubiquity, encryption technologies are not well understood, even by those who are conversant in many other aspects of technology. Indeed, despite the widespread acknowledgment in companies regarding the need to safeguard data, encryption is regarded by many as a subject matter best left to a subset of math-crazed cryptographers, intelligence agencies, IT security professionals and cyber criminals.

Those seeking a broad overview of encryption technologies and how they work should take note of upcoming LNO courses from cybersecurity expert Rafiq Wayani. As part of a larger course on IT security, Wayani, an experienced systems architect and software engineer, discusses the history and merits of five of the most common encryption protocols in use today.

Wayani notes that all encryption schemes are essentially reliant on algorithms to convert electronic data into a form that is unreadable for users who lack the proper key or password. The similarities end there.

For example, one widely used encryption algorithm, Triple DES (data encryption standard), uses key sizes of 56, 112, or 168 bits and is symmetric, which means that the same key is used for both encrypting and decrypting data. Conversely, another widely used standard, RSA, is asymmetric and relies upon the difficulty of factoring the product of two large prime numbers in order to keep data secure.

AES (advanced encryption standard) was developed by the National Institute of Standards and Technology and uses keys of 128, 192 or 256 bits in length. 256-bit encryption is, for now, largely considered impervious to all attacks, Wayani says. Indeed, FBI officials say that they are unable to access the iPhone 5C used by Syed Farook, one of two terrorists who killed 14 people at a party in San Bernardino, California, due to Apple’s use of 256-bit AES encryption.

“Experts believe that AES will eventually be hailed as the de facto standard for encrypting data in the private sector,” Wayani notes in the course.

Irrespective of Apple’s legal fate in the case, it is clear that the use of encryption, and the need for companies to educate their employees about it, will not abate. Just this week Google released data indicating that encryption now shields 77% of the global requests sent to its data centers, up from 52% at the end of 2013.

While the complex mathematical equations behind encryption methods are likely to remain inscrutable to most, there may be no better time to afford people in your organization the training they need to gain a deeper understanding of the practical applications of encryption.


Why Microsoft Word Training is a Wise Decision

Given the wide array of new and complex technologies in the modern workplace, dedicated training for Microsoft Word might seem at first blush somewhat superfluous. Word is, after all, among the most venerable and commonplace of software applications. What’s to learn?

Yet those taking Word for granted are likely missing the marked evolution of the program from a simple electronic word processor to a comprehensive communications platform, notes Leeanne McManus, Chief Learning & Talent Officer, ikuw Solutions, Inc. Employees content to just scratch the surface and not delve into the advanced functionality added to Word in recent versions may be unwittingly costing themselves time and effort by manually performing tasks that could easily be automated.


Leeanne McManus

“Some people will say ‘I’ve had this program for 15 years, why would I need more training?’” McManus says. “They don’t understand the lost productivity and missed chances for collaboration when you are manually doing things.”

According to McManus, the need for Word training is now especially pronounced as Microsoft has looked to reshape Word in recent releases in order to account for larger trends in technology such as cloud computing, appification and mobility. For example, recent versions of Word feature a flat design aesthetic, a purposeful decision made to accommodate people using their fingers to navigate the program on devices such as phones and tablets. Nonetheless, this decision may have unintentionally led to confusion for longtime desktop users, she notes. “One of the biggest pain points for people accustomed to older versions of Word was getting used to the flatness,” she says. “If you came from anything before Word 2007, the new versions such as Word 2013 or Word 2016 are going to seem completely foreign. Other than the basic functionality, you may as well have been using WordPerfect.”

In addition to just figuring out where everything was moved, Word training is also becoming essential as the program shifts to the cloud and becomes more tightly integrated with a variety of Microsoft collaboration and desktop products including SharePoint, OneNote and Outlook. Given the overlapping functionality and the common design language of these programs, an employee proficient in Word will have a head start in understanding these programs and how they interrelate. “Word has gone from being a program to being a platform,” she says.

Indeed, given the program’s ubiquity in the workplace, training employees to get the most out of Word may prove an effective icebreaker for getting them to better leverage all the technologies your enterprise has to offer. “Some people are by nature afraid to explore,” McManus says. “They are terribly afraid they will break something or cause World War 3. It’s just software.”
