May 30 2015

OWASP Zed Attack Proxy – Integrated Penetration Testing Tool

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as [...] The post OWASP Zed...

Read the full post at darknet.org.uk
May 29 2015

Lack of Prompt Revive Adserver Upgrades Reminder That Basic Web Security Precautions Still Not Being Taken

When it comes to keeping websites secure, what we see is that companies are trying to sell people services of limited to no security value while important security practices go undone in many cases. One of the basic measures that needs to be taken to do that is to keep software running on websites up to date as that prevents known security vulnerabilities from being exploited, unfortunately that often doesn’t happen. In the past we looked at data showing this was true for the likes of Drupal, Joomla, and others. Yesterday, Revive Adserver put out a post showing what versions of their software are in use and they tell a similar story.

About 56 percent of the active installations of Revive Adserver are running either version 3.0.2 or 3.0.5:

Source: http://www.revive-adserver.com/blog/quick-adoption-of-revive-adserver-v3-2-0/

Version 3.0.5 contains two moderate severity security issues that were fixed in versions 3.0.6 and 3.1.0, which were released in December. Versions 3.0.2 contains an additional moderate severity security issue that was fixed version 3.0.5, which was released a year ago. We haven’t seen any major issues when upgrading from these versions so there isn’t any excuse not having done this by now.

If you haven’t been keeping Revive Adserver up to date now you should do that now (if need someone to do that for you, we can take care of that for you). For anyone who still hasn’t upgraded from OpenX you really need to do that now since that has more severe known security vulnerabilities in it at this point and the upgrade to Revive Adserver is relatively easy.

May 29 2015

Report: US tried Stuxnet variant on N. Korean nuke program, failed

It looks like North Korea's "hermit nation" status has paid off in at least one way: the US was unable to infect the systems controlling centrifuges for North Korea's nuclear program, even after using a variant of the Stuxnet virus designed specifically for Korean systems. According to an exclusive report by Reuters, the National Security Agency led an effort in parallel to the one that went after Iran's nuclear program, but the agency failed to get its malware into North Korea's nuclear labs because they were so isolated—both in a geographic and communications sense.

Reuters' Joseph Menn cites an unnamed US intelligence official as saying the same team that developed Stuxnet—which was reportedly a joint US-Israeli development effort called "Olympic Games"—also developed a similar set of malware that would activate itself only when it encountered Korean language settings on the computers it infected.

Like Iran, North Korea used centrifuges obtained from the Pakistani scientist, A.Q. Khan, who led his own country's nuclear weapons effort. The P-2 centrifuges used by Iran were controlled by supervisory control and data acquisition (SCADA) systems from Siemens, with control software running on the Windows operating system. It was believed that North Korea used similar software because of the similarity between the two research efforts, so the STUXNET malware could in theory be used with minor modifications.

Read 3 remaining paragraphs | Comments

May 29 2015

OPC’s New Priorities – Commissioner Therrien Provides an Overview

On May 28, 2015 Daniel Therrien, Canada’s Federal Privacy Commissioner, previewed the OPC’s priorities for attendees of the International Association of Privacy Professionals (IAPP) Canada Privacy Symposium.

These priorities were formed after consulting with public and private stakeholders, academics, consumer groups and the Canadian public. Driven by the vision to increase the control Canadians have over their personal information, Commissioner Therrien laid out his four priorities:

  1. The economics of personal information;
  2. Government surveillance;
  3. Reputation and privacy; and
  4. The body as information.

The OPC will address these priorities through exploration of technological solutions, promoting good privacy governance, and enhancing public education. Other strategies to address these priorities will involve addressing challenges relating to privacy in a borderless world and the way in which these priority issues affect vulnerable groups.

The Economics of Personal Information

This priority focuses on the idea that personal information is a commodity. There is concern that the power relationship between consumers and industries favours the latter and that more regulation is required. The issue of obtaining consent in the online world, and whether that is realistically achievable in the continuously growing age of big data, is a continuing concern.

Government Surveillance

This priority addresses the need to find the right balance between government collection and surveillance of its citizens for national security purposes while respecting its citizen’s privacy rights. Although controversial Bill C-51, the Anti-terrorism Act, may be enacted and come into force, the OPC is expected to be active in ensuring that Bill C-51 will be implemented in accordance with the Privacy Act, and report to Parliament and Canadians of any concerns.

Reputation and Privacy

This priority includes concerns regarding the ramifications to not only the information individuals share online but the information that is collected and categorized about individuals by organizations as they utilize online resources. This priority may be restricted to educating Canadians but may also include taking a significant position on the right to be forgotten.

The Body as Information:

The body as information priority involves the OPC’s efforts to stay ahead of the latest technological advancements and the related privacy concerns, including wearable devices and implants.

Perhaps most striking are not the priorities themselves or the strategies to address them but Commissioner Therrien’s overall approach. In some areas, such as the economics of personal information, Commissioner Therrien has stated that the OPC will conduct broad stakeholder consultations prior to forming guidance. The OPC’s openness and direct engagement with stakeholders across Canada is a welcome theme of his first year as Commissioner.

The OPC is expected to release its strategic report in June that will outline greater detail on the four priorities and upcoming activities it intends to launch.

This post was co-authored by Karl Schober.