Updates and continuous professional training on IT security for e-commerce sites, websites and portals, web applications, and any web system exposed to the Internet.
Everything is explained in plain language and in pocket-size form, for those who want the maximum in the shortest possible time!


powered by ISGroup: Information Security Group

Security risks for E-commerce

Posted by on 12:40 am in Training | Comments Off on Security risks for E-commerce

Security risks for E-commerce

According to a recent report published by the eCommerce B2c research of the School of Management of the Politecnico di Milano, the Italian e-commerce sector, despite growing turnover, has not yet reached its full potential. One of the factors holding back its expansion is customers' distrust of transaction security. That concern is partly justified: e-commerce sites that are not protected are exposed to very concrete risks.

E-commerce compromise = users leaving, lost investment and unforeseen expenses.

What happens if your site falls victim to a computer attack? Browser vendors and search engines have formed alliances to identify infected sites and protect users:

- Search engines such as Google can remove infected sites, actual or suspected, from search results or temporarily downgrade them.
- A site under attack can be blocked by browsers such as Firefox or Chrome (the typical red box with a message saying that something is not right).
- When a user tries to view an infected page, the antivirus can raise warning messages, with obvious consequences: who buys on a site that triggers the antivirus?
- Another possibility is the creation of phishing sites (fake copies of well-known sites) that try to steal personal and sensitive data.

In the case of a computer attack the damage can be enormous, and not only in terms of credibility and customer trust: the practical consequences range from theft of data and e-mail addresses to the appropriation of credit card numbers (which is why it is always best not to store them). And you: how prepared are you, and what technologies do you use to protect your business from these...


OWASP 2004 Commentary

Posted by on 11:44 pm in Training | Comments Off on OWASP 2004 Commentary

See what the experts said in 2003, just before the first version of the OWASP Top Ten was released. Has anything changed? Well... not really! That is why EasyAudit WEB is a great solution for checking for web application vulnerabilities such as Cross Site Scripting, SQL Injection and Command Execution.

“With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. But there is help in the form of consensus lists of vulnerabilities and defenses. The Open Web Application Security Project has produced a similar list of the 10 most critical Web application and database security vulnerabilities and the most effective ways to address them. Application vulnerabilities are often neglected, but they are as important to deal with as network issues. If every company eliminated these common vulnerabilities, their work wouldn’t be done, but they, and the Internet, would be significantly safer.”
J. Howard Beales, III, Director of the Federal Trade Commission’s Bureau of Consumer Protection, before the Information Technology Association of America’s Internet Policy Committee, Friday, December 12, 2003

“Misconfiguration, inattention, and flawed software can spell disaster on the Internet. One of the primary areas of vulnerability is through WWW connections. By design, WWW services are intended to be open and accepting, and usually act as an interface to valuable resources. As such, it is critical that these services be secured. But with hundreds of potential vulnerabilities it can be overly daunting to decide where to start applying defensive measures. The OWASP Top 10 provides a consensus view of the most significant and likely vulnerabilities in custom WWW applications. Organizations should use it to focus their efforts, giving them confidence they are addressing those areas that will have the most impact on securing their applications.”
Eugene H. Spafford, Professor of Computer Sciences, Purdue University and Executive Director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS)

“This ‘Ten-Most-Wanting’ List acutely scratches at the tip of an enormous iceberg. The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense.”
Dr. Peter G. Neumann, Principal Scientist, SRI International Computer Science Lab, Moderator of the ACM Risks Forum, Author of Computer-Related Risks

“This list is an important development for consumers and vendors alike. It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations.”
Steven M. Christey, Principal Information Security Engineer and CVE Editor, Mitre

“The OWASP Top Ten shines a spotlight directly on one of the most serious and often overlooked risks facing government and commercial organizations. The root cause of these risks is not flawed software, but software development processes that pay little or no attention to security. The most effective first step towards creating a security-aware culture in your organization is immediately adopting the Top Ten as a minimum standard for web application security.”
Jeffrey R. Williams, Aspect Security CEO and OWASP Top Ten Project Leader

There is no silver bullet for web security despite what some technology companies...


5 Myths of IT security

Posted by on 10:06 pm in Training | Comments Off on 5 Myths of IT security

5 Myths of IT security

In the world of information security there are myths that influence senior executives, business managers and sometimes industry professionals themselves, causing misunderstandings and exaggerations about the threats to computer systems and about the technologies used to combat them. Many of these myths exist because people tend to react emotionally and excessively in unfamiliar situations rather than make an objective analysis. The result is either overstating the problem and relying on the first solution proposed or, worse, underestimating the risks in the belief that this avoids additional costs.

Myth #1 – It will not happen to me

Believing that your company will never be subject to security problems. Often this is said by someone who does not want to spend (or rather, invest), hoping that the risk never materializes. Instead, when a problem is recognized, or even just suggested, there should be a risk analysis phase and, where appropriate, the resources needed to mitigate or completely resolve it should be allocated. Other times the opposite happens: the impact of a vulnerability is overestimated. The best approach is to use a framework of metrics that gives an objective value to the risk of each vulnerability.

Myth #2 – All risks can be quantified

In companies there is the misconception that everything can have a number attached to it. There is the illusion that the security manager’s manager can obtain the budget they need only if it is justified by an Excel spreadsheet. We must instead help the upper echelons understand what can and cannot be quantified, and obtain the budget needed to implement a strong architecture based on security controls.

Myth #3 – We have physical security or SSL, so your data is safe

More simply: if we have an anti-virus and a firewall, we’re safe! This is not true. Often this idea is instilled by outside vendors trying to sell their products, attributing every virtue to them. Buying products and appliances will not make you magically safe! And even if the product is “good”, do we want to make sure that it is properly configured and working to its full potential? In fact, security should be designed as an architecture, starting from the risk assessment and taking into account what you are protecting, so as to implement the correct controls. This keeps you from being distracted by elements that are not essential to security.

Myth #4 – Using strong passwords reduces the risks

It is not true. Passwords are not effective, and the whole scheme has huge gaps. It is just an obsolete historical precedent that businesses cling to. Passwords are not sufficient, since cracking is not the only way to get past the firewall: there is also sniffing, and the reuse of credentials between systems with different security levels. Finding a valid alternative to passwords is difficult, and two-factor (or multi-factor) authentication cannot always be implemented easily. Meanwhile, companies can advise employees not to reuse their work passwords elsewhere, and perform periodic checks on password strength.

Myth #5 – Buying one security device will solve all the problems

We have just been told about a new product that solves 95% of the problems, is easy to install and costs as much as one of the many servers we have in the company. Maybe. As we said before, we...


Find the vulnerabilities before attackers exploit them

Posted by on 12:08 am in Training | Comments Off on Find the vulnerabilities before attackers exploit them

Find the vulnerabilities before attackers exploit them

In today’s age of rapidly expanding internet technology, the opportunity to exploit new sources of revenue has increased manifold, but so has the risk of being attacked by unwanted cyber elements. With more than 300 million computer systems connected worldwide, website security has become a major concern for everyone. If the web security of a business is compromised, it can have serious repercussions for the company’s credibility, reputation, survivability and competitiveness. Owing to the many internal and external threats to a business's website security, vulnerability scanning has become mandatory for companies. It is a proactive approach that helps identify the weak or vulnerable links within a network, so as to determine where and how a given system can be threatened. Malicious hackers are present all over the web, waiting for a single opportunity to breach a company's website security.

Vulnerability scanning has gained such importance in recent times because most companies have gone paperless, and a major part of their information is stored on and transferred through web servers. If a company's website security is compromised, it not only stands to lose its critical corporate data and trade secrets but may also face compliance issues on account of customer identity theft. Hence it has become all the more essential for a business to cover its weak areas well before attackers can exploit them.

When it comes to web security, no one can beat the expertise and effectiveness of EasyAudit. As the ultimate solution, EasyAudit will help you verify the IT security of your company. This kind of regular website security check will not only give you an edge over your competitors but will also act as a quality indicator for your clients. You can have a Web Application Penetration Test performed on your network at a very low price. Besides the comfort of knowing that your website security faces no potential risks, you also get free consultations and 24/7 technical support with EasyAudit. The vulnerability scanning test we perform will not only identify the weaknesses in your web security but will also suggest remedies for them. All the operations we perform are minimally invasive and will not weigh much on your pocket. Website security has become a much-talked-about area for every business owner. No one wants to be in a position where an outside entity can see their inside information. Hence the best you can do is to provide quality service to your clients and leave the web security task in the hands of...


Take care of those vulnerabilities

Posted by on 12:30 am in Training | Comments Off on Take care of those vulnerabilities

It is an inevitable fact about the internet: the more the network expands, the more vicious and creative hackers become in preying on vulnerable sites. One of the most effective ways of preventing hackers from exploiting a website’s vulnerabilities is to identify those vulnerabilities beforehand. Identifying and correcting these weaknesses as soon as possible is an important part of website security.

A vulnerability is a weakness in a computer program through which an attacker can reduce a system’s information assurance. Often, when a vulnerability is first discovered, a certain amount of time passes before it is corrected. This period is known as the window of vulnerability. Being certain about website security means reducing this window of vulnerability or eliminating it altogether.

This is where EasyAudit comes in. EasyAudit is the verification of IT security for companies. Our manual web application penetration test and automated vulnerability scanning will help you identify weaknesses in your website security before attackers exploit them. EasyAudit’s verification of web security will validate your website’s security and discourage would-be attackers. E-commerce site owners can rest easy knowing that EasyAudit is taking care of their site's security. EasyAudit offers free consultations on web security, an affordable price, professional service, and 24/7 technical support. We are timely, and we will verify your website security in minimal time compared to traditional consultancy. Our vulnerability scanning will identify the weaknesses in your website most likely to be exploited and provide you with solutions for them. The operations performed by EasyAudit are minimally invasive and do not cost too much in the overall budgetary scheme. As an added bonus, websites whose security has been verified by EasyAudit will display the EasyAudit logo on their site, so as to discourage attackers and show customers your commitment to security.

Website security is a tricky subject in this day and age. No one ever knows what tricks hackers may come up with next or what systems attackers may target on a given day. Web security is an essential part of any e-commerce site, and it is imperative that each website receive its own vulnerability scanning. Therefore, let EasyAudit take care of your website security. In the long run, your safety online will truly help you expand your line of business. EasyAudit is here to take care of your...


Website Security – Vital Thing for Online Businesses

Posted by on 12:19 am in Training | Comments Off on Website Security – Vital Thing for Online Businesses

Website Security – Vital Thing for Online Businesses

If you want to have a popular website, it is important that you take care of its security. If people feel unsafe visiting your website, they are not going to visit it often and your traffic is not going to increase. So, to make sure that your website becomes popular, you have to make it secure. If you do not pay enough attention to the security of your website, it can harm the reputation of your business as well. Suppose that you run an online business selling goods and that, to buy something from your website, visitors need to submit their credit card details. If your website gets hacked, those details go to the hacker, who will make improper use of them. That would affect your name and business in a negative way.

The second problem visitors face on a malware-affected or hacked website is that they find it hard to use. Pop-ups appear constantly on such websites and users get frustrated by them. They cannot waste their time getting rid of pop-ups; they would rather visit some other similar website instead. Also, if Google finds out that your website is affected by malware and is spreading viruses, you are going to be in trouble. Google’s policies are pretty strict these days: they block a website straight away if they find that it is not fully secure. So web security should be a priority for website owners.

If you do not know how to make your website totally secure, you do not need to worry. All you need to do is contact us at www.easyaudit.org. We provide top-quality website assessment services. We will ensure that your website is not affected by any sort of malware and does not get hacked easily. With EasyAudit you get both vulnerability scanning of the website and manual web application penetration testing at a great price. If you give us a chance to serve you, you will find your website's traffic increasing every day, because we will make your website user-friendly by protecting it from attacks. Users will not have to deal with pop-ups when they visit the website. We provide our website security services at affordable prices, so even if your budget is not that high, you can come to us and we will find a solution for you. What are you waiting for? Order EasyAudit...


Stories of ordinary insecurity: Clickjacking, Pharming and Phishing

Posted by on 7:29 pm in Training | Comments Off on Stories of ordinary insecurity: Clickjacking, Pharming and Phishing

Stories of ordinary insecurity: Clickjacking, Pharming and Phishing

Clickjacking: when a click hides the scam

Marco is a great football fan. Each day he reads the news about his favorite team on different sites, from the official ones to the lesser-known ones. It is probably the time of day he loves the most, but will it be forever? During one of his voyages on the web, Marco is attracted by a link promising sensational news about his team. He clicks on it, euphoric, and nothing happens. “It’s a problem with the site,” he thinks. But no. A few days later Marco receives an email with a picture of himself in pajamas and a message below: “I have so many pictures like this, I can spy on you, but if you pay me I will stop doing it.” (Clickjacking attacks may allow access to the webcam and microphone by changing the settings of the Adobe Flash software.)

Wikipedia says: during normal web browsing, the user clicks with the mouse pointer on an object (such as a link), but in reality the click is redirected, unbeknownst to him, to another object. Typically the vulnerability exploits JavaScript or an iframe.

Pharming: original site or web page created ad hoc?

Joseph spends many hours in front of the PC, especially on social networks. He likes to share links, look at photos of friends, comment on his favorite singer’s fan page and chat with his partner. Too bad that Joseph is only 14 years old and a bit naive. While he is on the internet, his browser opens a page that looks like the Facebook home page, but it is not the real Facebook. Joseph enters his data and logs in, and suddenly the hacker owns his nickname and password, enters his profile and creates embarrassing situations...

Wikipedia says: pharming is defined as a cracking technique used to gain access to personal and confidential information, for various purposes. Thanks to this technique, the user is deceived and led to unknowingly reveal sensitive data such as account number, username, password, credit card number, etc.

Phishing: bait to trap the users

John works as a nurse in the hospital of his city. His dream has always been to help people, to cure them and support them in times of need. His days are so intense that, back home after grueling hours of work, he just wants to lie down on the bed and check his e-mail in peace. One evening he gets an email from the Post Office: “We are checking the account security of our customers; please enter your access data here and we will check whether your account is safe.” He is tired, he is not thinking straight, and he does not realize what a serious fraud he is walking into. He enters his data and his account is emptied in no time.

Wikipedia says: it is an illegal activity that uses a social engineering technique: by sending random e-mail messages that copy the site graphics of a bank or a post office, a fraudster tries to obtain the victim’s password for accessing his current account and authorizing payments on his credit card.

In conclusion, Marco will have to install an updated browser so as not to fall into the same scam. It is important to remember:...


Hacker White Hat VS Black Hat VS Grey Hat

Posted by on 11:30 pm in Training | Comments Off on Hacker White Hat VS Black Hat VS Grey Hat

Hacker White Hat VS Black Hat VS Grey Hat

Hackers have become mythological figures of our time. We see them hacking in front of a PC in spy movies, intent on stealing secret information and sensitive data. We hear news stations talking about them; just look at the cases of WikiLeaks and Anonymous. In most cases they are presented as outlaws. But do we really know who they are and what hackers do? There are three main figures of hackers, called in information security jargon, respectively, White Hat, Black Hat and Grey Hat. In short: the good, the bad, and the middle way between the previous two. Today we also talk about the ethical hacker: a professional who is able to penetrate information systems using the same tools and techniques as Black Hat hackers, but in a controlled way and within a well-codified set of professional services (there are nearly fifteen years of literature on the subject, yet there is always someone who suddenly proclaims themselves an expert).

Hackers are not created equal:

White Hat – Hackers hired by agencies and companies to find their own vulnerabilities so that, in the end, they can make their own fixes. White Hats also have to be good communicators, able to report the technical details of what they discovered while testing the system.

Black Hat – The bad guys: those who attack computer systems with the intent to steal information, create problems and make money illegally. In a nutshell, everything a company needs to protect itself from.

Grey Hat – The middle way between white and black. They attack information systems without notice and then report the vulnerabilities to the companies. Sometimes they ask to be paid for the work they did.

These three categories of hackers are united by the same drive: the curiosity of knowing, the challenge of infiltrating an information system, and the personal satisfaction of having been able to break through. Hackers come from a very complex subculture, and to understand it fully you must read many documents, some going back to the 80s, on ethics, on freedom of information, and on many other principles. Today's attackers are not so scrupulous; often they do not even know the origins of the subculture they claim to belong to, through lack of interest or ignorance. They do not hold back from using every technique and tool they have to violate systems and make a profit. For this reason it is a strategic move to use true professionals who are active in the field of research, and not mere “workers” of an industry that, whether we like it or not, we must increasingly rely on. EasyAudit is provided by an organization specialized in penetration testing, which employs experts with proven skills who can really help companies protect corporate networks and web systems. All certified with the EasyAudit Checked stamp, a guarantee for your...


Vulnerable information systems? Penetration testing is the answer

Posted by on 9:48 pm in Training | Comments Off on Vulnerable information systems? Penetration testing is the answer

Vulnerable information systems? Penetration testing is the answer

It’s science: with a weak immune system, bacteria or malicious viruses can trigger diseases that weaken the human body. So we try to keep a healthy diet and have regular check-ups to make sure that everything is normal. A computer system is not very different from us in this regard.

Vulnerability tests

Cyber attacks are becoming more frequent, so it is good practice to periodically test for vulnerabilities through penetration tests. Why? The answers may vary:

- Finding weaknesses in infrastructure, in applications and among people, in order to develop appropriate controls.
- Ensuring that properly functioning security measures have been implemented, which provides assurance to senior management.
- Testing your applications at risk. Keep in mind that those who develop software can make mistakes and create unsafe applications.
- Identifying new bugs in existing software and creating patches and updates to fix them. Bear in mind that even new updates may introduce new bugs.

The penetration test looks for vulnerabilities, tests them and uses them to access the system. Most of the time, the test ends when it reaches this goal. This is a dangerous habit, since there could be other vulnerabilities that have not yet been assessed. Vulnerability tests may also produce false positives, a symptom that some existing control might not be working properly.

The attack doesn’t always come from outside

Do not forget that attacks can take place in a different way, without involving the external protections at all. With social engineering, an attacker can gain direct access to internal structures. So the company should also protect itself against violations, intrusions and threats from within, such as improperly trained staff and disloyal employees. In addition, it is good practice to perform the tests in different areas (the office, the Wi-Fi network for consultants, the DMZ, etc.) so as to create the right security configuration for every area and every possible scenario.

Whenever a new infrastructure or application is installed or updated, vulnerability and penetration tests must be carried out immediately, to make sure the system is protected and the change has not introduced a new flaw. Do you have an e-commerce or company website? Do you operate a corporate network that needs to be protected from external attacks? With EasyAudit you can identify the vulnerabilities you are exposed to, and reassure your customers with the EasyAudit Checked...
