Web App Firewalls Blunt Attacks

Web applications have become attractive targets for hackers because they allow bad actors to maximize the reach of their mischief with a minimum of effort.

That’s what originally attracted the Internet underworld to programs like Windows and Adobe Acrobat, and it’s what continues to attract them to Java. A vulnerability in one of those programs can be exploited in millions of machines because those programs are so popular.

In the same way, flaws in popular Web platforms can be used to infect millions of websites with malware or malicious links. It’s a problem common not only to content management systems — WordPress and Joomla, for example — but also to programming languages like Java and PHP.

“They have vulnerabilities that need to be fixed, and they’re out there everywhere so they’re easy to target,” NSS Labs Research Director Chris Morales told TechNewsWorld.

Firewalls for Web Apps

One way to blunt attacks that leverage flaws in Web apps is a Web Application Firewall (WAF). Typically deployed as a network appliance, WAFs are a relatively new technology.

“They’re geared toward Web apps and not network-based attacks,” Mat Gangwer, an information security analyst with Rook Consulting, told TechNewsWorld. “A WAF gives you more functionality and control over the requests going to and from them.”

As with any firewall, effectiveness can vary from one product to another.

“Generally, though, every WAF is going to have functionality to detect attacks on widespread Web applications,” Daniel Peck, a research scientist with Barracuda Networks, told TechNewsWorld.

“If a firewall administrator puts the time in to locking down and precisely protecting the app it’s in front of, it can be very secure,” he continued.

WAFs are best used to stop an attack and alert a developer to a problem so it can be fixed.

“It’s a good fail-safe midway,” Peck said, “but eventually, if someone beats on it hard enough, they’re likely to find some way around it, unless the WAF is incredibly well-tuned.”
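To make concrete what the two experts describe, here is an added example (written for this page, not code from any of the vendors quoted) of a toy WAF filter: it combines generic signatures for attacks on widespread Web apps with a per-endpoint allowlist that "locks down" a hypothetical app, and records an alert the developer can act on. The endpoints, parameter rules and sample requests are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, unquote, urlsplit

# Generic (negative-security) rules: patterns seen in attacks on widespread Web apps.
# Illustrative signatures written for this example, not any vendor's rule set.
SIGNATURES = [
    ("SQLI-001", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("SQLI-002", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("XSS-001", re.compile(r"(?i)<\s*script\b|javascript:|\bon(load|error|click)\s*=")),
    ("TRAV-001", re.compile(r"\.\./|\.\.\\")),
]


@dataclass
class EndpointPolicy:
    """Positive-security policy: what one endpoint of the protected app accepts."""
    methods: Set[str]
    params: Dict[str, "re.Pattern"]  # parameter name -> allowed value shape (fullmatch)
    required: Set[str] = field(default_factory=set)


# Hypothetical endpoints of a constructed example app (an assumption, not a real product).
POLICY = {
    "/login": EndpointPolicy(
        {"POST"},
        {"user": re.compile(r"[a-z0-9_.]{1,32}"), "password": re.compile(r".{8,128}")},
        {"user", "password"},
    ),
    "/search": EndpointPolicy(
        {"GET"},
        {"q": re.compile(r"[\w \-]{1,64}"), "page": re.compile(r"\d{1,3}")},
    ),
}


@dataclass
class Request:
    method: str
    target: str      # path plus query string, as on the request line
    body: str = ""   # form-encoded body, if any


@dataclass
class Verdict:
    allowed: bool
    rule_ids: List[str]
    alert: Optional[str]  # what the WAF would log for the developer


def _split(req: Request):
    """Return (path, {name: [values]}) with query string and form body merged."""
    parts = urlsplit(req.target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(req.body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return parts.path, params


def inspect(req: Request, policy=POLICY) -> Verdict:
    path, params = _split(req)
    hits: List[str] = []

    # 1. Generic signatures over the decoded path and every parameter value
    #    (parse_qs has already percent-decoded the values once).
    surfaces = [unquote(path)] + [v for values in params.values() for v in values]
    for rule_id, pattern in SIGNATURES:
        if any(pattern.search(s) for s in surfaces):
            hits.append(rule_id)

    # 2. App-specific allowlist: only known endpoints, methods, parameters and value shapes.
    endpoint = policy.get(path)
    if endpoint is None:
        hits.append("POLICY-UNKNOWN-ENDPOINT")
    else:
        if req.method not in endpoint.methods:
            hits.append("POLICY-METHOD")
        for name, values in params.items():
            if name not in endpoint.params:
                hits.append(f"POLICY-PARAM:{name}")
            elif not all(endpoint.params[name].fullmatch(v) for v in values):
                hits.append(f"POLICY-VALUE:{name}")
        for name in sorted(endpoint.required - set(params)):
            hits.append(f"POLICY-MISSING:{name}")

    if hits:
        return Verdict(False, hits, f"blocked {req.method} {path}: {', '.join(hits)}")
    return Verdict(True, [], None)


# Constructed sample traffic: two legitimate requests and four that the WAF should stop.
SAMPLE_REQUESTS = [
    Request("GET", "/search?q=blue+widgets&page=2"),
    Request("POST", "/login", body="user=alice&password=correct-horse-battery"),
    Request("GET", "/search?q=x%27+OR+1%3D1--"),      # generic SQL injection signature
    Request("GET", "/search?q=widgets&debug=1"),       # no signature; unexpected parameter
    Request("GET", "/login?user=alice"),               # wrong method, missing field
    Request("GET", "/static/..%2F..%2Fconfig.ini"),    # traversal pattern in the path
]


def run_samples():
    """Return (target, allowed, rule_ids) for each constructed sample request."""
    return [(r.target, inspect(r).allowed, inspect(r).rule_ids) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for target, allowed, rules in run_samples():
        print("ALLOW" if allowed else "BLOCK", target, rules)
```

The fourth sample is the one that illustrates Peck's point about tuning: no generic signature fires on `debug=1`, so a WAF running only its out-of-the-box rules would pass it, while the endpoint allowlist written for this specific app blocks it and logs which policy it broke.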

Junk Mail for Junkers

If you live in Florida, Texas or California, chances are you’re receiving more mobile spam than if you live in most other states, according to an analysis released by Cloudmark last week.

Of the top 25 area codes that are mobile spam magnets, four are in the Sunshine State (954, 786, 305 and 904), four in Texas (214, 210, 512 and 817) and six in California (310, 415, 408, 510, 714 and 818).

The Florida spam is concentrated in the southern part of the state, Cloudmark’s Tom Landesman noted in a company blog, and primarily comes from outfits looking for junk cars.

“The messages have been flooding mobile phones for over a year now,” Landesman wrote. “The senders, looking to tow off junk vehicles, are relatively locked in to their immediate area. After a certain distance, potential leads are no longer economically viable due to the cost of towing.”

Banking scams appear to be a favorite of SMS spammers. Every phishing message sent to area code 210 (Greater San Antonio), for example, claimed to be from Generations Federal Credit Union, which is based in that Texas city.

From the Mouths of Babes

North Carolina was a hotbed for another SMS banking scam, Cloudmark noted. Those junk messages pretended to be from smiONE, a provider of prepaid payment cards.

However, the state’s most densely populated city, Charlotte — ironically a center for banking activity on the East Coast — was spared from the smiONE campaigns. All of it was directed at less densely populated area codes 828, 910 and 919.

Why concentrate on those area codes? Apparently the phishers were looking to take food out of the mouths of babes. In North Carolina, you see, smiONE makes a prepaid debit card that’s used for child support payments.

Data Breach Diary

  • Sept. 7. ICS Collection Services, based in Chicago, in compliance with federal and state law, discloses that information on 1,344 patient claims was viewed by an unauthorized party due to a glitch at the debt collector’s website.
  • Sept. 9. University of South Florida reveals it is investigating a custodial employee connected with a data breach that compromised personal data of 140 patients at Tampa General Hospital being treated by USF physicians.
  • Sept. 10. Kaiser Permanente begins notifying patients that data containing personal information belonging to them was accidentally emailed to a person outside the company. The recipient of the data did not view it, Kaiser said, and the information has been deleted from the recipient’s system.
  • Sept. 11. Symantec and Ponemon Institute report that the average cost of data breaches to business has declined over the last year. The average cost to a company was US$188 per customer, compared to $194 last year. Average total cost to a business declined to $5.4 million from $5.5 million last year. The researchers also saw a drop of 13 percent in the number of consumers who said they’d bolt from a company that notified them their personal data had been compromised.
  • Sept. 11. Natural Provisions, a natural foods store in Williston, Vt., cuts a deal with the state attorney general to spend $15,000 to upgrade its computer system in response to complaints that it failed to promptly notify customers of a data breach last year.
  • Sept. 12. Vodafone Germany reveals that personal information for more than 2 million mobile customers was stolen from its systems. Information stolen included customer names, addresses, bank account numbers and birth dates.
  • Sept. 12. David Patton, executive director of the Utah Department of Health, tells state legislative committee that no cases of identity theft have been linked to a data breach at his agency last year that compromised personal information on some 780,000 people serviced by the department.

Upcoming Security Events

  • Sept. 16-18. eCrime 2013. Argonaut Hotel, 495 Jefferson Street, San Francisco. Sponsored by Anti-Phishing Work Group. Registration: $475.
  • Sept. 17. Cyber Security Think Tank. 10 a.m.-3 p.m. ET. Live panel discussion sponsored by Dell SecureWorks. Free.
  • Sept. 17. The Size and Shape of Online Piracy. 9 a.m.-10:30 a.m. Room 485, Russell Senate Office Building, Constitution Ave. NE and 1st Street NE, Washington, D.C. Sponsored by The Information Technology & Innovation Foundation. Free with registration.
  • Sept. 18-20. Gartner Security & Risk Management Summit 2013. London. Registration: 2,325 euros + VAT; government, 1,800 euros + VAT.
  • Sept. 19. Better Security Without the Risk. 1 p.m. ET. Webinar sponsored by WatchGuard. Free with registration.
  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.
  • Sept. 25. Cyber Sticks and Carrots: How the NIST Cybersecurity Framework, Incentives, and the SAFETY Act Affect You. 12 noon-2 p.m. ET. Offices of Venable, 575 7th Street, NW Washington, D.C. Presentation with former Deputy Secretary of Homeland Security Jane Holl Lute. Free with registration.
  • Sept. 25. Cyber Security Summit 2013. Hilton, New York City. Admission: $199; government, $99.
  • Sept. 30-Oct. 4. INTEROP 2013. Javits Center, New York City. Registration: all access pass, US$3,099 (Mon.-Fri.); conference pass, $2,199 (Wed.-Fri.); Mac & iOS IT, $1,899 (Mon.-Tue.).
  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian/The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
  • Oct. 2. Visa Global Security Summit — Responsible Innovation: Building Trust in a Connected World. Ronald Reagan Building and International Trade Center, Washington, D.C. Free with registration.
  • Oct. 5. Suits and Spooks. SOHO House, New York City. Registration: Early Bird, $395 (July 5-Aug. 31); $625 (Sept. 1 and after).
  • Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center, Baltimore, Md. Registration: $495; government, free; academic faculty, $295; student, $55.
  • Oct. 9. Induction Ceremonies at Cyber Security Hall of Fame for James Bidzos, David Bell, Eugene Spafford, James Anderson and Willis H. Ware. 6 p.m.-10 p.m. Hilton Baltimore, 401 W. Pratt Street, Baltimore. Dinner Admission (Black Tie Optional): $250.
  • Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros + VAT delegate/495 euros + VAT one-day pass; Discount from July 27-Sept. 27, 995 euros + VAT delegate/595 euros + VAT one-day pass; Standard from Sept. 27-Oct. 27, 1,095 euros + VAT delegate/695 euros + VAT one-day pass; On site from Oct. 28-31, 1,295 euros + VAT.
  • Nov. 6. FedCyber.com Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, $100; industry, $599.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.

More by John P. Mello Jr.