Posted by Jason Remillard on Wed, Mar 31, 2010 @ 12:05 PM

As reported in the past few days, a site selling Durex condoms has had a small 'exposure' problem. As reported, the site had been suffering (for how long is unknown) from several basic security exposures, including allowing orders to be viewed online without a login - simply by changing the order number!
I know that this is a 'simple' mistake, but come on folks... This isn't 1998, where you wrote apps in MS Access and wrapped a report around it! This is (was?) a fully fledged shopping system, with, um... confidential information regarding previous orders (hmmm... size... color... flavors???)
According to the lawsuit, the company took quick action to pinch off the problem, but who knows how long the problem was exposed? What is more interesting to me is that this problem was found by an unsophisticated user. I mean, he wasn't a cracker, malware engineer or depth-defying trojan writer. He was a customer that said, "Hmm... I wonder"... Perhaps we can all take a lesson from this scenario and consider thinking not just outside of the box with security, but also using, I suppose, accidental techniques to test services and applications. I'm sure my tester friends have a technical term for this, but it just goes to show that sometimes 'what if' is a testing parameter.
Usually conversations in this context deal with adult-content oriented websites - those are usually the first and most often attacked. Considering this case, things are a little different but no less important - the last thing you want is your customer information all piled up in someone else's control.
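The 'change the order number' flaw above is a missing authorization check on a direct object reference: the page looks the order up by the number in the URL and never asks who is asking. The example below is added here and is not code from the condom site or from this blog; the order store, customer ids and handler names are constructed for illustration, and it shows the vulnerable lookup next to a hardened one.

```python
# Added example (not from the original post): a vulnerable order lookup beside a
# hardened one. The order store and customer ids are constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    items: tuple


# Constructed sample data: customer 7 owns two orders, customer 9 owns one.
ORDERS = {
    1001: Order(1001, 7, ("item-A",)),
    1002: Order(1002, 7, ("item-B", "item-C")),
    1003: Order(1003, 9, ("item-D",)),
}


class OrderAccessError(Exception):
    """Raised when the caller may not see the requested order."""


def view_order_vulnerable(order_id: int, session_customer_id: Optional[int]) -> Optional[Order]:
    # Defect the post describes: the lookup is keyed only by the order number
    # from the URL. Anyone, logged in or not, who tries a valid number gets it.
    return ORDERS.get(order_id)


def view_order_fixed(order_id: int, session_customer_id: Optional[int]) -> Order:
    # Hardened form: require an authenticated session, then check that the
    # order actually belongs to that customer before returning anything.
    if session_customer_id is None:
        raise OrderAccessError("login required")
    order = ORDERS.get(order_id)
    # Same error for 'missing' and 'someone else's order', so the response
    # does not confirm which order numbers exist.
    if order is None or order.customer_id != session_customer_id:
        raise OrderAccessError("order not found")
    return order


def can_view(handler, order_id: int, session_customer_id: Optional[int]) -> bool:
    """True if the handler hands back an order for this caller, else False."""
    try:
        return handler(order_id, session_customer_id) is not None
    except OrderAccessError:
        return False
```

Sequential order numbers make the vulnerable version trivially walkable; the fix is the ownership check, not hiding the numbers.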
On a better note, our Facebook group seems to be cooking now, over 170 fans. Even better, our WordPress Security Plugin is getting great play - over 500 installs now!
Posted by Jason Remillard on Tue, Jan 26, 2010 @ 12:05 PM
Malware… Yes, it's been around for many years. However, the attack vector has changed. Long ago the primary distribution method was by sharing dirty data (yes, exchanging floppy disks… remember those days?!)
Then it went onwards into distributing viruses and malware via email (this is the early days of Outlook Express!). Then came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.)
Now however, it is much more sophisticated. As unfortunately some of you have experienced, the hackers are now cracking PCs and websites to inject malware. Hence the term ‘drive-by malware’. By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website. Target any sized website, inject your bad code, and watch the infections grow by the minute!
Consider this scenario… we have a customer who came to us (name not mentioned, of course) that had been injected with malware. The alerts went up in Google HQ. His site was dropped from search engine rankings immediately. So, boom – there goes all of his Google traffic (in this case, responsible for about 2,000 unique visitors a day).
Worse yet, now that Google was aware of his site's problems, the browser vendors picked up on this and started warning ALL people visiting his site with this nice little alert:
Malware Reported Attack Site

So now, he has -0- traffic from Google. ALL of his users are now getting told this is ‘an attack’ site. All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worst of the worst! You are evil! You are spreading the scourge of the earth! How could you!
Now, this guy is in a panic. He’d just started a major campaign (offline and online), and had paid for a lot of advertising that was non-refundable. He was losing 1000’s of dollars a day, and his business was evaporating before his eyes.
Personally, I don’t like to scare-monger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true-to-life stories, and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized any infections he was spreading (because, in reality, he was). After stripping out the hacked code, we scanned all of his site (100s of pages) and plugged up any holes the web vulnerability scanner found (there was more than one in his shopping cart and forum systems). Turns out, some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.
Anyways, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked please, please, please!
Google, please allow his site to be back in your good graces…
After about 36 hours, Google’s scanners had verified that he was now indeed clean, and reincluded him in the indexes. Luckily, since we caught it quick enough, this did not affect his PR rankings and his SEO work he’d invested so much into was saved.
Now, the browser alerts were another problem. Firefox released their warnings within a few hours of Google. Microsoft IE shortly thereafter. Safari and a few other smaller footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses due to his PPC campaign and offline media buy losses. Of course, now he had a perception problem with his customers (yes you are safe, no I’m not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.
How to protect from these effects? Well, since nothing is 100%, regular scanning is your best defense, since you’ll know before the hackers do that there is a problem with your site. Even more important, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you are getting great coverage and risk mitigation from the standpoint that you know more, on a daily basis, about what the outside knows about your site.
This, all told, allows him to sleep better at night.
Posted by Jason Remillard on Sun, Jan 24, 2010 @ 11:55 AM
Malware Infection, Cleanup and Vulnerability Analysis and Consulting Services…
ALERT: TRUE STORY BELOW..
Want to understand how simple it is to secure your site? Sure, we’ll take a real customer example from this week to document the story.
(Names and Certain Elements removed to protect confidentiality)
Context:
Large financial news information site that was recently infected several times. Running an older (but not so old) version of WordPress. Established site, running for years, great following.
Attacks:
Several different approaches, including a desktop infection, which then infected the site. Infections spread internally from there.
Impacts:
Malware was being distributed to its 2000+ unique viewers a day. Due to the depth of the attack, Google has reindexed the site with all of the pornographic and male-enhancement site links, meta tags, etc. Effectively, the site (and business) is in bad shape, and SEO results are suffering.
The Approach:
Customer signed up for a free scan, which resulted in the 1st metric on the chart below (roughly 1,640 High and Medium Vulnerabilities) – Keep in mind, this is a fairly large site.
The customer took the recommendations and executed some of them (upgrading WordPress being the first). After contacting our support group, we went through the rest of the report and summarized the findings and recommendations.
Luckily the Malware Alert Attack Site! flags have been removed from most browsers..
Conclusion:
As a result, we’re now down to 2 high severity issues, and about 70 medium severity. Direct Malware injections were removed. Now we’re going through the last steps to remove the last stragglers of the infection, (some things are set to reinfect after removal, etc.), and CLOSE THE DOORS on the site.
We’ll wrap up the work in a day or so, and the customer will be free from the existing hacks, and we will be monitoring his site on a daily scan basis (for both vulnerabilities and Malware) for the next few months.
Actual Screenshots from the Reporting Tool @ SiteSecurityMonitor.com

We have summarized the vulnerabilities detected over time (added medium and high priority issues) in order to give you a snapshot of your performance over time.
Total Issues: Below are the issues detected on this scan, and the last scan.
[Screenshot of the scan comparison: Previous scan (2009-11-30, time redacted) vs. Latest scan (2009-12-03, time redacted)]
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:40 AM
For some light humor!
1) You really enjoy waking up in the morning with your coffee, hitting your homepage, and finding a new page marketing ‘special offers’ for ‘enhancement’ products… You spill your coffee, burn…ouch.
2) You just love getting a hosting bill showing your site had somehow managed to use 4 terabytes of data last month, even though your site is actually just 3 small pages.
3) You appreciate the Friday afternoon calls from 2 of your largest customers, saying that they are switching to your competitor due to some aggressive marketing they’ve received… Hmm, wonder how your competition knew how many kitty trinkets your biggest customer ordered last week?
4) You relish the thought of not being able to send your weekly newsletter to your regular customers, since, for some reason, no emails are getting through and your hosting provider says you sent 1,540,098 emails in the past hour marketing Acai Beans. You sell catnip toys… Interesting.
5) You’ve had approximately 38.56 different people help you with your website, you’ve changed hosters 6 times, and attempted to change the registrar of your domain three times but gave up. You know what they say about too many cooks…
6) That great freeware guestbook system written by a kid in Slovakia with a name you can’t even pronounce, which you thought was really neat in 2003, is actually still on the site, but you’ve long forgotten about it being there. Google and the scammers didn’t forget though…
7) One of your designers installed a patch for your shopping cart 2 years ago and had problems. After googling for a solution for a few hours with no results they decided to chmod 777 * a few large directories. Voila, it works! And that’s the way it’s been for 2 years now. Lovely.
8) You enjoy explaining to your customers how their private information is now front page news, or worse, with their ex-wife’s lawyer!
9) The thought of having the marketing list you paid $10k for last year available to anyone is something you enjoy. Sharing and collaborating, that’s what the net is all about, right?
10) You enjoy negotiating with a faceless individual from somewhere overseas that speaks like this “u will knot get ur d8a bck ever again unlezz u pay $80.000 dollarz.”. It wasn’t just your corporate data, it was your friends and family as well… Ouch.. Get that wire transfer ready.
11) Finally... The end of the pain. Perhaps not. On top of all of the great ‘side effects’ of not scanning your website – You get sued, your family gets sued, and now the ‘authorities’ are looking into your business activities — because — surprise, surprise, there are laws surrounding data protection. Your business is kaput, your staff is leaving in droves, and everything you’ve worked for for years now is gone. You thought you were diligent in picking a hosting provider, team members for the design and development and other folks for the rest of your business. However, when it came to someone offering you a fresh set of eyes on your site, you said no. No, we’re ok. We check. We’re fine. You thought website security scanning was like insurance. Perhaps it is. But we all miss it when we need it. In this case, you need it before you actually really need it. Because, by then, it’s too late.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:38 AM
As reported previously on my thewhir.com blog posting there seems to be a growing debate about the true ‘value’ of the PCI/DSS standard.
Indeed, I’ve been following a rather large thread on linkedin.com as well that is discussing the value of PCI in regards to the recent Network Solutions, Inc. disclosure that they were malwared for several months!
As we continue, it seems that the Heartland CEO feels the same way: we were certified, we thought we were fine, until we learned that being certified doesn’t mean much… Read the full article here: http://www.cso.com.au/article/314712/heartland_ceo_data_breach_qsas_let_us_down
To me, Heartland’s response to its issues has been much more responsible than others. In this case, they weren’t happy with things, ‘took it on the road’, spun up trade groups, etc… As compared to others, who just hid under the certified stamp.
Post your responses here, or email me directly. If you are interested, I will support/sponsor a more public and open forum on this topic.