Looking at Good Application Security – It’s Not Just about Penetration Testing

(An updated version of an article originally published on Tek-Tips in 2010: http://tek-tips.nethawk.net/looking-at-what-makes-good-application-security-knowledge/)

In 2013 there is still a growing reliance on penetration testing to identify all the flaws in the security of systems and applications. This is a flawed approach. Penetration testing is important, and we believe it is a must-do for every new system and application being rolled out, but if it is all you are doing you need to reassess your whole security framework and systems development lifecycle. A penetration test is an assurance assessment: a point-in-time check that finds some of the exploitable weaknesses present at that moment, and only one component of how an application should be reviewed, audited and tested.

LinkedIn reassures users that their information is secure

Professional social networking site LinkedIn has moved to assure users that their information is secure, following a highly-publicised security breach earlier this month.

“By now, many of you have read recent headlines reporting that 6.5 million LinkedIn hashed passwords were stolen and published on an unauthorised website,” wrote LinkedIn director Vicente Silveira in a blog post dated June 9.

“We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime.”

Silveira pointed out that no usernames were published alongside the leaked hashes, and said LinkedIn had received no reports of accounts being breached as a result.

He also said that LinkedIn had recently upgraded its password storage. Stored passwords are now hashed and salted, a widely recognised industry best practice: a unique random salt per account means two users with the same password no longer share the same hash, and an attacker cannot reuse one precomputed table of hashes against every account in the leaked set.
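To make the difference concrete, the following is an added example (not LinkedIn's code, and not from the original article). It assumes, as an assumption not stated on this page, that the pre-breach scheme was a single unsalted SHA-1 per password, and it uses PBKDF2-HMAC-SHA256 as a stand-in for any salted, deliberately slow password hash. The user table and attacker wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real accounts): a small user table and the
# attacker's tiny wordlist. Note alice and carol share a password.
USERS = {"alice": "linkedin", "bob": "password123", "carol": "linkedin"}
WORDLIST = ["123456", "password", "linkedin", "password123", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Assumed 'before' scheme: one plain SHA-1 per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """One precomputed table serves every leaked account at once.

    Identical passwords produce identical hashes, so a single lookup table
    built from the wordlist recovers every user who chose a listed password.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """'After' scheme: per-account random salt plus a slow iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(users: dict, iterations: int = 100_000) -> dict:
    """Store (salt, iteration count, digest) per user; salt is never reused."""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        stored[user] = (salt, iterations, salted_hash(pw, salt, iterations))
    return stored


def verify_salted(stored: dict, user: str, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, iterations, digest = stored[user]
    return hmac.compare_digest(digest, salted_hash(password, salt, iterations))


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """No shared table is possible: every account must be attacked separately.

    Returns the cracked accounts and the number of slow hashes the attacker
    had to compute, which grows with accounts * wordlist size * iterations.
    """
    cracked, work = {}, 0
    for user, (salt, iterations, digest) in stored.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(digest, salted_hash(word, salt, iterations)):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("unsalted: alice and carol share a hash:", unsalted["alice"] == unsalted["carol"])
    print("unsalted: cracked with one table:", crack_unsalted(unsalted, WORDLIST))

    salted = store_salted(USERS, iterations=1_000)
    print("salted: alice and carol share a digest:", salted["alice"][2] == salted["carol"][2])
    cracked, work = crack_salted(salted, WORDLIST)
    print("salted: cracked per account:", cracked, "after", work, "slow hashes")
```

The wordlist still cracks the weak passwords either way; salting does not make a bad password good. What changes is the attacker's cost: the unsalted table is built once and applied to all 6.5 million hashes in a single pass, while the salted store forces one slow computation per account per guess and hides which users share a password. The iteration count is kept low in the demonstration run only so it finishes quickly; a production deployment should use a far higher work factor or a memory-hard hash.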

Following the breach, many experts criticised the LinkedIn team for not taking more care in guarding user information.

LinkedIn has responded by pointing out that all compromised passwords were invalidated immediately and that every user whose password was put at risk has been emailed with reset instructions.

However, Andrew Conway of anti-spam company Cloudmark reports that four per cent of affected LinkedIn users marked that password-reset email as spam, and so did not follow the instructions it contained.

Even minor security breaches can have a major impact on a business’s reputation. Customers expect their data to be protected when they operate online, and it is the responsibility of the company to ensure their private information is safe.

Penetration testing is one good way to evaluate the security controls your business has in place, by finding exploitable weaknesses and entry points before cyber criminals do.

Blogger Vincenzo Cosenza recently released his world map of social network popularity, and found LinkedIn to be the second most popular online networking option in Australia, behind only Facebook.

Last.fm investigating user password security issue

Music website Last.fm is currently investigating a potential security breach, according to a blog post published June 7.

The news follows yesterday’s report of a major hacking incident at professional social networking site LinkedIn, in which a reported six million password hashes were stolen.

Last.fm has asked all registered users to change their password immediately, and to choose one they do not use on any other website.

Businesses concerned about the risk of unauthorised access to confidential information should consider penetration testing.

A penetration test identifies weaknesses in security controls and reports on the systems and applications that need improvement, ranked by how easily the weaknesses could be exploited.

Acting on those findings, businesses can take the necessary steps to ensure information stays secure and private, and greatly reduce the risk of cybercrime.

Last.fm allows users to build a music profile that provides information and recommendations based on their listening habits. Both a free service and an advertisement-free subscription service are available.

“We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously,” wrote the Last.fm team.

“We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this.”

Hackers leak confidential LinkedIn passwords

Professional social networking website LinkedIn.com is investigating a security breach that may have seen upwards of six million password hashes compromised.

LinkedIn director Vicente Silveira confirmed the incident in a blog post dated June 6, and informed affected users that they would receive an email with instructions on how to reset their passwords, followed by a further email explaining the situation.

Compromised passwords will no longer work, while non-affected users will be able to continue using the site with their current login details.

Over 160 million people use LinkedIn to create business contacts, find jobs and upload resumes. Users must be accepted as contacts before they can view another person’s private details.

LinkedIn is yet to release official numbers, but UK web security company Sophos reports that 6,458,020 hashed passwords were uploaded to a Russian online forum.

While the corresponding usernames were not posted with those hashes, it is likely that whoever obtained the hashes has access to the usernames as well.

Security breaches like this can be a major blow to business, compromising secure information and damaging client confidence.

Red cell assessments are one way to review security measures, by simulating an external attack on confidential company information.

A red cell team consists of highly trained professionals, adept at both standard and novel intrusion techniques.

They can attempt to reach confidential information already stored on a business database, or they can go after a decoy document planted beforehand for the exercise. Either way, real information remains secure and confidential, and there is minimal risk of downtime or productivity loss.

After the assessment is complete, a full debriefing provides clients with an evaluation of their security processes and allows them to take the necessary steps to prevent a legitimate attack.

LinkedIn has apologised to users for any inconvenience caused and emphasised that it takes member security seriously.