Here Are Certain Aspects of Information Security That, with Time, Have Become Essential

Hot topics and industry buzzwords come and go, but there are certain aspects of information security that, with time, have become essential. Many considered Web 2.0 to be just a wave of weird project names and mostly useless services. However, with time, some small websites became huge and big software players started offering their own web apps. Here we are a decade later, and we can't even imagine using the Internet without accessing many of these services. For today's Internet, web application security is not only important, it's essential, and that's why we decided to cover it in this issue.

Mirko Zorz
Editor in Chief

Visit the magazine website at www.insecuremag.com

(IN)SECURE Magazine contacts

Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected]
News: Zeljka Zorz, Managing Editor - [email protected]
Marketing: Berislav Kucan, Director of Operations - [email protected]

Distribution

(IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor.

Copyright (IN)SECURE Magazine 2013.

Exploring attacks against PHP applications

The PHP SuperGlobal parameters are gaining popularity within the hacking community because they incorporate multiple security problems into an advanced web threat that can break application logic, compromise servers, and result in fraudulent transactions and data theft. In one month, Imperva’s research team noted an average of 144 attacks per application that contained attack vectors related to SuperGlobal parameters. Furthermore, researchers witnessed attack campaigns lasting more than five months with request burst floods of up to 90 hits per minute on a single application.
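The report's figures above (attack vectors that name SuperGlobal parameters, bursts of up to 90 hits per minute against one application) translate into two cheap access-log checks: flag any request whose query parameter names reference a PHP SuperGlobal array, and count how many such requests a single client sends per minute. The Python below is an added example written for this page, not code from the magazine or from Imperva's report. The access-log lines it scans are constructed for illustration; the Apache combined log format, the choice to inspect only query-string parameter names (POST bodies are not in an access log), and the 90-per-minute default threshold taken from the report's figure are this example's own assumptions.

```python
"""Flag HTTP requests whose parameter names reference PHP SuperGlobals,
and count per-client bursts of such requests.

Added example; the log lines in SAMPLE_LOG are constructed, not real traffic.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# PHP superglobal array names without the leading '$'.
SUPERGLOBALS = {
    "GLOBALS", "_SERVER", "_GET", "_POST", "_FILES", "_COOKIE",
    "_SESSION", "_REQUEST", "_ENV",
}

# A parameter name referencing a superglobal, e.g. `_SERVER[HTTP_HOST]`,
# `GLOBALS[cfg]` or `$_SESSION[user]`. The trailing `(\[|$)` keeps
# look-alikes such as `_GET_started` from matching.
_SG_PARAM = re.compile(r"^\$?(" + "|".join(sorted(SUPERGLOBALS)) + r")(\[|$)")

# Minimal Apache combined-log-format pattern: client, timestamp, request line.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)

# Constructed sample (assumption): one client probing with superglobal
# parameter names, one benign client with a look-alike name.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2013:14:03:17 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2013:14:03:18 +0000] "GET /index.php?_SERVER[HTTP_HOST]=attacker.example HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2013:14:03:19 +0000] "GET /admin.php?GLOBALS%5Bcfg%5D=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2013:14:03:20 +0000] "GET /index.php?%2524_SESSION%255Buser%255D=admin HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Sep/2013:14:03:21 +0000] "GET /index.php?_GET_started=1&page=home HTTP/1.1" 200 512',
]


def superglobal_params(url):
    """Return the query parameter names in `url` that reference a superglobal."""
    query = urlsplit(url).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so double-encoded brackets
        # (%255B -> %5B -> [) are still seen as brackets.
        decoded = unquote_plus(name)
        if _SG_PARAM.match(decoded):
            hits.append(decoded)
    return hits


def parse_log_line(line):
    """Parse one combined-log line into (ip, timestamp, method, url), or None."""
    m = _LOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("url")


def scan(lines, burst_threshold=90):
    """Scan access-log lines; return (flagged, bursts).

    flagged: list of (ip, url, [superglobal parameter names]) per hit.
    bursts:  {(ip, minute): count} for minutes in which one client sent more
             than `burst_threshold` superglobal-bearing requests; the default
             mirrors the 90 hits/minute floods the report describes.
    """
    flagged = []
    per_minute = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # unparseable line; a real pipeline would count these
        ip, ts, _method, url = parsed
        hits = superglobal_params(url)
        if hits:
            flagged.append((ip, url, hits))
            per_minute[(ip, ts.replace(second=0))] += 1
    bursts = {key: n for key, n in per_minute.items() if n > burst_threshold}
    return flagged, bursts


if __name__ == "__main__":
    # Threshold lowered to 2 so the five-line sample produces a burst.
    flagged, bursts = scan(SAMPLE_LOG, burst_threshold=2)
    for ip, url, hits in flagged:
        print(f"{ip} {url} -> {hits}")
    for (ip, minute), n in bursts.items():
        print(f"burst: {ip} sent {n} superglobal-bearing requests in minute {minute:%H:%M}")
```

The name check is deliberately exact on case and on the bracket that follows the array name, because PHP's superglobals are case-sensitive and a parameter merely starting with `_GET` is ordinary application input; the double decode is there because the same leniency attackers rely on in PHP's input handling also hides encoded brackets from a naive single-decode filter.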
Imperva released its September Hacker Intelligence Initiative report which presents an in-depth view of recent attacks against PHP applications. The report also finds that hackers are increasingly capable of packaging higher levels of sophistication into simpler scripts, and identifies PHP SuperGlobals as a prime target that yields a high return on investment.

Imperva researchers observed that attackers are capable of mounting complex attacks and packaging them into simple-to-use tools. However, while an impressive demonstration of attack strength, the PHP method has pitfalls. An application security solution that can detect and mitigate a single stage of the attack can render the entire attack useless.

NSA's quest to subvert encryption, install backdoors

Journalists from the NYT and ProPublica have joined efforts and have published the most explosive article to date dealing with revelations about NSA spying efforts.

Backed by the documents shared by NSA whistleblower Edward Snowden, they state that the US National Security Agency has actively and for years now concentrated on thwarting or subverting encryption efforts via a number of ways, and that their endeavors have largely been successful.

"The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show," they claim.

"Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the NSA wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun."

They pointed out that after the NSA lost the very public dispute in 1994 about whether it should be allowed to fit a backdoor into all encryption, it decided it was not going to be stymied by this setback and opted to simply continue its efforts - this time in secret.

They did not concentrate on breaking encryption as much as making its use irrelevant. They did start using faster and faster supercomputers for breaking cryptographic keys, but they also, among other things:

• Secured the collaboration - either voluntary or legally forced - from US and foreign Internet and telecom companies to gain the needed access to the communications they wanted to review before they were encrypted. Alternatively, when neither of those two approaches worked, they would steal the companies' encryption keys or secretly alter their products to contain a backdoor only known to the NSA.

• Hacked into computers / endpoints before the messages were encrypted.

• Influenced the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization to adopt an encryption standard that has been made by the NSA to include a weakness known only to them.

All these things were, of course, done in secrecy. "The full extent of the NSA’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand," the reporters shared.

"The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible," Bruce Schneier pointed out. "Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA."

It's interesting to note that both the NYT and ProPublica have been asked by US intelligence officials not to publish this last article, saying that "it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read." However, both publications have declined to comply with that request.

New discovery will allow large-scale quantum cryptography networks

Researchers from Toshiba have discovered a method to build quantum cryptography communication networks with a far greater scale than ever before. It will allow quantum cryptography to be used beyond its current niche applications, for example as part of the Smart Community Networks that will manage and control energy generation and consumption in the future.

Quantum cryptography shows great potential to revolutionize the way sensitive data is protected. It can be used to distribute secret digital keys with a security that is not vulnerable to advances in computing, mathematics or engineering, and means any hacker that "taps" an optical fiber will be detected. At the same time, it could become the first prevailing technology to harness the peculiar laws of quantum physics.

However, major obstacles still have to be overcome in order to make quantum cryptography viable for widespread use, particularly regarding the number of users that can be connected to a single network. Up until now, implementing a quantum cryptography network has required an elaborate photon detector for each additional user.

The Toshiba team has discovered a technique to allow many users to share a single detector and thereby greatly reduce the complexity of the network. The breakthrough means that with current technology, it would be possible for 64 users to connect to a single detector in a Quantum Access Network.

Barracuda WAF now on Windows Azure

The Barracuda Web Application Firewall has blocked over 11 billion real world attacks since 2007. Organizations using the Barracuda Web Application Firewall get a strong security platform that performs deep inspection of all Web traffic, enabling it to provide a wide range of attack prevention capabilities at both the network and application layers. These include SQL injections, XSS attacks, session tampering and buffer overflows as well as volumetric and application-based DDoS protection.

An Intel study, “What’s Holding Back the Cloud,” (May 2012), reported that 87 percent of the IT professionals surveyed were concerned about security and data protection and 28 percent have experienced a public cloud–related security breach, an increase over the number of breaches experienced in their traditional IT security infrastructure.

With the new cloud edition of the Barracuda Web Application Firewall (www.barracuda.com/WAF) that can be deployed on Microsoft Azure (www.barracuda.com/WAFonAzure), organizations now have the flexibility to deploy the same strong protection in the cloud or on premise.

As a full proxy, the Barracuda Web Application Firewall blocks or cloaks attacks, while preventing outbound data leaks of information such as credit card or Social Security numbers. In addition, the Barracuda Web Application Firewall mitigates broken access control to applications by preventing cookie tampering and corruption of an application’s access control system. With the most flexible range of deployment options that span hardware, virtual and cloud, the Barracuda Web Application Firewall provides a complete security solution for all of your applications in any environment.

61% of IT pros don’t report security risks to executives

culture necessary to security programs effective across the organization. Key findings from the survey include:

• 61 percent said they don’t communicate security risk with senior executives or only communicate
