Malicious hackers are always looking for ways to target businesses, government agencies and individuals, and they have a wide variety of methods and vectors at their disposal to attack their targets. But naturally, they’ll always choose the channel that will enable them to deal the most damage for the least effort, or, as the saying goes, give them “the biggest bang for the buck.”
In this regard, websites and web applications have proven to be one of the favorite targets for cyber-attacks, because they’re easier to hack than, say, operating systems or networking hardware such as routers and switches, and they provide lots of opportunities to wreak havoc across a victim’s network. According to the SANS Institute, web applications account for more than 60% of targets in cyber-attack attempts on the internet, and statistics released by Sophos Labs show that tens of thousands of websites are targeted and hacked every day.
Here are some of the reasons that back this argument and prove that web application security should be taken more seriously.
Few things are as bad as a serious flaw found in the source code of an application at the wrong time. Vulnerabilities in software source code have a damaging impact on the vendor, the service provider and the end user. They incite mistrust and fear and harm the reputation of developers and publishers. According to a study by Carnegie Mellon University, approximately 90% of security incidents come from software bugs.
However, it’s both surprising and disappointing to see that developers aren’t putting enough energy into rooting out vulnerabilities from their source code before releasing their software. And I don’t mean small firms and developer studios. I’m talking about the big players as well. Here are four serious flaws found in recent months that definitely could have been discovered and eliminated long before the software went into production. They warn us that something has to change in source code review.
If you haven’t heard about the ongoing encryption showdown that has pitted tech giant Apple against the FBI, you’re probably not living on planet Earth. But here’s a quick breakdown: The involved parties are at loggerheads over an iPhone 5c recovered during the investigation of the San Bernardino massacre last December.
The FBI is asking Apple to help it break into the phone by developing a special version of its iOS operating system, which would enable the feds to bypass security measures that protect against brute-force attacks. Apple is vehemently denying the request, maintaining that doing so will compromise the security of all iPhones and the privacy of its consumers.
Replay attacks, in which attackers intercept and resend network packets that do not belong to them, are extremely dangerous and can in some cases cause serious damage. What makes these kinds of attacks even more noisome is that they can be staged on encrypted communication channels without gaining access to the decryption keys. Attackers only have to eavesdrop on your line and have a general knowledge of what task a specific set of packets is performing, and by resending those packets or requests, they will be able to disrupt your communications or cause more damaging effects.
In this article, I’ll show you a basic, easy-to-implement method that will prevent replay attacks on your website. It will also have the side benefit of preventing the annoying effects of confused users repeating their last POST request by constantly refreshing their browser at the wrong time.
As the saying goes, “There’s more than one way to skin a cat.” And this proverb exactly describes the situation with passwords. I’ve already discussed the inherent problems with passwords in a previous blog post, and I listed the possible alternatives to passwords in my latest piece in TechCrunch. In this post, I’ll describe some of the tools and tricks hackers use to either steal your password or bypass it.
No one will argue that IoT security is a serious issue. There are currently several initiatives that are focused on addressing the many privacy and security problems the IoT industry is introducing. However, the hardware, software and environmental diversity in IoT is so enormous that employing the same security solutions we’ve been using on computers and mobile devices is simply not feasible and will not address the multitude of problems we’re facing. Here are some of the challenges we must overcome if we wish to achieve a holistic approach to IoT security.