
News
Cross-Site Scripting: article by Deny All CTO published on 01 net Enterprises
Friday, 1 July 2011, 10:01

An interesting article by Renaud Bidou, Deny All's CTO, was published today by 01net Entreprises. In it, Renaud describes the evolution of cross-site scripting (XSS) attacks and how hackers increasingly use this technique to abuse Internet users and recruit new machines into their botnets. Thanks to 01net Entreprises for their trust. The article (in French) can be found here: http://pro.01net.com/editorial/534784/cross-site-scripting-attention-aux-degats/

 
Would a WAF have saved the day for Sony?

‘Most likely’, says the Deny All Research Center

Recent events
In the last few weeks, Sony has been the target of two large-scale cyber attacks, which have affected close to 100 million users of the Sony PlayStation Network and Sony Online Entertainment services. According to the Financial Times, 23,000 credit card numbers were stolen, and other sources point to evidence that some of these are being offered for sale on underground networks.
 

Probable attack vector
Sony has disclosed only limited information hinting at the methods used by the attackers. Based on the public information available to date, the Deny All Research Center (DARC) has drawn its conclusions in a separate analysis (in English).

Facebook hacked: the need for behavioural analysis

Recent Facebook hacks raise the question of how such visible and (hopefully) well-secured web applications can be compromised simply by guessing user credentials. The point is that intruders no longer exploit technical vulnerabilities but logical ones. Allowing a "user" to perform thousands of authentication attempts within a few seconds has nothing to do with the quality of the code. It is a lack of detection of an abnormal behaviour that cannot be that of a human.
In such a case, common detection techniques are no longer effective. They mostly rely on so-called "patterns" or "signatures" that are either found or not found in specific parts of the request. Pattern matching and its current variants have proved quite effective at preventing the exploitation of technical vulnerabilities, as long as they are implemented properly. But in the case of logical breaches there is nothing specific to "sign", since each request is entirely legitimate from the protocol and application point of view.
Therefore a whole range of attacks remains undetectable (and consequently unstoppable) with the usual oldies-but-goodies techniques. Floods that would block an application, crawlers downloading an entire web site and brute-forcers trying to guess passwords get a free ride on the highway to applications.

At some level, security could be enforced by the application itself. Rate limiting, cookie tracking or CAPTCHA mechanisms would effectively prevent automated tools from accessing the application. But they would also affect the user experience, from adding annoying steps to day-to-day browsing to outright connection denial for one technical reason or another. Moreover, they require application designers to stay up to date with current logical attack techniques and effective mitigation methods, which is far from their daily focus.
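The argument above, that a brute-forcer's requests carry nothing to "sign" and only their rate gives them away, can be shown with a small rate-based detector run over access-log lines. This is an added example, not Deny All's code or any rWeb logic; the log lines are constructed, and the login path, the 10-second window and the threshold of 5 attempts are assumptions chosen for illustration.

```python
"""Rate-based detection of credential brute-forcing in web access logs.

Added example (not Deny All's code): every request below is a well-formed
POST /login that no content signature would flag; the anomaly only appears
when requests from one source are counted over time.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One combined-log-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# A few classic content signatures, to show that none of them fire on a brute-force.
SIGNATURES = [re.compile(p, re.I) for p in
              (r"<script", r"'\s*or\s+1\s*=\s*1", r"\.\./", r"union\s+select")]


def parse_line(line):
    """Return a dict for a parsable log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def matches_signature(line):
    """Content-based check: true only if a known attack pattern appears in the line."""
    return any(s.search(line) for s in SIGNATURES)


class AuthRateDetector:
    """Sliding-window counter of login attempts per source IP.

    window_seconds and max_attempts are assumed values for illustration; the
    login endpoint is assumed to be POST /login.
    """

    def __init__(self, window_seconds=10, max_attempts=5, login_path="/login"):
        self.window = window_seconds
        self.max_attempts = max_attempts
        self.login_path = login_path
        self.history = defaultdict(deque)  # ip -> timestamps of recent attempts

    def observe(self, rec):
        """Record one request; return True if the source now exceeds the threshold."""
        if rec["method"] != "POST" or rec["path"] != self.login_path:
            return False
        q = self.history[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        return len(q) > self.max_attempts


def detect(lines, detector=None):
    """Run the detector over log lines; return {ip: details} for flagged sources."""
    detector = detector or AuthRateDetector()
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if detector.observe(rec) and rec["ip"] not in flagged:
            flagged[rec["ip"]] = {"attempts_in_window": len(detector.history[rec["ip"]]),
                                  "first_flagged_at": rec["ts"]}
    return flagged


# Constructed sample traffic, not a real log: a human who mistypes a password three
# times over two minutes and then succeeds, and one client firing 40 attempts in 4 s.
HUMAN = [
    '198.51.100.3 - - [10/Jun/2011:14:00:05 +0200] "GET /login HTTP/1.1" 200 2210',
    '198.51.100.3 - - [10/Jun/2011:14:00:12 +0200] "POST /login HTTP/1.1" 401 312',
    '198.51.100.3 - - [10/Jun/2011:14:00:40 +0200] "POST /login HTTP/1.1" 401 312',
    '198.51.100.3 - - [10/Jun/2011:14:01:20 +0200] "POST /login HTTP/1.1" 401 312',
    '198.51.100.3 - - [10/Jun/2011:14:01:55 +0200] "POST /login HTTP/1.1" 302 0',
]
BOT = [
    f'203.0.113.7 - - [10/Jun/2011:14:02:{s:02d} +0200] "POST /login HTTP/1.1" 401 312'
    for s in range(10, 14) for _ in range(10)
]
SAMPLE_LINES = HUMAN + BOT

if __name__ == "__main__":
    print("signature hits:", sum(matches_signature(l) for l in SAMPLE_LINES))
    print("flagged sources:", detect(SAMPLE_LINES))
```

Every bot line passes the signature check (it is a well-formed POST /login), but the sixth attempt inside a 10-second window from the same source trips the detector, while the human's three fumbled logins spread over two minutes never do. Keying on the source IP alone is the weakest form of this check: a distributed brute-forcer spreads attempts across addresses, so a production implementation also counts per targeted account and per session cookie.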

For more information, read the article by Renaud Bidou, CTO of Deny All.

Les Assises 2010: Presentation by Renaud Bidou, CTO of Deny All

During "les Assises de la Sécurité" 2010, Renaud Bidou gave a talk entitled "extension of the field of combat" on how CSOs must now also protect web surfers from hackers.

The presentation can be viewed again online.

 
Thanks to Client Sanitization, banks can strengthen the security of online payments

With the success of online commerce sites, remote payment has become part of everyday habits. The rate of fraud in the settlement of purchases on the Internet, however, remains 15 times higher than for face-to-face payments. The Banque de France, which is charged by law "to ensure the security of means of payment", has therefore addressed the problem. In 2010 it asked all banks to improve the security of online payments.

To help banks meet this challenge, Deny All has created Client Sanitization, a module that creates a "protective bubble" around the browser to prevent keyloggers (spyware) and other Trojans that may be present on the customer's or employee's workstation from capturing the user's data or, for example, compromising a financial transaction.
This option can be used in a number of sectors: banks, e-commerce sites or online gaming sites.

For more information, see the press release or contact us.

Deny All confirms its leadership and vision with rWeb 4.0, the next-generation web application firewall

Deny All opens 2010 with an innovation: the launch of a new-generation WAF, version 4.0 of its flagship solution rWeb.

Deny All, European leader in protecting and accelerating Web, XML and FTP applications, announces the latest version of its security solution for Web/XML applications, with many innovations in the fields of security, performance and management.


Two major technological breakthroughs

A tool dedicated to Web Services:
Most Web Application Firewalls (WAF) protect "classical" layers (HTTP, SMTP…) and therefore neglect the protection of Web Services. Today, rWeb is the only solution on the market to offer an integrated module fully dedicated to Web Services. Very easy to use, it greatly increases the functional coverage compared to the previous version (3.8).

Web application security extended to the client:
Deny All innovates by extending security to the client through a new rWeb feature called Client Sanitization. It provides a "protective bubble" in the browser, preventing for example keyloggers, spyware and other Trojans from recording data entered on the Internet or compromising a financial transaction.

 
Deny All wins the Hex-Rays developer contest

Vincent Rasneur is honoured for his DWARF plugin in the Hex-Rays developer competition.

Paris, 1 December 2009: Deny All, a leading vendor of Web Application Firewalls (WAF), has received the Hex-Rays developer award. Vincent Rasneur was awarded the prize by Hex-Rays, maker of the reverse-engineering software IDA, for submitting his DWARF plugin. Rasneur is a member of the Deny All Research & Development team at the company's Paris headquarters.

"As this is a very high-calibre competition, we congratulate Vincent especially on this success," says Christian D'Orival, Chief Operating Officer at Deny All.
Hex-Rays is also pleased with the results of the first Hex-Rays plugin competition. "The submitted programs are very interesting for the IDA software.
They will help security specialists around the world save analysis time," says Ilfak Guilfanov, founder and CEO of Hex-Rays.

Second place went to Marian Radu of Microsoft with the Adobe Flash disassembler; third place went to Jan Newger with the IDAStealth plugin.

"We warmly congratulate the winners," Guilfanov concludes. "We would like to thank all participants for their contributions. Many of them show new ways of using and extending IDA." Further information about the award is available at http://www.hexrays.com/contest2009/.

Information about Deny All is available at: www.denyall.com.
 

 
Deny All took part in the WAF round table at the it-sa trade fair

IT(ea)-Time Roundtable:

   Backdoor Browser? "Von hinten durch die Brust ins Auge" (the long way round): the vulnerability of web applications

Participants: Mr. Stefan Strobel of Cirosec, Dr. Bruce Sams of OPTIMAbit GmbH and Mr. Thomas Kohl of Deny All (video available)

   Web Application Firewall, the fast track to high-level security

Speaker: Mr. Ingmar Ludemann (video available)

Deny All releases a patch against Slowloris, a denial-of-service attack on web servers

The DARC (Deny All Research Center), the Deny All division that focuses on threat analysis and mitigation, performed a technical analysis of the tool and of the concept behind the attack.
As a result, all Deny All customers can now be protected against this attack and against any variant based on the same technique.
This is the first patch released for an Apache-based product against this attack.


You can read the press release.

rWeb 3.8 evaluated by SIC Laboratory

SIC (Seguridad en Informática y Comunicaciones) has been, since 1992, the most widely read information security and IT systems security magazine in Spain. Aimed at CISOs, CIOs and other information security managers, this Ediciones CODA publication serves as a cohesion tool for its Spanish-speaking professional readership.
SIC Laboratory is the section of the magazine where security hardware/software products and tools are identified, examined, analyzed and evaluated.

In June, our leading product rWeb 3.8 was evaluated: "the results of the test [for the White List] have led to very satisfactory values of around 98.2%. And the test results have been excellent with the Black List."
 

You can read the Spanish article.