2009-12-31

The return of SQL Injection haunts social networking sites

According to CNET News, a man has filed a lawsuit against RockYou alleging that the social networking site failed to secure its network and protect customer information, resulting in a breach that enabled a hacker to obtain the passwords of about 30 million accounts this month.

Data security leader Imperva had notified RockYou on December 4 that it had learned of a vulnerability in RockYou's network platform from underground hacker forums.

This is not an uncommon attack, and it exploits a simple and fundamental vulnerability. Yes, you guessed it: RockYou was hit by an exploit commonly known as SQL injection. This attack targets the information held in the database and manipulates the data stored there.
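To make the mechanism concrete, here is an added example (not code from the original post or from Imperva) of the pattern behind most SQL injection incidents, beside the parameterised form that prevents it. It runs against an in-memory SQLite database with one constructed user row; the table layout, the user and the crafted input are all assumptions for illustration.

```python
"""Added example: an SQL-injectable login query beside its parameterised fix,
run against a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real systems store a salted hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is pasted straight into the statement text, so a quote in the
    input can change the statement's structure."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from the SQL,
    so the input is only ever compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input: closes the quote, adds a true clause
    print("vulnerable, wrong password:", login_vulnerable(db, "alice", crafted))  # True
    print("safe, wrong password:      ", login_safe(db, "alice", crafted))        # False
```

The vulnerable version accepts the crafted password because the resulting WHERE clause becomes `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the parameterised version compares the same string literally and rejects it. The fix is the same in every language and database driver: never build SQL text from untrusted input.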

You can read more about SQL injection attacks in our previous posts.

Find out about the Top 10 Database Hacks and how to stop them in the complimentary white paper; download it here.

Source: Elinor Mills, CNET, <http://news.cnet.com/8301-27080_3-10423042-245.html>

2009-12-27

Is your WPA Key for Sale?

AirTight Networks (AirTight) warns that like any other password-based authentication system, WPA-PSK (and WPA2-PSK) is vulnerable to a “dictionary attack.”

Dictionary Attack
AirTight further explains that a dictionary attack is a brute-force technique in which a hacker uses a dictionary or database of commonly used passwords to guess the WPA encryption key. The problem with this approach is that it might take days or weeks to crack even a moderately strong password with a typical PC.
Check out WPA Cracker at http://www.wpacracker.com/. Though it is made available for white hats to perform vulnerability tests, AirTight warns of the possibility that unethical hackers will use it for malicious purposes.
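The "days or weeks" figure follows from how WPA-PSK turns a passphrase into a key. The added example below (not code from AirTight or the original post) implements the standard passphrase-to-PSK mapping from IEEE 802.11i, which is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, measures how many derivations a single core manages per second, and converts a dictionary size into the time needed to try every entry. The passphrase list and the "weak" length threshold are assumptions for illustration.

```python
"""Added example: WPA/WPA2 passphrase-to-PSK derivation and a cost estimate
showing why guessing from a dictionary is slow per candidate."""
import hashlib
import time

# Constructed stand-in for a "dictionary of commonly used passwords".
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "iloveyou"}


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as
    salt, 4096 iterations, 32-byte output. Passphrases are 8-63 ASCII chars."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def measure_rate(samples: int = 20) -> float:
    """Rough single-threaded derivations per second on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk("benchmark-%03d" % i, "bench-ssid")
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def seconds_to_exhaust(dictionary_size: int, rate: float) -> float:
    """Worst-case time to derive the PSK for every dictionary entry at `rate`
    derivations per second. Because the SSID is the salt, the work cannot be
    shared across networks with different SSIDs."""
    return dictionary_size / rate


def passphrase_risk(passphrase: str) -> str:
    """Defender's check: would a dictionary contain this passphrase, or reach
    it quickly? The 12-character threshold is an assumption for illustration."""
    if passphrase in COMMON_PASSPHRASES:
        return "common"
    if len(passphrase) < 12:
        return "weak"
    return "strong"


if __name__ == "__main__":
    rate = measure_rate()
    print("%.0f derivations/s on this PC" % rate)
    for size in (10**6, 10**9):
        print("dictionary of %d entries: %.1f days" %
              (size, seconds_to_exhaust(size, rate) / 86400))
```

At the few thousand derivations per second a typical CPU core manages, a million-entry dictionary finishes in minutes but a billion entries takes days, which is why a passphrase that is long and absent from any wordlist is the practical defence; the 4096 PBKDF2 iterations slow every guess equally, whether it is made by a white hat or not.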

2009-12-23

Imperva Channel Partners Breakfast!

Our channel partners were treated to a sumptuous breakfast downtown, in the heart of the business district.

This was our first channel partner gathering with Imperva, and the intimate event was a success: partners were introduced to Imperva, the data security leader, and to the market potential in database security and web application security.


Thanks to all the partners who have attended this event!

Look out for more interesting events in the coming year 2010!

2009-12-21

Have a leak? Chances are, you are not alone.

KPMG has released its Data Loss Barometer report.

Some of the findings concluded that:

"More and more people are being tempted to steal vital data from their employer – data that could be used in a crime or passed to competitors"

"...almost 2,300 data loss incidents, that have affected more than 700 million people. But, since the majority of breaches go unreported, this is likely to be just the tip of the iceberg."

According to Edge Zarrella, Global Head of IT Advisory for KPMG:

“Financial information and intellectual property is highly valued by an identity fraudster or criminal, so it is encouraging to see banks and other institutions placing greater focus on protecting this data.”

But he warns against complacency and advises these institutions to take a proactive approach to security.

Another point highlighted was endpoint security. The report suggested that encryption of portable devices and laptops should be a default and basic requirement. Yet according to the research, in 2009 no protection measures were applied to at least 24% of lost or stolen portable devices.

To find out how you can protect your database and secure your endpoint devices through encryption, contact a security expert from ACW Distribution today: enquiry@acw-group.com.sg or call +65 6325 1390.

2009-12-17

Database Hacking: Client Side Database Protocol Attack

This is an example of a database protocol attack on the client side for Oracle 10i. Using a hex or text editor, it is possible to modify the SQL login stream on the client side in a way that takes advantage of the Oracle database user running as DBA. Compromising that process (for example through a buffer overflow) allows code to be injected, causing anything from a denial-of-service attack to data modification in the server-side Oracle database.

In this case a new user with DBA privileges is created, using a method that doesn't even require the initial login to be successful.

Source: ImpervaChannel

TalariaX and ACW Distribution @ ICT Expo 2009, Indonesia

TalariaX and ACW Distribution, together with their local channel partners, participated in ICT EXPO 2009 in Jakarta, Indonesia. Held at the Jakarta Convention Centre, the event gave us the chance to meet the locals and demonstrate the SMS communication capabilities of the sendQuick line of products.

Want to view more pics? View our facebook album or become a fan today!

2009-12-10

Map Out Your 2010 Strategic Plans

Dear Mindjet MindManager users,

Here are five strategic planning templates to get you looking at the big picture and uncovering opportunities in the year ahead!




Strategic Planning Templates…
1) Jumpstart Your Strategic Planning Process
2) Setting ‘SMARTER’ Objectives in 2010
3) Use SWOT Strategy Maps to Build Your Strategy
4) Use this PEST to Perfect Your Planning
5) Understand Change and Uncover Hidden Opportunities

Download all 5 maps (.ZIP) : MindManager Strategy Templates

Need help organizing your data and managing your tasks, but don't have MindManager yet? Download a free trial here.

2009-12-09

5 key security trends for 2010

Imperva predicts five key security trends for 2010:

  1. The industrialisation of hacking with clear definition of roles developing within the hacking community forming a supply chain that starkly resembles that of drug cartels. The weapons of choice will be automated tools such as malware distributed via botnets.
  2. A move from application to data security as cyber-criminals look for new ways to bypass existing security measures and focus on obtaining information.
  3. Increasing attacks on social network sites where vulnerable and less technically savvy groups are susceptible to phishing attacks and malware.
  4. An increase in password theft/grabbing attacks, as it is perceived that credentials obtained for one application - like an email account - will also apply to other applications such as online banking and PayPal accounts.
  5. A move from reactive to pro-active security as organisations move from sitting back and waiting to be breached, to actively seeking holes and plugging them.

Imperva will be hosting a webinar on these trends. To register, click here:
https://imperva.webex.com/imperva/onstage/g.php?d=794909784&t=a&SourceID=009

To keep yourself updated with the trends in database and web application security, subscribe to this blog or become a fan of ACW on Facebook @ http://www.facebook.com/pages/ACW-Distribution/106366655281

You may download a free white paper here on:

1. Top 10 Database Hacks and How to Stop Them
2. The Business Case for Database Security
3. Understanding Web 2.0

2009-12-07

How to Shop Safely Online this Festive Season!

It’s that time of year again. Christmas is just around the corner, the holidays are coming up, and it’s time to shop!

BitDefender, the award-winning provider of innovative anti-malware security solutions, offers up some simple tips to help consumers protect themselves from online scammers this holiday season.

“The holiday season means taking advantage of the many benefits of online shopping like competitive pricing and freebies like zero shipping fees and free gift wrapping,” said Catalin Cosoi, BitDefender’s senior anti-spam researcher. “However, consumers should be extra vigilant in protecting their personal information and their PC in the lead up to Christmas and the New Year.”

Know where you’re shopping and read the fine print. Not every website and online shop is a safe and reputable merchant. The truth is that many online criminals are skilled at crafting very convincing, legitimate-looking online shopping sites. Be very careful who you purchase from.

If the merchant wants more than your name and email address in order to cash in that coupon, beware. A common phishing tactic targeting online shoppers utilises online promotions and sales to entice a consumer to enter personal information in order to receive coupons or other merchandise. While many reputable sites offer coupons or samples, they will never ask for excessive amounts of personal information to redeem them. Most only require a name and email address.

Additionally:

  • Always shop from a secure PC with a trusted security suite installed. Most security suites now have anti-spam and anti-phishing features to guard against unwanted threats.
  • Try to shop from well-known and trusted sites.
  • To avoid hackers who use “typo-squatted” domains to lure unsuspecting consumers into entering their personal information, check that the web address you have entered or landed on has correct spelling.
  • Be wary of “great gift” or “special offer” emails and newsletters from websites that you do not subscribe to. They are likely to be fake and should be avoided.
  • Check for the presence of security seals on the shopping sites you frequent, in order to help determine their authenticity.
  • Make sure that the connection to the website begins with an http:// or https:// header.
  • Consider alternative forms of payment, such as PayPal, or add purchase insurance from a reputable third party to your order.
A security message brought to you by BitDefender.
Choose BitDefender for your security needs today.
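The "check the spelling of the web address" tip is something software can help with. The added example below (not code from BitDefender or the original post) extracts the registrable host from a URL, compares it against a small trusted-site list and flags hosts within a couple of edits of a trusted one as lookalikes; the trusted list, the sample URLs and the two-edit threshold are constructed assumptions for illustration.

```python
"""Added example: a lookalike-domain check for the "correct spelling" tip."""
from urllib.parse import urlparse

# Constructed list of shops the user actually trusts.
TRUSTED_HOSTS = {"paypal.com", "amazon.com", "ebay.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_host(url: str) -> str:
    """Last two labels of the hostname, so 'paypal.com.evil.net' is judged
    by 'evil.net', not by the familiar prefix the attacker put in front."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(url: str) -> str:
    """'trusted', 'lookalike of <host>', or 'unknown' (assumed threshold: 2 edits)."""
    host = registrable_host(url)
    if host in TRUSTED_HOSTS:
        return "trusted"
    for trusted in sorted(TRUSTED_HOSTS):
        if edit_distance(host, trusted) <= 2:
            return "lookalike of " + trusted
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "http://www.paypa1.com/login",
                   "http://paypal.com.secure-login.net/",
                   "https://example.org/"):
        print(sample, "->", classify(sample))
```

A short edit distance is only one signal: a host built from a trusted brand plus extra words, or a trusted name placed in a subdomain, is caught here only by the registrable-host step, and unrelated but malicious shops come back as "unknown", which still means "look closer" rather than "safe".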

To find out how to secure your digital assets, ask ACW @ enquiry@acw-group.com.sg or call +65 6325 1390 today!

2009-12-04

Do you lock your car but leave the windows rolled down?

We like this from Imperva's Blog:

"...database protection without considering Web applications and other data security variables is like locking your car but leaving the windows rolled down."


Many of us have the perception that security can be viewed in silos; not in this case.

Segregating data security into databases, web applications and so on is simply tunnel vision.

According to Imperva, data security must be viewed holistically to be effective from an incident prevention, detection, response, and auditing perspective. Effective data security requires integration across the data stack, not just the database.

Source: http://blog.imperva.com/

2009-12-02

The Rise Of Application Delivery Solutions


(Excerpt from The Forrester Wave™: WAN Optimization, Q4 2009)

WAN optimization appliances play a critical role in the ecosystem of application delivery technologies. Application delivery is the emerging category of devices that not only seek to take data off the wire through compression and de-duplication but also use deep packet inspection to employ traffic intelligence at the application layer — commonly referred to as Layer 7 visibility — to more efficiently deliver data.

This suite of technologies uses a series of techniques such as caching, protocol optimization, compression, traffic management/quality of service (QoS), and error correction in the optimization of WAN performance. None of these techniques alone can solve your WAN headache, but combining all five simultaneously means that you can apply the right optimization to the right application.