
Port80 Donating $50,000 in Web Security Software to Secure Schools

Posted: April 9th, 2014 | Filed under: IIS & HTTP

Big data breaches have been in the spotlight recently. You’ve likely heard of the ones happening at big corporations, but what about those happening at schools?

Educational institutions are at risk, and many don’t have the budget to implement proper security. At Port80, we’d like to do our part to help make education more secure. We will be awarding $50,000 worth of web security software to 25-50 educational organizations by September 15.

Does putting a piece of software in place make you automatically secure? Of course not, but for those who have vulnerable systems that cannot be quickly or easily fixed, we’d like to help.


Please pass this message along to anyone you think may qualify. We hope that together we can make education a more secure place.

The Port80 Software Team


Breach Brief: Spec’s Wine, Spirits, & Finer Foods

Posted: April 7th, 2014 | Filed under: IIS & HTTP

Data breaches. They don’t just happen to the retail big boys like Target and Neiman Marcus. They happen to big and small organizations, and every size in between. It was recently revealed that Texas liquor chain Spec’s Wine, Spirits, and Finer Foods fell victim to a serious data breach. Spec’s has 155 locations around Texas, ‘where everything is bigger’… Including the breaches!

Half a Million Victims

According to Spec’s statements, the breach affected fewer than 5% of their total transactions, or fewer than 550,000 customers. While half a million customers is a sizable number of victims, Spec’s may be counting themselves lucky, as the breach only affected 34 smaller neighborhood stores rather than all of their locations. Information exposed during the breach may include bank routing numbers as well as payment card or check information.

What Happened

Spec’s problems began on October 31, 2012, when one of their computer systems was compromised. When did the compromise end, you ask? The breach continued until as late as March 20, 2014. For those counting, that’s nearly 17 months of uninterrupted access to data.

Spec’s spokeswoman Jenifer Sarver told the Houston Chronicle that the breach was, “a very sophisticated attack by a hacker … who went to great lengths to cover their tracks.” Sarver also went on to reveal that, “It took professional forensics investigators considerable time to find and understand the problem then make recommendations for Spec’s to fully address and fix them.”

What makes this breach newsworthy?

Every breach story is bad in some regard:

  • There are victims whose information is no longer private
  • There are mistakes made by staff
  • There are property/money losses

Some concerning points about this breach and why we think it’s relevant:

  • The breach went on for 17 months
  • The breach was first noticed by banking institutions when suspicious transactions began, not by Spec’s IT team
  • Evidence of the breach may have surfaced over a year ago, but no action was taken
  • Resolving this problem after discovery has taken considerable time

What we can learn from this breach

The Spec’s Wine, Spirits, and Finer Foods breach illustrates the need for a strong security posture, no matter the size of an organization.

One security tool that makes monitoring, identifying, and responding to attacks much simpler for small and medium sized organizations is ServerDefender VP. This powerful tool is easy to use and helps protect against more than just a list of known attack signatures.


The Most Comprehensive Web Application Vulnerability Scanner Benchmark Out There

Posted: March 6th, 2014 | Filed under: Web and Application Security

Many of our customers come to us asking how they can test their web applications for vulnerabilities. For an automated approach, there are numerous web application vulnerability scanners out there that can help detect vulnerabilities. With so many options, picking the appropriate scanner can be a little tricky. Which is most accurate? Which is the most thorough? The answer is rarely clear.

Lucky for us, the folks over at Security Tools Benchmarking recently assembled their yearly list of web scanners, aptly named “The Web Application Vulnerability Scanners Benchmark”. The list is very comprehensive and puts both open source and commercial scanners through a gamut of tests. The assessment looks at twelve different aspects of each tool to assist individuals and organizations in their evaluation of vulnerability scanners.

In total, 63 different web application vulnerability scanners were tested (we’d say that’s pretty thorough), with 49 of those being free or open-source projects and 14 of them being commercial.

The following features were assessed during the evaluation:

  • The ability to detect Reflected XSS and/or SQL Injection and/or Path Traversal/Local File Inclusion/Remote File Inclusion vulnerabilities.
  • The ability to scan multiple URLs at once (using either a crawler/spider feature, URL/Log file parsing feature or a built-in proxy).
  • The ability to control and limit the scan to internal or external host (domain/IP).
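To make the first and third criteria concrete, here is a small reflected-XSS probe that also enforces a host scope. This is an added example, not code from the benchmark or from Port80; the in-process "site" (`FAKE_SITE`, `target.example`) is a constructed stand-in so the script runs offline, and a real scanner would replace `fetch` with an HTTP client and a crawler to discover the URLs and parameters.

```python
"""Minimal reflected-XSS probe with host scoping (added example, not the page's code).

Technique: inject a unique, markup-wrapped canary into one parameter and check whether
the response contains it *unescaped*. An escaped echo ("&lt;x...&gt;") is not a finding.
Everything under FAKE_SITE is a constructed stand-in for a real web application.
"""
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# --- Constructed stand-in for a target web application ------------------------------
def vulnerable_search(params):
    q = params.get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"  # reflects user input without encoding


def safe_search(params):
    q = params.get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"  # HTML-encoded


FAKE_SITE = {
    "http://target.example/search": vulnerable_search,
    "http://target.example/safe": safe_search,
}


def fetch(url):
    """Stand-in for an HTTP GET: dispatches to FAKE_SITE instead of the network."""
    parts = urlsplit(url)
    handler = FAKE_SITE.get(f"{parts.scheme}://{parts.netloc}{parts.path}")
    if handler is None:
        raise LookupError(f"no such page: {url}")
    return handler(parse_qs(parts.query))


# --- Scanner logic -------------------------------------------------------------------
def in_scope(url, allowed_hosts):
    """Scope control: never send payloads to a host the operator did not authorise."""
    return urlsplit(url).hostname in allowed_hosts


def probe_reflected_xss(url, param, allowed_hosts, fetch=fetch):
    """Probe one parameter of one URL. Returns a dict describing the verdict."""
    if not in_scope(url, allowed_hosts):
        return {"url": url, "scanned": False, "reason": "out of scope"}

    canary = secrets.token_hex(4)       # unique per probe so reflections are attributable
    payload = f"<x{canary}>"            # inert tag: proves markup survives, runs nothing
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[param] = [payload]
    probe_url = f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(query, doseq=True)}"

    body = fetch(probe_url)
    if payload in body:                 # raw markup came back: unescaped reflection
        return {"url": url, "scanned": True, "vulnerable": True, "evidence": payload}
    return {
        "url": url,
        "scanned": True,
        "vulnerable": False,
        "echoed_escaped": html.escape(payload) in body,  # encoded echo is the safe case
    }


if __name__ == "__main__":
    scope = {"target.example"}
    for target in ("http://target.example/search?q=wine",
                   "http://target.example/safe?q=wine",
                   "http://other.example/search?q=wine"):
        print(probe_reflected_xss(target, "q", scope))
```

The canary is an inert tag rather than a `<script>` payload: the question a scanner has to answer at this stage is only whether markup survives the round trip, and a random suffix keeps a cached or unrelated reflection from being mistaken for this request's. Scope enforcement sits in front of every request on purpose, since a crawler that follows an off-site link would otherwise fire payloads at a host you have no authorisation to test.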

You can organize the scanners by commercial or open source and see a quick comparison of each scanner’s features. From there you can dive into a detailed report for individual scanners.

View the full commercial comparison.

View the full open source comparison.

If you’re looking for a scanner, we encourage you to take a look at the complete report and evaluation criteria over at the Security Tool Addict blog. If you have questions about remediating or securing vulnerabilities after your scan, you can always contact Port80 Software for advice.


Sochi: A Five-Ring Circus of Web Security Nightmares, or Just Another Day on the Wi-Fi

Posted: February 12th, 2014 | Filed under: IIS & HTTP

A lot of people are talking about the web security concerns in Sochi. Have you heard the story about that guy immediately being hacked when booting up a laptop, or how everyone at Sochi will definitely be hacked because of the unsafe Wi-Fi networks there?

These incidents are not exclusive to Sochi: they are concerns for all open Wi-Fi networks. In fact, you may not be much safer on your local cafe’s public Wi-Fi. That guy sitting in the back corner sipping his latte isn’t working; he’s running Wireshark (or another sniffer tool) to capture information about your online banking session. You don’t even need much technical capability to do what he’s doing, just the willingness to perform an illegal activity.

Read the rest of this entry »


Preventing Cross Site Request Forgery Attacks

Posted: February 4th, 2014 | Filed under: IIS & HTTP

What is a Cross Site Request Forgery Attack?

Cross-site request forgery (CSRF or XSRF) is an attack that has been on the OWASP Top 10 since the 2007 edition, but it is not nearly as talked about as other OWASP lifers like XSS or SQL injection. We’ve decided to give CSRF some needed attention and discuss some ways to mitigate it.

Also known as a “one click attack” or “session riding,” CSRF is an exploit that is often confused with XSS but works the other way round. Rather than an attacker injecting unauthorized code into a website, a cross-site request forgery attack transmits unauthorized commands to the website from a user that the website or application considers to be authenticated.

Websites and applications at risk are those that perform actions based on requests from trusted, authenticated users without requiring the user to authorize the specific action. The attack is not tied to any one client technology: any state-changing endpoint that relies solely on a session cookie is exposed, whether it is reached by a plain HTML form, an image or link request, or an XMLHttpRequest (XHR) from an Ajax-based application. A user that is authenticated by a cookie saved in his Web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action (for instance, withdrawing funds from a bank account), because the browser attaches the cookie to that request whether or not the user intended to make it.
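The server-side checks that close this hole, shown as an added example rather than code from the original post: a synchronizer token issued per session and compared in constant time, plus an Origin/Referer check. The `request` and `session` dicts, the `bank.example` origin and the `transfer_funds` handler are stand-ins for whatever your framework provides, and are assumptions of this example only.

```python
"""CSRF mitigation for a state-changing POST (added example, not the page's code).

Two independent checks, both server-side:
  1. synchronizer token: an unguessable per-session value the legitimate page embeds in
     its form or XHR, which an attacker's page cannot read and therefore cannot supply;
  2. Origin/Referer must match the site's own origin.
The request/session dicts and the bank.example origin are constructed stand-ins.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Create one token per session (stored server-side) and return it for embedding."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(header_value):
    """True only for an exact scheme+host[:port] match. 'null' and absent both fail."""
    if not header_value:
        return False
    p = urlsplit(header_value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def verify_csrf(request, session):
    """Return None if the request may proceed, otherwise a short rejection reason.

    The session cookie by itself proves nothing here: the browser attaches it to a
    request triggered by an attacker's page just as readily as to one the user meant.
    """
    if request["method"] not in UNSAFE_METHODS:
        return None  # safe methods must not change state in the first place
    headers = request["headers"]
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return "cross-site or missing Origin"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return "missing or invalid CSRF token"
    return None


def transfer_funds(request, session, accounts):
    """Hypothetical handler: moves money out of the logged-in user's account."""
    reason = verify_csrf(request, session)
    if reason is not None:
        return 403, reason
    src, dst = session["user"], request["form"].get("to")
    amount = int(request["form"].get("amount", "0"))
    if amount <= 0 or dst not in accounts or accounts.get(src, 0) < amount:
        return 400, "bad transfer"
    accounts[src] -= amount
    accounts[dst] += amount
    return 200, "ok"


if __name__ == "__main__":
    # The same session object is used for both requests: that is the cookie the
    # browser sends automatically, which is exactly what the attacker relies on.
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    accounts = {"alice": 100, "mallory": 0}

    legit = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": token, "to": "mallory", "amount": "40"}}
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "form": {"to": "mallory", "amount": "40"}}  # attacker cannot know the token

    print(transfer_funds(legit, session, accounts), accounts)   # (200, 'ok')
    print(transfer_funds(forged, session, accounts), accounts)  # (403, ...), unchanged
```

The Origin check is the cheap first line: an auto-submitted form on an attacker's page arrives with that page's origin, and modern browsers send `Origin` on cross-site POSTs. The token check is the one that holds even when the header is missing or stripped, which is why a real deployment keeps both rather than relying on the header alone.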

Read the rest of this entry »
