
Port80 Donating $50,000 in Web Security Software to Secure Schools

Posted: April 9th, 2014 | Filed under: IIS & HTTP

Big data breaches have been in the spotlight recently. You’ve likely heard of the ones happening at big corporations, but what about those happening at schools?

Educational institutions are at risk, and many don’t have the budget to implement proper security. At Port80, we’d like to do our part to help make education more secure. We will be awarding $50,000 worth of web security software to 25-50 educational organizations by September 15.

Does putting a piece of software in place make you automatically secure? Of course not, but for those who have vulnerable systems that cannot be quickly or easily fixed, we’d like to help.


Please pass this message along to anyone you think may qualify. We hope that together we can make education a more secure place.

The Port80 Software Team


Breach Brief: Spec’s Wine, Spirits, & Finer Foods

Posted: April 7th, 2014 | Filed under: IIS & HTTP

Data breaches. They don’t just happen to the retail big boys like Target and Neiman Marcus. They happen to big and small organizations, and every size in between. It was recently revealed that Texas liquor chain Spec’s Wine, Spirits, and Finer Foods fell victim to a serious data breach. Spec’s has 155 locations around Texas, ‘where everything is bigger’… Including the breaches!

Half a Million Victims

According to Spec’s statements, the breach affected fewer than 5% of their total transactions, or fewer than 550,000 customers. While half a million customers is a sizable number of victims, Spec’s may be counting themselves lucky, as the breach only affected 34 smaller neighborhood stores rather than all of their locations. Information exposed during the breach may include bank routing numbers, as well as payment card or check information.

What Happened

Spec’s problems began on October 31, 2012, when one of their computer systems was compromised. When did the compromise end, you ask? The breach ended as late as March 20. For those counting, that’s nearly 17 months of uninterrupted access to data.

Spec’s spokeswoman Jenifer Sarver told the Houston Chronicle that the breach was, “a very sophisticated attack by a hacker … who went to great lengths to cover their tracks.” Sarver also went on to reveal that, “It took professional forensics investigators considerable time to find and understand the problem then make recommendations for Spec’s to fully address and fix them.”

What makes this breach newsworthy?

Every breach story is bad in some regard:

  • There are victims whose information is no longer private
  • There are mistakes made by staff
  • There are property/money losses

Some concerning points about this breach and why we think it’s relevant:

  • The breach went on for 17 months
  • The breach was first noticed by banking institutions when suspicious transactions began, not by Spec’s IT team
  • Evidence of breach may have surfaced over a year ago, but no action was taken
  • Resolving this problem after discovery has taken considerable time

What we can learn from this breach

The Spec’s Wine, Spirits, and Finer Foods breach illustrates the need for a strong security posture, no matter the size of an organization.

One security tool that makes monitoring, identifying, and responding to attacks much simpler for small and medium sized organizations is ServerDefender VP. This powerful tool is easy to use and helps protect against more than just a list of known attack signatures.


Sochi: A Five-Ring Circus of Web Security Nightmares, or Just Another Day on the Wi-Fi

Posted: February 12th, 2014 | Filed under: IIS & HTTP


A lot of people are talking about the web security concerns in Sochi. Have you heard the story about that guy immediately being hacked when booting up a laptop, or how everyone at Sochi will definitely be hacked because of the unsafe Wi-Fi networks there?

These incidents are not exclusive to Sochi: they are concerns for all open Wi-Fi networks. In fact, you may not be much safer on your local cafe’s public Wi-Fi. That guy sitting in the back corner sipping his latte isn’t working, he’s running Wireshark (or another sniffer tool) to steal information about your online banking session. You don’t even need much technical capability to do what he’s doing, just the willingness to perform an illegal activity.



Preventing Cross Site Request Forgery Attacks

Posted: February 4th, 2014 | Filed under: IIS & HTTP

What is a Cross Site Request Forgery Attack?

Cross-site request forgery (CSRF or XSRF) is an attack that has been in the OWASP Top 10 since its inception, but is not nearly as talked about as other OWASP lifers like XSS or SQL injection. We’ve decided to give CSRF some needed attention and discuss some ways to mitigate it.

Also known as a “one click attack” or “session riding,” CSRF is an exploit very similar to an XSS attack. Rather than an attacker injecting unauthorized code into a website, a cross-site request forgery attack only transmits unauthorized commands from a user that the website or application considers to be authenticated.

Certain websites and applications are at risk: those that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. These attacks are characteristic vulnerabilities of Ajax-based applications that make use of the XMLHttpRequest (XHR) API. A user that is authenticated by a cookie saved in his Web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action (for instance, withdrawing funds from a bank account).



PCI DSS Version 3.0: New and Important Requirements

Posted: November 27th, 2013 | Filed under: IIS & HTTP

PCI DSS is a set of standards developed by major credit card companies to keep credit card information secure and reduce fraud. The standards apply to any organization that processes, stores, or transmits credit card data. Occasionally, the PCI Security Standards Council will announce updates to the standards, which may require approved companies to make changes to their security hardware, software, and practices. The latest updates (PCI DSS Standards 3.0) were introduced a few months back, but recent documentation has shed a bit more light on what you need to do to start preparing for compliance once the new rules come into effect on January 1, 2014.

