Site Crash Could Cost You $10,000+

DDoS attacks will cost you businessIt’s Memorial Day – that means it’s time for sales, travel and activities. It’s also one of the worst possible times for your site to go down – something that is the express goal of a DDoS attack.

Unfortunately, the number of businesses being targeted for cyber attacks is growing, according to a recent survey by Internet-analytics company Neustar. According to the study, more than 300 businesses (across industries such as travel, finance and retail) have experienced an cyberattack. From Mashable:

Ted Swearingen, director of information security operations at Neustar, says the number of cyberattacks and the variety of industries affected have increased dramatically.

“We’ve seen a game change in last two years,” Swearingen told Mashable. “It’s significant. The damage that comes with one of these attacks — the thought of being down for a day, not being able to sell goods or services online is just amazing in terms of monetary cost.”

The costs can indeed be high. 65% of businesses said a site outage would cost them up to $10,000 an hour, 21% said it would run them $50,000 an hour, and 13% of businesses would lose $100,000 every hour if their site went down. …

35% of Neustar’s respondants said they’ve experienced an attack which lasted longer than a day, while 11% said they’ve seen an attack continue for more than a week.

Read the full Mashable article >>>

If your business relies on customers’ expectation of security (such as e-tail or financial sites) or if you face a lot of competition (like in the e-tail and travel industries) you can’t afford to have your site taken down from a monetary or a customer experience/loyalty standpoint.

It’s becoming more and more apparent that any business – no matter how big or small – is a potential target for hackers. Be proactive. Security test your website and apps and be sure you have backup server plans in place so you’re not stuck if your business is targeted. When you’re in the middle of an attack is not the time to start thinking about security.

Essential Guide to Mobile App Testing

Kickstarter and the Importance of Regression Testing

KickstarterKickstarter recently experienced a security bug that made information from 70,00 unpublished projects accessible through the API connected to their homepage. The problem? Kickstarter’s new homepage didn’t play nice with the API. From Kickstarter’s blog:

The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm. The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects. No account or financial data was made accessible.

Luckily, the majority of the breached information was accessed by a Wall Street Journal reporter who notified Kickstarter about the issue. While information from 70,000 projects was accessible, only 48 projects were accessed by people other than the reporter.

Now I don’t know Kickstarter’s testing practices, and maybe this was just one of those things that unfortunately slipped through the cracks, but it seems like a prime example of the need for regression testing. When you’re introducing a new element to your site, or software or app it’s extremely important to make sure it doesn’t break any existing components – especially security related aspects. Kickstarter’s lucky personal or financial data wasn’t leaked, but that may not be the case next time. So let this be a lesson on why regression testing is so important!

Essential Guide to Mobile App Testing

How Quickly Should Security Patches Be Released?

Apple PatchThere has been plenty of talk these days about security. The increased use of computers and mobile devices to bank, shop and communicate with friends and family has also increased a user’s vulnerability to cybercriminals. Software updates and patches are critical to keep computers secure, but some companies are having trouble getting those patches released quickly.

Like many others, Apple recently had trouble with an exploited vulnerability, when cybercriminals were exploiting a flaw in Oracle’s java application environment. While Oracle was able to release an update for Window’s and Linux rather quickly, Apple (who handles their own Java updates) took months. There was much disappointment about the delayed response from Apple, and while many chalk this up to the fact that Apple was unprepared, as Mac’s had been virtually impenetrable for years, several others also cite regression testing as a major delay in releasing critical updates and patches. According to Sue Marquette Poremba of Security News Daily:

A quick fix isn’t always a good fix.

 ”Updating software reliably does not only mean fixing the problem,” (Wolfgang Kandek, chief technology officer at Redwood Shores) said, “but also testing whether the fix plays well with other modifications included in the code, plus making sure that it does not break any functions of the software.

Having a fix that works is important, but having the vulnerability on your computer affects how your system runs and who can control it. More often than not, the average computer user has no idea that a risk is there.

Read the full article at >>>

Ask any of the 55,000+ testers at uTest and they can certainly tell you that bug fixes take time. To triage, locate and correct a bug is not an easy process by any means. And more importantly testing to make sure the fix is not going to break other existing features or open the application to additional vulnerabilities is critical.

We’d like to know how you feel about security updates. How long do you think security patches and updates should take?

Essential Guide to Mobile App Testing

Malware Catches Up with Macs

Malware effecting Apple computersFull Disclosure: I used to be one of those Mac users who wasn’t too concerned with malicious links and suspicious emails because, hey, I use a Mac and Macs aren’t that susceptible to malware. … Oh how I miss those days.

Mac malware is on the rise, with an estimated 600,000 computers affected but the Flashback Trojan at the moment and another exploit taking advantage of a security flaw in outdated Microsoft Office for Mac files. Here’s some information on the Flashback Trojan’s effects, from PCMag:

The Java flaw exploited by the so-called Flashback Trojan dates back to February, but Apple did not release a patch until April 3. As a result, approximately 550,000 Macs were infected, according to data released this week from anti-virus vendor Doctor Web.

Doctor Web today provided a few more details about the proliferation of the Flashback Trojan. Almost 350,000 of the affected devices were in the U.S., with about 125,000 in Canada, and 75,000 in Great Britain.

In the U.S., Manhattan-based Macs saw the largest number of traceable infections at about 5,000, followed by Brooklyn, Los Angeles, and Chicago. But the whereabouts of almost 18,000 affected Macs was unknown, Doctor Web said.

In Canada, Toronto was hardest hit (14,000), while Londoners were most-impacted in the U.K. (almost 20,000). For more details, see the map below.

As PCMag’s Security Watch noted yesterday, Mac users did not have to download or even interact with the malware to become infected. Websites exploited a Java flaw that let Flashback.K download itself onto Macs without warning. It then asked users to supply an administrative password, but even without that password, the malware was already installed.

And this is how the Microsoft Office exploit works (from PCWorld):

Continue Reading

Essential Guide to Mobile App Testing

Lessons From the TweetDeck Security-Induced Outage

TweetDeck Taken Offline Because of Security BreachThe recent Tweekdeck issue can teach us two very important lessons: 1. You can’t find all the bugs in-the-lab because there are some issue that will only effect a small, small portion of your user base and those bugs will more often than not only be found in the hands of users, in-the-wild. 2. Security Testing doesn’t just including making sure hackers can’t get into your app. It should also test your app for proper handling of confidentiality, integrity, availability, non-repudiation, authorization and authentication. It’s this last one in particular that caught Tweetdeck off guard. In case you missed the story, here’s a recap from TechCrunch:

Twitter has taken its Tweetdeck app offline after an apparent bug has possibly given some Tweetdeck users access to others’ accounts.

A Sydney, Australia-based Tweetdeck user named Geoff Evason says he discovered today he was somehow able to access hundreds of Twitter and Facebook accounts through Tweetdeck. In an email to TechCrunch, he explained the situation like this:

“I’m a tweetdeck user. A bug has given me access to hundreds of twitter and facebooks account through tweetdeck. I didn’t do anything special to make this happen. I just logged in one day, the account was was slower than normal, and I could post from many more accounts.”

Get more details at TechCrunch >>>

Luckily the person who found this bug, Geoff Evason, wasn’t malicious or a hacker. He could have done cruel things with these twitter accounts and potentially caused even more damage with access to the private information people tend to share on Facebook. Instead, he did a little poking around to prove the bug was valid (like any good tester does) and went about getting the issue addressed and corrected.

The incident was so severe that Twitter (who owns Tweetdeck) took the entire application offline until the issue could be pin pointed and resolved. Kudos to Twitter for treating this as seriously as it did, but the question is, now what? What caused this bug? Was there an update that effected the app? Will Twitter do some comprehensive regression testing to make sure there are no other unnoticed issues? It should probably do some digging to make sure those other facets of security are up to par.

Continue Reading

Essential Guide to Mobile App Testing