“We’re not winning. … I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”

That’s a quote from Shawn Henry, the FBI’s top cyber cop who has spent two decades with the bureau, from a recent interview with the Wall Street Journal. And he’s not alone in thinking that there needs to be fairly substantial changes to software and network security.

James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said that as gloomy as Mr. Henry’s assessment may sound, “I am actually a little bit gloomier. I think we’ve lost the opening battle [with hackers].” Mr. Lewis said he didn’t believe there was a single secure, unclassified computer network in the U.S.

“There’s a kind of willful desire not to admit how bad things are, both in government and certainly in the private sector, so I could see how [Mr. Henry] would be frustrated,” he added.

Big companies, small start-ups, utility providers, government agencies, no one is safe from hackers and many networks are less secure than organizations think.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said. …

Mr. Henry said FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.

“We have found their data in the middle of other investigations,” he said. “They are shocked and, in many cases, they’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.”

Mr. Henry said that while many company executives recognize the severity of the problem, many others do not, and that has frustrated him. But even when companies build up their defenses, their systems are still penetrated, he said. “We’ve been playing defense for a long time. …You can only build a fence so high, and what we’ve found is that the offense outpaces the defense, and the offense is better than the defense,” he said.

Read more…

It’s been almost 16 years since Aleph One published his classic article titled Smashing The Stack For Fun And Profit. In it, Aleph One (whose real name is Elias Levy) laid out a template for executing buffer overflow attacks that any computer-savvy hacker could follow. Back then, developers were more naive about writing code with rigorous boundary checking, and most applications written in C and C++ had exploitable buffer overflow vulnerabilities. With the growth of connected applications over the Internet (written in C and C++, of course), hackers and worm writers remotely felled software from giants like Microsoft, Oracle, Sun Microsystems, and others. Buffer overflows became the scary monster security vulnerability of the late 90s and early 2000s, and even today discovering a buffer overflow is the grand discovery of all security exploits – conferring black-belt status on whoever finds one.

Since then, a lot has changed. Both Intel and AMD have made a number of improvements to x86, and modern computer architectures have made it much harder to exploit buffer overflows. In addition, newer compilers and operating systems have added a number of tricks that make exploiting compiled applications more difficult.

One of those techniques is Address Space Layout Randomization, or ASLR. Exploiting a buffer overflow requires knowing the location of certain memory addresses. It used to be that those addresses were predictable for a given application, but newer operating systems can shake them up each time the app loads. It’s like shuffling a deck of cards and then expecting you to figure out which card is the queen of spades on the first try. If you shuffle it the same way every time, I’ll figure it out pretty quick. But if you make your shuffle truly random, then I’m out of luck.

Microsoft will be improving their implementation of ASLR in Windows 8 to make it much harder to predict the location of addresses for an application as well as all the supporting libraries surrounding the application. That means it will be even harder for an attacker to predict addresses, which makes buffer overflows much harder.

Want to learn more? Ars Technica has a great post about how ASLR will be used to improve the security of IE10. Also, check out this article by Paul Makowski about all the things that have changed with computer security since 1996 that make buffer overflows so much harder to exploit.

You can do just about anything online these, so much so that it feels like an inconvenience if you can’t complete a task online. But some things are just best left the old fashioned way.

Take, for example, the act of voting. I’m not talking about voting for American Idol (which you actually can do online now), I’m talking about voting in a major, official election. While paper absentee ballots may seem outdated, voting has proved to fragile and tamper-tempting to be shifted online. We wouldn’t know that though without some good, solid security testing.

A few years ago an e-voting system was created for Washington, D.C. and in 2010 its developers reached out to security testing experts to put the system through its paces. It failed miserably. The story is surfacing again now because the processes and results of the testing were recently officially published. The testers didn’t find some exceptionally complicated flaw only detectable with a lot of out-of-the-box thinking, they were able to completely infiltrate and manipulate the program. There’s The H with some details:

“Within 48 hours of the system going live, we had gained near complete control of the election server”, the researchers wrote in a paper that has now been released. “We successfully changed every vote and revealed almost every secret ballot.” The hack was only discovered after about two business days – and most likely only because the intruders left a visible trail on purpose. …

The security experts investigated common vulnerable points such as login fields, the virtual ballots’ content and file names, and session cookies – and found several exploitable weaknesses. Even the Linux kernel used in the project proved to have a well known vulnerability. They were also able to use the PDFs generated by the system to trick the encryption mechanism, while unsecured surveillance cameras provided additional insights into the infrastructure. While the open source nature of the code made their work somewhat easier, they believe that attackers would have been able to make quick headway even if the system had been proprietary.

Read more…

Guess what? The No. 1 biggest security threat to your website is still SQL injections (not one of those hacker collectives that have been taking down websites left and right recently). SQL injections aren’t anything new – they’ve been on the Open Web Application Security Project‘s list of Top 10 threats since 2004 … when they started compiling the list.

Despite being on the security radar for literally years, injections still make up the vast majority of security issues today. From PCWorld (emphasis added):

SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard.

Speaking at the Infosecurity Europe Press Conference in London last week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. …

In October 2011, for example, attackers planted malicious JavaScript on Microsoft’s ASP.Net platform. This caused the visitor’s browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor’s PC via a number of browser drive-by exploits.

Read more…

Having just finished Steve Jobs biography, and being of the school of gated platforms – at least for my phone, where I don’t want to deal with bugs the way I might in my work laptop (sorry Matt B and the uTest IT team) – I found this concept very interesting.

According to the BI article, “Android Hackers Plan App Store of Banned Apps,” a group of Android Developers are looking to start their own app store for all the banned and rejected apps that didn’t make the cut.  The article includes a quote from the potential founder that, “apps removed from the Market include, one-click root apps, emulators, tether apps, Visual Voicemail apps, and more.”

It sounds great but we already know about the growing number of malware on phone operating systems, the Android especially.  The other alternative for apps is to create mobile-specific landing pages (i.e. HTML5 apps), like Grooveshark (music) and Untappd (beer reviews) have done, making the apps available via your mobile browser.  Since their launch, Untappd has launched a native app for iOS and Android but has not shared details on traffic comparisons.  [It won’t be applicable to most mobile users but we cover some security exploits and common attacks in our Security Testing whitepaper.]

Am I the only one uber-sensitive about the integrity of my phones OS and Apps?  Would you download an app that isn’t scrutinized for security?

You don’t have to be an expert in security testing to understand the importance of a strong password. With hacking incidents at an all-time high, you might assume that users everywhere have taken the appropriate steps to prevent thieves and miscreants from highjacking their accounts, stealing their information and pretty much ruining their lives.

Of course, you assumed wrongly. As Mashable recently pointed out, the most popular password is…wait for it…password! There are some other gems on their list of the 25 Worst Passwords of 2011, but here are the top finishers:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

So if you see a your own password on this list please stop what you’re doing and change it now, because there’s nothing funny about a stupid password….

Read more…

We recently wrote about the need for security testing on medical equipment, but it looks like an even larger virus threat has come to light – on U.S. Predator and Reaper drone weapons systems.

While an unofficial source said they suspect it’s benign, they also added, “But we just don’t know”.  The thought of an attack drone being hacked is a chilling to say the least.  Jalpnik has a nice write-up of some of their historic missions (and the virus) but this seems to reinforce the hypothesis that the United States is entering a “Code War”.

Here’s the crux:

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

For those interested, we have a new whitepaper on Software Security Testing.

Every few weeks, it seems like there’s another major security breach to the website, gaming system or native app of a big global brand.  And that doesn’t even include the hundreds (thousands?) of hacks into the properties of smaller enterprises, SMBs and startups that consumers may (or may not) hear about.

In fact, a few months ago we wrote about The Top Security Hacks of 2011, and referenced that the attacks on Playstation were estimated to have cost Sony $24 billion dollars– nearly 10x their revenue for the same period.

So here’s the point: Would you rather look back and say your company overshot and used too many systems for security testing?  Or get that nauseaus, sinking feeling in your gut when your CIO wakes you at 2:00am and says the company has spent too little?

That’s why– as the cornerstone of uTest’s showstopping announcement yesterday– we announced the launch of uTest Security Testing that leverages the talents of new and existing white hat security professionals within our crowdsourced community.  Since we now offer the first crowdsourced, real-world security testing in the world…there’s a new kid in town to join the collective effort to protect your company, and customers’, private data.

Moreover, we’ve joined forces with industry leader Veracode to provide seamless access to their complementary, cloud-based application security verification services.  Veracode has scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis.

As a result, companies will have access to a cost-effective, powerful combination of automated (Veracode) and real-world (uTest) testing that mitigates security risks across the entire software development lifecycle.

We’re thrilled, honored and excited to be partnering with Veracode.  And we’re certain that our joint offering– as a complement to organizations’ in-house security testing– will offer tech executives peace-of-mind at a price with infinitely fewer zeroes than $24,000,000,000.

For those who frequent the uTest website, blog or forums, you may notice a few changes around here. Yes, we had a little work done… nothing major, just going from focusing on one testing service (functional) to a providing whole range of testing services that span the dev lifecycle (functional, security, load, localization and usability testing).

For our customers, this means they can find the testing expertise they need, no matter where they are in their SDLC. And for testers, it means provide more earning opportunities for those individuals with expertise in areas like security testing, performance engineering, or localization validation. Like I said, nothing major. </sarcasm>

In all seriousness, these are exciting times around the halls of uTest. We’ve spent the past 12 months trialing new types of testing services with select beta customers. And now, we’re ready to offer them to any and all companies, on demand. A quick introduction to uTest’s new suite of testing services:

Functional testing services to help ensure your applications function as intended. Our services related to functional testing include exploratory testing, test case execution, test case creation and writing automated test scripts.

Security testing services to help you avoid launching products with common security- and privacy-related vulnerabilities. Our services include tools-based static and dynamic security testing, as well as manual penetration from trusted, white hat security testers.

Load testing services to make sure your app is ready for peak traffic, and that performance won’t degrade under heavy load. Our services include live load, simulated load and a hybrid load offering that combines cloud-based load testing with live testers.

Localization testing to validate that your app is saying what you think it’s saying. Services include translation validation from native speakers who live in-market, as well as full L10N testing that covers content translations, currency, taxes, shipping options and more.

Usability testing to help you launch products that are intuitive, clean and achieve high conversions. Services include surveys-based testing with targeted focus groups (by age, gender, education, hobbies, location, etc) or usability audits from one of our UX experts.

Special thanks to our friends at Stein + Partners for all their help with our rebranding, as well as an epic month of late nights from the amazing uTest crew. And finally, a word of thanks to our testers for their help in this launch, and the dozens of customers who helped us learn so much about each of these new types of testing. If you’d like more info about any of these new services, drop us a note.

We’ve got more on the way in the coming months. We’re not going to rest until we’ve completely reinvented the way testing services are provided in this ever-evolving apps universe.

Have a comment? Want to tell us you hate/love the new look? Drop us a comment and let us have it!

Update: Mike Butcher over at TechCrunch just took this news prime time. Seems we’re not the only ones who recognize the need for better app security testing.

Another month, another stellar guest for our Testing the Limits series. This time, we shoot some questions back-and-forth with testing expert Jim Sivak. Jim has been in the computer technology field for over 35 years, including a recent four-year stint as the Senior QA Manager at McAfee.  His career as a tester began with the Space Shuttle and over the years has encompassed warehouse systems, cyclotrons, radars, operating systems and now security software.  He is a Senior member of the ASQ and is certified as a Software Quality Engineer (CSQE).

In part one of our interview, we get his thoughts on the dangers of ignoring security testing; the false sense of security in mobile apps and devices; the evolution of malware; managing QA expectations; the meaning of SWAG and much more. Be sure to check back tomorrow for Part II.

**************

uTest: We noticed that you recently joined Unidesk after four years at McAfee. First off, what does Unidesk specialize in? And what are you looking forward to most in this new role?

JS: Unidesk is in the Virtual Desktop space. Our product allows companies to utilize virtual desktops that truly have the look, feel and capability of a hardware desktop. Due to our technology, desktop personalizations are easily managed. Virtual Desktops can become the IT department’s best friend in that changes and patches only have to be rolled out to one system, which then gets replicated automatically to every associated desktop.

Because Unidesk is a startup, I have the opportunity to really define the QA processes and goals, determining both the tactical and strategic visions. Being able to drive this work, using new techniques and past experience is really what brings me to my desk every day.

uTest: Your time at McAfee must have given you great insight into the web’s dark underbelly (i.e. security threats). Looking back over the last few years, what’s surprised you the most about the way businesses and consumers deal with security measures?

JS: Great question, Mike. The biggest surprise is the whole ostrich “head in the sand” attitude that exists. The tools and techniques are there, the information is readily available, but security still takes a lower priority until an incident happens.  Just look at the breaches that appear on an almost daily basis.  In the home, how many emails do people open and respond to that say ‘you have a credit card application ready for you”?

uTest: It seems safe to assume that users are more aware of threats on the web, as opposed to mobile? In your view, how does the explosion of mobile apps, social media and third-party integrations affect security?

JS: It is the sheer volume of opportunity for security lapses and breaches with these new avenues that is really frightening.  Just look at the incidents that have happened because someone sent a malicious link to their networked friends unbeknownst to them. Or applications that contain malware that just get downloaded and incorporated on these devices. People just assume that their phone is secure or that their tablet is unhackable. Again, software providers need to take security seriously and not wait until a major incident happens. It all comes down to the fact the users are human and we take a lot for granted.

uTest: Which evolves faster: security threats (viruses, malware, etc.) or the technology used to combat them? Why is this the case and what are the implications for end-users going forward?

JS: Unfortunately, I think that malware is winning.  Although there is research in trying to get ahead of the bad guys, most technology is reactive—the threat exists first and a solution/detection comes after.

uTest: This might seem like a job interview question, but what were some of the biggest testing challenges you faced at McAfee and how were you able to overcome them?

Read more…