Week 12 summaries and news article
Week 12 summaries
The next grand evolution in the internet is Web Services. While the physical infrastructure, connections, capacity planning has been rolled out, however with much of the data is now created for the web, calls from the websites to backend databases, web services are the new client and server application communication channel of the web. Web services provide a standard means of interoperate between software applications running on a variety of platforms and frameworks. Being that web services are unique in that it internet native, therefore they have great interoperability and extensibility. They are also machine-processable descriptions, thanks to the use of XML.
This evolution of web services paradigm brings new security challenges to organizations that use the Internet, namely how to secure their businesses while conduct everyday business transactions over the web. Moreover, unprotected web services are vulnerable to the following types of attacks, reconnaissance, denial of service, integrity attacks, bypassing of Firewalls, unintended software interactions and immaturity of platform(s).
However, there are counter measures that can help mitigate the risks of web service attacks such as enforce Trust relationships, encrypt transport links, engineer secure components, perform regular tests on components, reconcile WDSL specifications with actual operation, use HTTP proxy filters and finally configuration management.
There are technical solutions which have been developed to deal with web service vulnerabilities such as security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML), XML Signature, XML Key Management Specification (XKMS) and Kerberos.
As more and more organizations grow and extend their IT infrastructure to include XML Web Services as the main services, it will be important to appreciate the security implications and how to mitigate against the vulnerabilities of using XML Web Service message constructs within their web-based applications.
News Article of Interest: Hijacking phones with radio waves, Siri and headphones.
As personal assistants, users use Siri, Google Now and Cortana to make calls, send messages, perform web searches among others. In view of that, a pair of French researchers have conceived an attack to remotely hijack phones with and described the radio wave attack using sent FM radio signals from a laptop to an antenna, which transmits the signals to a nearby voice-command enabled phone with headphones plugged in. In this attack, the headphone cord acts as an antenna, sending commands through the microphone to a digital assistant like Siri.
For more information related to this article, please see the link below: