Temple University

Week 10: Reading Summaries, In the News, and Question for Class…

Karthik, R.  Burp Suite Guide: Part 1 – Basic Tools, Part 2 – Intruder and Repeater tools, Part 3 – Sequencer, Decoder and Composer. SearchSecurity.techtarget.in.  Karthik's terse three-part guide provides an overview and illustrative screen captures of the free edition of the Java-based Burp Suite web-application security testing platform developed by the firm PortSwigger Web Security.  The Burp Suite consists of a number of tools, including Proxy and Spider (introduced in Part 1), Intruder and Repeater (described in Part 2), and Sequencer, Decoder and Comparer (covered in Part 3).  Proxy enables inspection and modification of the intercepted traffic (HTTP requests and responses) passing between the browser and the target application. Spider automates the process of developing a detailed site map of the content and functionality of a target web application.  Intruder helps penetration testers attack, identify, and exploit a range of web application security vulnerabilities, including SQL Injection (SQLi) and Cross-Site Scripting (XSS), on a web page. Repeater enables penetration testers to iteratively probe target web pages by modifying and reissuing (playing back) HTTP requests to analyze vulnerabilities in a web page. Sequencer helps test the randomness/uniqueness, i.e. the quality, of web-application security tokens and their generators.  Missing from the free edition of Burp is Scanner, which seems to combine the functionality of the tools described in Karthik's guide with tests that detect many other security issues, for $299 per user per year.
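To make concrete what Sequencer measures, here is an added example (not code from Karthik's guide or from PortSwigger): a toy token-quality check that samples tokens from a constructed, deliberately weak counter-based generator and from Python's secrets module, then reports duplicates and per-position Shannon entropy so the weak generator stands out. The generator names and sample sizes are assumptions of the example.

```python
"""Toy token-quality check in the spirit of Burp Sequencer (added example,
not from Karthik's guide or PortSwigger). Compares a constructed weak
generator against a cryptographically secure one by duplicate count and
per-character-position Shannon entropy."""
import math
import secrets
from collections import Counter


def weak_token(counter: int) -> str:
    # Constructed weak generator: fixed prefix plus a predictable counter.
    return "sess" + format(counter, "012x")


def strong_token() -> str:
    # 64 random bits from the OS CSPRNG, rendered as 16 hex characters.
    return secrets.token_hex(8)


def position_entropy(tokens: list[str]) -> list[float]:
    """Shannon entropy (bits) of the symbol observed at each position."""
    n = len(tokens)
    result = []
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        result.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return result


def token_quality(tokens: list[str]) -> dict:
    """Summarise uniqueness and entropy; list positions that never change."""
    ent = position_entropy(tokens)
    return {
        "samples": len(tokens),
        "duplicates": len(tokens) - len(set(tokens)),
        "mean_bits_per_char": sum(ent) / len(ent),
        "fixed_positions": [i for i, h in enumerate(ent) if h == 0.0],
    }


if __name__ == "__main__":
    weak = [weak_token(i) for i in range(2000)]      # constructed sample
    strong = [strong_token() for _ in range(2000)]   # constructed sample
    print("weak:  ", token_quality(weak))
    print("strong:", token_quality(strong))
```

A real Sequencer run applies many more statistical tests, but the same two signals (repeated values and positions with little or no variation) are what give a weak token generator away.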

Distler, D. (2013). Web Application Injection Vulnerabilities: A Web App's Security Nemesis?, SANS Institute InfoSec Reading Room. This article complements Karthik's articles with more detail, presented in a good overview of two of the more commonly exploited injection attack categories of web application vulnerabilities: SQL Injection (SQLi) and XSS.  Distler describes a number of mitigations, including installing a web application firewall (WAF), conducting explicit error checking for all input, conducting web application security scans, and providing developers with secure coding training.  He balances the mitigations against a number of human "factors inhibiting organizations from remediating vulnerabilities" (including lack of budget, responsibility, and incentives) which are "as significant as… any security flaw."  He concludes: "A greater understanding of the risks by leadership and developers alike can only lead to increased pressure to allow resources for adequate security to be built and maintained."

In the News:  "ID Experts Wins $330M Federal Data Breach Recovery Services BPA." With an initial task order valued at $133.3M and potential to grow over three years to $329.8 million, ID Experts is tasked to protect the financial identities of 21.5 million people affected by the cyberattack and breach at the Office of Personnel Management. http://www.govconwire.com/2015/09/id-experts-wins-330m-federal-data-breach-recovery-services-bpa/

Question for Class: Should an informed ITACS student affected by the breach at the Office of Personnel Management who is seeking to sign up for financial identity protection by ID Experts: 1) favor sharing their personal identifying information (including Name, Address, Email address, Social Security Number, Birth Date and Year) over the telephone to sign up, 2) favor use of a web form protected via SSL seeking the same PII, 3) be indifferent between 1 and 2, or 4) fear the risks of both options and choose not to sign up for financial identity protection?
