Our blog is moving to Trustwave.com!

In case you missed it, on March 18, we announced that Cenzic has joined the Trustwave family. The acquisition brings together Cenzic’s dynamic application security testing technologies with Trustwave’s cloud-based application, database and network penetration testing and scanning services. The combination will create one of the industry’s broadest, integrated security testing platforms designed to help businesses rapidly identify and address security weaknesses, thereby significantly helping to reduce threats and risks.

Trustwave Chairman and CEO Robert J. McCullen commented on the vision and rationale behind the acquisition:

“This acquisition brings together two security leaders who understand the power automation brings to managing the aggressive and evasive threats we’re seeing today. Cenzic’s highly automated and scalable security testing platform supercharges our ability to deliver integrated testing across a high volume of applications. This acquisition marks another milestone in Trustwave’s strategy to deliver comprehensive, automated and integrated security, compliance and threat intelligence solutions to the industry, all delivered through the cloud.”

You can read the full news release here.

Now that we’re part of the larger Trustwave family, we’ll be blogging at two new locations, but still providing you with the same great insight you’ve come to expect from the original blog. Here is where you can find us now:

  • Trustwave Blog – it features news and insights, tips and tricks and other perspectives around a broad range of information security topics, including application security testing.
  • Trustwave SpiderLabs Blog – it features research and technical analysis from the SpiderLabs team, Trustwave’s elite team of ethical hackers, investigators and researchers.

Another great way to engage us is to follow Trustwave’s social media accounts: @Trustwave on Twitter, on LinkedIn and on Facebook. I encourage you to check them out.


National Cyber Security Awareness Month 2013 Focuses on Shared Responsibility

October is National Cyber Security Awareness Month. Throughout the month leaders across industry, government and educational institutions are joining with the National Cyber Security Alliance to highlight the need to “create a safe, secure, and resilient cyber environment.”

Cenzic is a proud champion of National Cyber Security Awareness Month 2013.

“Shared Responsibility” is the theme for this year’s activities. It is up to all of us to make the internet safer and more secure for everyone.

According to Internet World Stats, nearly 2.5 billion people, or 34% of everyone on earth, are connected to the Internet. Consumers and businesses enjoy and profit from the convenience of banking from smartphones, shopping from tablets, emailing relatives and connecting with global communities. More people and more applications continue to enrich the online world every day.

As with all large communities, most are decent, ethical and law-abiding contributors. A few, however, are not. Criminals and other bad actors continue to hack into secure networks and obtain corporate or personal information. The risk of cyber threats requires everyone to become more educated on how to protect themselves and others.

Get Involved in National Cyber Security Awareness Month 2013

Here are a few valuable resources to access during National Cyber Security Awareness Month 2013:

Please take advantage of these great materials!

Cenzic Researchers Uncover iOS7 Backdoor Vulnerability that Enables Pretenders to Act on a User’s Behalf – Even When iPhones are Locked

A major flaw in SIRI enables unauthorized users to send email, post to Facebook and Twitter, and send messages

By Tyler Rorabaugh, VP of Engineering, Cenzic

Imagine someone stealing your iPhone and, without knowing your passcode, sending messages, email or social network postings to your friends and contacts while posing as you.

Impossible? Not with Apple’s new iOS 7, which many users are installing this week. Researchers on my team here at Cenzic have discovered that a security flaw in SIRI, Apple’s voice-activated personal assistant, allows anyone holding a locked iPhone to bypass the lock screen and take action on the owner’s behalf. Our Security Engineers, Abhishek Rahirikar and Michael Yuen, found the vulnerability in the past 24 hours and report that the weakness lies in SIRI itself: it carries out tasks that should require the device to be unlocked, so the passcode no longer gates them.

Video: iOS7 Backdoor in Action

In this YouTube video (http://youtu.be/DVpPsUhKz9s), Rahirikar and Yuen demonstrate using the SIRI function on my locked iPhone running iOS 7 to post to my Facebook page and update my status.

The SIRI flaw can be used to operate many other iPhone functions that would normally require the phone to be unlocked. Among the operations our researchers were able to perform on a locked iPhone:

  • Call any phone
  • Send messages using iPhone owner’s identity
  • Send email using iPhone owner’s identity – This could enable phishing attacks
  • View calling history – Exposes information on recent calls and calling partners
  • View limited contacts – Enables attackers to discover details on specific, known contacts
  • Discover personal information of contacts with common, easily-guessed names
  • Post on Twitter
  • Post on Facebook
  • Get addresses saved in Apple Maps

Some of these functions were accessible on older iPhones as well, including those running iOS 6. Cenzic’s researchers confirmed that on iOS 6, SIRI can also be used to post on Twitter and Facebook on the owner’s behalf, provided both accounts are set up and SIRI is enabled. Posting is possible only when the accounts are configured under Settings -> Facebook and Settings -> Twitter.

This vulnerability shows how thin the line is between security and convenience. Whether a locked phone should be able to place calls, send messages and send email is a defensible convenience trade-off, but iOS offers no per-action setting to control it once SIRI is reachable from the lock screen. The only mitigations are to disallow SIRI on the lock screen (in iOS 7, Settings -> General -> Passcode Lock, under Allow Access When Locked) or to disable SIRI entirely.

Cenzic encourages all iPhone users to be aware of these flaws and never to hand their iPhones to untrusted individuals. In the wrong hands, your iPhone can lead to compromise of your identity even when it is locked and protected by a passcode. Cenzic also calls on Apple to investigate and remediate these vulnerabilities as soon as possible; a patch is needed not only in iOS 7 but in older versions. More broadly, Cenzic encourages all enterprises to scan carefully every new application introduced to the organization, particularly mobile applications, which have frequently been found to be vulnerable to attack.


*** Abhishek Rahirikar and Michael Yuen, Security Engineers at Cenzic, contributed their research findings to this blog post. ***


Cenzic Wins Silver Stevie Award for Best Mobile App Security Solution in 2013 American Business Awards

Cenzic Earns Silver Stevie Award for Best Mobile App Security Solution

Cenzic Mobile Honored with Silver Stevie Award

We are thrilled to announce that our mobile application security solution was presented with the Silver Stevie Award in the Best Mobile App Security Solution category in The 11th Annual American Business Awards last Monday.

The American Business Awards are the nation’s premier business awards program, where more than 3,200 nominations from organizations of all sizes and in virtually every industry were submitted this year for consideration in a wide range of categories.

The explosion of mobile applications poses a new set of challenges for enterprises, blurring the organization’s attack perimeter. Voted best mobile application security solution, Cenzic’s Mobile Service ensures that enterprise mobile apps are continuously secured through all levels of the application lifecycle. By scanning and analyzing mobile applications, it detects vulnerabilities in critical areas, including input validation, authentication mechanisms, session security, encryption usage and policy compliance.

Cenzic is truly honored to have been awarded the Silver Stevie Award for best mobile app security solution in the coveted American Business Awards. Visit the Stevie Awards website for more details on The American Business Awards and the list of winners announced on September 16.

Cenzic Nominated a Finalist in Two Categories in the 2013 Golden Bridge Awards

We are excited to announce that Cenzic has been selected as a finalist in the Annual 2013 Golden Bridge Awards under two separate nominations – for Best Managed Security Service under the IT and Security Innovations category, as well as Best Overall Company of the Year.

The Golden Bridge Awards are an annual industry and peers recognition program honoring Best Companies of all types and sizes for Best Products, Innovations, Management and Teams, Women in Business and the Professions, and PR and Marketing Campaigns from all over the world.


Cenzic Managed Cloud is a fully managed service where Cenzic’s security experts utilize the industry-leading security platform and proven methodologies to provide worry-free application security. Powered by Hailstorm, the managed service offers a range of cloud, mobile and web application assessments remotely – no software, no hardware and no installation needed. Recently, Cenzic announced an expansion to its Managed Services for Enterprise Application Security. The advanced enterprise-class managed service offering includes four levels of service including a special compliance-ready assessment available for all types of organizations. Without any software or hardware to deploy or in-house resources needed, this managed service allows organizations to focus on growing their business while reducing their operational and overhead costs.

Winners of the Golden Bridge Awards will be announced September 30, 2013 in San Francisco.

You can see the complete list of finalists here.

Content Security Policy – another stab at Cross-Site Scripting

There’s nothing worse than being all talk and no action when it comes to securing your data from petty hackers. Take Cross-Site scripting (XSS), for instance. We keep talking and warning about XSS – that it’s one of the most common vulnerabilities, that even a 10-year-old could do it, and worse, that it doesn’t take rocket science to prevent it. And yet it’s still here, and it’s still a problem.

We are not at a loss for methods of preventing XSS or other injection attacks. In the end, it really does boil down to the development process and putting best practices in place, which is easier said than done. That being said, additional defenses and coding practices continue to roll out as injection attacks remain a problem, and one that is less talked about but gaining momentum is Content Security Policy, or CSP.

For those who are not familiar, Content Security Policy (CSP) is a relatively new HTTP response header, Content-Security-Policy, that acts as an added safety net for Web applications, helping prevent and report content injection attacks, including the notorious Cross-Site Scripting. CSP works by letting Web application developers tell the browser which kinds of content a page may load and from which origins. A policy that whitelists script sources also, by default, refuses to execute inline scripts and eval(), so an injected script tag or event handler is blocked even when an output-encoding mistake lets it reach the page, and the policy can name a report-uri to which the browser posts violation reports. CSP does not remove the injection flaw itself; it limits what the injected content can do, which makes it a second layer behind proper output encoding rather than a replacement for it.

Currently, major browsers such as Firefox, Chrome and Safari support CSP, with partial support from Internet Explorer – and it won’t be long before other browsers hop on the CSP bandwagon too. With the growing awareness and importance of the policy, Cenzic is adding a CSP component to its suite of SmartAttacks.

Just as users get anti-virus updates for their desktops, Cenzic provides updates for its Web application scanner known as SmartAttacks, each of which simulates a hacker trying to compromise or cripple your application with the objective of finding vulnerabilities. The new CSP SmartAttack acts as an observer: without injecting anything, it verifies the Content Security Policy set by your Web apps by inspecting the response headers and reporting any policy that is insecure or altogether missing.
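What such an observer has to check, as an added example that is not Cenzic’s SmartAttack code and not part of the original post: the Python below parses a Content-Security-Policy (or Report-Only) header into its directives and flags the weaknesses a reviewer looks for first, namely a missing header, a policy that only reports, no default-src fallback, script-src or object-src left unrestricted or opened to any host, and 'unsafe-inline' or 'unsafe-eval' in script-src, which reopen the door to injected script. Directive names and source keywords follow the CSP 1.0 specification; the three sample responses are constructed, and the host cdn.example and the /csp-report endpoint are placeholders.

```python
"""Passive Content-Security-Policy header check.

Added example, not Cenzic's SmartAttack code. It inspects response headers
only and injects nothing, which is what the post describes. Directive names
and source keywords follow CSP 1.0; the sample responses below are constructed.
"""


def parse_csp(value):
    """Parse a policy string into {directive: [source expressions]}.

    Directives are separated by ';'; each is a name followed by
    whitespace-separated sources. If a directive is repeated, browsers keep
    the first occurrence, so the parser does the same.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy, directive):
    """Sources governing a fetch directive: its own list, else default-src,
    else None (the browser then applies no restriction at all)."""
    return policy.get(directive, policy.get("default-src"))


def check_csp(headers):
    """Return a list of findings for one HTTP response's headers.

    `headers` is a dict; names are compared case-insensitively as HTTP
    requires. An empty list means no weakness was observed.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if enforced is None:
        if report_only is None:
            return ["no Content-Security-Policy header"]
        # Report-Only is useful while rolling a policy out, but blocks nothing.
        findings.append("policy is Report-Only: violations are reported, not blocked")
        enforced = report_only

    policy = parse_csp(enforced)
    if "default-src" not in policy:
        findings.append("no default-src: directives not listed are unrestricted")

    # script-src decides whether injected script runs; object-src matters
    # because Flash/Java plugins are an alternative script vector.
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} unrestricted (no directive and no default-src)")
            continue
        lowered = {s.lower() for s in sources}
        if directive == "script-src":
            if "'unsafe-inline'" in lowered:
                findings.append("script-src allows 'unsafe-inline': injected inline script runs")
            if "'unsafe-eval'" in lowered:
                findings.append("script-src allows 'unsafe-eval': string-to-code is allowed")
        # '*' or a bare scheme matches every host, so attacker-hosted files qualify.
        if "*" in lowered or lowered & {"http:", "https:"}:
            findings.append(f"{directive} allows content from any host")

    if "report-uri" not in policy:
        findings.append("no report-uri: violations will not be reported")
    return findings


# Constructed sample responses (not real scan output). cdn.example and
# /csp-report are placeholders.
MISSING = {"Content-Type": "text/html"}
WEAK = {"Content-Security-Policy": "script-src * 'unsafe-inline'; img-src *"}
STRONG = {
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self' https://cdn.example; "
        "object-src 'none'; style-src 'self'; img-src 'self'; "
        "report-uri /csp-report"
    )
}

if __name__ == "__main__":
    for label, sample in (("missing", MISSING), ("weak", WEAK), ("strong", STRONG)):
        print(label, check_csp(sample) or ["ok"])
```

The STRONG sample shows the shape of a policy that actually blunts XSS: default-src 'none' so anything not listed is denied, an explicit script-src without 'unsafe-inline', object-src 'none' so plugins cannot be used as a script vector, and a report-uri so violations in production are visible. A real scanner would also look at style-src and evaluate the policy per response rather than per site, since policies often differ from page to page.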

It gets to a point where we need to stop talking and we need to start acting. The remedies are out there, and the tools to help find them are too. So let’s take another stab at preventing Cross-Site scripting, shall we?