Month: July 2018

Comparison of Application Security Testing Approaches

Overview

The following table lists a side-by-side comparison of different application security testing approaches. Additional rating details are available when hovering over each column. In the following, each approach is introduced.

Approaches compared (table columns):

  • Automated Security Testing
      ◦ Static Application Security Testing (SAST) / Static Code Analysis, further split into Taint Analysis, Pattern Matching, Language Specific (RIPS) and Language Generic
      ◦ Dynamic Application Security Testing (DAST) / Blackbox Tools
  • Manual Security Testing
      ◦ Whitebox / Code Audit
      ◦ Blackbox / Pentest

Rating criteria (table rows):

  • Code Coverage
  • Early Bug Detection
  • Detect Complex Issues
  • Detect Logical Flaws
  • Result Accuracy
  • Remediation Details
  • Initial Costs
  • Setup Costs
  • Verification Costs
  • Remediation Costs

Privacy in the era of Big Data

Big data creates stories we couldn’t see before; subtle patterns formed from trillions of gigabytes of data sifting through servers and trickling out of algorithms, finally dispensed as neat and clean business metrics.

  • Doug from Seattle is ready to buy a hybrid. Start sending him financing offers.
  • Zeke in NYC is moving. Send coupons for home improvement stores.
  • Sarah in Cincinnati is likely pregnant. Change the content of her shopping ads to include diapers and cribs.

People have decided to lease out their innate desires in exchange for free content. Every click, like, and retweet is stored and aggregated by data behemoths to understand consumer behavior. We certainly don’t like to pay to view a website, so our behavior is tracked and stored in exchange for content.

Is Privacy a Human Right?

The European Union has made their stance clear with the GDPR’s strict rules on consent to data collection. The legal status of privacy is not so clear-cut in the United States.

To start, let’s get the facts straight: the US Constitution does not explicitly guarantee anyone a right to privacy. It is implied by the Bill of Rights, including the right to free speech and the protection from unlawful searches and seizures. Privacy has several components to it:

  • Solitude
  • Secrecy
  • Anonymity
  • Individuality

That is, no one can intrude upon your space, force you to talk, reveal your identity, or impersonate you without your permission. Warren and Brandeis summarize it as “the right to be left alone.”

It’s challenging to translate those ideas into law. The GDPR is one of the most innovative attempts at securing these values as human rights, particularly with the “right to be forgotten.”

Is Privacy Necessary?

That entirely depends on your priorities. If you are a security officer trying to prevent threats, privacy is not a concern. If you are selling private consulting services, confidentiality is crucial to your business.

The issue is not black and white. People feel uncomfortable with being observed without their knowledge or express consent. Free speech is the right not only to form and voice an opinion but also to keep your opinion to yourself. Imagine a world where everyone was forced to express their opinion on command; it would have a good deal more disagreement! The crucial second element of privacy is the right to secrecy. No one should have to speak unless he or she chooses. The Fifth Amendment asserts this right.

We humans also crave our alone time. Despite an over-saturation of “interaction” provided by social media, people often feel more disconnected and isolated. Look no further than the failure of the open office as evidence for our need for privacy.

What is Digital Privacy?

All that said, what details are you leaking out by reading this post?

Every Internet-enabled device gives clues to its user.

  • Public IP Address – You disclose the IP address your current ISP assigned you to access the Internet, and with it your approximate (sometimes exact) city, state, or zip code.
  • Screen Resolution – You disclose what size your screen is.
  • Browser – You disclose what browser you prefer and all of its extensions.
  • Language – You disclose the languages your browser accepts, and therefore the languages you likely speak.
  • Operating System – You disclose whether your device runs Windows, Android, or iOS.
  • Cookies – Your browser stores information based on the websites you visit. Often that information is used to give you targeted ads.

All of this information can be gleaned just by browsing a web page. What’s even more important is your personal information. Social media accounts and email addresses are highly sought after by marketers. Their invention is recent, and we treat them trivially. Facebook accounts are often public, and we hand out email addresses to strangers all the time.

As you browse the Internet, websites will ask you to interact with their content on social media. These innocent-looking share and comment plugins are tracking you, pushing your behavior back to Google or Facebook to learn your habits and tastes. It’s easy for the website to collect this information and do whatever it wishes with it.

The result of all of this data harvesting is the advertising bonanza you know so well.

Trust or Power

Any question about your data security previously had one answer: trust whoever holds it. Companies and governments collect data, and citizens have little control. The GDPR now protects European consumer privacy better than ever before. However, government regulation is not the solution to every problem, which poses a new challenge for businesses and private citizens in the modern world.

Encryption

The answer to anonymity is already well known in security circles and has become popular in consumer technologies such as HTTPS and VPN apps. Encryption is key to keeping data safe. Strong encryption can keep information private for a long time.

Here’s how it works:

Let’s say that you want to privately talk to person B. Then you’d need a way to:

  1. Confirm that person B is person B.
  2. Eliminate the possibility of anyone eavesdropping on or changing the content of your conversation.
  3. Confirm to person B that you are who you say you are.

To do all of this, encryption algorithms convert text or data into long strings of characters using complicated equations. The goal is to create code that is virtually unbreakable even with ever more powerful computers. The only way you can receive the message is by having the key. It all sounds very spy vs. spy, but how is this useful?

It turns out people use encryption principles for many useful everyday tasks. Confirming the identity of an individual on the Internet is a crucial responsibility for all online banking and communication. Citizens can get news directly from journalists or eyewitnesses from anywhere in the world without intermediaries tampering with content.

Information that is correctly encrypted can safely protect the privacy of the individual that owns that information.

Big Data and Privacy can coexist

There is at least one ideal solution that organizations can start doing now: full encryption for all consumer data collected. From the first interaction all the way to analysis, all consumer data is encrypted and protected to the point that the company cannot easily tie data back to an individual. This is, of course, not possible in every sector; however, it’s the best way forward and a goal to which all big data companies should aspire.

Will encrypting all identifiable information limit the benefits of Big Data? No. Looking at data at a massive scale is what gives the best insight. Consumer identities are unnecessary for analysis, which is done on the aggregate.
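The claim above, that aggregate analysis works without consumer identities, shown as an added example that is not part of the original post or any WhoFi product: raw identifiers are replaced at ingestion with a keyed hash under a per-day key, and foot-traffic counts are then computed on the pseudonyms alone. The visitor identifiers, locations and dates are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample events (visitor identifier, location, day); in practice
# the identifier might be an account id, e-mail address or device address.
EVENTS = [
    ("visitor-a", "store-1", "2018-07-01"),
    ("visitor-b", "store-1", "2018-07-01"),
    ("visitor-a", "store-1", "2018-07-01"),  # repeat visit, same day
    ("visitor-a", "store-2", "2018-07-01"),
    ("visitor-c", "store-2", "2018-07-02"),
    ("visitor-a", "store-1", "2018-07-02"),
]

def day_key(master_key: bytes, day: str) -> bytes:
    """Derive a per-day key so pseudonyms cannot be linked across days."""
    return hmac.new(master_key, day.encode(), hashlib.sha256).digest()

def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of the identifier. Unlike a plain SHA-256, it cannot be
    reversed by brute-forcing a small identifier space without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise_events(events, master_key: bytes):
    """Replace raw identifiers at ingestion; only pseudonyms are stored."""
    return [(pseudonymise(ident, day_key(master_key, day)), loc, day)
            for ident, loc, day in events]

def unique_visitors(pseudo_events):
    """Aggregate foot traffic: distinct pseudonyms per (location, day)."""
    seen = defaultdict(set)
    for pseudo, loc, day in pseudo_events:
        seen[(loc, day)].add(pseudo)
    return {key: len(ids) for key, ids in seen.items()}

def linkable_across_days(pseudo_events) -> bool:
    """True if any pseudonym recurs on different days (should not happen)."""
    days = defaultdict(set)
    for pseudo, _, day in pseudo_events:
        days[pseudo].add(day)
    return any(len(d) > 1 for d in days.values())

if __name__ == "__main__":
    master = secrets.token_bytes(32)  # held outside the analytics store
    stored = pseudonymise_events(EVENTS, master)
    print(unique_visitors(stored))
    print("cross-day linkable:", linkable_across_days(stored))
```

This is pseudonymisation rather than anonymisation: whoever holds the master key can re-derive a visitor's daily pseudonym, so the key must stay out of the analytics store and each day's key should be discarded once that day's counts are computed.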

Who’s On My WiFi is a pioneer in this field, having developed an anonymous location analytics technology. Our analytics solution provides a detailed analysis of physical spaces and foot traffic, all without any identifying information on the people who are visiting a location. Businesses can make data-driven decisions, while customers can browse in anonymity. We like to think it’s the best of both worlds.


Current spambot attack on freenode (and elsewhere)

Many of you will have noticed that over the last few days there has been an extensive spambot wave on freenode, and on other networks.

The fairly aggressive spambot attacks link to websites that we believe to have been set up to impersonate freenode volunteers, and that we believe to contain offensive and incorrect information intended to defame and libel members of the freenode volunteer team.

Naturally, the matter has been escalated to law enforcement and both the project and the individual volunteers concerned have sought legal advice in connection with the current attack.

TikiWiki 17.1 SQLi: Scan, Verify and Patch in Minutes

Scanning

TikiWiki comes with many built-in features. A manual audit of such a huge code base for security issues would require a tremendous amount of time and expertise. The automated security analysis of TikiWiki’s 1.7 million lines of code with RIPS took roughly 14 minutes. Once the scan finished, a vulnerability of type SQL Injection was reported in the user interface.
By selecting the SQL injection category in the RIPS UI, we can see a summary of the affected code lines (top), an issue description (right), and the original code as reference (bottom).
Search Full-Text within 4M+ Books


Open Library now lets you search inside the text contents of over 4M books!

A Full-Text Search for “thanks for all the fish” on openlibrary.org

What’s Full-Text Search?

Many book websites, like Amazon and Goodreads, give you the ability to search for books by title and author, but they don’t make it easy to find books based on their contents. This type of searching is called “Full-Text Search”.

Try searching for “brewster kahle alexa internet” on Goodreads or Amazon:

A search for “brewster kahle alexa internet” on Goodreads

A search for “brewster kahle alexa internet” on Amazon Books

Have you ever heard a quote and wished you could figure out which book it came from? Open Library full-text search gives readers the ability to locate books which reference any snippet of text like, “Let every thing have its place”:

A full-text search on openlibrary.org of “let every thing have its place”

Full-Text Search on Archive.org

I’ve been surprised to learn how many people didn’t know that Archive.org has had full-text search for several years — and it’s really powerful! In 2016, Giovanni Damiola (@giovannidamiola) led a major overhaul of Internet Archive’s full-text search system and unlocked the ability for users to perform full-text searches across almost 40M unique text documents — from patents, to yearbooks, to open-access research papers.

How to activate Full-Text Search mode on Archive.org

Full-Text Search of the quote “let every thing have its place” on Archive.org

Open Library Full-Text Search

When you search across 40M documents, it can be a challenge to find the one you’re looking for. One feature which Open Library has been missing is a way to limit Internet Archive’s full-text search to only include results from books on Open Library. So for the last two years, Open Library has patiently waited to take full advantage of full-text search for its users.

Earlier this week, Gio released an improvement to our full-text search engine which lets us get around this historical limitation — and so we jumped on this opportunity to improve our search on openlibrary.org! With the help of Razzi Abuissa, Open Library volunteer, and Mek, Open Library’s project lead, you can now search inside more than 4M Open Library books.

Try a Full-Text Search

Thanks for all the fish! …Wait, what book was that from again?