[Owasp-ireland] "More Than 500K Websites Hit By New Form Of SQL Injection In '08"

Brian Honan brian.honan at bhconsulting.ie
Sun Mar 1 18:02:06 EST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As someone who has been lobbying for mandatory reporting I would caution
though that this will not be the silver bullet to our lack of statistics.  

Firstly we have to ensure that any laws introduced into this area are
balanced and thought out properly.  Badly thought out laws will be worse
than no laws at all.  My thoughts on mandatory breach disclosure (for what
they are worth<g>) are available in an article I wrote for the Law Gazette
(http://url.ie/197y page 20).

I also echo Richard's concerns that no-one from the information security
profession is involved in the data protection review committee and
voiced those concerns at the recent NITEs seminar.

If we introduce such a law we need to consider what people are obliged to
report, breaches involving personal data, web site defacements, leak of
confidential company data etc.?  We need to be cognisant that any breach is
also a criminal act.  Based on those two issues is it appropriate to report
a crime to the Data Protection Commissioner?

One of the reasons I set up Ireland's first national CSIRT, www.iriss.ie,
was to provide a platform for companies to report breaches in confidence so
others could learn from their mistakes.  Companies can choose to share their
issues anonymously if they so wish.

As Richard highlights in his email the Data Protection review commission is
taking submissions.  This is "up to March" so there may be time for people
to share their thoughts.  I have submitted my proposals to the commission
and would encourage others, whether you support mandatory breach disclosure
or not, to submit your own thoughts.

Regards

Brian


Brian Honan
BH Consulting
Helping You Piece IT Together
T:  +353-1-4404065
M:  +353-868114066
E:  brian.honan at bhconsulting.ie
W:  http://www.bhconsulting.ie
B:  http://www.bhconsulting.ie/securitywatch
S:  bhonan

Supporting Global Security Week http://www.globalsecurityweek.com

This message is for the named person's use only. If you received this
message in error, please immediately delete it and all copies and notify the
sender. You must not, directly or indirectly, use, disclose, distribute,
print, or copy any part of this message if you are not the intended
recipient. Any views expressed in this message are those of the individual
sender and not of BH Consulting.
BH Consulting is a registered trade name for BH IT Consulting Limited,
Company Registration Number: 393479 with registered offices at Suite B011,
The LINC Centre, Blanchardstown Road North, Dublin 15. 




- -----Original Message-----
From: owasp-ireland-bounces at lists.owasp.org
[mailto:owasp-ireland-bounces at lists.owasp.org] On Behalf Of Conor Mc Goveran
Sent: Saturday, February 28, 2009 9:37 AM
To: owasp-ireland at lists.owasp.org
Subject: Re: [Owasp-ireland] "More Than 500K Websites Hit By New Form Of SQL
Injection In '08"

Actually it wasn't the report itself I was commenting on, rather the article
on darkreading which was referencing the report. So apologies if it seemed I
was diminishing the report itself. The fact that the article didn't qualify
the source and scope of the data leads you to believe that these are
statistics which are compiled from a large data pool. 
The choice on which areas to concentrate current attention within web
application security is a valuable one. The OWASP top ten list for example
is a good effort in this direction. What would make this approach all the
more valuable would be good quality statistics on a wide data pool that
would help us all understand the nature of the threat environment and
therefore help us to defend our applications. 
I thought that perhaps OWASP as an organisation could consider becoming an
advocate/lobby group to governments and the EU for mandatory reporting to
national data commissioners. These data commissioners could anonymously
compile the statistics and publish them at national or EU level. If this
data was available on this scale I think it would greatly help improve the
overall level of threat knowledge. Just my two bits though (1,0).
Regards,
 Conor.


2009/2/27 Eoin <eoin.keary at owasp.org>


	hi,
	 
	Point taken, one thing to remember is that Offer (CTO at Breach)
also organises the WASC incident database.
	http://www.webappsec.org/projects/whid/
	 
	I believe much of the data in the Breach report is from the WASC
(Web Application Security Consortium) database and not procured by Breach
themselves.
	Many of the incidents are submitted by individuals.
	Breach have also been big supporters of OWASP but as you say such a
report does have some commercial aspect.
	 
	ek


	 
	2009/2/26 Conor Mc Goveran <conor.mcgoveran at onformonics.com>


		I suppose not to do things in the singular I will make my
second post to the list within an hour or so of my first. Here again as a
community (and here I am talking about the global OWASP community) we have
an opportunity to be volunteers and use our energies in a positive way. This
report is a report on a report from a commercial vendor (Breach) who
collates incident information from 'publicly reported' breaches. So we are
talking here about 80% of the 1% of reported breaches that Breach classify
as based on some form of SQL Injection, XSS or hybrid attack, maybe,
perhaps, kind of ....... This is lazy journalism at best.
		
		To better inform our training, education, techniques and
methods of design we need REAL information based on REAL attacks and REAL
incidents. How can we begin to collate this information? I remember that both
SANS and Security Focus (in conjunction with DShield) made brave efforts to
collate global IDS and firewall logs. Not a great strategy. We received
information on patterns and trends which was useful for tuning IDS patterns
to drop false positives but not a lot beyond that.
		
		What is the solution? I have some ideas but as a community we
need to decide together. So I am throwing this bone out there. What is the
right way to capture, identify and report on statistical levels of attacks
and breaches so that we, a community of web developers, can produce secure web
applications now and in the future? Who should collect this information?
Should we lobby our TDs for California style disclosure laws? Should we
collate the information privately as a community? Now that the OWASP is
asking us the community for subscriptions should we demand quality and
timely information ...
		
		Conor.
		
		
		
		2009/2/26 Eoin <eoin.keary at owasp.org> 


			Document can be found here:
			 
			http://www.breach.com/resources/whitepapers/downloads/WP_WebHackingIncidents_2008.pdf
			
			
			2009/2/26 davidrook <david.rook at realexpayments.com> 


	
http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=O05
0UZ0A2SBO0QSNDLOSKH0CJUNN2JVN?articleID=214600046
				
				--
				David Rook
				Security Analyst
				Realex Payments
				Enabling thousands of businesses to sell
online.
				
				Realex Payments Dublin:
				Castlecourt, Monkstown Farm, Monkstown, Co
Dublin. Ireland
				t: +353 (0)1 2808559 | f: +353 (0)1 2808538
| www.realexpayments.com <http://www.realexpayments.com/> 
				
				Realex Payments London:
				1 Lyric Square, Hammersmith, London W6 0NB,
United Kingdom.
				t: +44 (0)20 3178 5370 | f: +44 (0)20 7691
7264  | www.realexpayments.co.uk <http://www.realexpayments.co.uk/> 
				
				Realex Payments Paris:
				27 avenue de l'Opéra, 75001 Paris. France.
				t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38
51 51
				
				Visit our other Realex Payments websites:
				www.airlinepayments.com
<http://www.airlinepayments.com/> 
				www.sepa.ie <http://www.sepa.ie/> 
				
				Pay and Shop Limited, trading as Realex
Payments has its registered office at Castlecourt, Monkstown Farm,
Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number
324929.
				This mail and any documents attached are
classified as confidential and are intended for use by the addressee(s) only
unless otherwise indicated. If you are not an intended recipient of this
email, you must not use, disclose, copy, distribute or retain this message
or any part of it. If you have received this email in error, please notify
us immediately and delete all copies of this email from your computer
system(s).
				
				
	
_______________________________________________
				Owasp-ireland mailing list
				Owasp-ireland at lists.owasp.org
	
https://lists.owasp.org/mailman/listinfo/owasp-ireland
				




			-- 
			Eoin Keary CISSP CISA
	
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
			
			OWASP Code Review Guide Lead Author
			OWASP Ireland Chapter Lead
			OWASP Global Committee Member (Industry)
			
			Quis custodiet ipsos custodes
			
			
			




		-- 
		Conor Mc Goveran,
		Managing Director,
		Onformonics Ltd.
		
		Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24,
Ireland. 
		Company Reg: 45503
		VAT: 9682767B
		
		Ph:        +353-14407576
		Mobile:  +353-872038598
		
		
		




	-- 
	Eoin Keary CISSP CISA
	https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
	
	OWASP Code Review Guide Lead Author
	OWASP Ireland Chapter Lead
	OWASP Global Committee Member (Industry)
	
	Quis custodiet ipsos custodes
	




- -- 
Conor Mc Goveran,
Managing Director,
Onformonics Ltd.

Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland. 
Company Reg: 45503
VAT: 9682767B

Ph:        +353-14407576
Mobile:  +353-872038598



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: iso-8859-1

wj8DBQFJqxPzi7bwgPG1z30RAiewAKCByahGytfpgLb63cwE2H3AxBXJ4QCdHPAc
Y2KdLHnIRK+lVE1rsHPgPj8=
=wXJT
-----END PGP SIGNATURE-----