Tag Archives: power

How could Web application (in)security affect me?

Nearly 55 percent of all vulnerability disclosures in 2008 affected web applications.

Web applications have become the major hunting grounds for cyber criminals who quite rightly view them as low hanging fruit. Just as building new motorways improves access for traditional burglars and car thieves, web applications’ internet accessibility literally delivers them to the hackers’ doors.

For some time now, cyber crime has simply been another arm of organised crime. And organised crime is pouring a substantial portion of its vast resources into cyber crime … because the return on investment is very high.

Organised crime goes to great lengths to get its hands on any information – and the more confidential it is, the better. Once they’ve hacked into an application, they can either make use of it themselves or sell it on to others. They can also take control of the various resources such as servers and databases that house that information and turn a profit from that as well.

Having gained control of your computing power by exploiting vulnerabilities and adding code to your application, they add your power to their existing haul and create botnets – a global network of robots reporting to their master command-and-control node – which can be directed to attack other organisations, or sold to other criminals who, once they hold enough power, can orchestrate denial of service attacks.

No longer is it enough for these criminals to boast of their hacking prowess; these days it’s all about the money. Given that a properly engineered denial of service attack is powerful enough to bring down pretty much any global multi-national corporation or, in fact, any small country and take them off-line for the duration, this is not about bragging rights, it’s extortion. It is money-motivated from start to finish.

Because all information and all computing power is grist to the mill for the criminals, no company is too small and certainly no company is too big to be targeted. And as the security in large enterprises is often no better than in small ones, size is truly no barrier to the criminals.

And no business can afford the consequences of a security breach. At the very least, mismanaging confidential information almost always leads to reputational damage. Reputational damage leads to departure of existing clients as well as difficulty attracting new business – a situation that can go on for many years. There are obvious bottom line implications to those consequences; in the most extreme cases, businesses can go under.

According to IBM’s X-Force 2009 Mid-Year Trend and Risk Report, the predominant risks to web applications are from cross-site scripting, SQL injection and file include vulnerabilities.

Cross-site scripting vulnerabilities occur when web applications do not properly validate user input, thus allowing criminals to embed their own script into a page the user is visiting. This script can steal confidential information or exploit existing vulnerabilities in the user's web browser. Cross-site scripting vulnerabilities are typically exploited in phishing attacks by sending users a malicious link to a page in a legitimate domain name via email. The criminals get high returns because users trust the familiar domain name they are visiting and thus trust the links (created by the criminals) therein.

SQL injection vulnerabilities are also about improperly validated user input, but in this case that input includes SQL statements that are executed by a database, giving attackers access to that database to read, delete and modify sensitive information (like credit card data) as well as embedding code into the database allowing attacks against other visitors to the web site.
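The cross-site scripting and SQL injection paragraphs above share one root cause: untrusted input that ends up interpreted as code (HTML in the browser, SQL in the database). The following is an added example, not code from the original post, using Python's standard-library sqlite3 and html modules on a constructed in-memory table; it places the input-splicing version of each operation beside the hardened version (bound parameters, output encoding) so the difference can be checked directly.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a real customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4111-0000-0000-1111"), ("bob", "5500-0000-0000-0004")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The user-supplied value is spliced into the SQL text, so any SQL
    # fragments it contains are parsed and executed by the database.
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The value is bound as a parameter: the driver passes it to the
    # database as data, never as part of the statement.
    sql = "SELECT name, card FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    # The value is echoed verbatim into the page, so any markup in it
    # becomes live HTML (and script) in the visitor's browser.
    return "<p>Hello, " + name + "</p>"


def render_safe(name: str) -> str:
    # Output encoding turns <, >, &, and quotes into entities, which the
    # browser displays as text instead of interpreting as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def row_count_difference(conn: sqlite3.Connection, value: str) -> int:
    # Defender's check: how many more rows does the spliced query leak
    # for a given input than the parameterised one? Zero means no injection.
    return len(lookup_vulnerable(conn, value)) - len(lookup_safe(conn, value))
```

The textbook tautology input in the test below is the same kind of "input that includes SQL statements" the paragraph describes; the parameterised lookup treats it as an ordinary name and matches nothing.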

File-include vulnerabilities occur when the application is forced to execute code from a non-validated remote source, allowing criminals to take over the web application remotely. This category includes some denial-of-service attacks as well as techniques that allow criminals direct access to files, directories, user information and other components of the web application.

Facilitating all these kinds of attacks is the fact that many web sites contain some code to support various features and functions which inadvertently introduces vulnerabilities.

Russian roulette, anyone?

Radio Controlled Boats (Page 1 of 2)

A radio controlled boat (or RC boat) is a boat controlled remotely with radio control equipment. Electric sport boats are the most common type of boat amongst casual hobbyists. Hobby-quality boat speeds generally start at around 20 MPH and go up from there, and with the latest in lithium polymer and brushless motor technology they can be just as fast as or faster than their internal combustion counterparts. Ready-to-run speed boats from Aqua Craft, Pro Boat and Offshore Electrics can reach speeds over 40 MPH out of the box and with modifications can reach well into the 50-60 MPH range. These types of boats are referred to as hobby grade and can be found only at hobby shops and retailers. Toy-grade boats, which are obtained through mass consumer retailers, are generally much slower, with maximum speeds usually below 15 MPH. Scale boats are replicas of full-size boats. They can be small enough to fit into your hand, or large, trailer-transported models weighing hundreds of pounds. More often than not they are a miniaturised version of a prototype, built using plans and/or photos, although there are variants that use freelance designs. An offshoot of this style of marine RC is radio controlled submarines.

Power boats are typically fast electric or internal combustion (ignition engine or glow plug RC engine based), and some are steam powered (conventional type, and also flash steam). (At one time some boats used engines working on the compression ignition principle. These were not diesels in the true sense of the word, but the modelling fraternity frequently referred to them as such. A few enthusiasts still operate such engines.) The power is commonly used to rotate a submerged propeller, aircraft propeller or jet, which in turn provides the thrust to move the craft. Typically power boats have two controls: steering (rudder, outboard motor or stern drive) and throttle. Powered scale boats will often have additional remote controlled functions to improve realism, e.g. sounding fog horns, rotating radar antennae etc. Some of the more sophisticated powered racing boats may also have additional remote controlled functions. These may include remote mixture control, allowing the driver to optimise the fuel/air mixture during a race. Another function occasionally implemented for racing boats using a surface-piercing propeller is remote control of depth or angle of thrust. Three main types of power boat are available: RTR (ready to run), ARTR (almost ready to run), and kit versions. All thoroughbred racing boats are made from kits, and the builders add their own gear and radio.

Radio controlled racing boats are designed for maximum speed and manoeuvrability. Various styles of racing include circuits of different shapes laid out on the water with buoys. The most common course is the 1/6 mile oval, which consists of 330′ straight sections followed by 70′ diameter turns. The International Model Power Boat Association (IMPBA) as well as the North American Model Boat Association (NAMBA) have specific rules and regulations to address the course, race rules, and formats. In addition to oval racing there is straightaway (SAW) racing. This is a contest to see how fast you can make the boat go in a straight line. Timed events are held where the boats need to pass through a starting light and an ending light. The speed is calculated from the time difference between start and stop versus the distance between the lights. Again IMPBA and NAMBA rules apply.