Compass illuminates credit card fraud scandal
August 21, 2009
A computer hacker from Miami (USA) is said to have committed credit card fraud on a grand scale. The PINs of more than 130 million credit cards have been affected. According to the latest findings, the crackers made use of so-called SQL injection weaknesses to install spyware. So far, this is the biggest data theft case. The techniques were sophisticated enough to disguise the attacks and to bypass the protective mechanisms of the affected enterprises.
SQL injection is the infiltration of an attacker's own commands into an SQL database via the browser. According to OWASP (Open Web Application Security Project) it is a very common vulnerability, which can be prevented by "secure programming". With this method, user input must be sufficiently checked and validated, so that an attacker is not able to modify the database queries from outside. In Java this is ensured through the use of "prepared statements", and with Oracle it is done by "stored procedures".
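The following is an added example, not code from the original article or from Compass: it places a login query built by string concatenation next to the same query as a prepared (parameterised) statement. The page names Java prepared statements; the same binding mechanism is shown here in Python with sqlite3 so it runs stand-alone. The users table, credentials and hostile input are all constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed in-memory sample standing in for a real customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the input becomes part of the SQL text,
    so a quote character in the input changes the structure of the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, username, password):
    """Prepared statement (equivalent of Java's PreparedStatement): the query text is
    fixed and the values are bound as data, so the input can never alter the query."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Runs both variants with legitimate and with hostile input and returns the rows
    each one matched, so the difference in behaviour can be checked programmatically."""
    conn = setup_db()
    # Constructed hostile input: a tautology that makes the concatenated WHERE clause
    # true for every row. The prepared statement treats it as a plain string value.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_hostile": login_vulnerable(conn, hostile, hostile),
        "prepared_legit": login_prepared(conn, "alice", "s3cret"),
        "prepared_hostile": login_prepared(conn, hostile, hostile),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The vulnerable variant returns every user for the hostile input, while the prepared statement returns nothing, which is the check a code review or unit test should make for each query that takes user input.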
If the source code is not accessible for implementing "secure programming", or if the vendor has not provided a patch for the problem, deploying a Web Application Firewall (WAF) in front of the application is sensible. Similar to a traditional firewall, a WAF is capable of analysing the data packets of web requests and of detecting or preventing attacks.
Improving security skills and preventing attacks with Compass courses
In order to provide customers with detailed technical instructions for the prevention of such incidents, Compass offers, apart from hack & learn events, seminars and online trainings with SQL injection examples. These are available on the security portal www.hacking-lab.com. In a hands-on laboratory, the participants become acquainted with, for example, the OWASP TOP 10 web security gaps and learn adequate countermeasures.
Contents of the web security course of Compass
- OWASP Top 10 security gaps
- Authentication attacks
- Session fixation attacks
- Session prediction attacks
- Cookie security
- Cross Site Scripting
- Cross Site Tracing
- Cross Site Request Forgery
- Second Order Injection
- Simple and advanced SQL Injection
- URL Redirection Attacks
- Authorization Bypass Attacks
- Application Logging/Forensics
- XML Injection, XPath Injection
- JSON Hijacking
- Click Jacking/Surf Jacking
News
Compass invites you to the Security Event 2010
6/7/10 - On Thursday, September 09, 2010 Compass Security AG organises its annual "Compass Event". For this seminar the ICT security service provider invites customers and other interested persons to the auditorium of the HSR University of Applied Sciences in Rapperswil / Switzerland. From 08:30 to 17:00 the participants benefit from the latest findings and experiences in ICT security in the form of presentations, live hacking demonstrations and speeches. A red-hot topic is brought up by Nicolas Seriot in his guest speech "iPhone-Hacking".
New at Compass: "FileBox" as an Appliance
5/25/10 - Compass Security AG has further developed its web-based transfer solution "File Box" and launched it as an appliance. Companies thus keep complete control of their data, as the appliance is located on their own premises. The multitenant solution mainly addresses target groups that depend on a secure data exchange with customers or business partners, such as banks, insurance companies, chartered accountants, trustees, lawyers or medical doctors.
Hacking-Lab Remote: Rent a Professional IT Security Lab
4/13/10 - To impart knowledge of IT security topics such as the OWASP TOP 10, OSSTMM and other attack and defence measures in a practical way, universities and companies no longer need to invest in their own security lab. Using the Hacking-Lab of Compass Security AG, users have access via the Internet to an interactive lab environment. The ICT security service provider makes students and employees more familiar with current cyber threats, attack strategies and defence measures.
Evening event of ISSS on "Cyber Crime in Switzerland"
2/23/10 - Ivan Bütler, Compass managing director, is organising the "1st ISSS St Gall conference" together with Dr. Lukas Ruf. On Thursday, April 29, 2010, interested parties will meet to gain an up-to-date overview of the field of computer crime and to become familiar with current developments.
Compass hacks live at CeBIT
2/22/10 - Marco Di Filippo, Regional Director Germany of Compass Security AG, takes on the role of the hacker at CeBIT and puts modern technologies to the test. On the CeBIT platforms of the media partner Network Computing and of the antivirus specialist Avira he will examine data centres and mobile devices such as the iPhone and BlackBerry with regard to their security.