WebApp Sec mailing list archives
New Whitepaper - "Continuing Business with Malware Infected Customers"
From: "WebAppSec" <webappsec () technicalinfo net>
Date: Mon, 3 Nov 2008 10:29:37 -0500
Hi List,

I figured I'd try sharing a new paper I completed and posted to my site yesterday. The paper is based on some of the work I've been discussing at various conferences recently in relation to the man-in-the-browser attack vectors, and their effect on financial Web applications - in particular, consumer online banking. Titled "Continuing Business with Malware Infected Customers", it looks at the threat from the perspective of "with so many infected computers out there, and the number not likely to go down, what sort of things can you build in to your Web application to make it more resilient to man-in-the-browser attack vectors?".

As I'm sure most of the list already knows, the man-in-the-browser vector is particularly insidious and defeats just about all the current protection technologies out there - largely because it's such a convenient vector for social engineering. Anyhow, this paper is designed to help Web developers take a closer look at their transactional Web applications and provide various levels of best practice advice on helping to mitigate the threat. In addition, I'm aiming to raise business awareness of the fact that they will increasingly just have to assume that a sizable percentage of their customer base is probably infected - and develop protection strategies accordingly.

The paper can be found at: http://www.technicalinfo.net/papers/MalwareInfectedCustomers.html

Cheers,
Gunter

The intro/abstract for the paper...

Continuing Business with Malware Infected Customers - Best Practices and the Security Ergonomics of Web Application Design for Compromised Customer Hosts

Today's media is full of statistics and stories detailing how the Internet has become an increasingly dangerous place for all concerned. Figures of tens of millions and hundreds of millions of bot-infected computers are regularly discussed, along with approximations that between one-quarter and one-third of all home computer systems are already infected with some form of malware. With a conservative estimate of 1.4 billion computers browsing the Internet on a daily basis (mid-2008 figures), that could equate to upwards of 420 million computers that can't be trusted - and the numbers could be higher as criminals increasingly target Web browser technologies with malicious Web content - infecting hundreds of millions more along the way.

Despite these kinds of warnings and their backing statistics, online businesses have yet to fully grasp the significance of the threat. Most of the advice about dealing with the problem has focused on attempting to correct the client-side infection and yet, despite the education campaigns and ubiquity of desktop anti-virus solutions, the number of infected computers has continued to rise. The problem facing online businesses going forward is, if upwards of one-third of their customers are likely to be using computers infected with malware to conduct business transactions with them, how should they continue to do business with an infected customer base?

This paper discusses many of the best practices businesses can adopt for their Web application design and back-office support processes in order to minimize this growing threat, along with helping to reduce several of the risks posed with continuing to do business with customers likely to be operating infected computers.
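The message above explains why a man-in-the-browser (MitB) infection defeats ordinary session-level protections: the malware sits inside an already-authenticated browser and can rewrite what the customer submits and what the customer sees. The following is an added illustration, written for this archive page and not taken from the paper or from any product, of one server-side design that stays resilient under that assumption: the authorization code the customer enters is bound to the transaction details, and it is computed on a device the browser cannot reach. The class and function names, the shared token secret, and the "ACME Ltd" / "MULE ACCOUNT 0042" recipients are all constructed for the example.

```python
"""Transaction-bound authorization codes as a man-in-the-browser mitigation.

Added example for this page; not code from the paper. The Server class,
compute_code(), the token secret and the sample recipients are assumptions
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DIGITS = 8  # length of the numeric code the customer types back


def canonical(amount_cents: int, recipient: str, nonce: str) -> bytes:
    """Fixed serialization of the details the code is bound to.

    Whitespace runs and case in the recipient are normalized so a cosmetic
    difference between what the customer keyed in and what the server holds
    does not reject a legitimate confirmation.
    """
    recipient = " ".join(recipient.split()).upper()
    return f"{amount_cents}|{recipient}|{nonce}".encode()


def compute_code(token_secret: bytes, amount_cents: int, recipient: str, nonce: str) -> str:
    """What the out-of-band token (or the bank's own app/SMS side) computes.

    The secret is provisioned out of band and never touches the browser, so
    malware inside the browser cannot produce a valid code for details it
    has altered.
    """
    mac = hmac.new(token_secret, canonical(amount_cents, recipient, nonce), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** DIGITS)
    return f"{value:0{DIGITS}d}"


@dataclass
class PendingTransfer:
    amount_cents: int
    recipient: str
    nonce: str


class Server:
    """Bank back end holding per-customer token secrets and pending transfers."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._pending: dict[str, PendingTransfer] = {}

    def enroll(self, user: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return secret  # delivered to the customer's token, never to the browser

    def start_transfer(self, user: str, amount_cents: int, recipient: str) -> str:
        """Record the transfer exactly as received and issue a fresh nonce."""
        nonce = secrets.token_hex(4)
        self._pending[nonce] = PendingTransfer(amount_cents, recipient, nonce)
        return nonce

    def confirm(self, user: str, nonce: str, code: str) -> bool:
        """Verify the code over the details the server actually received."""
        tx = self._pending.pop(nonce, None)  # one attempt per nonce, no replay
        if tx is None:
            return False
        expected = compute_code(self._secrets[user], tx.amount_cents, tx.recipient, tx.nonce)
        return hmac.compare_digest(expected, code)


def run_transfer(tamper: bool) -> bool:
    """Simulate one transfer; with tamper=True a MitB rewrites the recipient in flight."""
    server = Server()
    token_secret = server.enroll("alice")

    # What the customer intends, and what their (compromised) browser keeps displaying.
    intended_amount, intended_recipient = 10_000, "ACME Ltd"

    # What actually leaves the browser: the malware swaps the recipient.
    submitted_recipient = "MULE ACCOUNT 0042" if tamper else intended_recipient
    nonce = server.start_transfer("alice", intended_amount, submitted_recipient)

    # The customer keys the details *they intend* into the token along with the
    # nonce the bank shows. The browser never feeds the token, so the malware
    # has no way to influence the code; a swapped recipient simply fails to verify.
    code = compute_code(token_secret, intended_amount, intended_recipient, nonce)
    return server.confirm("alice", nonce, code)


if __name__ == "__main__":
    print("legitimate transfer accepted:", run_transfer(tamper=False))
    print("tampered transfer accepted:", run_transfer(tamper=True))
```

The design only holds if the customer keys the amount and recipient into the token themselves; if the token is fed a summary rendered by the browser, the malware can rewrite that summary too. The remaining exposure is the social-engineering angle the message mentions: an injected page that talks the customer into entering attacker-chosen values. The usual answer is to have the out-of-band side display what is about to be signed, so the customer is confirming the real destination rather than a number.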