The Mykonos Web Application Security Blog

Black Hat Webinar Featuring Mykonos Software

Edward Roberts — Thu, 31 May 2012 15:43:50 +0000

Recently we sponsored an interesting Webinar with Black Hat titled ‘A Journey into the Privacy and Security Risks of a Cloud Computing Service’. Speakers were Marco Balduzzi and David Koretz, Mykonos Software, a Juniper Networks company, VP and GM.

Throughout you’ll learn about some cutting edge security research about the risks around deploying cloud services.

Cloud services such as Amazon’s EC2 and IBM SmartCloud allow users to create and share virtual images (AMIs) with other users. In addition to these user-shared images, the cloud providers also provide AMIs that have been preconfigured with popular software such as open source databases and web servers.

This talk explores both the privacy and the security risks associated with renting and using public AMIs from cloud computing providers. We will present SatanCloud, our automated system that we used to analyze and test over 5,000 server images provided by Amazon in its four data centers of US, Europe and Asia. From our analysis, we discovered that both the users and the providers of public AMIs are vulnerable to security risks such as data leakage, unauthorized access, malware infections, and loss of sensitive information. All our findings have been acknowledged by the Amazon’s Web Services Security Team that has already taken steps to properly address them.

To watch the webinar click here.

Marco Balduzzi’s slides are available here.

Mykonos Software’s slides are available here.

Mykonos Software Acquired by Juniper Networks

Edward Roberts — Wed, 22 Feb 2012 14:16:09 +0000

Today, we are proud to announce that Mykonos Software was acquired by Juniper Networks.

We are excited to join the Juniper Networks family and believe that the cultures and mission of both organizations are strongly aligned. Both of us share the vision of transforming the security industry and changing the ROI of hacking by making it costly, time consuming and tedious for attackers. Juniper’s strong history of technology execution combined with Mykonos Software’s innovative Web security product ideally positions us to deliver an end-to-end security portfolio that provides an always protected environment across devices, applications, the network and the cloud.

Our CEO, David Koretz said it best: “We believe the combination of Mykonos’ groundbreaking technology and Juniper’s proven expertise in developing and productizing some of the industry’s most disruptive innovations, will deliver clear advantages for customers that reduce security risk and lower total cost of ownership. We are excited about the opportunity to leverage Juniper’s world-class organization and market-leading product portfolio to deliver tightly integrated, proactive web application security to customers.

Since our company was founded in 2009, we have been acknowledged as an industry innovator bringing to market our intrusion deception product – the Mykonos Web Security – to help solve the problem of hackers on website and web applications.

This acquisition will help bring this solution to a wider market and Mykonos Software customers and partners will benefit from Juniper’s scale, expanded product portfolio, strong services capabilities, enhanced go-to-market approach and commitment to customers.

This is an exciting time at Mykonos Software. The RSA Conference is going to be very different next week as we launch as a Juniper Networks Company.

View Press Release

Anonymous Hackers Breach San Francisco Bart Website

Edward Roberts — Mon, 15 Aug 2011 16:46:27 +0000

Anonymous can seemingly attack any website at will, and deface the content, and steal data. Why was Bart attacked? In response to Bart blocking cell phone access last week to prevent a protest at one of their stations. So this hack is an extension of free speech or simple theft and vandalism? Either way, just another example of how easy Web applications are to damage and exploit because they are not protected by any type of security.

Also an interesting quote from anonymous in this article from the SFGate.

BART “stored their members’ information with virtually no security,” the hackers wrote. “Any 8-year-old with an Internet connection could have done what we did to find it. On top of that, none of the info, including the passwords, was encrypted.”

Facebook about to be destroyed?

Edward Roberts — Wed, 10 Aug 2011 23:10:27 +0000

Recent news from anonymous that they plan to destroy Facebook on November 5. If you know the story about Guy Fawkes you understand that he was arrested as part of the Gun powder plot which unsuccessfully tried to blow-up the Houses of Parliament in 1605. So five centuries later are we supposed to equate facebook with a nation’s Government? After all Facebooks population of 700M is larger than most countries.

Lulzsec Disbands

Edward Roberts — Fri, 01 Jul 2011 22:40:20 +0000

It’s been reported that that Lulz Security, who have been responsible for hacks against companies such as Fox.com and AT&T, have called it quits and are disbanding. Despite this news, companies shouldn’t be take too much of a sigh of relief. Instead, they should continue to remain vigilant with regards to security. Though the six member hacking group won’t continue to hack as a collective team, nothing stops its members from hacking individually or joining other groups.

The Hidden Cost of Cybercrime

Edward Roberts — Fri, 10 Jun 2011 19:05:35 +0000

Cybercrime for Sony recently cost them a reported $171M but some costs are hidden and never reported. This CNN article offers a perspective on explaining the hidden impact of Cybercrime.

http://www.cnn.com/2011/BUSINESS/06/06/cybercrime.cost/index.html?&hpt=hp_c2

Sony Hackers Attack National Health Service in UK

Edward Roberts — Thu, 09 Jun 2011 22:06:03 +0000

In what might be viewed as a “grey” hat or “white” hat attack, it looks like the NHS in the UK suffered a breach through Web applications from the same group that attacked Sony.

http://www.guardian.co.uk/society/2011/jun/09/nhs-computers-hacked-lulzsec

Sony Hacked Again?

Edward Roberts — Mon, 06 Jun 2011 18:26:01 +0000

Taking the concept of “kicking someone when they’re down” to a whole new level – hacker collective LulzSec continues their onslaught of Sony and compromises Sony’s systems yet again. This time the booty is details of more than 1 million customers from servers that host Sony Pictures websites.

http://news.yahoo.com/s/nm/20110603/tc_nm/us_sony

Sony Attacked Again

Edward Roberts — Tue, 31 May 2011 22:53:38 +0000

Sony’s woes continue as web properties of Sony’s and their affiliates continue to succumb to attackers. The total body count thus far comes to at least 7; with the last few being Sony’s sites in Canada, Greece, and Thailand.

It would seem that the success of the initial attacks might have encouraged others to try their luck on other Sony web properties. The impetus for this might be that if Sony’s Playstation Network can be that susceptible to an attack, some hackers might wonder what else might be up for grabs. It could very well be that Sony utilized the same approach to application development and thus suffer from the same Achilles’ heel elsewhere, or that they may not have a sufficient security practice in place to thwart attacks. Beyond this, another possible weakness that many organization suffer as a consequence of doing business is that new improvements are often times stacked on top of pre-existing older code, which can be like stacking new bricks on an old house over time, the other portion then to fail under stress and weight of the newer layers. This is further complicated by the fact that employees (i.e., developers) do flow in and out of an organization; so when developers leave, others that fill their place and assume responsibility for their code might not necessarily be aware of existing underlying issues or write code in a consistent or secure manner, which leaves room for weaknesses.

The scary truth is that at the end of the day, Sony is not unique in the issues they face. The challenge is there for almost every company out there for the same reasons above.

Former Hacker Comments on How PSN Attack May Have Gone Down

Edward Roberts — Tue, 17 May 2011 23:27:51 +0000

Mykonos Software’s Chief architect discusses the Sony PlayStation hack with PC World.