The Mykonos Web Application Security BlogStats

Recently we sponsored an interesting Webinar with Black Hat titled ‘A Journey into the Privacy and Security Risks of a Cloud Computing Service’. Speakers were Marco Balduzzi and David Koretz, Mykonos Software, a Juniper Networks company,  VP and GM.

Throughout you’ll learn about some cutting edge security research about the risks around deploying cloud services.

Cloud services such as Amazon’s EC2 and IBM SmartCloud allow users to create and share virtual images (AMIs) with other users. In addition to these user-shared images, the cloud providers also provide AMIs that have been preconfigured with popular software such as open source databases and web servers.

This talk explores both the privacy and the security risks associated with renting and using public AMIs from cloud computing providers. We will present SatanCloud, our automated system that we used to analyze and test over 5,000 server images provided by Amazon in its four data centers of US, Europe and Asia. From our analysis, we discovered that both the users and the providers of public AMIs are vulnerable to security risks such as data leakage, unauthorized access, malware infections, and loss of sensitive information. All our findings have been acknowledged by the Amazon’s Web Services Security Team that has already taken steps to properly address them.

To watch the webinar click here.

Marco Balduzzi’s slides are available here.

Mykonos Software’s slides are available here.

Today, we are proud to announce that Mykonos Software was acquired by Juniper Networks.

We are excited to join the Juniper Networks family and believe that the cultures and mission of both organizations are strongly aligned. Both of us share the vision of transforming the security industry and changing the ROI of hacking by making it costly, time consuming and tedious for attackers. Juniper’s strong history of technology execution combined with Mykonos Software’s innovative Web security product ideally positions us to deliver an end-to-end security portfolio that provides an always protected environment across devices, applications, the network and the cloud.

Our CEO, David Koretz said it best: “We believe the combination of Mykonos’ groundbreaking technology and Juniper’s proven expertise in developing and productizing some of the industry’s most disruptive innovations, will deliver clear advantages for customers that reduce security risk and lower total cost of ownership. We are excited about the opportunity to leverage Juniper’s world-class organization and market-leading product portfolio to deliver tightly integrated, proactive web application security to customers.

Since our company was founded in 2009, we have been acknowledged as an industry innovator bringing to market our intrusion deception product – the Mykonos Web Security – to help solve the problem of hackers on website and web applications.

This acquisition will help bring this solution to a wider market and Mykonos Software customers and partners will benefit from Juniper’s scale, expanded product portfolio, strong services capabilities, enhanced go-to-market approach and commitment to customers.

This is an exciting time at Mykonos Software. The RSA Conference is going to be very different next week as we launch as a Juniper Networks Company.

View Press Release

Recent news from anonymous that they plan to destroy Facebook on November 5. If you know the story about Guy Fawkes you understand that he was arrested as part of the Gun powder plot which unsuccessfully tried to blow-up the Houses of Parliament in 1605. So five centuries later are we supposed to equate facebook with a nation’s Government? After all Facebooks population of 700M is larger than most countries.

It’s been reported that that Lulz Security, who have been responsible for hacks against companies such as Fox.com and AT&T, have called it quits and are disbanding. Despite this news, companies shouldn’t be take too much of a sigh of relief. Instead, they should continue to remain vigilant with regards to security. Though the six member hacking group won’t continue to hack as a collective team, nothing stops its members from hacking individually or joining other groups.

Cybercrime for Sony recently cost them a reported $171M but some costs are hidden and never reported. This CNN article offers a perspective on explaining the hidden impact of Cybercrime.

http://www.cnn.com/2011/BUSINESS/06/06/cybercrime.cost/index.html?&hpt=hp_c2

In what might be viewed as a “grey” hat or “white” hat attack, it looks like the NHS in the UK suffered a breach through Web applications from the same group that attacked Sony.

http://www.guardian.co.uk/society/2011/jun/09/nhs-computers-hacked-lulzsec

Taking the concept of “kicking someone when they’re down” to a whole new level – hacker collective LulzSec continues their onslaught of Sony and compromises Sony’s systems yet again. This time the booty is details of more than 1 million customers from servers that host Sony Pictures websites.

http://news.yahoo.com/s/nm/20110603/tc_nm/us_sony

In recent news, Fox.com was successfully hacked and compromised. The group Lulz Security have claimed credit for the attack.

As a consequence of the attack on Fox.com, more than 250,000 X-Factor potential contestants may have had their personal information compromised. Additionally, as many as 300 Fox Broadcasting employees have fallen victim. Lulz Security have begun releasing the email and passwords of those employees, and have indicated that they will keep leaking of the compromised data every Monday.

http://gawker.com/5800366/database-of-fox-employees-passwords-and-emails-leaked

A second Sony site was shutdown earlier this week, after the company noticed that it was breached. Sony maintains that this is part of the original April attack.

Regardless of whether the this is something that this is the same attack or not, the consequence is clear. The cost of inadequately secured web apps and sites can be extremely detrimental to companies both from a financial and legal perspective.

Thus far, according to the Wall Street Journal, Sony has disclosed that 77 million accounts have been affected in the original April attack. While in the latest discover breached site in May, another 24.6 million accounts were compromised. This brings the total to 100 million customer accounts. Embarrassment is the least of Sony’s worries as it’s been report that suit is being filed against the company by its customers.

Sony should serve as a lesson to many of the importance of securing one’s website from attacks. As the saying goes, “the best defense is a good offense,” which in our opinion underscores the importance of being able to detect and prevent attacks before it happens and not after.

http://online.wsj.com/article/SB10001424052748704436004576299491191920416.html