June 16, 2021

Qualys Launches IronBee Web Application Firewall

Qualys Inc. has announced IronBee, a new web application firewall (WAF), during the RSA Conference USA 2011. This new WAF will be created under an open source license and aims to produce a web application firewall sensor that is secure, high-performing, portable and freely available – even for commercial use.

Web application firewalls differ from traditional firewalls in that they are specifically designed to protect web servers (and web applications) from attacks. A WAF sits between the web application users (and their browsers) and the web server. It analyses the HTTP traffic (including SOAP, XML-RPC, etc.) and determines if the server is under attack. As such, a WAF can protect the web server from Cross Site Scripting (XSS) attacks, SQL injection attacks, session hijacking and so on.

The key to this new project is community. Ivan Ristic, the project architect who previously worked on ModSecurity (an open source web application firewall engine for Apache), said on his blog that the focus is “on community-building first, code second. To that end, not only is the project open source, but it uses the Apache 2 license and does not require copyright assignments from contributors.”

The official web site is www.ironbee.com and there is a white paper here.

Google to Offer Two Step Login for all Google Accounts

As more and more of us become dependent on our online accounts, Google is taking the lead in offering enhanced security for all Google accounts. If you use Gmail, Blogger, Picasa Web Albums or Google Docs, you most likely have a Google account. If that account is compromised, then all your emails, private albums and documents become exposed and, worse, your attacker can use your account for fraudulent and/or nuisance activities.

Most, if not all, online banking services offer a two step verification process where, along with a username and password, a second authentication token is required to successfully log in. This token is normally in the form of a 4- or 6-digit number which is either sent to your mobile phone (via SMS) or generated by some kind of dedicated hardware device (for example, a card reader which is used in conjunction with your bank card). Once your username and password are entered along with the code, you can access the system. The idea is that if your username and password become compromised, the hacker can’t access your account as they have no way of generating or receiving the secondary code.

Google are now to start offering the same service for all Google accounts. Once you enable 2-step verification, you’ll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device.

Google has posted a blog entry about this new functionality here and there is additional help here.

Bohu Trojan is Designed to Disable Cloud-Based Antivirus

A recent blog entry from the Microsoft Malware Protection Center describes new malware (called Win32/Bohu.A) which is specifically designed to disable and mislead cloud-based antivirus software.

Cloud-based antivirus software differs from traditional antivirus software in that the antivirus client (running on the PC) sends important threat data to a server for backend analysis, and subsequently receives further detection and removal instruction.

The Bohu Trojan originates in China, where there is a predominant use of cloud-based antivirus software. Once a Windows-based machine is infected, the malware installs different network level filters to disrupt and block the antivirus client from accessing the backend antivirus services on the Internet.

As well as writing random data at the end of its key payload components to avoid hash-based detection, Bohu also installs a Windows Sockets service provider interface (SPI) filter to block the antivirus network traffic as well as a Network Driver Interface Specification (NDIS) filter. The NDIS filter then stops the antivirus client from uploading data to the server by looking for the server addresses in the data packets.
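Why appended random data defeats whole-file hash matching, and one way a defender can normalise for it, shown as an added example that is not code from the Microsoft write-up or from this article. It assumes the payload components are PE files and that the random bytes land after the last section (the overlay); the sample bytes and all function names are constructed for illustration.

```python
import hashlib
import os
import struct


def overlay_offset(data: bytes) -> int:
    """File offset where the last PE section's raw data ends (overlay start)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    end = table + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def full_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_hash(data: bytes) -> str:
    """SHA-256 of headers and sections only; appended bytes are ignored."""
    return hashlib.sha256(data[:overlay_offset(data)]).hexdigest()


def build_sample(body: bytes) -> bytes:
    """Constructed PE-shaped file: DOS stub, COFF header, one .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(body), 0x1000, len(body), 128, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + body


# Constructed samples: one image, two copies with different random tails.
BASE = build_sample(b"\x90" * 32)
VARIANT_A = BASE + os.urandom(16)
VARIANT_B = BASE + os.urandom(48)

if __name__ == "__main__":
    for name, blob in (("base", BASE), ("a", VARIANT_A), ("b", VARIANT_B)):
        print(name, full_hash(blob)[:16], image_hash(blob)[:16],
              "tail:", len(blob) - overlay_offset(blob))
```

Legitimate files also carry overlay data (Authenticode signatures and installer payloads live there), so an overlay-stripped hash is best used alongside the whole-file hash as a clustering key, not as a replacement for it.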

Network Box Whitepaper: Guide to Cloud Security

Cloud computing offers some great opportunities in security, particularly in email and web security. It has a huge impact on the cost of business operation and IT infrastructure.

However, it is important to remember that it is difficult to provide complete network security purely from the cloud. Network Box has released a short whitepaper to guide users and professionals in cloud security.

Download Network Box: Guide to Cloud Security here.