LRQA Nettitude Blog

eBay is in the headlines once again this week as the online auction site has reportedly been compromised by a cross-site scripting (XSS) attack, in which users were redirected to a spoof site designed to steal their credentials.  This latest attack follows an announcement from the company back in May urging its users to change their passwords after one of its databases containing encrypted passwords and other customer data had been compromised via a “small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network”.

Not your average test

Compromised credentials can render even the best security solutions obsolete, and can lead to often unnoticed security breaches.

Many people are aware of how Cross Site Request Forgery can be used to turn a victim’s browser against a vulnerable application, however vulnerabilities also exist that can turn an application server itself against the infrastructure that it is connected to.

Here at Nettitude, we have been delivering penetration tests for clients for more than a decade.  Over the last 10 years, we have seen the industry mature. Many organisations understand what penetration testing is, and as a consequence, it has become an integral part of many organisations' information security programs. However, more often than not, organisations ask us to focus on the technical aspects of a penetration test and ignore the social aspects. In many instances, we are told that ‘management’ doesn’t want to look at social engineering, and as a consequence, can we provide services that focus on the technology only?

A new year started and why change good habits - or maybe this is a New Year’s resolution? I’m just back from the second New York Metro ISSA Chapter meeting of 2012. Here is my quick wrap-up.