Flexispy Ltd – A Seychelles based company, just launched an iPhone version of their flagship product intended to facilitate spying on unsuspecting mobile users.

The company claims its iPhone version of the software supports

• SMS Logging to intercept all incoming and outgoing SMS messages.
• Reviewing Call History & Sent Emails
• GPS Location monitoring
  
• Remote Control using SMS commands
• Monitoring via secretly calling the iPhone and listening in using the iPhone’s Microphone
• Remotely uninstalling the software
• … and more

The company sells five flavors of its software varying in features and prices that start from USD 39.00.

Luckily, the product only works on Jail-Broken iPhones for now. Physical access to install the spying software is also needed. However, once installed FlexiSpy can hide all signs of the phone being jail-broken.  The best defense against FlexiSpy at this time seems to be physical security controls.

According to a recent survey of 30 CEOs and 183 of their top  executives over a six month period by the Ponemon Institute, CEOs & their top executives seem to be at a disconnect about security measures and risk exposure at their companies. The survey queried 213 senior executives including chief operating officers, division presidents, and chief information officers about their awareness on data security and threat at their companies.

Among the CEOs surveyed, 53 percent responded the chief information officer is accountable for data protection, while only 25 percent of senior executives sided with that opinion. However, nearly 85 percent of executives felt that a failure to prevent security breaches during their tenure would not jeopardize their job.

Who is responsible for security in your organization

[Source: Business Case for Data Protection - Study of CEO and other C-level Executives, Ounce Labs]

Only 3% of the CEOs responded that they perceived cyber crimes to be the the source of greatest risk to their data security, while the majority of CEOs – 31% – believed stolen or lost laptops and data storage devices to be the greatest risk.

[Source: Business Case for Data Protection - Study of CEO and other C-level Executives, Ounce Labs]

The survey also showed a great gap between measures that should be used versus those that are currently used to measure the effectiveness of data protection efforts. Respondents felt asset protection and reputation management measures should be used more.

The effectiveness of data protection efforts

[Source: Business Case for Data Protection - Study of CEO and other C-level Executives, Ounce Labs]

Over all, the survey concluded that C-level executives understand the need for good data protection measures. Even though they might be driven by regulatory and compliance needs, a rising majority understands the need for data protection practices that address reputation protection and customer trust and loyalty. The complete research report can be downloaded from Ounce Labs – the sponsor for the survey.

One of the most common and dangerous web application vulnerabilities revolve around unsafe SQL (Structured Query Language) handling in applications. SQL injection is a type of security exploit in which the attacker inserts SQL code to a Web form input box to gain access to resources or make changes to data.

Successful SQL injection attempts can cause an attacker to not only steal data from a database, but also modify and/or delete it. Certain SQL Servers may also contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire system and through it, access other systems on the network.

Testing for SQL injection vulnerabilities is often a tedious and labor intensive process. Sqlmap is a powerful tool that aid in this test process. Currently at version 0.7 release candidate 1, sqlmap is a command-line automatic SQL Injection tool developed in python.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to retrieve remote DBMS databases, user names, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

sqlmap implements multiple techniques to attempt and exploit a SQL injection vulnerability. Inferential blind SQL injection, also known as boolean based blind SQL injection, UNION query (inband) SQL injection, also known as full UNION query SQL injection and Batched (stacked) queries support, also known as multiple statements support.

In addition to the common input sources, the tool can also test cookies. Since many applications store their session information using a cookie, this is a common practice during SQL injection attempts — one that most penetration tests often overlook.

Sqlmap excels more at exploiting an identified SQL injection vulnerability than finding it. Even with the high degree of automation, it still takes some time to identify vulnerabilities and requires some knowledge of SQL injection techniques.

Latest version of sqlmap is available at sourceforge. For information on preventing SQL injection vulnerabilities, refer to this cheat sheet.

This week, we have been looking at the open source job board application – jobberbase. Originally derived from the successful Romanian IT job board jobber.ro, the current version (ver 1.6) of this job board package is very flexible and leverages smarty templates for customization. Head over to www.jobberbase.org for a standard jobberbase installation example.

Jobberbase’s main features are:

• Allows job posts with a simple one time e-mail verification
• Allows applying to jobs without requiring an account
• Browse / Search based on type (Full-time / part-time), category (E.g: Programmer) and locations of jobs
• RSS feeds of latest jobs
• Counter indicating # of applicants for each posted job
• Clean and crisp UI
• Admin control panel for maintaining jobs & stats
  Continue reading "Jobberbase – the open source job board reviewed" →