NTA Monitor

Latest News

Will IE6 be the next NT4?

1st October 2009 All penetration testers will remember the long tail of Windows NT 4.0, and how this operating system continued to be used long past the point when security updates stopped at the end of 2004. For many years the presence of an unpatchable NT4 server was a common issue in a penetration test report, and it is only now, almost five years after security support ended, that finding an NT4 system on a network is becoming a rare event. Read More

One in four web applications susceptible to high risk security flaws

7th September 2009 NTA Monitor has reported a 10% increase in the total number of web applications found to have at least one high-risk security issue... Read More

Organisations facing a changing threat landscape

20th July 2009 According to NTA Monitor's 2009 Annual Security Report, the average number of Internet security vulnerabilities is on the rise... Read More

The Return of the Insider Threat

1st July 2009 When NTA started security testing twelve years ago, the main focus was on the insider threat. There were many reports with statistics showing that most security breaches were due to insiders. By contrast there was very little focus on the external threat via Internet and third-party network links. Back then many companies did not even have a firewall. Read More

Beware the Cyber Shoplifters warns NTA Monitor

As the recession starts to bite, the threat from 'cyber shoplifting' will increase for online retailers, warns leading IT security consultancy, NTA Monitor.

The majority of online retailers use a payment provider to process payments by simply verifying the card details and checking against the billing address rather than the entire transaction. NTA has found that by manipulating form variables on an online retail site or on the back-end payment gateway, cyber shoplifters may change the amount debited from their account or change the currency with which goods are purchased, both resulting in paying less for the items in their shopping basket.

The payment provider will just take the amount logged on the card against purchases made and the online retailer is left to pick up the difference.

Of those retailers who sell online, 85 per cent have experienced internet fraud in the year to April 08 and 64 per cent said internet fraud had increased*. Roy Hills, technical director at NTA Monitor comments: "As a PCI DSS Council Approved Scanning Vendor, we know only too well the serious situations that a company with significant security vulnerabilities can find itself in. Internet fraud is on the increase and 'cyber shrinkage' looks set to get worse in the lead up to Christmas unless retailers get their shop in order."

NTA Monitor has three wise tips for online retailers over the Christmas season:

Put procedures in place to check items against the amount paid and currency before they are dispatched. Anything sent by the browser should not be trusted and should, therefore, be verified before the item is dispatched and with all user data being received by the server validated on the server side.
Perform input validation on all client input using character white lists to limit common problems such as XSS & SQL injection.
Prevention is better than cure, so perform high level testing of online applications to identify weaknesses within the 'business logic' in addition to regular PCI and OWASP testing.

*British Retail Consortium's (BRC) Retail Crime Survey 2008

This article was first released on: 1st December 2008