From a cybersecurity point of view, the dark web is like a huge marketplace, where sensitive data (personal data, banking data, credentials, etc.) rubs shoulders with cyberattack kits. Malware is indeed sold for between $50 and $500, and an estimated 15 billion credentials are said to be in circulation… How do you know if your corporate data is on the dark web?
After clarifying the terms deep web, dark web and dark net, we will see how to verify if your business data is available on the dark web and what to do if it is.
Web and mobile applications are at the core of most companies’ activities. Whether you have already deployed them or they are still under development, some misconceptions about their security persist, even though security is a crucial topic for conducting your business in good conditions.
Here are the 9 preconceived ideas that we most often encountered.
WordPress, Joomla, Drupal, Shopify and many more offer real possibilities for creating sites that are both ergonomic and efficient. However, a negative image is still associated with CMS websites: they are supposedly insecure and easy targets for malicious hackers.
What are the risks of cyberattacks on these sites? What specific elements of CMS are to be monitored?
If you are in charge of a CMS platform, this article will help you to identify the main risks and will provide you with points of vigilance to reinforce the level of security.
Because it combines IT skills with knowledge of human psychology. In fact, a phishing email relies on human psychological drivers first to get the email opened and then to push the recipient to click.
Technical skills are of course necessary to increase the likelihood of clicks, e.g. to spoof a legitimate sender, to create an interface clone, to forward to malicious domains, etc.
But today, we will look into the psychological drivers that drive action during phishing. We have taken 8 commonly used drivers and associated them with different subjects that can be used as pretexts for phishing.
Your company’s IT security is not only a matter of firewalls and security staff. You, as a non-security person can do a lot to avoid data and sensitive information leakage.
Through our security audit experience we have learned that in most companies the staff unconsciously leaves a large amount of information available on the internet to anyone.
These unknown elements can be of many types, like contact details, credentials, technical information or business data. All of them are “unknown” because they are not part of any process: they have been left unconsciously and without any follow-up. Attackers are fond of this data, which they can use for technical or social engineering attacks.
How can you avoid leaking such precious information? Here are some bad habits that you should definitely get rid of.
1. Using your professional contact details for personal things
The quite recent data leakage on Ashley Madison confirmed what we already knew: many people use their professional address (email) to register on websites. Probably because some of them don’t want to receive notifications on their personal emails (and risk direct exposure with their spouse).
Websites often get hacked, which leads to information disclosure such as the entire list of users’ logins and passwords. And many people tend to use the same passwords on different websites (including professional ones) because they find it hard to remember many different passwords. So if you use your professional email and the same password on different websites, your company is at risk…
But even when the password is not the same or does not get disclosed, using your professional email on a website that gets hacked is dangerous. When Ashley Madison got hacked, attackers had the users’ email addresses. They then used these addresses to send phishing emails offering help from lawyers after people’s accounts had been hacked. This relevant pretext led many people to click on links or open attached files… that could compromise their company’s information system.
MALWEAR – (n) a malicious software category causing a failure to dress properly amongst infected individuals.
DEVFLAWPER – (n) an individual who develops software, websites or apps but repeatedly adds security flaws into their code.
HACKOHOLIC – (n) an individual who surfs the World Wide Web and cannot help hacking websites.
Some functional aspects of your web platform can reveal many things about its security level.
The security of a website is not limited to the functional aspects, but the level of “functional security” usually matches the level of “technical security”.
As an example, the resilience you put in the user journey is a very critical aspect.
Rather negative signs
Passwords sent by email
Some websites send passwords by email when users create their accounts.
Although quite convenient, this scenario is not recommended, since the password is then visible in the user’s mailbox. If the mailbox is hacked, the password can no longer be trusted.
Even worse: some websites frequently send the password to users, for instance in newsletters. Despite the fact that having the password ready to copy/paste can be useful for users who have lost it, this practice is a disaster for 2 reasons:
– The password is accessible in several emails, which increases the risk of credential theft.
– If the password can technically be sent in clear text, then it means that it is not protected enough in the website’s database. If the website is hacked, then all passwords can be stolen (like in the recent Ashley Madison attack). A properly stored password cannot be recovered in clear text.
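The second reason above is a check a developer can make on their own code base: if the application can produce the clear-text password for an email, it is storing something reversible. The example below is added here and is not code from the original article; it contrasts a reversible record with a salted PBKDF2 hash (hashlib.pbkdf2_hmac from the standard library) and shows that only the reversible record can be "sent back". The function names and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation).
PBKDF2_ITERATIONS = 600_000


def store_reversible(password: str) -> dict:
    """Anti-pattern: keep the clear-text password so it can be emailed back.
    Anyone who reads the database (or an email containing it) has the password."""
    return {"scheme": "clear", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Recommended: store a random salt and a slow, one-way hash of the password.
    The clear-text password cannot be recovered from this record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type, in constant time."""
    if record["scheme"] == "clear":
        return hmac.compare_digest(record["secret"].encode("utf-8"), candidate.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def can_send_password_back(record: dict) -> bool:
    """A site can only put the password in a newsletter or reminder email if the
    stored record lets it read the password back. That is the red flag the
    article describes: this is True only for the reversible scheme."""
    return record["scheme"] == "clear"


if __name__ == "__main__":
    # Constructed sample credential, not a real user.
    pw = "correct horse battery staple"
    hashed = store_hashed(pw)
    print("login ok:", verify(hashed, pw))                        # True
    print("wrong password:", verify(hashed, "wrong"))             # False
    print("can email it back (hashed):", can_send_password_back(hashed))               # False
    print("can email it back (clear):", can_send_password_back(store_reversible(pw)))  # True
```

Two hashed records for the same password also differ from each other because of the random salt, so a database leak does not reveal which users share a password, whereas the reversible record gives everything away immediately.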
Passwords visible in clear text
To be properly secured, passwords must not be visible on the screen when users type them. This prevents prying eyes from stealing them!
Although this is becoming quite uncommon these days, some websites still show passwords in clear text to users, for instance in an account settings section or upon login.
This question can sound silly because every cybersecurity flaw is the result of human behavior. Indeed, every security flaw is the result of human work – the work of developers or system engineers.
However, hackers plan and execute attacks on several layers: infrastructure, application, and human. As technical cybersecurity solutions become more and more efficient, the human layer becomes a key entry point into increasingly secure systems.
Attack surfaces from a hacker’s view
Attacking the IT infrastructure of a company can provide access to a great deal of valuable data. A massive attack can even shut down a network, which results in heavy losses for the target. Faced with these risks, cybersecurity experts first invested most of their efforts in securing servers and network architectures.
This has resulted in hackers looking for more vulnerable entry doors, such as web applications.
Business logic flaws remain a type of little-known vulnerability in IT-Security. They are not errors in the logical reasoning, but flaws related to the working of a web application. They are different from technical vulnerabilities, which directly relate to code, implementation or configuration errors.
We regularly find logic flaws during penetration tests, on all types of applications. We find them most frequently on e-commerce sites and SaaS software.
Google’s mobile operating system Android is open, mostly, and can be distributed by many actors within the global Android ecosystem.
For the best, but also for the worst.
For the best, first
Openness brings many possibilities in terms of personalization and has led to a diversity of mobile devices.
Today’s Android ecosystem counts hundreds of manufacturers, even if only a few of them account for more than 80% of devices.
On top of manufacturers, carriers also bring their own touch of personalization to the devices they sell.
This openness is for sure part of the reason why Android is a success and why today (April 2015) more than 63% of mobile devices are running Android (iOS is now at 20.84%) according to statcounter.com.
Then, for the worse
When dealing with security updates on applications, Android does not seem to be better or worse than iOS in the way it allows developers to push updated versions of their apps to app stores.
However, when it comes to operating system vulnerabilities, the update process is neither simple nor prompt.
Let’s take the example of a flaw that is discovered by a security researcher or by Google itself. Google usually fixes the vulnerability within days or weeks and makes the update available in the AOSP (Android Open Source Project) repository. But the end-user device is not updated at this point. How much time does it take for devices to be updated?