
Web and mobile applications are at the core of most companies’ activities. Whether you have already deployed them or they are still under development, some misconceptions about their security persist, even though security is a crucial condition for conducting your business properly.

Here are the 9 preconceived ideas that we have encountered most often.

WordPress, Joomla, Drupal, Shopify and many more offer real possibilities for creating sites that are both ergonomic and efficient. However, a negative image is still associated with CMS websites: they are said to be insecure and easy targets for malicious hackers.

CMS and security

What are the risks of cyberattacks on these sites? What specific elements of CMS are to be monitored?

If you are in charge of a CMS platform, this article will help you to identify the main risks and will provide you with points of vigilance to reinforce the level of security.

Do you know why phishing is so dangerous?

Because it combines IT skills with knowledge of human psychology. A phishing email relies on human psychological drivers first to get the email opened and then to push the recipient to click.

Technical skills are of course necessary to increase the likelihood of clicks, e.g. to spoof a legitimate sender, to create an interface clone, to forward to malicious domains, etc.

But today, we will look into the psychological drivers that prompt action during phishing. We have taken 8 commonly used drivers and associated them with different subjects that can serve as pretexts for phishing.

Your company’s IT security is not only a matter of firewalls and security staff. You, as a non-security person, can do a lot to avoid leaking data and sensitive information.
Through our security audit experience we have learned that in most companies the staff unconsciously leaves a large amount of information available on the internet to anyone.
These unknown elements can be of many types: contact details, credentials, technical information or business data. All of them are “unknown” because they are not part of any process: they have been left unconsciously and without any follow-up. Attackers are fond of this data, which they can use for technical or social engineering attacks.

How can you avoid leaking such precious information? Here are some bad habits that you should definitely get rid of.


1. Using your professional contact details for personal things

The quite recent data leak at Ashley Madison confirmed what we already knew: many people use their professional email address to register on websites, probably because some of them don’t want to receive notifications on their personal email (and risk direct exposure to their spouse).

Websites often get hacked, which leads to information disclosure such as the entire list of users’ logins and passwords. And many people tend to use the same password on different websites (including professional ones) because they find it hard to remember many different passwords. So if you use your professional email and the same password on several websites, your company is at risk.

But even when the password is different or is not disclosed, using your professional email on a website that gets hacked is dangerous. When Ashley Madison got hacked, the attackers had the users’ email addresses. They then used these addresses to send phishing emails offering help from lawyers after people’s accounts had been hacked. This relevant pretext led many people to click on links or open attached files that could compromise their company’s information system.

The darknet is the hidden face of the web. It contains pages which are not indexed by search engines, many of them providing illegal information or services. On the darknet you can find stolen data or sensitive data that could be used for massive cyberattacks. So, could your company’s data be found on the darknet?

Deep web or Dark web?

First, there is a distinction between the deep web and the dark web (or darknet). The web can be compared to an iceberg:
– some part can be reached by search engines such as Google: the visible web (the tip of the iceberg)
– some part contains a vast amount of non-indexed websites: the deep web (the hidden part of the iceberg)
– the most hidden part mainly contains pages concerning illegal activities such as mafia, crime or terrorism: the darknet (the bottom of the iceberg)

To access hidden websites, you need to connect to an anonymous network such as Tor through a specific browser. The Tor network enables you to access websites whose top-level domain is .onion.
Surfing on Tor is completely anonymous, which explains why this underground network is used by criminals but also by activists and by people living in countries that censor the Internet.


MALWEAR – (n) a malicious software category causing a failure to dress properly amongst infected individuals.
DEVFLAWPER – (n) an individual who develops software, websites or apps but repeatedly adds security flaws into their code.
HACKOHOLIC – (n) an individual who surfs the World Wide Web and cannot help from hacking websites.

Some functional aspects of your web platform can reveal a lot about its security level.
The security of a website is not limited to its functional aspects, but the level of “functional security” usually matches the level of “technical security”.

As an example, the resilience you put in the user journey is a very critical aspect.

Rather negative signs

Passwords sent by email

Some websites send passwords by email when users create their accounts.
Although quite convenient, this practice is not recommended, since the password then sits in the user’s mailbox. If the mailbox is hacked, the password can no longer be trusted.

Even worse: some websites send the password to users repeatedly, for instance in newsletters. Although having the password ready to copy and paste can be useful for users who have lost it, this practice is a disaster for 2 reasons:
– The password is accessible in several emails, which increases the risk of credential theft.
– If the password can technically be sent in clear text, it means that it is not protected enough in the website’s database. If the website is hacked, all passwords can be stolen (as in the recent Ashley Madison attack). A properly stored password is hashed and cannot be recovered in clear text.

Passwords visible in clear text

To be properly secured, passwords must not be visible on the screen when users type them. This prevents prying eyes from stealing them!
Although this is becoming quite uncommon these days, some websites still show passwords in clear text to users, for instance in an account settings section or upon login.


This question can sound silly, because every cybersecurity flaw is ultimately the result of human behavior. Indeed, every security flaw is the result of human work – the work of developers or system engineers.

However, hackers plan and execute attacks on several layers: infrastructure, application and human. As technical cybersecurity solutions become more and more efficient, human relationships become a key entry point for penetrating increasingly secure systems.

Diversity of threats

Attack surfaces from a hacker’s view

Attacking the IT infrastructure of a company can provide access to a lot of valuable data. A massive attack can even shut down a network, which results in very heavy losses for the target. Faced with these risks, cybersecurity experts have first invested most of their efforts in securing servers and network architectures.

As a result, hackers have been looking for more vulnerable entry points, such as web applications.

What is a web application logic flaw?

A logic flaw occurs when the application (website, mobile app, web service…) does not behave as its designers expected.
It generally happens when some step of the logic or workflow can be skipped or circumvented.

Imagine a simple website where you can buy t-shirts.
The usual workflow is the following:

  1. The consumer adds t-shirts to the basket.
  2. The consumer pays with their credit card.
  3. The consumer finalizes the order.

A malicious guy comes to the website and does the following:

  1. Adds 2 t-shirts to his basket.
  2. Pays with his credit card.
  3. Adds more t-shirts (10) to the basket.
  4. Finalizes the order and gets 12 t-shirts for the price of 2.

We can compare this e-commerce example to what can happen in a “physical” supermarket:
The normal workflow of a supermarket assumes that consumers put all the articles they want to purchase in their basket and then on the checkout conveyor belt.
But what if a malicious consumer hides an article in his cart? The cashier will not see the article and the consumer will get it for free.
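To make the t-shirt workflow concrete, here is an added Python example (not code from the original post): a toy checkout whose finalization step trusts the fact that a payment happened, beside one that re-validates the captured payment against the basket total at finalization. Prices and quantities are constructed for the illustration.

```python
# Added example (not from the original post): a toy t-shirt checkout.
# Prices and quantities are constructed. The vulnerable finalize trusts a
# "paid" flag; the hardened one requires the captured payment to match the
# basket total at finalization, so items added after payment are caught.
PRICE = 20  # constructed unit price per t-shirt


class Basket:
    def __init__(self):
        self.quantity = 0
        self.paid_amount = None  # amount actually charged, None until paid

    def add(self, n):
        self.quantity += n

    def total(self):
        return self.quantity * PRICE

    def pay(self):
        # Charge the current total and record what was actually captured.
        self.paid_amount = self.total()
        return self.paid_amount


def finalize_vulnerable(b):
    """Ships the basket whenever *some* payment was recorded (the flaw)."""
    if b.paid_amount is None:
        raise ValueError("not paid")
    return b.quantity  # never compares the payment to what is being shipped


def finalize_hardened(b):
    """Ships only if the captured payment covers the current basket."""
    if b.paid_amount is None or b.paid_amount != b.total():
        raise ValueError("basket changed after payment; re-authorise")
    return b.quantity


def run_flow(finalize):
    """Replay the post's sequence: pay for 2 shirts, add 10 more, finalize."""
    b = Basket()
    b.add(2)
    charged = b.pay()
    b.add(10)  # the step the application should not silently accept
    try:
        return {"shipped": finalize(b), "charged": charged}
    except ValueError as e:
        return {"shipped": 0, "charged": charged, "error": str(e)}
```

Locking the basket after payment (rejecting `add` once `paid_amount` is set) is the complementary fix; the comparison at finalization catches the case even when the lock is bypassed.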


Google’s mobile operating system Android is open, mostly, and can be distributed by many actors within the global Android ecosystem.
For the best, but also for the worst.

For the best, first

Openness brings many possibilities in terms of personalization and has led to a diversity of mobile devices.
Today’s Android ecosystem counts hundreds of manufacturers, even if only a few of them account for more than 80% of devices.
On top of manufacturers, carriers also bring their own touch of personalization to the devices they sell.
This openness is surely part of the reason why Android is a success and why today (April 2015) more than 63% of mobile devices are running Android (iOS is now at 20.84%) according to statcounter.com.

Then, for the worse

When dealing with security updates for applications, Android does not seem to be better or worse than iOS in the way it allows developers to push updated versions of their apps to app stores.
However, when it comes to operating system vulnerabilities, the update process is not really simple or prompt.
Let’s take the example of a flaw discovered by a security researcher or by Google itself. Google usually fixes the vulnerability within days or weeks and makes the update available in the AOSP (Android Open Source Project) repository. But the end-user device is not updated at this point. How much time does it take for devices to be updated?
