You think your web/mobile applications are safe? Think again! 10 misconceptions about web application security. Come & Meet us at #CeBIT !
1. Only big companies are threatened by hackers
We cannot even tell you how many times we have heard that. The problem is: hackers do not care about the size of your company. They don’t go around checking how many employees you have or what your turnover is. They seize every opportunity they get. Of course multinationals are more visible and thus more exposed to attacks. But for that very reason they are also better prepared, and SMEs become the easier targets. One of our clients, who owns a small digital business, learned this the hard way when he discovered that all the online payments on his website were being diverted to a foreign bank account. Moreover, have you ever considered that your competitors could be interested in what you have?
2. I have the best developers on the market
Super developers have to code fast and deliver applications that are both powerful and user-friendly. Unfortunately, they are generally not security experts. Building software and breaking it are two distinct areas of expertise. Hence the crucial importance of testing their work, security-wise, with a pentest. They will learn from the experience, and you can also train them more specifically on the topic. Let’s put it this way: the finest paintwork will always need a protective coat.
3. I use robust frameworks, so I’m safe
Robust frameworks do help to build secure code. However, this is not just a question of choosing a framework: it is all about using the framework properly with regard to security needs. We often see developers disable protections that are built into the framework because they want to speed up their development process. This is why security testing is always necessary.
4. We don’t collect sensitive data, so why bother?
Sensitive customer data is obviously and rightfully one of the main things to secure in an application. Nevertheless, it is just the tip of the iceberg. Let’s say that you run an e-commerce website: how would you react if your platform were down for 2 days? Or think about your reputation: even information that many do not consider “sensitive” is in fact sensitive. I am sure that your clients would not appreciate their emails and passwords being leaked on the internet.
Your company’s IT security is not only a matter of firewalls and security staff. You, as a non-security person, can do a lot to avoid data and sensitive information leakage. Through our security audit experience we have learned that in most companies the staff unconsciously leaves a large number of items available on the internet to anyone. These unknown items can be of many types: contact details, credentials, technical information or business data. All of them are “unknown” because they are not part of any process: they have been left behind unconsciously and without any follow-up. Attackers are fond of this data, which they can use for technical or social engineering attacks.
How can you avoid leaking such precious information? Here are some bad habits that you should definitely get rid of.
1. Using your professional contact details for personal things
The quite recent data leakage at Ashley Madison confirmed what we already knew: many people use their professional email address to register on websites. Probably because some of them don’t want to receive notifications in their personal mailbox (and risk direct exposure to their spouse).
Websites often get hacked, which leads to information disclosure such as the entire list of users’ logins and passwords. And many people tend to use the same password on different websites (including professional ones) because they find it hard to remember many different passwords. So if you use your professional email and the same password on several websites, your company is at risk.
But even when the password is different or is not disclosed, using your professional email on a website that gets hacked is dangerous. When Ashley Madison was hacked, the attackers obtained the users’ email addresses. They then used these addresses to send phishing emails offering help from lawyers after people’s accounts had been exposed. This credible pretext led many people to click on links or open attached files that could compromise their company’s information system.
The darknet is the hidden face of the web. It contains pages which are not indexed by search engines, many of them providing illegal information or services. On the darknet you can find stolen data or sensitive data that could be used for massive cyberattacks. So, could your company’s data be found on the darknet?
Deep web or Dark web?
First, there is a distinction between deep web and dark web (or darknet). The web can be compared to an iceberg:
– some part can be reached by search engines such as Google: the visible web (the tip of the iceberg)
– some part contains a vast amount of non-indexed websites: the deep web (the hidden part of the iceberg)
– the most hidden part especially contains pages concerning illegal activities such as mafia, crime or terrorism: the darknet (the bottom of the iceberg)
To access hidden websites, you need to connect to an anonymous network such as Tor, through a specific browser. The Tor network gives you access to websites whose top-level domain is .onion. Surfing on Tor is designed to be anonymous, which explains why this underground network is used by criminals but also by activists and people living in countries that censor the Internet.
MALWEAR – (n) a malicious software category causing a failure to dress properly amongst infected individuals.
DEVFLAWPER – (n) an individual who develops software, websites or apps but repeatedly adds security flaws into their code.
HACKOHOLIC – (n) an individual who surfs the World Wide Web and cannot help hacking websites.
Some functional aspects of your web platform can reveal many things about its security level. The security of a website is not limited to the functional aspects, but the level of “functional security” usually matches the level of “technical security”.
As an example, the resilience you put in the user journey is a very critical aspect.
Rather negative signs
Passwords sent by email
Some websites send passwords by email when users create their accounts. Although quite convenient, this practice is not recommended, since the password then sits in clear text in the user’s mailbox. If the mailbox is compromised, the password is compromised with it.
Even worse: some websites send the password to users repeatedly, for instance in newsletters. Despite the fact that having the password ready to copy/paste can be useful for users who have lost it, this practice is a disaster for 2 reasons:
– The password is accessible in several emails, which increases the risk of credential theft.
– If the password can technically be sent in clear text, then it is not protected well enough in the website’s database. If the website is hacked, all passwords can be stolen (as in the recent Ashley Madison attack). A properly stored password cannot be recovered in clear text.
Passwords visible in clear text
To be properly secured, passwords must not be visible on the screen when users type them. This prevents prying eyes from stealing them! Although this is becoming quite uncommon these days, some websites still show passwords in clear text to users, for instance in an account settings section or upon login.
This question can sound silly because every cybersecurity flaw is the result of human behavior. Indeed, every security flaw is the result of human work – the work of developers or system engineers.
However, hackers plan and execute attacks on several layers: infrastructure, application, and human. As technical cybersecurity solutions become more and more effective, human relationships have become a key route into increasingly secure systems.
Attack surfaces from a hacker’s view
Attacking the IT infrastructure of a company can provide access to a great deal of valuable data. A massive attack can even shut down a network, which results in very heavy losses for the target. Faced with these risks, cybersecurity experts have historically invested most of their efforts in securing servers and network architectures.
This has resulted in hackers looking for more vulnerable entry doors, such as web applications.
A logic flaw occurs when the application (website, mobile app, web service…) does not behave as expected. It generally appears when some business logic or workflow step can be skipped or circumvented.
Imagine a simple website where you can buy t-shirts. The usual workflow is the following:
The consumer adds t-shirts to the basket.
The consumer pays with their credit card.
The consumer finalizes the order.
A malicious guy comes to the website and does the following:
Adds 2 t-shirts to his basket.
Pays with his credit card.
Adds more t-shirts (10) to the basket.
Finalizes the order and gets 12 t-shirts for the price of 2.
We can compare this e-commerce example to what can happen in a “physical” supermarket: the normal workflow of a supermarket assumes that consumers put all the articles they want to purchase in their basket and then on the checkout conveyor. But what if a malicious consumer hides an article in his trolley? The cashier will not see the article and the consumer will get it for free.
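The t-shirt scenario above, replayed in code as an added example (not from the original post): a hypothetical VulnerableOrder that never ties the payment to the basket contents, beside a SafeOrder that freezes the basket at payment time and re-validates it server-side when the order is finalized. UNIT_PRICE and the class names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
UNIT_PRICE = 20  # constructed sample price per t-shirt

@dataclass
class VulnerableOrder:
    qty: int = 0
    paid: int = 0
    def add(self, n: int) -> None:
        self.qty += n  # still allowed after payment: this is the flaw
    def pay(self) -> None:
        self.paid = self.qty * UNIT_PRICE
    def finalize(self) -> dict:
        # Ships whatever is in the basket now, without comparing it to the payment.
        return {"shipped": self.qty, "paid": self.paid}

@dataclass
class SafeOrder:
    # Same shop, with payment bound to a basket snapshot and re-validated at finalize.
    qty: int = 0
    paid: int = 0
    locked_qty: Optional[int] = None  # basket quantity frozen at payment time
    def add(self, n: int) -> None:
        if self.locked_qty is not None:
            raise PermissionError("basket is locked once payment has started")
        self.qty += n
    def pay(self) -> None:
        self.locked_qty = self.qty
        self.paid = self.qty * UNIT_PRICE
    def finalize(self) -> dict:
        # Server-side recheck: even if the lock is bypassed through another endpoint,
        # nothing ships unless the basket still matches what was actually paid for.
        if self.locked_qty is None or self.qty != self.locked_qty or self.paid != self.qty * UNIT_PRICE:
            raise ValueError("basket does not match the payment; order rejected")
        return {"shipped": self.qty, "paid": self.paid}

def run_scenario(order_cls) -> dict:
    # Replays the post's scenario: pay for 2 t-shirts, then add 10 more before finalizing.
    order = order_cls()
    order.add(2)
    order.pay()
    try:
        order.add(10)
    except PermissionError:
        order.qty += 10  # simulate another endpoint that edits the basket directly
    try:
        return order.finalize()
    except ValueError as exc:
        return {"rejected": str(exc)}
```

The vulnerable shop ships 12 t-shirts for 40; the safe one rejects the order even when the basket lock is bypassed, because finalization recomputes the amount due against what was actually paid.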
Has your website been developed using a CMS? WordPress, Drupal, SPIP and many more provide great help for building ergonomic and high-performing websites. But do these websites face risks of cyber attacks? What are the risks? Here are some clues on the topic.
Are CMS more secure than “from scratch” developments?
At first sight, they tend to be more secure. If you are using one of the most popular CMS in the world, you are using a robust and technically up-to-date solution. This will not necessarily be the case with websites that have been developed “from scratch” by freelance developers or web agencies: everything will depend on the security skills of the development team.
Google’s mobile operating system Android is open, mostly, and can be distributed by many actors within the global Android ecosystem. For the best, but also for the worst.
For the best, first
Openness brings many possibilities in terms of personalization and has led to a wide diversity of mobile devices. Today’s Android ecosystem counts hundreds of manufacturers, even if only a few of them account for more than 80% of devices. On top of manufacturers, carriers also add their own touch of personalization to the devices they sell. This openness is surely part of the reason why Android is a success and why today (April 2015) more than 63% of mobile devices are running Android (iOS is now at 20.84%) according to statcounter.com.
Then, for the worse
When dealing with security updates to applications, Android does not seem to be better or worse than iOS in the way it lets developers push updated versions of their apps to app stores. However, when it comes to operating system vulnerabilities, the update process is neither simple nor prompt. Let’s take the example of a flaw discovered by a security researcher or by Google itself. Google usually fixes the vulnerability within days or weeks and makes the update available in the AOSP (Android Open Source Project) repository. But the end-user device is not updated at this point. How long does it take for devices to be updated?
Connected objects are a fast-growing phenomenon. Today there are 15 billion connected objects, and there will be 80 billion in 2020. The current technological environment offers all the ingredients for them to grow: high-speed internet networks, smartphones that can be used as monitors, and big data technologies to process the collected data. How do connected objects work? What are the risks? How can they be secured? These questions are essential to consumers who wonder about the use of their personal data.
What is a connected object?
It is an object with a connection that provides additional usable value. But unlike a computer peripheral or an interface for accessing the web (like a smartphone), its main purpose is not to provide internet access. For example, the main purpose of a connected fridge is to preserve food, but adding a connection extends its functionalities. Connected objects allow data transmission. Collecting, processing and displaying this data (food available in the fridge, electricity consumption within the house, heart rate of an individual…) constitute their key added value.