Everyone, their mom and their dog has been confronted with Internet security. Everywhere in life, the mainstream media, workplace policies, and even casual social life include news and warnings about cybersecurity. Facebook, Google, and Twitter are constantly in the international news, accused of privacy violations and of having a negative impact on younger people by shifting their lifestyles toward screen engagement. In addition, many people have had the personal experience of their online accounts or personal computer being hacked. On a national security level, just last week American oil pipeline company Colonial paid 4.4 million dollars to recover ransomed data. So, do we all need a deeper understanding of Internet / IT security? Yes. It’s a big, complicated field but also an important one for users to understand. So put your seat belt on and let’s do a deep dive into Internet security. What do…
Information Technology
Introduction The Alexa Top Websites (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and compare the popularity of different websites (Wikipedia). To gauge the security posture of the internet as a whole, mapping information from the Alexa Top Sites is useful. AlexaCheck.py assists by building a PostgreSQL database that stores header information from each website, the first listed resolved IP address, the HTTP response code, and MX records. The header information also includes cookies that are passed during an initial connection. This approach was used to examine the security of the Alexa Top Websites in the research paper CookiExt: Patching the Browser Against Session Hijacking Attacks. AlexaCheck.py can also accept a list of other domains you want to check for forced TLS encryption and inspect cookies and other header information. Specific HTTP Security Risks SSL/TLS Enforcement The Alexa Check database allows analysis of a particular website…
Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. … Our analysis of the Alexa-ranked top 1000 popular websites gives clear evidence that such risks are far from remote, as the HttpOnly and Secure flags appear as yet to be largely ignored by web developers. – CookiExt: Patching the Browser Against Session Hijacking, Journal of Computer Security (2015). Summary of Session-hijacking attacks When you log in to a website, the web server creates a “session” to identify you by sending the client browser a session cookie. Cookies have functions other than sessions, but perhaps the most important use of cookies from a security perspective is managing your “state” or “session-state”. This is because a single IP address may have many clients connecting to the server, so…
NOTE: This vulnerability has been patched in Safari. Last week, Rafay blog wrote a short blog piece about the recently publicized browser URL spoofing vulnerability in Safari. To summarize, the browser bar is considered the only reliable security indicator to validate the authenticity of the website. That means looking at the URL bar at the top of your browser and checking that the domain contained in the URL matches the domain of the site you expect to be visiting. If it says “google.com” or “facebook.com” you should be able to reliably tell that you are on the correct website. In addition, all browsers include a symbol to show whether the SSL/TLS certificates have been properly validated to authenticate the identity of the server you are communicating with, as well as to initialize an encrypted connection that protects your data as it transits the internet. Besides the recent publicized vulnerability in Safari,…
Monitoring your network traffic and sniffing packets for rogue connections is an important step in determining whether data exfiltration is happening on your network. Monitoring traffic can also uncover legitimate processes that are broadcasting or poking around your network. Wireshark, tshark, or tcpdump can monitor network traffic, and a more robust Network Intrusion Detection System (NIDS) can attempt to detect and parse out anomalous traffic. If the process is legitimate, you may want to simply disable it, and if it's not legitimate, initiate an incident response process. But how do you determine which process is initiating the network traffic? Wireshark does not provide any process ID (PID) or name. The following examples show how to get the process ID and name on a client that has open connections and is also attempting to make remote connections to two different servers on the local network. You can see that the processes…
Part 2 of this article is aimed at demonstrating how to code an accept-list validation class in PHP. We will start with a classic example of request routing where an HTTP GET request will include a “page=” parameter, which tells the server which page the user is requesting, and an empty “?action” parameter, which tells the server-side application which HTTP POST data to expect in the request. However, this model of input validation can be modified to handle other forms of HTTP GET and POST attribution to specify the data request. Let’s start with the basics of compiling the accept-lists for GET and POST. This is specified as a config file as shown below. The configuration is set up as constants that hold arrays. This does a couple of things. Firstly, it makes the values global, so they can be accessed from anywhere in the application code. Secondly, it prevents…
Input handling is a key aspect of secure web design. But what makes a good data validation/sanitation engine? The implementation depends greatly on the language and framework that your site is built on. However, best practices across IT security topics maintain that “whitelisting” or “strict checking” is a more secure way to validate. The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. Below are some excerpts from their advisories on input validation. After the quotes from OWASP, the article will use the terms “strict checking” and “accept list” to refer to whitelisting and “blocklist” to refer to blacklist. OWASP Input Validation Cheat Sheet Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering…
This article attempts to give an overview of how IT vulnerabilities are categorized during their life-cycle. Understanding the terms related to the various stages of IT security vulnerabilities allows a better understanding of what a proper security policy framework should include. First let's cover the stages: Unknown – vulnerabilities that exist but nobody knows about them. The vulnerability is not designed in or put into the software or hardware by a malicious actor. These vulnerabilities are caused by poor implementation. Software coding standards and software development guidelines attempt to prevent these types of vulnerabilities from happening, but complex constructs in software programming languages that are difficult to implement properly can be a large source of vulnerabilities. Unknown vulnerabilities may be discovered through static code analysis and “fuzzing” (automated testing) by malicious actors, bug hunters, or security threat hunters. Known – once the vulnerability has been discovered, it may fall into…
If you are responsible for securing a network, you should know that monitoring reliable IT security news is now critical to mitigating threats to your precious goods. Prioritizing that news landscape and rolling out a timely response is also critical to a solid recipe for security. While it is not realistic to expect security architects to have that kind of response time, if you are ignoring IT security news, you might need those backups you have been diligently maintaining, or worse. Building a solid incoming information pipeline requires an analysis of the IT security news landscape. The most fundamental elements of this landscape include threat advisories & guidelines, updates to best practices and standardization recommendations, and changing legal requirements if they apply to your organizational assets. Threat analysis reports and newly released Common Vulnerabilities and Exposures details (CVEs) are critical secondary elements that relay more detailed information about vulnerabilities affecting specific software. …
What is red-teaming? An important term in the IT security context, a red team (red cell) is a group of hackers with various skill-sets who simulate attacks on the network infrastructure. By contrast, the blue team’s job is to defend the network. Red teams follow a specific set of rules known as the rules of engagement, which stipulate what types of attacks are allowed and the points in the attack at which they should stop and report. The attacks may employ technical, physical, social or process-based attack vectors. This is intended to cover all aspects of an organization’s security controls: physical, administrative, and technical. The red team supports step 4 of the NIST Risk Management Framework, which is to assess the security controls. Taking the steps of the cyber-kill-chain into account (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives), the red team may simply seek to gain reconnaissance…