The websec digest #8
The Guardian made some waves on the Web when it released a story about a backdoor in the popular WhatsApp messaging service. Unfortunately, the article turned out to be pure sensationalism, and actually described a legitimate feature as a backdoor. The culprit is WhatsApp’s mechanism for dealing with changing encryption keys (e.g. when you switch devices), which can also be abused for malicious purposes. A successful attack would compromise future messages, but would not allow an attacker to decrypt past messages. The real problem here is that the article creates doubt around a secure messaging mechanism, which may result in people choosing less secure alternatives for no good reason.
Data breaches are a popular theme in earlier editions of the websec digest. Using tools like Have I Been Pwned, you can check whether your information appears in one of these publicly released data dumps. Here’s a step-by-step explanation of how Troy Hunt, the guy behind Have I Been Pwned, actually investigates potential data breaches before loading them up in the database.
Did you hear about the largest public bug bounty payout? Last week, Facebook awarded $40,000 to a researcher who was able to abuse an ImageMagick vulnerability on Facebook systems, giving him the possibility to execute remote code. The actual exploit requires bypassing Facebook’s firewalls using a DNS tunnelling trick, which is actually pretty clever. A good example of how a bug bounty program should work!
The web has been buzzing about Google’s Infrastructure Security Design Overview. In this document, Google outlines how they approach security in their infrastructure, and provides some (high-level) information on how to tackle security on every layer. It’s only 16 pages, so if you have some time to spare, I can definitely recommend going through the document. You’ll see what a modern infrastructure looks like, and how much the security landscape has changed from a decade ago.
Last year, GitHub shared a wonderfully detailed blog post describing their ongoing efforts to deploy CSP and keep their users safe. Last week, they shared another technical masterpiece, titled “GitHub’s post-CSP journey”. In this post, they explain the next steps in their security efforts, after having deployed CSP. Topics include information leakage through img tags, securing cookies with the SameSite flag and other obscure attack vectors.
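To make the SameSite part of that post concrete, here is an added example (not code from GitHub’s post or from this digest) in JavaScript: a helper that emits a hardened Set-Cookie header, and a small model of the rule a browser applies to decide whether a cookie with a given SameSite mode is attached to a cross-site request, such as a request triggered by an img tag on another site. The request shape (`crossSite`, `topLevelNavigation`, `method`) and the function names are assumptions made for this illustration.

```javascript
// Added example: emit a Set-Cookie header with SameSite and model which
// cross-site requests would carry the cookie. Not code from GitHub's post.

// Build a Set-Cookie header value. Defaults are the hardened ones:
// Secure, HttpOnly and SameSite=Lax. SameSite=None without Secure is
// rejected, since browsers refuse such cookies.
function buildSetCookie(name, value, opts = {}) {
  const {
    sameSite = 'Lax',
    secure = true,
    httpOnly = true,
    path = '/',
    maxAge,
  } = opts;
  const modes = ['Strict', 'Lax', 'None'];
  if (!modes.includes(sameSite)) {
    throw new Error(`SameSite must be one of ${modes.join(', ')}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  // Reject characters that would let a value smuggle in extra attributes.
  if (/[;=\s]/.test(name) || /[;\s]/.test(value)) {
    throw new Error('cookie name/value contains ";", "=" or whitespace');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (typeof maxAge === 'number') parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Read the SameSite attribute back out of a Set-Cookie value.
// Modern browsers treat a missing attribute as Lax.
function parseSameSite(setCookie) {
  const attrs = setCookie.split(';').map((s) => s.trim());
  const hit = attrs.find((a) => a.toLowerCase().startsWith('samesite='));
  return hit ? hit.slice('samesite='.length) : 'Lax';
}

// Model of the browser's SameSite decision (assumed request shape):
//   crossSite          - the request originates from a different site
//   topLevelNavigation - a navigation (link click, form submit), not a
//                        subresource load such as <img src=...>
//   method             - the HTTP method
function cookieWouldBeSent(setCookie, req) {
  const mode = parseSameSite(setCookie);
  if (!req.crossSite) return true; // same-site requests always carry it
  switch (mode) {
    case 'Strict':
      return false; // never sent cross-site
    case 'Lax':
      // only on top-level navigations with a safe method
      return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method);
    case 'None':
      return true; // sent everywhere (requires Secure)
    default:
      throw new Error(`unknown SameSite mode ${mode}`);
  }
}

module.exports = { buildSetCookie, parseSameSite, cookieWouldBeSent };
```

With the default (Lax) cookie, a request initiated by an img tag embedded on another site (`crossSite: true, topLevelNavigation: false`) does not carry the cookie, which is exactly the leakage channel the SameSite flag is meant to close; a Strict cookie is withheld even on cross-site link clicks, at the cost of logged-out landings when users arrive via external links.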
2017 is already shaping up to be an awesome year. Plenty of public events are already lined up, as you can see on my speaking page.
The most important highlight for the moment is the SecAppDev 2017 course. In this week-long course, experts from around the world will not only talk about current best practices for developing secure software, but also shed some light on state-of-the-art technologies that will boost security even more.
All information is available on the SecAppDev website.
Philippe De Ryck