Web Security Training

Navigating the web security landscape

The websec digest #9

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to Cisco, which really screwed up security in their Chrome WebEx plugin.

Last week, a researcher discovered that Cisco’s WebEx plugin for Chrome is not really secure. The plugin allowed you to launch arbitrary commands using a secret URL, which is trivial to extract from the source code, by the way. Cisco patched the plugin by adding an explicit confirmation box before actually launching the program. If you run WebEx, you might want to consider running it in a different browsing profile. If the digest were accompanied by a shame trophy, Cisco would definitely take it home.

The next story was a close contender for the headline of this digest. An Austrian hotel was hit by ransomware, which took control of all their systems, including the system that controls access to the rooms. The hotel eventually caved and paid up, showing that ransomware campaigns are very lucrative. Another campaign was discovered in the US, where attackers held Washington DC’s traffic cams hostage, right before Trump’s inauguration. More stats about ransomware can be found here.

If you only have time to read one report, I can highly recommend the 2016 TLS Telemetry Report, released by F5 Networks. In the report, they analyse various properties of SSL/TLS deployments in the wild. Like I said, it’s worth a read, but here are two spoilers to get you interested: plenty of sites still rely on self-signed certificates, and only 2% of sites deploy the very effective HTTP Strict Transport Security policy.
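Deploying HSTS is only half the story; a header with a tiny max-age or without includeSubDomains gives far less protection than the policy can offer. The checker below is an added example (not code from the F5 report or from this digest) that parses a Strict-Transport-Security header from a set of constructed sample responses and grades it as missing, invalid, weak or strong, using the one-year max-age bar that the hstspreload.org list also requires.

```python
"""Grade the HTTP Strict Transport Security (HSTS) header of a response.

Added illustration for the digest; not code from the F5 report or from the
digest author. All sample header values below are constructed.
"""
import re

# Browsers only honour HSTS on HTTPS responses; one year is the customary
# bar and the minimum max-age hstspreload.org accepts for the preload list.
ONE_YEAR_SECONDS = 31536000

# Constructed sample response headers, keyed by a label for each hypothetical site.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "short-max-age": {"Strict-Transport-Security": "max-age=300"},
    "no-subdomains": {"Strict-Transport-Security": "max-age=63072000"},
    "strong": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
    "malformed": {"Strict-Transport-Security": "max-age=soon; includeSubDomains"},
}


def parse_hsts(value):
    """Split an HSTS header value into a dict of lower-cased directive names.

    Values are kept as strings; whether max-age is a valid integer is
    decided in assess_hsts.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(headers):
    """Return (status, findings) for a dict of response headers.

    status is "missing", "invalid", "weak" or "strong"; findings explains
    why, in plain text suitable for a report to the site owner.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing", ["no Strict-Transport-Security header; plain HTTP is still accepted"]

    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return "invalid", ["max-age missing or not a non-negative integer; browsers ignore the header"]

    findings = []
    age = int(max_age)
    if age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif age < ONE_YEAR_SECONDS:
        findings.append(f"max-age={age} is below one year; the policy lapses after a short idle period")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent; subdomains remain reachable over HTTP")
    if "preload" in directives and (age < ONE_YEAR_SECONDS or "includesubdomains" not in directives):
        findings.append("preload present but preload-list requirements (one year, includeSubDomains) are not met")

    return ("weak" if findings else "strong"), findings


def assess_all(responses):
    """Grade every sample response; returns {label: status}."""
    return {label: assess_hsts(hdrs)[0] for label, hdrs in responses.items()}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        status, findings = assess_hsts(headers)
        print(f"{label:15} {status:8} {'; '.join(findings)}")
```

To run it against a live site, feed the header dict of an HTTPS response (for example from `requests.get(url).headers`) into `assess_hsts`; a header seen on a plain-HTTP response should be ignored, since browsers do the same.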

The next story is about running a VPN on your Android devices. An analysis of 283 Android apps offering VPN services revealed that 38% contained viruses and/or malware. Besides that, most applications severely overreach when they request permissions, with the worst offenders even being able to send texts from your phone.

And as usual, we conclude with a positive note, offered by Facebook this time. Facebook announced support for U2F security keys, thereby integrating one of the best mechanisms for multi-factor authentication. The campaign was launched together with Yubico, the company behind the YubiKey, which is such a U2F hardware token. As a YubiKey owner, I am not only excited about this news, but I can also testify to the quality and awesomeness of the YubiKey. In related news, Facebook also announced a service which allows other sites to use Facebook for password recovery, instead of some shaky mechanism based on “not-so-secret” questions.

Upcoming Events

There are two upcoming training events I wanted to highlight:

  • From February 27 till March 3, you can attend the 2017 edition of the SecAppDev course. SecAppDev is a developer-oriented security course, where you will learn important concepts to build secure applications. Topics include cryptography, SDLC activities, and IoT security. More information and registration.
  • On April 24 and 25, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.

As usual, you can find the full list of events on my speaking page.
