The websec digest #20
The first story about passwords comes from Dashlane. Dashlane is a popular password manager and my personal favorite. They reported about the password practices at 40 popular consumer websites.
The real story is the lax password policies employed by many of these sites. Among the worst were Netflix, Pandora, and Spotify. All these sites depend on easy access from a variety of devices. These cases are a perfect illustration of why we need alternative authentication mechanisms.
The second story is an indicator of another upcoming IoT wave of mayhem. A list of telnet-accessible devices, including valid passwords, has been circulating online. Recently, the list has been discovered by the wider public. As a result, experts expect new waves of attacks originating from these devices.
One of the most important mantras in security is never to trust data, no matter what the source. Of course, when you hear advice like this, the first thing you think of is user input. But in the past few weeks, this valuable advice has proven more important than ever.
A first story is about dangerous deserialization vulnerabilities. In the past two years, the Java world was shaken up by such vulnerabilities. Improper handling of serialized code caused severe remote code execution vulnerabilities. As a result, many application servers needed to be patched.
Now, it turns out that the .NET ecosystem is also affected by such a flaw. In their research, the authors explain dangerous vulnerabilities in JSON libraries. Machines running these vulnerable libraries are vulnerable to remote code execution attacks.
The second story is a bit more exotic. Researchers have figured out a way to encode malware in a strand of DNA. Using this technique, they can corrupt the gene-sequencing software of DNA synthesizers.
Sure, this last story sounds like science fiction. But remember, never trust data, no matter what the source.
And in a positive note, Chrome is stepping up in the fight against malicious extensions. From now on, Chrome issues a warning to the user when an extension takes control of proxy settings or the new tab page.
These warnings inform the user about potentially unwanted behavior. Users that expect this behavior from an extension can approve this behavior. This way, Chrome helps prevent traffic hijacking by malicious extensions.
Here are two upcoming security courses for which only a limited number of seats is available:
On November 20-21, you can attend a new edition of the Web Security Essentials training course. The course will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.
In February 2018, you can attend the next edition of SecAppDev. SecAppDev is a week-long course on security for developers. The faculty are world-renowned experts from industry and academia. More information and registration.
As usual, you can find the full list of events on my speaking page.
Philippe De Ryck