Web Security Training

Navigating the web security landscape


The websec digest #21

The websec digest gives you a brief overview of significant incidents, technologies, and upcoming events. The headline this edition is another deserialization vulnerability in the Struts framework. As you can imagine, it's causing quite a ruckus.

You may remember that we covered vulnerabilities in the Struts framework before. Unfortunately, here we are again. At the beginning of September, a remote code execution vulnerability in Struts was disclosed.

The vulnerability is yet another deserialization problem. It’s also quite dangerous since it affects all versions of Struts since 2008. The good news is that the vulnerability has been patched. So if you haven’t done so already, go and install those updates now.

We also have a data breach story this edition. Equifax, a US-based credit reporting giant, lost data on 143 million customers. The stolen data consists of the most sensitive kind of personally identifiable information, so the potential fallout of this breach is massive.

Unfortunately, as a victim, there is not much you can do about situations like this. It is shocking to see how careless companies are with our data. If it's any consolation, the stock price of Equifax took a steep dive after the data breach.

A last note about the Equifax breach. It seems that someone at the company is trying to blame the Apache Struts vulnerability. However, there does not seem to be much merit to that claim.

From this latest data breach, we can jump to multi-factor authentication. You may remember from earlier editions that SMS-based multi-factor authentication can be attacked: an attacker who convinces your mobile carrier to move your number to a new SIM receives your one-time codes. Brian Krebs has an elaborate piece that zooms in on the problem.

Don't let your mobile carrier be the weakest link! Opt for strong, hardware-backed two-factor authentication when possible. I can personally recommend a YubiKey for this purpose. By the way, we implement 2FA with YubiKeys in the upcoming Web Security Essentials course.

Did you know that phishing is still a significant threat? A Canadian university became the victim of an elaborate phishing attack. The attackers ran off with 11.8 million dollars (yes, that's not a typo). The only way to beat these attacks is proper security education. Every member of an organization, no matter what their role, should have a basic level of awareness about this kind of attack.

To conclude, a short story about HTTPS. Google's statistics show that over 75% of Chrome traffic on ChromeOS is now served over HTTPS. Another major milestone on the way to an encrypted web!

Upcoming Events

Here are two upcoming security courses for which only a limited number of seats is available:

On November 20-21, you can attend a new edition of the Web Security Essentials training course. The course will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.

In two weeks, on October 3rd, I’m speaking at ACA IT’s Tomorrow starts today event. Attendance is free, but there are only a few tickets left.

As usual, you can find the full list of events on my speaking page.

