Author: DN

New Pluralsight Course: Modern Web Security Patterns


I was chatting to some folks at a bank just the other day about a bunch of modern web security standards. Whilst this blog post is about a Pluralsight course I created with Lars Klint, it only really hit me during that bank conversation just how much there is to take onboard when it comes to securing things in the browser today. Let me paraphrase:

Bank: We’re thinking of using SRI to protect malicious modification of scripts we load in from a partner.

Me: Ok, but be conscious that means they can never change those scripts without you first modifying the integrity attribute on your script tags and you need time to push that out so as not to break the site.

Bank: We’re also thinking about using HPKP to pin the TLS cert to the browser and protect against misissuance of a rogue cert from a CA.

Me: Well, given HPKP is being deprecated in Chrome (and frankly caused more problems than it solved), there’s no longer much value in that approach. Have you considered CAA?

Bank: First we’ve heard of it!

Me: It’s pretty neat: it’s just a DNS record, but it stops a CA you haven’t expressly given permission to from issuing a cert for your domain. Another really neat modern pattern you can use is the upgrade-insecure-requests directive in CSP. It’ll take your HTTP requests and automatically turn them into HTTPS ones.

Bank: We were planning on using HSTS to do that.

Me: HSTS is awesome, but it’s different. That’ll redirect any requests to the host name HSTS has been set for, but it won’t cascade that logic down to child resources served from other host names. If one of those partners you’re embedding content from accidentally inserts an insecure request, you’re going to need upgrade-insecure-requests to fix that for you.

Bank: But upgrade-insecure-requests isn’t fully supported by all browsers, right?

Me: No, IE won’t recognise it and neither will the current version of Edge (the next one is all good), but there’s a mitigating pattern for that; you add a CSP “report only” that blocks all insecure requests and reports the violation to a report URI of your choosing.

As I had that discussion, nuances like the ones above just kept coming up over and over again. There were so many edge cases and angles, not just to the security controls the folks at the bank had heard of before, but of course to all the others that were entirely new to them. These were smart people I was talking to, and it made me realise just how complex things are getting these days.

Getting back to the point of the blog post, a couple of months ago Lars and I caught up down in Sydney to record a course on Modern Web Security Patterns which set out to highlight precisely these sorts of security constructs. It’s another “Play by Play” in that the course involves Lars and me discussing the content on camera. I decided not to give Lars a heads up on any of the content, but rather let the whole discussion play out as organically as it possibly could, because that’s really what this style of course is about: a candid discussion between a couple of people. It’s also a fairly high-level course intended primarily to introduce the concepts, and it only runs for an hour and 24 minutes, which makes it great for consuming on the daily commute or over a lunch (or two). If you want to get down into the details, Google [security thing] and my name (or Scott Helme’s) and you’ll find a heap of in-depth material.

Modern Web Security Patterns is now live – enjoy!

48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download

Chances are that you’ve never heard of Washington-based data firm LocalBlox. But that doesn’t mean that they haven’t heard of you. And it doesn’t mean that your personal information hasn’t been recklessly exposed through their sloppy disregard for the most basic security.

As Zack Whittaker of ZDNet reports, LocalBlox scooped up information from the personal profiles of some 48 million users of social networks like Facebook, LinkedIn, Twitter, and real-estate site Zillow without their consent.

The data LocalBlox collated included names, email addresses, dates of birth, postal addresses, and even – in some cases – individuals’ net worth.

LocalBlox then consolidated that sensitive information into a single unencrypted file over 1.2 terabytes in size, and placed it in an Amazon S3 bucket.

If you’ve been following past data breaches you can probably guess the worst part of this story – you didn’t need a password to access LocalBlox’s Amazon S3 bucket, meaning anybody in the world could download the data.

The massive lapse was discovered by security researcher Chris Vickery who has made quite a name for himself in recent years discovering a wide array of organisations pouring data onto the public web because they have failed to properly configure their cloud storage systems.

Thankfully Vickery is a responsible researcher, who informed LocalBlox’s CTO Ashfaq Rahman of the problem – and the data was properly secured just a few hours later. But we simply don’t know how long the data was available for anyone to download beforehand.

LocalBlox makes no secret of how it collects and consolidates data about individuals. Its own website explains how it “automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks… LocalBlox helps companies acquire and utilize a vast amount of information from sources held captive on the web with exceptional speed and scale.”

I cannot confirm if LocalBlox does demonstrate “exceptional speed and scale”, but I’m pretty certain from this incident that it falls down when it comes to security.

The fact is that little-known companies like LocalBlox wouldn’t be able to grab your data if you were more careful about what you shared online, and ensured that proper privacy settings were in place to prevent public access to the most sensitive information on your profiles.

And LocalBlox, and other firms like it, wouldn’t find themselves the centre of unwanted attention if they took the time to take even the most elementary steps to protect the data they controversially collect.

If proper care isn’t taken it won’t be ethical researchers like Chris Vickery who stumble across your unsecured data, it might be malicious hackers.

Alaskan airline hacker sentenced to 5 years’ probation

A former employee of Alaskan regional airline PenAir has pleaded guilty to felony fraud associated with hacking attacks against the company’s ticketing and reservation system in the spring of 2017, announced the US Department of Justice. Suzette Kugler, 59, was sentenced to five years of probation and 250 hours of community service.

After working for PenAir for almost 30 years, Kugler was “dissatisfied with the circumstances surrounding her departure.” As PenAir’s director of system support, she was in charge of administering the Sabre database system, which was vital to ticketing and reservations. After she retired, Kugler used her knowledge of the database to create fake employee accounts.

Assigned high-level privileges, the accounts were used to destroy information and keep legitimate employees at eight airports from making any flight changes, including booking, ticketing or boarding flights. The investigation revealed that Kugler had actually started creating the fake profiles in her last week of work. The attacks caused a major service interruption across multiple states.

“Kugler used her specialized knowledge regarding the Sabre database to create fake employee accounts with high-level privileges, without authorization, and then used those accounts to destroy critical information in a series of network intrusions,” reads the DoJ release. “It was discovered that the primary fake employee account used in the intrusions was created by Kugler a week before she left the company.”

Kugler was identified by tracing her VPN logs.

PenAir officials have made no comment.

In 2017, PenAir filed for bankruptcy, keeping only local operations.