News of the week
Feature: connecting to people whose email and phone number you know.
Flaw allowed association of anonymous accounts with emails and phone numbers.
Introduced June 2021, disclosed after 6 months by security researcher, announced August 2022.
Web Communication
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
Edward Snowden
Encryption works. The problem is everything else.
OSI model protocols:
- Application: HTTP, FTP
- Presentation: SSL
- Session: SSH, NFS
- Transport: TCP, UDP
- Network: IP, NAT
- Data link: ARP, PPP (Point to Point Protocol)
- Physical: IEEE 802.3 (Ethernet), USB, 802.11 (Wi-Fi)
URL format:
Unqualified hostname
|--|
https://foo.bar.example.com:443/some/path/to/a/file?query=cat
|___| | |_________|
Scheme | Second-level domain
|_____________|
Subdomain
OWASP Top 10
Open Web Application Security Project
A07:2021 – Identification and Authentication Failures
- Automated attacks: credential stuffing, brute force
- Weak/default passwords
- Insecure password storage
- No/ineffective MFA
- Session identifier exposed in URL
- Reuse of session identifier
- Session IDs not validated
Insecure Design
Security flaws caused by:
- Inappropriate or reckless design decisions that lead to potential risk
- Lack of knowledge, time pressure, wrong definition of deployment constraints
- Careless exposition or transfer of sensitive data
- e.g. passwords, phone numbers being sent in logs
Secure design lifecycle as a drier:
- Careful and continuous threat modeling
- Active monitoring of vulnerabilities in third-party dependencies
- Apply least-privilege principles