October is Cyber Security Awareness month, and a good time for organizations and anyone who uses the Internet (yes that means everyone) to review security best practices, for a safer user experience. Based on the current state of the Internet, here are our best tips for a better online browsing experience, for website guardians and end users.
1. Trust only HTTPS
While a few years back it was still widely debated whether HTTPS was really needed, encryption certificates and HTTPS are more widely adopted today since they can now be obtained for free by providers like Let’s Encrypt. Even Google has gotten involved with HTTPS-advocacy by flagging sites still on HTTP only as “Not Secure”, which can impact the user experience and even affect your Google SEO ranking.
And we agree with Google for flagging unencrypted websites (those on HTTP) as insecure. Why? Without the “S”, everything that travels between the website backend and the client is trivially readable by anyone sitting conveniently in between the traffic, which means that HTTP could expose users of a website to a variety of attacks. These include an attacker listening to the network traffic on the same network, or the user visiting a website whose content has been tampered with in transit. For example, if the user connects to a WiFi hotspot controlled by a malicious attacker, the attacker has the opportunity to insert malicious code or modify the content that the user sees on the website.
However, HTTPS is not the silver bullet to determine whether the website is absolutely secure or not. As we mentioned in the beginning, HTTPS certificates are easy to obtain for any kind of website, whether it’s used for hosting a legitimate e-commerce platform or a phishing website. And even encryption won’t protect your users from Javascript-related vulnerabilities such as Cross-site Scripting (XSS).
2. Double check the sender
Have you ever received an unusual email that’s made your blood pressure rise? Have you noticed weird transactions or activity on a personal account that’s prompted you to quickly log in to verify that everything is okay? These are some of the tactics that attackers use to get your attention and coerce you into clicking a convenient, yet cryptic looking, link, which leads you to fake login pages that are actually controlled by the attacker.
Phishing emails may look quite realistic, but there’s usually something off with them. For example, Apple would never send you an email from a domain called tepindaupmi[.]com.
Another technique is email spoofing, which is made possible by misconfigured email servers in the wild. This means that attackers can forge the sender address, giving the phishing email even more legitimacy by making it appear that it actually came from a trusted domain or a trusted person.
If you’re an administrator of an organization, it is highly encouraged to configure SPF, along with DKIM and DMARC, to prevent your domain from being used as camouflage for phishing campaigns. We’ve previously covered this with some internal research on misconfigured email servers at top domains, and it’s still a relevant issue today.
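To make the SPF and DMARC advice concrete, here is an added example (not Detectify’s code or tooling) that evaluates a domain’s SPF and DMARC TXT records for the weaknesses that let a domain be spoofed: a missing record, a permissive `+all` or `?all`, a DMARC policy of `p=none`, and too many DNS-lookup terms. The records below are constructed samples standing in for real DNS lookups; `example.com` and `weak.example` are placeholders. DKIM is not checked here because verifying it requires knowing the selector a sender uses.

```python
"""Evaluate SPF and DMARC TXT records for common weaknesses (added example)."""
import re

# Constructed sample records standing in for DNS TXT lookups.
# A real audit would fetch them, e.g. with dnspython: dns.resolver.resolve(name, "TXT").
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailprovider.invalid ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

# Mechanisms and modifiers that cost a DNS lookup during SPF evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a[:/]|a$|mx[:/]|mx$|exists:|redirect=)", re.I)


def evaluate_spf(record):
    """Return a list of findings for an SPF record string; an empty list means no issue found."""
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    # The final 'all' mechanism decides what happens to senders that are not listed.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral, so SPF gives little protection")
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"  # RFC 7208: default qualifier is '+'
        if qualifier == "+":
            findings.append("'+all' authorises every host on the Internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    # RFC 7208 caps DNS lookups at 10; beyond that, receivers return permerror.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10, so SPF evaluation will fail")
    return findings


def evaluate_dmarc(record):
    """Return a list of findings for a DMARC record string; an empty list means no issue found."""
    if record is None:
        return ["no DMARC record published: receivers will not act on SPF/DKIM failures"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown policy tag p=")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports about spoofing attempts")
    return findings


def audit_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain into a dict."""
    return {
        "spf": evaluate_spf(records.get(domain)),
        "dmarc": evaluate_dmarc(records.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, audit_domain(name))
```

Running it reports nothing for `example.com` and flags both the `+all` SPF record and the `p=none` DMARC policy for `weak.example`. Swap `SAMPLE_RECORDS` for real TXT lookups to audit your own domains.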
Also, it should be noted that attackers have discovered that, in addition to phishing emails, people tend to be more susceptible to attacks delivered over unconventional mediums such as text messages, according to Verizon’s Data Breach Investigations Report.
3. Disable Javascript
Javascript is a widely used interpreted programming language which allows the creation of dynamic web pages and interactive functionality. Interpreted simply means that it does not have to be compiled before execution, so web browsers can run it directly. But this also comes with a lot of security issues, because Javascript can access the HTML building-block elements that create the overall structure of the website, called the Document Object Model (DOM). In case of a Javascript-related vulnerability, an attacker can supply scripts that are executed within the user’s browser with that same access to the page.
Javascript related issues include Cross-site Scripting (XSS) vulnerabilities. You can read more about different kinds of XSS vulnerabilities.
Because Javascript runs and manipulates data on the client side, you can disable or limit execution of Javascript in your browser. For Google Chrome, you can block specific sites, and for Firefox you can download, for example, this browser plugin. It should be noted that blocking all Javascript will most likely limit your Internet browsing experience, because some websites offer only partial support for a Javascript-free HTML version. This means that some websites may not allow you to log in, or the website layout can seem odd.
Go ahead and try it: disable Javascript in your browser and see what happens when you browse the Internet.
Again, this is not a one-size-fits-all solution, and any Javascript-related vulnerabilities should be remediated and fixed by the website’s owner. Even black/white-listing specific domains will do you no good when the malicious Javascript is stored persistently on a website you have allowed: it then executes within that domain’s context, which you have not blocked.
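Since the fix for XSS belongs to the website owner rather than the visitor, here is an added example (not Detectify’s code) showing the server-side defect and its remedy: the same greeting rendered by string concatenation and by HTML-encoding the untrusted value with Python’s `html.escape`, plus the attribute case where quoting matters. The input string is a constructed sample of the kind of value a stored or reflected XSS delivers; `security_headers()` returns assumed example values for a Content-Security-Policy that limits the damage if an encoding slip still happens.

```python
"""Untrusted input rendered without and with output encoding (added example)."""
import html

# Constructed sample input: markup that a browser would execute if rendered verbatim.
MALICIOUS_NAME = "<script>alert(1)</script>"


def render_greeting_unsafe(name):
    """Vulnerable: the untrusted value is concatenated straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: HTML-encode the value so the browser treats it as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attr_safe(value):
    """Inside an attribute the value must be quoted AND quote characters encoded,
    otherwise a stray double quote lets the input add new attributes such as event handlers."""
    return f'<a title="{html.escape(value, quote=True)}">link</a>'


def contains_script_tag(markup):
    """Crude check used here to show the difference between the two renderers."""
    return "<script" in markup.lower()


def security_headers():
    """Assumed example response headers (not from the original post) that reduce the impact of
    an XSS that slips through: no inline scripts, no foreign script origins, no MIME sniffing."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("unsafe :", render_greeting_unsafe(MALICIOUS_NAME))
    print("safe   :", render_greeting_safe(MALICIOUS_NAME))
    print("attr   :", render_attr_safe('" onmouseover="x'))
```

Output encoding must match the context the value lands in (HTML body, attribute, URL, JavaScript string); `html.escape` covers the first two, which is why real applications rely on a templating engine that auto-escapes rather than hand-built strings.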
4. Keep passwords and secrets, secret
Passwords. No matter who you are, whether an internet-goer, a developer or an administrator, the storage and handling of passwords has been an issue ever since they were first introduced as a method of authentication.
So just to recap, a good password is one that is only known by you, is unique to each service, and is long enough to withstand a guessing or brute-forcing attack. Also, Multi-Factor Authentication (MFA) should be enabled whenever a service supports it.
For secrets such as API keys and tokens, secure storage becomes a little trickier, as they need to be available to the services and systems that use them. However, one definite no-go is storing them in the source code, as source code is often copied to less secure locations and can be compromised. Secrets should always be kept out of your version control.
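As an added example of keeping secrets out of source and version control (not Detectify’s code), the following scanner flags string literals assigned to credential-looking variable names and scores them with Shannon entropy, the kind of check a pre-commit hook would run, and shows the alternative of reading the secret from the process environment at runtime. The source text is a constructed sample; the key values in it are made up and not real credentials, and the variable names and environment variable `PAYMENTS_API_KEY` are assumptions.

```python
"""Flag likely hard-coded secrets in source text and show the env-var alternative (added example)."""
import math
import os
import re

# Constructed sample source; the credential values are invented, not real secrets.
SAMPLE_SOURCE = """\
import os

API_KEY = "sk_live_9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"
db_password = 'correct-horse-battery-staple-2019'
timeout = "30"
LOG_LEVEL = "DEBUG"
api_key = os.environ["PAYMENTS_API_KEY"]
"""

# A string literal of 8+ chars assigned to a name containing key/secret/token/password/pwd.
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|secret|token|password|passwd|pwd)[A-Za-z0-9_]*)"""
    r"""\s*=\s*["'](?P<value>[^"']{8,})["']""",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score higher than ordinary words."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, min_entropy=3.0):
    """Return (line_number, variable_name, entropy) for each suspicious string assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group("value")
        # Obvious placeholders such as "${API_KEY}" or "<your key here>" are not findings.
        if value.startswith("${") or value.startswith("<"):
            continue
        entropy = shannon_entropy(value)
        if entropy >= min_entropy:
            hits.append((lineno, match.group("name"), round(entropy, 2)))
    return hits


def load_secret_from_env(name, environ=os.environ):
    """Read a secret from the environment instead of source; fail loudly if it is absent,
    so a missing secret never silently degrades into an empty string."""
    try:
        return environ[name]
    except KeyError:
        raise RuntimeError(f"secret {name} is not set in the environment") from None


if __name__ == "__main__":
    for lineno, name, entropy in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} looks like a hard-coded secret (entropy {entropy})")
```

The environment lookup on the sample’s last line is not flagged because no string literal follows the `=`; the two real findings are the API key and the database password. Entropy alone is a heuristic, so treat hits as items to review, and pair this kind of check with a proper secrets manager for the values the services actually load.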
5. Always ask yourself – why?
Whenever online, it is always good to take a breather and analyse the website you’re using and the message you received, and, if something seems off, change your password by logging in to the service in question, typing out its URL manually in your browser.
Also, messages and content that make you feel like you need to act fast can be a sign that something is wrong. Attackers want to make you feel like you’re in a hurry, because that’s when you’re more prone to accidentally click on links which you shouldn’t open. So next time you’re about to click a link in an email, hover over it first to see the source, and then manually type it or find it via search. It’s a bit more work, but it can save you from giving up your credentials.
And to continue in the spirit of Cybersecurity Awareness Month, share these tips with your colleagues, to encourage best security practices in the workplace and across the Internet in general.
Written by:
Laura Kankaala
Security Researcher, Detectify
Detectify is an automated web application scanner that checks your web apps for 1500+ known vulnerabilities. By collaborating with our community of ethical hackers, we’ve developed a test bed with vulnerabilities beyond the OWASP Top 10 including misconfigured SPF records and HTTPS implementation. Check the security status of your web apps with Detectify today. Get started with your 14-day free trial.