‘Don’t visit suspicious websites’ used to be the advice. But nowadays it isn’t always clear when you are at risk. Online threats cross geographical borders, and even reputable websites can be compromised. So how do you know whether a website is legitimate and trustworthy? And from the developer’s point of view, how do you design a secure website?
Christine Bejerasco and Laura Kankaala of F-Secure join episode 26 of the Cyber Security Sauna to answer these questions. They also share tips and tricks for staying safe online and for designing websites with security in mind.
Janne: As a user, what are some of the ways attackers are currently compromising websites that I should be worried about?
Christine: When you actually visit a website, if you just check, for example, the traffic that is happening when you visit the website, you’re going to realize that going to one website means that you could potentially be going to a hundred more websites because this one website will reference the others. For example, when they get advertising, they get it from another website. And for example, if there’s a malvertising campaign and they try to compromise the ad server of these websites, then it could affect all the other websites that subscribe to these ads. And for example, there is tracking also coming from another website. So you can’t really just hold one website anymore responsible for their security because everything is so interconnected.
So even though the website I’m sort of typing in my browser address bar is legit, I might still be at risk because of some other piece of content that gets pulled from someplace else.
Christine: Definitely, because at the moment they are now storing different content in different locations and there are different third party providers for all of this different content.
Laura: Yeah, I absolutely agree with Christine that when you go to a website, the ads you see, they may be used, for example, for cryptomining or then just tracking you. And you don’t know necessarily, if you are not that tech savvy, and if you’re not looking at the HTTP requests that are going out of the website, what kind of information on your behavior, or is something sensitive about you passed on to these third party providers as well? So they could be passing on your, for example your ID or ID in some kind of website or they could be passing even more confidential data. For example, your social security number in the most extreme cases.
Christine: And there is actually a lot of this that is happening when it comes to third party cookies, that they stay there and they are able to harvest information even when you’re going to another website now. So they kind of stick around longer than just when you are visiting that singular website. And as Laura said, all of this traffic, we don’t really check, but let’s face it, even if I open, let’s say Fiddler, and then I check the traffic that is coming through there, they’re coming so fast and there’s so much of them that it would probably take me an hour before I figure out that everything is safe. So it doesn’t make sense anymore.
That was the first minute, and that seemed okay.
Okay. So those are some of the reasons why the old stay away from shady websites thing might not be relevant anymore, because the website itself might be okay, but you’re just getting owned as you browse on by.
Laura: Yeah, absolutely. And well, there’s also another angle for this. An attacker could be posing to be someone who they’re not, so they could have created a website with a login page, for example, that impersonates Google or you know, Facebook or some other known service provider. And then they try to lure people into logging in through there, and then they get the credentials through there. So there’s also this angle that you have to keep in mind when you browse.
Absolutely. So are there ways that a user can tell that this website might be a little bit shady, there might be something weird going on?
Christine: That becomes a little bit trickier nowadays than ever before. Because for example, if, let’s say the user would really build this website to be malicious, registers his own domain, of course you can look at the Whois information and then see this is very recent, it’s gonna expire in one or two years, may be potentially malicious. But those things, they don’t happen always. So it could be that they did some mass injection with a recent WordPress vulnerability, for example. And then a lot of those different websites that were previously safe now are redirecting somewhere else malicious. So if I visited my favorite news website yesterday and then I didn’t go anywhere else, I visited today and I could be compromised.
Laura: Yeah. Well there’s the aspect of trust in everything, and online it’s even harder to decide who to trust and on what basis. So there are services that are more well known and more trusted by people in general. But let’s say you go to a smaller online shop and you find a really cool pair of shoes there, and you want to buy them. So in that kind of situation you have this really good deal and then maybe this website doesn’t make you trust them too much. But even with checking Whois information, you can find out like, okay, this domain was registered last week. Okay, sounds weird. And if you take for example, the picture of those shoes and put it on Google reverse image search and you find that they are some super expensive Michael Kors shoes that should not be only $5, I would say that most of these things they come back to your gut feeling like, okay, is this deal too good to be true, for example.
So if it feels shady, it might be shady.
Laura: Yeah. And even if it doesn’t, it still may be shady.
Sure. Okay. But like you said, Christine, it is getting harder to be able to tell the difference. We used to tell people to trust the little green padlock sign that says that the site is TLS encrypted. But these days, that doesn’t mean anything, cause anybody can get a certificate for any site.
Christine: Well, yeah, exactly. And while your traffic may be encrypted when you have TLS, and that’s really the only purpose of TLS, to encrypt your traffic during transit. But that website could have encrypted malicious traffic, and still it’s malicious.
Laura: Yeah. And I think, well, this is my personal opinion, but encryption has never been a method of verifying if this website is legit or not or if they’re shady or not. But maybe before, because these certificates, they cost you money. So the attackers were like, okay, well we might as well only serve the unencrypted version, to save money. But if you had a criminal who was even slightly more invested in this, they would have just bought the certificate. It was not that much more money after all. But let’s put it this way: If you have a website that they’re asking for your credit card information, but they do not have encryption like these days, that is something that should be avoided. And I wouldn’t put my credit card information in there.
Christine: Avoid at all costs.
Yeah, but basically, what we’re saying is that the little HTTPS certificate only tells you that you’re seeing the website as it was sent and it doesn’t tell you anything about how legitimate it is or isn’t.
Christine: No, it doesn’t.
All right. But what about the encryption of the traffic in transit? So with mostly everything being HTTPS these days, do users still need to worry about using a VPN on a public Wi-Fi or things like that? Is that the sort of end to end encryption we hear people talking about?
Christine: In my opinion, not really. Because there is such a thing, for example, if, let’s say you have all of this HTTPS encryption. But still going through the network, there could be some DNS leaks that’s happening. So still they could potentially know where you are going. And even though nowadays there is this drive to actually have even encrypted DNS. So it still means that the DNS provider where you’re connecting to kind of knows what IP addresses you’re going to. But when you go for VPN, all of those are completely cloaked to anybody else in your network. So that gives you an even fuller level of encryption, fuller level of anonymity.
Laura: Yeah. And if you are not using VPN, you’re exposing your own IP address out there. So VPN, it protects you from that, so no one will know where you actually are browsing the websites from.
Christine: And in addition, there are actually some VPNs with anti tracking. And this anti tracking functionality also enables us to drop tracking cookies when you go into these websites. So in addition to the anonymity, there is still an extra privacy protection which enables you to actually avoid visiting directly tracking links.
Okay. So there are active measures that make you sort of more secure or safer or less trackable. You guys talked about websites that are created to look like a legitimate login page to do credential harvesting. Is there a way to sort of spot that this is going on?
Laura: Yeah. There are some ways, for example, that the URL is not quite what you’re expecting. So let’s say you get an email, or even an SMS or anything, a message saying that, “Okay, your account in PayPal, for example, has been compromised, and quickly go log in using this link” and the link, it may have the word PayPal in it, but it may have also something else or the name has been slightly modified. So when you get this kind of message, my suggestion is that you go directly to the URL that you know that belongs to that specific service and then log in through there, and go check if there’s anything wrong with your account.
Christine: And to add to that, there are some operating systems that malware can actually work on deeper than others. For example, let’s take Windows. In Windows, some malware, for example this recent Trickbot, they are able to inject into browsers in such a way that if you actually got infected, the browser, when you visit let’s say your bank, could replace you with a webpage and inject that in front of you with the URL of the bank. And then it would be very hard to notice the difference. But in this scenario, it helps to have some endpoint protection that would have already blocked the malware in the first place. So that this time, you don’t need to worry if the website that you actually visited is legitimate or not. Because some of these malware, for example, Trickbot, they keep on adding more and more new banks into their arsenal.
What about when you’re shopping online, this whole discussion about maybe storing your credit card information on the website or not. What are some of the things you’d consider when you’re making that decision?
Christine: One of the things that I consider when I try to purchase online is these companies, how well do they care about their security? Because they will, well fortunately or unfortunately, store my credit card on their back ends. Do they even perform security assessments? Do they perform external-based red teaming for their systems? And we do know that these activities may be a little bit more expensive than the others, but it does show that the company is willing to invest in their security. And so if there’s a new company, starting with this selling online business and they haven’t done any of the security assessments, then nowadays we hear a lot of news about these data breaches and data getting dumped everywhere, credit card numbers, I would kind of get a little bit paranoid spending my money in their website.
Laura: Yeah. And whenever you are doing any kind of purchases online, you should always, always use your credit card rather than, for example, your debit card. So it’s easier to get refunded if something goes wrong. One more thing to add here is that let’s say the website is handling all of your transactions on their own versus that they use some external provider. If you have this small online store and they are not using anyone to do the transactions for you, I think that could be a very weird thing to trust.
Christine: Yes. Especially if they are very new. So they would need third party help to typically secure this.
But you’re talking about the kinds of security audits that the company has done and things like that. How would you know, how would you find out what they’ve done security wise?
Christine: That’s a very interesting question and typically, I would probably go back historically in the history of data breaches. Has this company been breached previously? Because really, you wouldn’t know unless they publish it. But this also goes without saying that the new ones, the new stores that pop up online, most likely haven’t done security audits at the beginning because in the very beginning of a company’s lifetime, security is not really the main consideration. They would go for functionality first and to deliver the features that are needed.
But you’re also saying that if you went to a new website, you found information that the company’s talking openly about their security position, about the kind of audits they’re having done and things like that, that would dramatically increase your confidence in the company.
Christine: Actually, well, of course, depending on if I really trust this. But if I did, yes, it would increase my confidence. That they are doing their due diligence to secure my data.
I wanted to touch on something else about storing credit card information, because we recently saw a string of these Magecart attacks happening all over the place. And I think that the point there was since the attack was happening sort of between the client and the service, those customers who chose to enter their credit card information every time during the transaction, their information was snatched in transit. But the other customers who just used a pre-stored credit card, clicked on a radio button, that information wasn’t compromised. So I guess you basically have to know what kind of tools the attackers are going to be using against you.
Christine: Yes. But unfortunately you can’t. So the thing with attacks online really is that attackers are opportunistic. Even if you try to secure your data or perform one type of security over the other, if more people already secure their data in one way, the attacker will try to find another way to attack. So as long as there are holes, they will try to find it and use that. And if the hole is bigger and more people have it, then it’s going to be the most prevalent type of attack that they’re going to use.
Doesn’t that mean that we’re screwed either way?
Christine: Not exactly. Because of course these attacks, it means increasing level of complexity. So let’s say the data that you have is not really that important, so these attackers may not really be interested to really probe and probe and try to get your information. Maybe a simple commodity malware is enough. But for example, if you’re a high profile person and then you have some really good information that they really want to get worth, I don’t know, millions of dollars, probably, then they would be very interested and would try to find every possible hole that they can get into so that they can get into you. So you would need to be a little bit more vigilant than the typical guy who probably feels like he has nothing much to lose.
Yeah. And I guess as a user of the internet it’s in my best interest to make the attacks against me as costly timewise or moneywise for the attacker as possible.
Laura: And in theory, for example, the Magecart thing that you described, it is happening on the client side. So in theory it would be preventable by you if you knew what to look for. But when I browse the internet, I probably would’ve missed that. When I go to an online store, it’s not like I check everything, so I just trust these services. But that’s in theory something you could maybe protect yourself from. But when it happens in the back end, let’s say someone gets access to the database itself and the data is not encrypted and it’s just dumped out there, that is something you cannot unfortunately do anything about because you are not the maintainer of that database. You’re not the maintainer of that system.
Christine: Yes. And that’s really interesting that you mention that, Laura, because nowadays it goes back to this very interconnected world that we are living in that, for example, you visit one website and they use Magecart, I mean, how could you have known? And typically we don’t really care what kind of payment gateways these websites are using, who’s processing your credit card transactions. You just know that you visit it, you use it and then it works.
Laura: Yeah. And that’s how it’s supposed to work. We should not as a user of a website, we shouldn’t have to worry about these kinds of things. But naturally when you have these attackers who have all the time and all the resources in their hands, then it’s hard to protect against everything.
So if it’s so hard to tell when a website is compromised or not, and if you’re being tricked or not, why should people even shop online?
Christine: Because it’s convenient and it’s cheap.
But you get tricked.
Christine: Statistically, if you look at the statistics, there are more people who actually shop online and really get their goods and not get tricked. So of course when you go online, there are the statistical minority that actually fall into this trap. And since there are more who actually manage to get their goods, then we keep on doing it because most of the time it does work.
Yeah. And I guess, with these tips and tricks we’re sharing here on this podcast, you can sort of control the risk a little bit.
All right. We touched upon developer responsibilities already, but are there things developers can do to ensure that their site will be as secure as possible? How do you design a website with security in mind?
Christine: And that is where threat modeling comes in. After you’re done with your architecture and before you start implementation, threat modeling should hopefully be part of the picture. Because now you are able to simulate whether a certain input could potentially become a point of attack and could potentially affect your website. And then of course when your website is deployed, especially when you’re using these modern frameworks, (especially very commonly used ones, which are of course malware favorites because they are very common), then do make sure that you get the most updated one, all the time. The framework, the plugins, and also, do your due diligence when it comes to subscribing to which third party providers of the offerings that you have on your website. Because all of those will affect the reputation of your website.
That makes sense. And if nothing else, sanitize those inputs.
So all those components and libraries are also exposing you to supply chain type attacks.
Laura: Yeah. And there are ways of mitigating through these things. So you can always read the code through before you run the website. But naturally when you are using, for example NPM, there are so many modules to go through. So one example is to have a frozen NPM repo on your own where you have checked all of the code and you know what you’re running. And then you update that repo instead of just pulling the updates directly from a public NPM repository.
Let’s keep talking fails. What are some of the common things we see that are wrong with website design?
Christine: The idea, usually when a developer goes to build a website, they’re usually only thinking of functionality. What is this website supposed to show? What is it going to deliver, what are the features, et cetera. And then when they go on and deliver it, then typically when there is a first compromise, that’s when they think about security. So it’s like not having an insurance policy at the very beginning. And websites, for example, IoT devices, when you don’t have security at the beginning and you add it at the very end, it just doesn’t always fit. So mostly you’re going to end up in a rewrite, which is costly. And then of course, if you’re a website owner and you hired a developer just by the hour, would you want to do it or not? That’s a very tricky proposition to do it down the road. So the really good thing to do at the very beginning is to have security in mind during the design. Because even though it’s a little bit more expensive at the beginning and it takes a little bit longer for the development time, it would pay off in the long run. Because your website is out there, exposed for every attacker to see and probe. And the probing that they do nowadays is quite massive and heavily automated.
So doing threat modeling while you’re planning your services is the internet version of sweat saves blood.
Christine: Well, basically, yes.
Laura: Yeah. Because at first it may seem like added effort, like why are we applying this much effort into securing stuff? But it will save you money in the end, when you don’t have a totally vulnerable website running out there in the wild.
But let’s say I don’t know anything about websites. I’m not a web developer. I want to set up my own website. So I’m going the route of choosing a CMS, like WordPress or Joomla or something like that. Is there a service that’s better than the others? Or how would you recommend what steps to take to make sure that my site is secure?
Laura: Well, I think it’s important, when you talk about these CMS platforms for example, if you’re using plugins, that you are keeping them updated, because for example, WordPress, the plugins have been notoriously known for being exploited. Just keep things up to date and do some research before choosing this kind of platform. So don’t go with the cheapest one or the free ones if that does not suit your business needs. If you need a more secured web application for example. So do your research on what kind of security level you need to meet.
Christine: Yes. And Laura had a very good point on the paid ones. Because when it is paid and there’s a service behind it, when you have a problem, they can respond pretty fast. Because it’s very competitive out there for these people who are providing these types of hosting. So if your website for example, got compromised, they could even provide services for them to clean it up for you.
Maybe you should talk about that. Like we’ve been talking about the user point of view, but as the owner and proprietor of a website, what are some of the risks that I’m exposing myself to if my website isn’t properly secured?
Christine: Well, for one, thinking of the website that I’ve set up… I have a website in WordPress and actually the moment I set up my website, I got massive traffic coming from Ukraine, coming from different countries. And of course they are not people who want to visit my wonderful website, which is a few hours old. So what I discovered is that there’s really massive mapping and probing out there happening. And your website could get tens of thousands of these traffic probes per day. What I use is WordPress and they do have plugins that could potentially block this traffic so that my website doesn’t end up getting compromised immediately. So looking at those plugins when, for example, you use a CMS, don’t just look at plugins that are for functionality, because there are also plugins for security. And when you add those plugins, they also control, for example, spam comments, and spam comments typically contain these malicious URLs. And when your visitors visit your website with a spam comment, malicious URL, well then you become sort of a distributor of this malicious content. So as a website designer, it would help to look at those security plugins.
So maybe that’s not the look I’m going for when I set up a blog for example, to share my wonderful insights with the world. And all the comments I get are links to malicious content.
Christine: Yes. Or like, buy this latest medicine to enhance some certain something.
But are there more tangible –
Christine: Are we having an audience that is below 13?
No, this is good. Okay, that’s fair. But are there more direct risks that I’m taking? Are there more direct attacks that might affect me as the owner of that website?
Laura: Well, I think it depends. Are you just serving static content? Are you just serving your portfolio? For example, you only get GET requests to your server, and if you’re configured properly, there’s probably only a tiny bit of risk there involved. But let’s say if you’re handling any kind of sensitive data on your customers, you may also be under a certain kind of legislation to protect this data in a certain manner. For example, if you’re collecting users’ home addresses, their phone numbers or stuff like that, you can’t just slap them on a database and not encrypt them and hope that no one gets to them.
Yeah. But there’s a cost element to all this security. So I might start off small, but as my business grows, my website gets more popular. At what point should I start thinking about security?
Laura: The beginning.
Christine: In the beginning. Yes.
So if you’re going to do anything at all, do it securely.
Christine: Yes. Because the bigger you get, the costlier it’s going to get if you build on a foundation that is not secure. So when you redo everything, then that’s going to cost you. And also in website downtime, if for example, in the future you have more users and you have to take your website down. We have experience with this with a shopping company who has built the website on the wrong foundation. And at some point there was some probing done. The problem was that the credentials, they were trying to use WordPress credentials, were actually very easy to get. In less than a thousand guesses, the attacker was already in. They had to take their website down, I think for a day and a half. It cost them a few tens of thousands of euros, because they are very popular.
Yeah. That’s a day and a half you’re not doing any business.
So basically, even though there is that cost element, that’s a cost you want to bear as early as possible and not when your website is super popular and under attack already.
Laura: And if you are mishandling your sensitive data and there’s GDPR and everything, even if you have not been breached, but let’s say someone comes to check on you, like how are you storing your data? You may still end up paying some money too, as fines for violating this kind of legislation.
All right. Let’s say I’m shopping online and I found the perfect pair of shoes in a web store, but I’ve never heard of this store before. How do I figure out if it’s legit or not?
Laura: Well, how much do you want that pair of shoes?
I really like these shoes.
Laura: Okay. Well then, one thing you can do is to take the URL or the domain of that shop and go see when it was registered through Whois, for example. And you can see if it’s new, you know, if it’s just registered a week ago or two weeks ago, then you may be like, why? And like, is this okay? Because there are parties out there who wait for domain names to expire. And then they quickly purchase them and serve their own content there. So it may be legit or it may not be legit.
Christine: And it’s also very interesting, like how did you come upon this store that we’ve never heard of before? Because for example, if you got this from an email spam mail and then you just clicked on it, that’s kind of already very iffy sign that maybe this is not really that legitimate.
Laura: Why is someone directly sending me an email about these shoes?
Exactly the kind of shoes I want, yeah. What about things like checking out the Wayback Machine and seeing what was running on this domain a year ago?
Laura: Yeah, absolutely. It comes back to the Whois thing. So you can check when was this domain registered, and then you can go on Wayback Machine and see if the website is actually doing the same thing it was doing a year ago or two years ago. So maybe it was actually not a store at all at first, and suddenly now it’s a shoe store online.
Yeah. And I think you mentioned already that if the bargain is too good to be true then maybe it is. But what are some other ways of spotting that this might be a shady shop?
Christine: Well, shady shops, typically you get to them not by accident, but they’re kind of pushed to you. It could be for example, via your phone, you get a WhatsApp message with a link going to the shop. It could be from your friend, but he may be infected. So it could be also like a Skype conversation, and then you click the link and go there. There’s always this element of pushing this shop to you, either via a link or perhaps also via a malware that is in your system and trying to sort of visit it when you go to a legitimate site. And that’s the element here that’s kind of already suspicious in the first place, because why are you getting this information? But let’s say you Googled and you found this website on the ads and you click on the ad. Then in that instance, looking at Whois information, that could help, because it would know the freshness of the website. But beyond that it becomes trickier. Because for example, if this is for some reason, a malicious website that managed to live beyond one year (and that’s really rare for malicious websites, they get hunted down), then yeah, it becomes a bit harder to understand that is this really malicious now or not? It looks like it has been alive for a while.
Laura: Yeah, and I think when we’re talking about malicious websites, I think here we’re talking about websites that for example, harvest credentials or credit card information. Those get taken down quite quickly. But when we have websites that are actually delivering you the goods but they’re not maybe like they’re advertising them to be. For example, this dress, it’s really beautiful and very flowy, but when you order it, it’s not quite what you expected. So I think that’s also a sign of a shady website, that you are not actually getting what you thought you would get when you buy this kind of dress or shoes or whatever.
Yeah, we’ve all seen those memes online with people missing out on the measurements page. And your dream dress arrives, but it’s in doll size.
Laura: Yeah, that categorizes as a malicious website as well, in my opinion.
Yeah. We talked about some of the indicators that a website might be shady, but are there some indicators that will absolutely tell you that this website is legit?
I’m also using an ad blocker, by the way.
Christine: And that is really where the problem lies. Because to be honest, it’s easier to say that a website is malicious rather than to say that it is completely safe.
Because you can’t prove a negative.
Christine: Exactly. So when you visit a website with all of the different interconnections that just automatically load into a website, I mean, to isolate all of those individually, that’s quite a daunting task. So of course there is a level of trust and based on the history and reputation of this website it seems to be that this is more trustworthy than others, but with absolute trustworthiness, that’s getting trickier nowadays.
Laura: Yeah. Because then you may also have a developer who wanted to do something malicious or a sysadmin who wanted to do something malicious. So there are so many vectors and the attack surface is so large in the end, and you don’t know where the threat is coming from. So it’s very hard to determine that it’s purely safe.
So in summary, what are your top tips for staying secure online?
Laura: Never reuse your password. Always go directly to the URL where you want to go, don’t follow shady links that you are getting to any inbox, whether it’s social media or email. And when shopping, use your credit card. And I would still prefer not to store credit card information.
Christine: Whatever browser you use, whatever operating system you use, make sure that you are using the latest, most secure one. Because you will never know that a certain website could have an exploit that exploits a vulnerability on your browser. And then secondly, just some basic hygiene. Have your EPP product running. A lot of this commodity malware that we actually encounter nowadays, the type that injects into your browser, some of these malicious websites, your basic antivirus covers that. So that’s just basic hygiene, and use it. Because it’s there anyway for you.
That is some sage advice. Thank you very much for being on the show.
Christine: Thank you.
Laura: Thank you Janne.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter through F-Secure @CyberSauna. Thanks for listening.