As I was sifting through websites, I decided to give my ISP in Malaysia a visit. I have an account with them which gives me perhaps the best internet in Malaysia at the moment. Of course, with my information security training and background, I have a keen eye for things that do not look good…
I use Google Chrome for my daily surfing and online transactions. They do have an edge with the amount of time spent infusing security into browsing. Though we have our doubts about their ties with government surveillance bodies, I have got to say that they do know how to protect their netizens…
Data breaches are not made by an attack that takes a few hours, no. They are made with exact precision. Much like a military attack, black hatters follow a strict process known as the cyber kill chain. We have come across kill chains in the military, but the concept is prevalent in the world of cyber warfare. It takes a lot of effort, meticulous planning and an evil intent to go through with a cyber attack. Hence we call them APTs: Advanced Persistent Threats. We, as security professionals, are trained (hopefully) to look for the signs of an attack taking place.
I cannot stress enough the importance of sniffing out potential failures and disclosing these things to companies. This is what we do as ethical security professionals. We never take for granted the signs of an imminent attack or disclosure of personal data.
I remember once my father forwarded me a suspicious email. I trained my parents well when it came to phishing emails. Kudos to my parents for always following up with me if there was something out of the ordinary. Now, back to the suspicious email. It was from our national power company, asking for bill payments, etc. What caught my eye was the domain and the email address this mail came from. My thought was, “Hey, how did they get my father's email address? This is bad, they must have breached the database of the power company and got a list of emails”. Deadly. I notified the relevant authorities, and up to this day, no acknowledgement has come from them.
Back to Chrome: yes, the powerful sniffer of trouble gives you an idea of what's good and bad. So, I wanted to check my account with this service provider. When I got to the page, Chrome gave me a warning; in fact, the warning was really interesting. It just stated that the service provider uses SHA-1 on its trust chain. OK, I am cool with that, who wants to attack a Malaysian service provider? I do not know, but according to the kill chain, it might be something bigger. So I would say, fix your own flaws and lessen your attack surface.
I gave Qualys a crack; I ran the awesome test to check the site's SSL certification. It was very eventful, and it gave me a grade “F”. What!!! No way, I have all my personal information on that site. It has SSLv3 enabled and some of its cryptographic issuance is obsolete. This is bad. You are talking about customer data and a potential attack surface for a black hatter. We all hear of multi-million dollar losses from breaches. They all start from a flaw not fixed.
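Chrome's SHA-1 warning and the Qualys grade both come down to what is in the server's certificate chain. As an added example that is not from the original post, the Python below walks the leading DER fields of an X.509 certificate and reports its signature algorithm, flagging SHA-1; the stub certificate it builds is constructed for the demonstration (only version, serial, signature algorithm and padding) and is not a real certificate. To check a real chain, feed it each DER certificate from the chain in turn.

```python
# Walk the leading DER fields of an X.509 certificate and report the signature
# algorithm, flagging SHA-1 (what Chrome warned about on the ISP's trust chain).
SIG_ALGS = {  # OID -> (name, uses SHA-1); unknown OIDs are reported raw
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}
def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid_str(value):
    """OID content bytes -> dotted string (base-128 sub-identifiers)."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_algorithm(cert_der):
    """Return (oid, name, is_sha1) for the certificate's signature algorithm."""
    _, cert, _ = _tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)        # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)       # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0  # v1 certs start straight at serialNumber
    _, _, pos = _tlv(tbs, pos)       # serialNumber INTEGER
    _, alg, _ = _tlv(tbs, pos)       # signature AlgorithmIdentifier SEQUENCE
    _, oid_bytes, _ = _tlv(alg, 0)   # algorithm OBJECT IDENTIFIER
    oid = _oid_str(oid_bytes)
    name, weak = SIG_ALGS.get(oid, (oid, False))
    return oid, name, weak

# Constructed stub (not a real certificate), padded so lengths use DER long form.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
SHA1_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
def sample_cert(sig_oid):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, sig_oid) + _der(0x05, b"")) + _der(0x04, b"\x00" * 200))
    return _der(0x30, _der(0x30, tbs))
```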
I do hope they fix it, as I disclosed this flaw to them. It might be a small issue for humongous security teams, and perhaps a financial cost to them to fix the certs, but it is definitely going to prevent a massive issue later on.
People reading my blog: always listen and watch out for warning signs. Since we are ultra connected these days, you can never go wrong spending a few minutes on your security. It saves you in the long run.