Client-Side Security: You Can Delegate Authority But Not Responsibility

By Source Defense

There’s an old saying that leaders can delegate authority but not responsibility. That remains relevant and true in the digital supply chain. Companies can give their supply chain partners authority to operate on their websites, but responsibility for what that 3rd, 4th, and 5th-party code is doing ultimately rests with your internal security team.

Security practitioners struggle to keep up with the volume and pace of cybersecurity incidents, are overwhelmed by alerts and false positives, are distracted by new and evolving compliance requirements and are under pressure to show value to business peers. But the corporate website—often the centerpiece of the enterprise revenue model—presents a structural security risk that could mean the difference between business success and failure.

In the browser, client-side processes are almost always written in JavaScript. According to our team’s latest intelligence, there are more than 1.7 billion public-facing websites worldwide, and JavaScript is used on 95% of them. Frontend JavaScript code has grown in size by more than 347% for desktop and more than 593% for mobile during the last 8 years and keeps growing. 

And therein lies the structural security issue that poses one of the biggest threats to your most critical business channels: protecting your customer data at the point of entry. JavaScript is used by all of your 3rd party digital suppliers, including payment card processors, advertising networks, social sharing services, analytics, and more, and it sits outside your security perimeter and is vulnerable to a wide range of attacks.

How Much Do You Know About Your 3rd Party Attack Surface?

As a security team, if you still aren’t convinced that taking action to secure client-side transactions like payment card entry is an immediate necessity, the latest release of the Payment Card Industry Data Security Standard (PCI DSS version 4.0) has decided for you.

PCI DSS v4.0 section 6.4.3 states explicitly in its guidance that payment page scripts that are loaded and executed in the consumer’s browser must be managed as follows:

  1. A method is implemented to confirm that each script is authorized.
  2. An inventory…


Client-side content scanning as an unworkable, insecure disaster for democracy • The Register

Fourteen of the world’s leading computer security and cryptography experts have released a paper arguing against the use of client-side scanning because it creates security and privacy risks.

Client-side scanning (CSS, not to be confused with Cascading Style Sheets) involves analyzing data on a mobile device or personal computer prior to the application of encryption for secure network transit or remote storage. CSS in theory provides a way to look for unlawful content while also allowing data to be protected off-device.

Apple in August proposed a CSS system by which it would analyze photos destined for iCloud backup on customers’ devices to look for child sexual abuse material (CSAM), only to backtrack in the face of objections from the security community and many advocacy organizations.

The paper [PDF], “Bugs in our Pockets: The Risks of Client-Side Scanning,” elaborates on the concerns raised immediately following Apple’s CSAM scanning announcement with an extensive analysis of the technology.

Penned by some of the most prominent computer science and cryptography professionals – Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, and Carmela Troncoso – the paper contends that CSS represents bulk surveillance that threatens free speech, democracy, security, and privacy.

“In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance,” the paper says.

“Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be…


Week in review: Web shell malware, client-side web security, phishers exploit Zoom and WebEx – Help Net Security

Here’s an overview of some of last week’s most interesting news and articles: 46% of SMBs have been targeted by ransomware, 73% have paid the ransom …