Perspectives Project
What is GDPR Compliance? (An Overview)

What is the GDPR

What is GDPR? GDPR stands for the General Data Protection Regulation, which was agreed by the European Parliament and Council in April 2016. It supersedes and replaces the Data Protection Directive 95/46/EC in spring 2018 as the primary law regulating how organisations and companies protect citizens’ personal information. Companies have sensibly already begun implementing the regulation and aligning with it; they are also expected to be fully compliant with its new requirements before it becomes enforceable on May 25, 2018. Penalties have also been put in place for companies that have not complied with the regulation by then.

The GDPR applies to every member state of the European Union, with the objective of creating stronger and more consistent protection of consumer and personal data across European nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Obtaining the data subject’s consent before processing their data.
  • Hiding the origin of data to protect privacy.
  • Providing notifications and alerts whenever a data breach has occurred.
  • Carefully handling the transfer of data across borders to ensure its security.

The scope of GDPR

The aim of GDPR is to bring uniformity to data protection law across all the European member states, so that no member state sees value in drafting its own data protection rules and the rules are the same throughout the EU. Furthermore, every company that markets its goods or services to people in the EU, regardless of where it is located, is subject to the regulation. Thus the regulation provides an avenue through which data protection requirements will be implemented globally.

Requirements of the GDPR

The GDPR contains 11 chapters and 91 articles, but some sections have a more significant bearing on security operations. Some of those chapters and articles are:

  • Articles 17 and 18 – These articles give data subjects more authority over personal information that is processed automatically. As a result, data owners can transfer their personal information between service providers more quickly.
  • Articles 23 and 30 – These articles require organisations to put in place substantive data protection mechanisms that protect data confidentiality against loss or exposure.
  • Article 45 – This article extends the data protection requirements to global companies that collect or possess EU citizens’ personal information, subjecting them to the same laws.

A number of companies working towards compliance have recommended GDPR checklists: simple, checklist-style resources to help you along your GDPR compliance path.

Enforcement and Penalties for non-compliance

GDPR sets standardised rules across the EU, which makes it more enforceable than the previous law. Supervisory authorities (SAs) hold investigative and corrective powers: they may issue warnings for non-compliance, carry out audits, require an organisation to make specified improvements by agreed deadlines, order data to be erased, and block companies from transferring data to other countries. GDPR also empowers SAs to issue substantial fines, at their discretion, of 2% to 4% of the company’s global annual income or ten to twenty million pounds.

Best Data Security Software in 2018

Data security software protects and encrypts data, catalogs, and systems against threats, hacks, and mechanical failure. Companies use data security software to ensure the safety of sensitive and confidential data about their business, clients, and customers. Administrators use it to automate tasks such as data backups and threat and intrusion monitoring. They frequently use data security products to run tests that verify that data, images, and other sensitive material are encrypted while being shared. Firewalls and authentication tools prevent leaks, while encryption keeps leaked data from being legible. Data security tools can be combined with backup software to avert data loss. Data security products share features with network security and web security products, as they all aim to secure systems and data.

The best security companies offer security suites that combine an assortment of features. Some stick to the basics, while others pile on a huge number of valuable extras, from online backup to dedicated ransomware protection. Most security companies offer at least three tiers of security products: a standalone antivirus utility, an entry-level security suite, and an advanced suite with extra features. Most entry-level suites include antivirus, firewall, antispam, parental control, and some kind of extra protection, for example against phishing sites, the frauds that attempt to steal your passwords. The new and advanced “mega-suite” commonly adds a backup component and some type of system tune-up utility, and some also include password managers and other security extras.

The best all-around security software is Norton Security Premium.

Norton has been a well-known name in the security world for a long time. Chances are you have used at least one of its products at some point on your PC, as Norton software is frequently bundled with new PCs. Norton software previously drew complaints about slowing down computer performance, but that was addressed in recent years, soon after the complaints started, making this an excellent suite for covering all of your needs.

Beyond antivirus protection, there is an intelligent firewall that provides advanced protection without bothering you with endless pop-ups and warnings. It is highly capable and effective, without affecting your PC’s performance in any way.

For the concerned parent, there are parental controls that limit your child’s web time, the sites they can browse, what they can search for, and whether they are permitted to access social media sites. Automatic backups can also be arranged through the suite, with 25 GB of secure cloud storage alongside local options.

Other features include a password manager that encourages you to use more complex passwords to stay secure, and a spam filter for taming your inboxes. Security and anti-theft measures are also available for your mobile phones, whether Android or iOS based.

HTTP Security Headers Explained

Cases of hacking have been on an upward trajectory, forcing website owners and developers to come up with advanced solutions for threat mitigation. HTTP security headers are one of the ways website owners protect their publicly available sites from hackers. When properly implemented, these headers can protect your website from threats ranging from clickjacking and cross-site scripting to download attacks and code injection, among others. So much so that OWASP has set up the OWASP Security Headers Project with the sole purpose of raising awareness of HTTP security headers, which are typically only brought to light during a website security audit. It is therefore important for every website owner to understand what HTTP security headers are, including the most commonly used ones. Beyond knowing the different headers, it is also helpful for website owners to understand how each header mitigates threats and how it is configured.

An in-depth look at the common HTTP security headers:

Content-Security-Policy (CSP)

Generally, browsers are designed to trust all elements and content of a website, including style sheets, pages, JavaScript files and fonts. This trust means that browsers load and execute all website content without any form of verification. That lack of verification means hackers can exploit browser behaviour to run malicious code in the target browser. Content-Security-Policy addresses the vulnerability by defining the approved content sources for a website. The policy ensures that browsers only load and execute approved content, and thus prevents attacks including code injection and cross-site scripting.

X-Frame-Options

The X-Frame-Options header tells browsers how to behave when a page is embedded in another page. It protects sites against clickjacking attacks by telling the browser whether the page may be opened in a frame or an iframe. X-Frame-Options is currently supported by Chrome 4.1+, IE 8+, Opera 10.5+, Firefox 3.6.9+ and Safari 4+. The header supports three settings: SAMEORIGIN, DENY and ALLOW-FROM uri.

Strict-Transport-Security (HSTS)

Most sites use the HTTPS protocol to secure the exchange of a user’s data over the web. Although the protocol is highly effective, a connection can be downgraded to HTTP, compromising the confidentiality of data. HSTS prevents the protocol from being downgraded to HTTP, whether by an attacker or by a legitimate user, and so prevents eavesdropping on data. It also prevents cookie hijacking.

X-Content-Type-Options

The X-Content-Type-Options header helps improve the safety of a website by disabling the MIME sniffing feature found in some browsers. Although the purpose of sniffing is to let browsers detect when the actual type of a requested file differs from its declared type, hackers can take advantage of the feature to conduct cross-site scripting attacks.

X-XSS-Protection

The X-XSS-Protection header helps protect sites against cross-site scripting attacks. It is necessary if the website does not have a CSP policy in place.
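To check that the headers above are actually set the way the sections describe, here is an added example (not code from the Perspectives Project site): a Python function that audits a captured set of response headers against those rules, run over constructed sample header sets. The six-month minimum for HSTS max-age is this example's own assumption; treating X-XSS-Protection as a fallback only when CSP is absent follows the text.

```python
"""Audit HTTP response headers against the policies described above.

Added example for this page; it is not code from the Perspectives Project.
Header sets below are constructed samples, not captured from any real site.
"""
import re

# Constructed sample: a hardened response.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a weak response that sets every header badly.
WEAK = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",  # not one of DENY / SAMEORIGIN / ALLOW-FROM
    "Strict-Transport-Security": "max-age=0",
}

# Assumption of this example: an HSTS max-age under six months is too short.
MIN_HSTS_SECONDS = 180 * 24 * 3600


def parse_csp(value):
    """Split a CSP value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: browser will load scripts from any origin")
        # X-XSS-Protection only matters as a fallback when there is no CSP.
        if h.get("x-xss-protection", "").split(";")[0].strip() != "1":
            findings.append("X-XSS-Protection missing and no CSP to replace it")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when it is not given.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP allows wildcard or inline scripts: injection is not contained")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options missing or invalid: page can be framed (clickjacking)")

    match = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not match or int(match.group(1)) < MIN_HSTS_SECONDS:
        findings.append("HSTS missing or max-age too short: downgrade to HTTP stays possible")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not 'nosniff': MIME sniffing stays enabled")

    return findings


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, "->", audit_headers(sample) or ["all checks passed"])
```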

Conclusion

There is no reason why every website should not use HTTP security headers. The headers are easy to implement and play an important role in protecting your website and your users’ data from hackers. Nevertheless, you should make sure that the security headers are set correctly and kept up to date to cut down on the threats.

What is CyberSecurity?

You have probably come across the phrase cyber security all too often. It is a phrase that appears online frequently these days. But do you know what it really means? If you answered yes, good job. If you answered no, that is no big deal. Today we focus on the subject of cybersecurity, delving into this popular topic to add value to your life in one way or another as our reader. Without further ado, let’s begin:

What is cyber security? It can be defined as the protection of systems that are connected to the Web from cyber attacks. Systems may include data, software and hardware. In cyberspace, security normally consists of two components:

  • Physical Security
  • Cybersecurity

Both are vital to safeguarding data, software, and hardware from criminals. Physical security prevents the bad guys from physically accessing these materials for ill purposes. It also makes it difficult for them to download data or software on-site for criminal use. A good example of physical security in the world of computing is a flash drive with sensitive data that is protected from getting into the hands of criminals. Another example is a server room that is guarded so that no unauthorised party can gain access to the data or software inside it.

Cybersecurity, on the other hand, is the protection of Internet-connected systems from online criminals. This form of security differs from physical security in that it protects data, software and even hardware online as opposed to on-site. One basic application of cybersecurity is the use of a password to prevent third parties from accessing your social media account. A password that only you know ensures that nobody else is able to get into your Facebook, Twitter or Instagram account.

What Is the Significance of Cybersecurity In Our Daily Life?

The protection of data, software and hardware online is critical for everybody who uses the Internet. Cybersecurity is not only crucial to big organisations, as you may assume. Even you, at the grassroots level, face a constant cyber threat from online criminals.

You probably have a social media account with personal details, which the bad guys can use to steal money from your bank account or locate your residence. After all, many social media companies, if not all, require details such as your name, location, mobile number and date of birth to create an account. Without cybersecurity, those details can easily get into the hands of the bad guys, who could use them to your disadvantage.

Final Thoughts

When it comes to cybersecurity, what comes to mind for many people is banks and other big organisations that are vulnerable to cyber attacks. They assume that this is an issue that only matters to organisations and not to the ordinary person. But the truth is that we are all vulnerable to cyber attacks. Just like the banks and other organisations, we face constant cyber threats.

Perspectives broken in Firefox 32

Perspectives currently does not work in Firefox 32 and higher. This is a known issue. When Perspectives runs you will see a yellow exclamation icon and the error message “an internal security change error occurred: TypeError: ti.cert.md5Fingerprint is undefined”.

Firefox 32 is the first version in which support for the MD5 hashing algorithm has been removed (see BugZilla). From a security point of view this is great news: the MD5 algorithm is known to be weak, and software should be moving to better hashes. We also want Perspectives to move to better hashes.

Unfortunately Perspectives needs some internal fixes before this upgrade can be completed. We are actively working on fixing this error and will update Perspectives ASAP. Thanks to everyone who has contacted us about this issue.

Coming Soon: Notary scanning with SNI

Soon the heimdal and nine-eyes notaries will be upgraded to scan websites with Server Name Indication. Notaries will display whether they use SNI scanning on their index page:

Notaries will display their SNI status on their index page

This change should only improve notary results and give you more accurate readings for servers that require SNI, but let us know if you run into issues.

Many thanks to Perspectives user Carl for reminding me of this feature and for helping with testing. Thanks!

Setup a Free Notary Server in 15 Minutes with AWS

Note: These instructions are for version 2 of the Perspectives Server software and are now out of date. We will be releasing an updated guide with the next release, version 3.2. For now please see the Perspectives Server README for up-to-date instructions, or feel free to contact us on the mailing list.

The good news: it’s now even easier to run a Perspectives Server, and you don’t need to install or use the ‘psv-admin’ package. Simply running the server will automatically create a key pair and set up the database if required!

Amazon Web Services (AWS) lets you easily create a server in the “cloud”. In fact, they even let you run a “micro” instance for free, thanks to something called the “free usage tier”.

This post will show you how you can get your own notary running in just 15 minutes using AWS.

First, read about the free usage tier and sign up for an AWS account: http://aws.amazon.com/free/

Then, access the AWS management console to create an instance: http://aws.amazon.com/console/

Click on the “EC2” tab near the top left of the screen, then click the “Launch Instance” button in the main window pane.

Choose an Ubuntu server AMI by clicking on the “Community AMIs” tab and finding a matching image. Here are a couple of things to keep in mind:

  • Make sure the image is free tier eligible (denoted by a yellow star).
  • I use an image with a “Root Store” of “ebs”, as this means that even if this particular instance dies, I can spin up a new instance and reattach the same disk.
  • A 64-bit image is suggested.
  • I’ve done most of my testing on Ubuntu Maverick (10.10), but other recent Ubuntu platforms should work as well.  You can see the exact version for an image by reading the “Manifest” field.

In the “U.S East” region, an AMI that matches these criteria is: ami-cef405a7

Select your AMI, and keep the default “Micro” instance.

You will need Amazon to create an SSH keypair, which will automatically be “injected” into the instance, allowing you to access the instance remotely without a password. Give this key a name (e.g., notary) and download it to your filesystem.

After downloading the key, make sure it is only accessible to your user:

Now you can access your machine remotely. Click on “Instances” in the left panel, select your instance’s row in the main pane and view the details box at the bottom. Note the “Public DNS” field, as this is how you will access the machine remotely. For example, run:

Now your notary is up and running! It will respond to notary requests on port 8080. To see the public key the notary uses to sign all responses, run:

This is the public key that can be provided to a Perspectives client to authenticate the notary response. The server code comes with a simple client for you to test with. To query a website to monitor (called a “service-id” in Perspectives), specify it using the form ::2. For example, for http://www.google.com, run:

The first time you query the notary server, it will not know about the service and will return a 404 error, as the notary server launches an “on-demand” probe for that service. Wait a couple of seconds and run the same command again, and it should succeed.

A new version of the Perspectives Firefox Client will soon be released that will let you use your own notary servers as well.

By default, this notary server will run a scan of all known service-ids twice a day, as configured using crontab. You can manually run a scan of all services at any point by running:

Recent Posts

  • What is GDPR Compliance? (An Overview) – September 19, 2018
  • Best Data Security Software in 2018 – July 30, 2018
  • HTTP Security Headers Explained – April 23, 2018
  • Future Trends in the Information Technology Industry – January 30, 2018
  • What is CyberSecurity? – July 1, 2017
  • The Importance of Securing Your Web Applications – November 30, 2016
  • Perspectives broken in Firefox 32 – September 14, 2014
  • Coming Soon: Notary scanning with SNI – March 26, 2013

Perspectives Project

“In all my career, I’ve never seen the need for protecting data gain so much importance as it has done now. This prompted me to use my expertise to help organisations and people work towards improving data security and put their fears to rest.”

Copyrights © 2018 perspectives-project.org. All rights reserved.