
Webzurich - The State of Web Security in Switzerland


In this talk BinaryEdge looked at the state of the main websites of Switzerland; we also looked at the three pillars the country stands on (banking, insurance and pharma) and how they look from an external perspective.


  1. BinaryEdge.io - Be Ready. Be Safe. Be Secure. - The State of Web Security in Switzerland
  2. AGENDA: Who am I? What do we do? Switzerland and Cybersecurity; Headers; Data leaks affecting Switzerland; Data exposed
  3. WHO AM I? Tiago Henriques. Tiago is the CEO and Data Necromancer at BinaryEdge; he gets to meddle in the intersection of data science and cybersecurity by providing his team with lovely problems that they solve on a daily basis.
  4. WHAT DO WE DO? DATA POINTS (word cloud): VNC, RDP, Files, People, Social, Company registration (internal, external), Phone, Email, Linked URLs, BGP, AS, Whois, AS membership, AS peer, List of IPs, Shared infrastructure, Co-hosted sites, Contact, Geolocation, Office locations, Social networks, portscan, DNS, torrents, Screenshots, Web Services (http, https), Users, Apps, Files, Peers, Torrent name, Banners, Image Classifier, Vulnerabilities, metadata, Photos, Family & friends, Behaviour, Likes, Topics, Search, News, Forums, Sub-reddits, Domains, AXFR, MX records, Webserver, Framework, Headers, Cookies, Certificate, Configuration, Authorities, Entities, OCR, SW, IP address, URL address, SMB. Scale: 200 ports scanned per month; >120 million IPs with services; >1.5 billion events generated per month.
  5. WHAT DO WE DO?
     balgan@DESKTOP-PAGM894 /cygdrive/d/270m domains/cctld_lists
     $ head ch.csv
     google.ch
     uploadable.ch
     eztv.ch
     projectfreetv.ch
     blick.ch
     ricardo.ch
     watchseries-online.ch
     20min.ch
     cokeandpopcorn.ch
     bluewin.ch
     balgan@DESKTOP-PAGM894 /cygdrive/d/270m domains/cctld_lists
     $ cat ch.csv | wc -l
     1533995
  6. SWITZERLAND AND CYBERSECURITY: BANKING, INSURANCE, PHARMA
  7. SWITZERLAND AND CYBERSECURITY
  8. HEADERS (Source: https://securityheaders.io)
     Server: this header advertises the software being run on the server; you can remove or change this value.
     Strict-Transport-Security: HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the user agent to enforce the use of HTTPS.
     X-Frame-Options: tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
     X-Content-Type-Options: stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
     X-XSS-Protection: sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".
     Content-Security-Policy: an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
     Public-Key-Pins: HTTP Public Key Pinning protects your site from MITM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
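The checklist on this slide is the same one the has/doesn't-have tables later in the talk are built from. The following is an added example (not BinaryEdge's tooling and not from securityheaders.io) of how such an audit can be scripted: it parses a raw HTTP response head, reports each of the six headers as missing, invalid or ok using the value rules quoted above, and flags a Server header that advertises software. The two sample responses are constructed for the example, not captured from any real site.

```python
"""Minimal security-header audit mirroring the securityheaders.io checklist.

Added example: this is not the talk's own code. The sample responses below
are constructed and do not correspond to any real site.
"""
from typing import Dict, Optional

# The six headers the talk's tables track.
SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Public-Key-Pins",
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head (status line + header lines) into a
    dict keyed by lower-cased header name; repeated headers are joined."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line terminates the head
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_value(name: str, value: Optional[str]) -> str:
    """Classify one header as 'missing', 'invalid' or 'ok'."""
    if value is None:
        return "missing"
    v = value.lower()
    if name == "X-Content-Type-Options":
        # The slide: the only valid value is "nosniff".
        return "ok" if v == "nosniff" else "invalid"
    if name == "X-XSS-Protection":
        # The slide: best configuration is "1; mode=block".
        return "ok" if v.replace(" ", "") == "1;mode=block" else "invalid"
    if name == "Strict-Transport-Security":
        # HSTS is meaningless without a max-age directive.
        return "ok" if "max-age=" in v else "invalid"
    if name == "X-Frame-Options":
        return "ok" if v in ("deny", "sameorigin") or v.startswith("allow-from") else "invalid"
    if name == "Public-Key-Pins":
        # A pin set needs at least one pin-sha256 and a max-age.
        return "ok" if "pin-sha256=" in v and "max-age=" in v else "invalid"
    # Content-Security-Policy: any non-empty policy counts as present here;
    # judging policy quality is out of scope for this example.
    return "ok" if v else "invalid"


def audit(raw: str) -> Dict[str, str]:
    """Return a per-header verdict for one raw response head."""
    headers = parse_headers(raw)
    report = {name: check_value(name, headers.get(name.lower())) for name in SECURITY_HEADERS}
    # The slide's first point: a Server header that names the software.
    report["Server"] = "advertises software" if headers.get("server") else "absent"
    return report


# Constructed sample responses (not real captures).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

Run against a live site by feeding it the response head from a TLS client (for example the output of `curl -sI https://example.invalid`, a placeholder host); the "invalid" verdict is what distinguishes a header that is merely present from one that is configured as the slide recommends, which is the nuance a simple present/absent table cannot show.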
  9. HEADERS - Most Common Server Headers (top 20) (chart; values not recoverable from the text)
  10. HEADERS - Most Common Security Headers in Switzerland (bar chart, axis 0 to 35,000). Headers shown: Strict-Transport-Security, X-XSS-Protection, Content-Security-Policy (report + enforced), Public-Key-Pins (report + enforced), X-Content-Type-Options, X-Frame-Options. Bar values as extracted (pairing with headers not recoverable): 32,687; 31,552; 20,220; 16,444; 1,282; 210.
  11. HEADERS - BANKS - WEBSITES. Sites: UBS.COM, CREDIT-SUISSE.COM, JULIUSBAER.COM, POSTFINANCE.CH, BANKCOOP.CH, FALCONPB.COM, RAIFFEISEN.CH. Headers checked: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. (Colour-coded table: has security header / doesn't have security header; per-cell results not recoverable from the text.)
  12. HEADERS - BANKS - E-BANKING. Same sites and headers as slide 11. (Colour-coded table: has security header / doesn't have security header.)
  13. HEADERS - BANKS - E-BANKING. Same sites and headers as slide 11. (Colour-coded table: has security header / doesn't have security header.) THIS IS HARD TO DO RIGHT!
  14. HEADERS - https://www.troyhunt.com/how-chromes-buggy-content-security-policy-implementation-cost-me-money/
  15. HEADERS - CANTONAL BANKS CYBER COMPETITION - E-BANKING. Banks: Zürcher (ZKB.CH), Vaudoise (BCV.CH), Basler (BKB.CH), Luzerner (LUKB.CH), St. Galler (SGKB.CH), Berner (BEKB.CH). Headers checked: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. (Colour-coded table: has security header / doesn't have security header.)
  16. HEADERS - INSURANCE COMPANIES. Companies: Zurich Financial Services, Swiss Re, Winterthur Group, Swiss Life, Baloise, Helvetia Patria, Suva, Groupe Allianz (Suisse), La Mobiliere, Vaudoise Assurances. Headers checked: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. (Colour-coded table: has security header / doesn't have security header / invalid configuration.)
  17. HEADERS - PHARMACEUTICAL/CHEMICAL COMPANIES. Companies: Novartis, Roche, Syngenta, Clariant, Ciba. Headers checked: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. (Colour-coded table: has security header / doesn't have security header.)
  18. HEADERS - DOCTOR WEBSITES (aerzte-zh.ch/). Bar chart, axis 0 to 130. Headers shown: X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy, Public-Key-Pins, X-Content-Type-Options. Bar values as extracted: 8, 7, 3, 3, 3 (one value not recovered; pairing with headers not recoverable).
  19. DATA LEAKS - http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  20. DATA LEAKS AFFECTING SWITZERLAND - BANKS
     UBS: 26,763
     Credit Suisse: 14,262
     Julius Bär: 765
     Zürcher Kantonalbank: 505
     Raiffeisen: 442
     Banque Cantonale Vaudoise: 375
     PostFinance: 352
     Falcon Private Bank: 64
     St. Galler Kantonalbank: 56
     Luzerner Kantonalbank: 50
     Berner Kantonalbank: 47
     Basler Kantonalbank: 41
     Bank Coop: 31
  21. DATA LEAKS AFFECTING SWITZERLAND - INSURANCE COMPANIES
     Zurich Financial Services: 2,753
     Swiss Re: 2,883
     Winterthur Group: 554
     Swiss Life: 507
     Baloise: 414
     Helvetia Patria: 239
     Suva: 230
     Groupe Allianz (Suisse): 6
     La Mobiliere: 0
     Vaudoise Assurances: 228
  22. DATA LEAKS AFFECTING SWITZERLAND - PHARMACEUTICAL/CHEMICAL COMPANIES
     Novartis: 19,872
     Roche: 17,708
     Syngenta: 6,409
     Clariant: 0
     Ciba: 676
     (unlabelled value in slide text: 31)
  23. DATA LEAKS AFFECTING SWITZERLAND
  24. DATA EXPOSED
  25. DATA EXPOSED
  26. DATA EXPOSED
  27. DATA EXPOSED
  28. DATA EXPOSED - Big Data Technologies: changes in the amount of data exposed on the internet (MongoDB, Memcached, Redis) at Aug 2015, Jan 2016 and July 2016. Values as extracted from the chart (pairing with technology and date not recoverable): 2TB, 644.3TB, 724.7TB, 627.7TB, 13.2TB, 11.3TB, 710.9TB, 12.0TB, 598.7TB, 27.5TB, 1.5TB, 1.8TB, 619.8TB.
  29. DATA EXPOSED
  30. BE READY. BE SAFE. BE SECURE. www.binaryedge.io (matrix labels: CONTINGENCY, THREAT, SAFE, IRRELEVANT)
