No watchdogs but puppies for online security


To stay up to date with the latest IT developments, I always look through articles at Wired. While skimming through these articles, I noticed an interesting one about Netflix. We all know Netflix as a B2C platform that provides series and/or movies for a fee. To secure its service, and above all the accounts of its users, it runs loads of application assessments (Mimoso, 2015). Customer security is important in general, but especially when transactions are involved. Once it is not guaranteed, consumer loyalty might be harmed and so sales might be affected (Flavián & Guinalíu, 2007). Throughout the readings for both Designing Business Applications and Information Strategy I noticed the same thing: the words privacy and safety are used very often. Netflix found part of the solution and shared it openly as open source.

So what kind of puppies are we talking about? Well, Sleepy Puppy is a cross-site scripting payload management framework that provides delayed XSS testing (Mimoso, 2015). So what is cross-site scripting? “By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser” (Acunetix). By doing this, attackers can get access to personal information, or they can even send messages under your name (identity theft). A typical example of cross-site scripting: people on Facebook send messages with extremely weird topics and later claim they were hacked. Companies do not want this to happen, and so solutions like Sleepy Puppy are developed.

Figure 1: Simplified working of Sleepy Puppy (Bisson, 2015)

So how does this ‘Sleepy Puppy’ work? A security engineer can test an application that has been built by integrating the Sleepy Puppy JavaScript. Once the data or payload is injected, it is stored on a server. Imagine the case of an attacker: he or she discovers a leak, is able to copy this information, and saves it on a second server. Once the attacker uses this information to inject an infected payload, Sleepy Puppy reports back to the security engineer, notifying him of the leak.
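The tracking idea described above, sketched as an added example (this is not Netflix's code or part of the original post): each test injection gets its own token, and a later callback is matched to it to show which application rendered the stored data unescaped. The class name, the `collector.example.test` host, the application hosts and the `t` parameter are all hypothetical.

```javascript
// Added example: a minimal model of delayed-XSS payload tracking.
// PayloadRegistry, the hosts and the "t" parameter are hypothetical names.
class PayloadRegistry {
  constructor(collectorBase, newToken = () => Math.random().toString(36).slice(2, 12)) {
    this.collectorBase = collectorBase;
    this.newToken = newToken;      // tracing id only; use a CSPRNG in real use
    this.injections = new Map();   // token -> { app, field, injectedAt }
  }

  // Record one test injection and return the marker the tester submits.
  issue(app, field, now = Date.now()) {
    const token = this.newToken();
    this.injections.set(token, { app, field, injectedAt: now });
    const marker = `<script src="${this.collectorBase}/c.js?t=${token}"></script>`;
    return { token, marker };
  }

  // Match a callback (made when some page renders the marker unescaped)
  // to the injection that produced it.
  correlate(callback, now = Date.now()) {
    const token = new URL(callback.requestUrl).searchParams.get('t');
    const inj = this.injections.get(token);
    if (!inj) return { known: false };           // unknown or spoofed token
    const firedIn = new URL(callback.pageUrl).hostname;
    return {
      known: true,
      injectedInto: `${inj.app}:${inj.field}`,
      firedIn,
      secondary: firedIn !== inj.app,            // fired in a different app
      delayMs: now - inj.injectedAt,
    };
  }
}

// The fix each finding points to: encode stored data before writing it to HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: injected via a signup form, rendered later by an admin tool.
function demo() {
  const reg = new PayloadRegistry('https://collector.example.test');
  const { token } = reg.issue('signup.example.test', 'displayName', 0);
  return reg.correlate({
    requestUrl: `https://collector.example.test/c.js?t=${token}`,
    pageUrl: 'https://admin.example.test/users/42',
  }, 3600000);
}
console.log(demo());
```

A finding with `secondary: true` means the data was stored safely enough by the first application but rendered without encoding by another one, which is the case ordinary XSS scans of the first application miss.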

Identity theft is a serious issue; let’s hope that these ‘puppies’ bring us a step closer to guaranteed security.

Sources

Acunetix. (n.d.). Cross-site-scripting. Retrieved 9 15, 2015, from Acunetix: http://www.acunetix.com/websitesecurity/cross-site-scripting/

Bisson, D. (2015, 9 3). Netflix’s Sleepy Puppy Tool Helps Researchers Track XSS Propagation. Retrieved 9 15, 2015, from Tripwire: http://www.tripwire.com/state-of-security/latest-security-news/netflixs-sleepy-puppy-tool-helps-researchers-track-xss-propagation/

Flavián, C., & Guinalíu, M. (2007). Consumer trust, perceived security and privacy policy: three basic elements of loyalty to a web site. Industrial Management & Data Systems, 21-36.

Mimoso, M. (2015, 9 2). Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications. Retrieved 9 15, 2015, from threatpost.com: https://threatpost.com/netflix-sleepy-puppy-awakens-xss-vulnerabilities-in-secondary-applications/114517/
