While most of today's banks and e-commerce sites have their front doors locked, there's a side door that many still leave open: connections to third-party scripts. We caught up with Hadar Blutrich, CEO of Israeli startup Source Defense, to hear about the solution his team has cooked up to take control of these scripts.
After a presentation at the Advanced Technology Park on the Ben-Gurion University campus, Blutrich told ZDNet, "While creating Source Defense, we found out that almost any website in the world can be hacked using the third party scripts on the page. It doesn't matter if it's a bank, or if it's an e-commerce [site], or any other type of website. We were able to demonstrate that when we are hacking one of the third parties, we are able to get full accessibility to the page, change the page, add information to the page, and get any information back, including user credentials, including manipulating the [buyer's] order to buy...
"We saw a text from an analytic program that the user doesn't even know about. We saw a text from advertisement. We even saw the latest attack using an accessibility program on the website. More than 4,000 different websites, government websites, were compromised last month because of an attack on a third party that helped people with disabilities to access the websites."
He continued, "The problem with the third parties is that everything happening in those third-party scripts is happening on the client side. Which means that all of the measures of defense, of cyberdefense, that a website has are already done by that time. You are finished with the firewall, you are finished with the SSL, and only then you are calling those third parties. It means that the bank has no visibility into what they are doing on the page and doesn't have any way to prevent them from doing stuff that they are not supposed to do.
"Source Defense is creating what we call virtual pages. We are isolating the different third parties into virtual pages in the memory of the browser. Each one of those third parties is being run on the virtual page and can only see information that is allowed for it to see. When that same third party is trying to write information back to the page, we decide which part of it should be reflected back to the page and which should not."
Blutrich added, "For example, if a third party is trying to get access to the user name and password in the virtual page, the user name and password will never appear. He will not be able to see them in a virtual page. If a third party is trying to write information to the page such as 'naughty poo propaganda,' we can prevent it from appearing in the real page.
"It really depends on the industry and on the type of the page, but we can see between five and sometimes 120 different third parties. It basically means that you have 120 different open doors on the page, and if a hacker gets into them you will not even know that he was able to get access to the website.
"In a lot of the cases, third parties are slowing down the page. The reason is that the third party is loading synchronously and the page waits for it to be loaded. With Source Defense, what happened as a byproduct is that all of the third parties have been loaded into the virtual pages, and therefore the actual page that you are looking at is loading faster in most cases."