ImmuniWeb

Type: Private
Industry: Cybersecurity
Founded: 2019
Founder: Dr. Ilia Kolochenko (CEO) [1]
Headquarters: Geneva, Switzerland
Area served: Europe, North America, APAC
Products: ImmuniWeb AI Platform
Services: Application security testing, attack surface management, dark web monitoring
Number of employees: 50+
Website: www.immuniweb.com

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops Machine Learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

Early Security Research

Security Advisories

The ImmuniWeb Security Research Team (formerly known as High-Tech Bridge) has released over 500 security advisories [2] affecting various software, with issues identified in products from many well-known vendors such as Sony, [3] McAfee [4] and Novell, [5] in addition to many web vulnerabilities affecting popular open source and commercial web applications such as osCommerce, [6] Zen Cart, [7] Microsoft SharePoint, SugarCRM and others.

The Security Research Lab was registered by MITRE as CVE- and CWE-compatible. [8] It is one of only 24 organizations globally, and the first in Switzerland, to achieve CWE certification.

The company is listed among 81 organizations, as of August 2013, that include CVE identifiers in their security advisories. [9]

ImmuniWeb launched an SSL/TLS configuration testing tool in October 2015. [10] The tool validates the TLS or SSL configuration of email, web or any other server against NIST guidelines and checks PCI DSS compliance; it was cited in articles covering the TalkTalk data breach. [11] [12]
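What a configuration test of this kind does, in outline, is compare the protocol versions, cipher suites and certificate parameters a server offers against a written baseline. The following is an added example and is not ImmuniWeb's tool or its scoring rules: the baseline policy (no SSLv2, SSLv3, TLS 1.0 or TLS 1.1; no export-grade, NULL, anonymous, RC4, DES or MD5 suites; 2048-bit minimums for RSA keys and DH groups; no SHA-1 or MD5 certificate signatures) is an assumption modelled on NIST SP 800-52 Rev. 2 and PCI DSS guidance on retiring SSL and early TLS, and both server profiles are constructed rather than captured from any real host.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Baseline policy: an assumption for this example, modelled on NIST SP 800-52
# Rev. 2 and the PCI DSS retirement of SSL/early TLS. Not the tool's own rules.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings of OpenSSL cipher names marking export-grade, unauthenticated,
# unencrypted or broken suites ("EXP" covers the FREAK-style export ciphers,
# "DES" also catches 3DES suites such as DES-CBC3-SHA).
WEAK_CIPHER_MARKERS = ("EXP", "NULL", "ADH", "AECDH", "RC4", "DES", "MD5")
MIN_RSA_BITS = 2048   # certificate public key size
MIN_DH_BITS = 2048    # ephemeral finite-field DH group (Logjam-style downgrade)
WEAK_SIG_HASHES = ("md5", "sha1")


@dataclass
class ServerProfile:
    """What a scanner would have learned from handshake attempts with one server."""
    protocols: List[str]           # protocol versions the server accepts
    ciphers: List[str]             # cipher suites it offers (OpenSSL names)
    rsa_key_bits: int              # size of the certificate's RSA key
    sig_alg: str                   # certificate signature algorithm
    dh_bits: Optional[int] = None  # DHE group size, if any DHE suite is offered


def check_profile(p: ServerProfile) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means compliant."""
    findings = []
    for proto in p.protocols:
        if proto in FORBIDDEN_PROTOCOLS:
            findings.append(("high", f"obsolete protocol enabled: {proto}"))
    for suite in p.ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(("high", f"weak cipher suite offered: {suite}"))
    if p.rsa_key_bits < MIN_RSA_BITS:
        findings.append(("medium", f"RSA key too small: {p.rsa_key_bits} bits"))
    if p.dh_bits is not None and p.dh_bits < MIN_DH_BITS:
        findings.append(("medium", f"DH group too small: {p.dh_bits} bits"))
    if any(h in p.sig_alg.lower() for h in WEAK_SIG_HASHES):
        findings.append(("medium", f"weak certificate signature: {p.sig_alg}"))
    return findings


def worst_severity(findings: List[Tuple[str, str]]) -> str:
    """Collapse a findings list to a single verdict: 'high', 'medium' or 'pass'."""
    levels = {sev for sev, _ in findings}
    if "high" in levels:
        return "high"
    if "medium" in levels:
        return "medium"
    return "pass"


# Constructed profiles for illustration, not captured from any real server.
LEGACY_MAIL_SERVER = ServerProfile(
    protocols=["SSLv3", "TLSv1.0", "TLSv1.2"],
    ciphers=["EXP-RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    rsa_key_bits=1024,
    sig_alg="sha1WithRSAEncryption",
    dh_bits=1024,
)
HARDENED_MAIL_SERVER = ServerProfile(
    protocols=["TLSv1.2", "TLSv1.3"],
    ciphers=["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"],
    rsa_key_bits=2048,
    sig_alg="sha256WithRSAEncryption",
)

if __name__ == "__main__":
    for name, profile in (("legacy", LEGACY_MAIL_SERVER),
                          ("hardened", HARDENED_MAIL_SERVER)):
        findings = check_profile(profile)
        print(f"{name}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The legacy profile produces seven findings and a "high" verdict; the hardened profile produces none. A real scanner would fill in the profile by attempting handshakes with each protocol version and cipher list rather than reading a hand-written profile, but the comparison step against the policy is the same.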

Security and Privacy Research

The discovery of vulnerabilities in Yahoo! sites by the company was widely reported, [13] [14] leading to the t-shirt gate affair and changes in Yahoo's bug bounty program. The firm identified and reported four XSS vulnerabilities on Yahoo! domains, for which the company was awarded two gift vouchers to the value of $25. [15] [16] [17] [18] The sparse reward offered to security researchers for identifying vulnerabilities on Yahoo! was criticized, sparking what came to be called t-shirt gate, [19] a campaign against Yahoo! sending out T-shirts as thanks for discovering vulnerabilities. The company's discovery of these vulnerabilities and the subsequent criticism of Yahoo!'s reward program led to Yahoo! rolling out a new vulnerability reporting policy which offers between $150 and $15,000 for reported issues, based on pre-established criteria. [14] [20]

In December 2013, the firm's research [21] on privacy in popular social networks and email services was cited [22] [23] in a class action lawsuit alleging that a social network violated its members' privacy by scanning private messages sent on the network.

In October 2014, the company discovered a Remote Code Execution vulnerability in PHP. [24] In December 2014, they identified the RansomWeb attack, [25] a development of Ransomware attacks, where hackers have started taking over web servers, encrypting the data on them and demanding payment to unlock the files.

In April 2014, the company's discovery [26] of sophisticated drive-by download attacks revealed how such attacks are used to target specific website visitors after they authenticate on a compromised web resource.

In December 2015, the company tested the most popular free email service providers for SSL/TLS email encryption. [27] Hushmail, previously considered one of the most secure email providers, received a failing "F" grade. Shortly afterwards, Hushmail updated its SSL configuration and received a score of "B+". [28]

Related Research Articles

HTTPS: Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

OpenSSL: Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

Pwnie Awards: Information security awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Trellix is a privately held cybersecurity company founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Moxie Marlinspike: American entrepreneur

Moxie Marlinspike is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, Google Messages, Facebook Messenger, and Skype.

The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the National Cybersecurity FFRDC, which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.

Goatse Security: Hacker group

Goatse Security (GoatSec) was a loose-knit, nine-person grey hat hacker group that specialized in uncovering security flaws. It was a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA). The group derives its name from the Goatse.cx shock site, and it chose "Gaping Holes Exposed" as its slogan. The website has been abandoned without an update since May 2014.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

CRIME is a security vulnerability in HTTPS and SPDY protocols that utilize compression, which can leak the content of secret web cookies. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. CRIME was assigned CVE-2012-4929.

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Heartbleed: Security bug in OpenSSL

Heartbleed was a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

Shellshock (software bug): Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

POODLE is a security vulnerability which takes advantage of the fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or less, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the Finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015. The discoverers were able to demonstrate their attack on 512-bit DH systems. They estimated that a state level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048-bits for shared prime systems.

DROWN attack: Security bug

The DROWN attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols. Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.

Version history for TLS/SSL support in web browsers tracks the implementation of Transport Layer Security protocol versions in major web browsers.

References

  1. "Articles by Ilia Kolochenko". CSO Online. Retrieved 22 July 2015.
  2. "Packet Storm - Files from High-Tech Bridge SA". PacketStorm.org. Retrieved 20 February 2016.
  3. "Security Update Program for VAIO® Personal Computers". esupport.sony.com. Sony. Retrieved 20 January 2015.
  4. "McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability". kc.mcafee.com. McAfee. Retrieved 20 January 2015.
  5. "Security Vulnerability: GroupWise Client for Windows Remote Untrusted Pointer Dereference Vulnerability". www.novell.com. Novell. Retrieved 20 January 2015.
  6. "Researchers at Swiss-based security firm High-Tech Bridge have identified serious vulnerabilities in several popular web applications". SecurityWeek. Retrieved 20 February 2016.
  7. "Critical Zen Cart vulnerability could spell Black Friday disaster for online shoppers". BetaNews. Retrieved 20 February 2016.
  8. "Product from High-Tech Bridge Now Registered as Officially "CWE-Compatible"". MITRE. Retrieved 7 August 2014.
  9. "Organizations with CVE Identifiers in Advisories". 26 June 2013. Retrieved 1 September 2013.
  10. "Free PCI and NIST compliant SSL test". Help Net Security. Retrieved 23 October 2015.
  11. "TalkTalk boss receives ransom demand as massive customer data breach deepens". The Inquirer. Archived from the original on October 24, 2015. Retrieved 23 October 2015.
  12. "TalkTalk CEO admits security fail, says hacker emailed ransom demand". The Register. Retrieved 23 October 2015.
  13. "Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal". 3 October 2013.
  14. Kirk, Jeremy (3 October 2013). "Yahoo security bounty program ditches T-shirts for cash". Retrieved 19 October 2013.
  15. Rubenking, Neil J. (1 October 2013). "Yahoo Offers Sad Bug Bounty: $12.50 in Company Swag". PC Magazine. Retrieved 19 October 2013.
  16. Bilton, Ricardo (1 October 2013). "I reported a major Yahoo security vulnerability and all I got was this lousy T-shirt". Retrieved 19 October 2013.
  17. Frank, Blair Hanley (1 October 2013). "Researchers find critical vulnerabilities in Yahoo's site, offered $12.50 per bug". Retrieved 19 October 2013.
  18. Hackney, Steve (7 October 2013). "Yahoo! Inc. (NASDAQ:YHOO) Removes Bugs Identified By High Tech Bridge". Retrieved 19 October 2013.
  19. Osborne, Charlie (3 October 2013). "Yahoo changes bug bounty policy following 't-shirt gate'". ZDNet. Retrieved 19 October 2013.
  20. Martinez, Ramses (2 October 2013). "So I'm the guy who sent the t-shirt out as a thank you". Retrieved 19 October 2013.
  21. "Social networks: can robots violate user privacy?". Archived from the original on 2014-01-03. Retrieved 2014-01-13.
  22. "Facebook sued for allegedly intercepting private messages".
  23. "Is Facebook spying on you?". CNBC.
  24. Brook, Chris. "PHP patches buffer overflow vulnerabilities". threatpost. Retrieved 27 October 2014.
  25. Fox-Brewster, Thomas. "RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses". Forbes.com. Retrieved 1 February 2015.
  26. Gallagher, Sean (13 April 2015). "Universal backdoor for e-commerce platform lets hackers shop for victims". arstechnica. Retrieved 14 April 2015.
  27. "Testing Your SSL Encryption Can Provide Important Security Insights". IBM Security Intelligence. 15 December 2015. Retrieved 15 December 2015.
  28. "High-Tech Bridge Grades Email Services on Security, Gives Fastmail Top Score". Talkin Cloud. 3 December 2015. Retrieved 3 December 2015.