Phishing campaign targets hotel guests

We've all been through trainings at work where they tell us to pay attention to URLs and validate their authenticity, examine emails for red flags, not trust calls and messages asking for urgent action - and so on. A false sense of security can creep in: I should be able to recognize a scam. Last week's episode of Smashing Security, however, brought up an attack that is scarily easy to fall for.

Here's my brief summary:

  • The attackers sent emails to hotels with a link to an infostealer.
  • Once it was executed, they could access booking platforms on behalf of the hotels.
  • The attackers contacted customers with urgent requests to update their credit card details - otherwise they'd lose their reservation.
  • The link to update credit card details was illegitimate.

Unlike a regular phishing attack that we're all used to, this was performed through legitimate and - you'd think - safe channels. As the report says:

It is often recommended that customers use only official and known methods of communication, such as various messaging platforms within the site, to prevent illegitimate or scam interactions. Unfortunately, this great advice becomes moot now that the attacker can access those methods. <...> It is important to remember that this message comes from within the booking site’s message platform itself.

Honestly, I'm impressed - that's a rather sophisticated attack. Here you can read about it in detail, along with suggestions on how to protect yourself.

Stay safe and inform people around you!

CS50's Introduction to Cybersecurity

I recently took CS50's Introduction to Cybersecurity, an online course from Harvard University on edx.org. It's taught by David J. Malan, who never fails to deliver an energetic and engaging lecture. Over five weeks he covers some of the most important threats in the online world and explains what can be done to mitigate them. The main topics are:

  • How to secure our accounts
  • How to secure data
  • How to secure systems
  • How to secure software
  • How to preserve privacy

I can really recommend this course to anyone even remotely interested in the subject. Bear in mind, it's an introduction to cybersecurity, so don't expect too much. But these lectures touch on a lot of topics that are good to know in this day and age.

Read more...

An unexpected letter

Today I received a scary-looking letter from abuse@hetzner.de, which is my German hosting provider. The text started as follows:

We have received a notification from the German Federal Office for Information Security...

Knowing how notorious German laws are when it comes to intellectual property, I immediately thought: "What did I do?" and "How big is the fine?" To the best of my knowledge, my blog doesn't violate any rules, and I didn't expect a message from a Federal Office without some wrongdoing on my part.

Photo by Maria Tyutina

Read more...

Burp Suite: a helpful tool for testing client-server software

As a test engineer, I often need to see what requests applications are making and what responses they are receiving. While browsers offer developer tools that include network monitoring, I find them inconvenient. Additionally, you can't use them with mobile and desktop software.

Recently, I discovered Burp Suite, a tool for security assessment and penetration testing that comes with many useful features. Although the professional edition is quite expensive, the free community edition is sufficient for regular testing activities.

Key functionality

  • A proxy server to intercept traffic.
  • A convenient user interface to analyze network activity.
  • The ability to modify and repeat requests.
  • The option to store individual requests for future use; however, the history is erased in the community edition when you close the program.
  • A text decoder that automatically translates strings like "%7B%22key%22:%22value%22%7D" to {"key":"value"}.

Read more...

Encrypt data like an Emperor: Caesar cipher

Whether we're concerned about privacy or not, we utilize cryptography every day. Thanks to HTTPS we can securely log in to online banks, use government services, share our location, chat with friends, and participate in other activities where leaks could result in financial loss, damage to our reputation, or even mental or physical harm.

Your communications with this website are also encrypted! That's not because you're transmitting or receiving confidential data while here, but because your browser wouldn't allow you to open this page otherwise. In the past, something like credit card details could be transferred in plain text, making it an easy target for hackers. Today, the risk is significantly reduced as browsers require site owners like me to secure the connection.

Long before the advent of the World Wide Web, the secrecy and confidentiality aspects of his role led Julius Caesar to contemplate how to safeguard his orders. A messenger carrying important information could be intercepted, and the message disclosed to the enemy. To counter this threat, he began encrypting his correspondence using a simple algorithm that was eventually named after him: the Caesar cipher.
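To make the algorithm concrete, here is an added Python example (not code from the original post) that implements the shift, and then shows why the cipher is no protection today: with only 25 possible keys, trying every one and scoring the results against English letter frequencies recovers the message instantly. The sample sentence and the frequency table are constructed for this example.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

def caesar_shift(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` places, wrapping around the alphabet.
    Case is preserved; digits, spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)

def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)

# Approximate letter frequencies of English text, in percent, for A..Z.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

def chi_squared(text: str) -> float:
    """Distance of the letter distribution of `text` from English (lower = closer)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    if not letters:
        return float("inf")
    counts, n, score = Counter(letters), len(letters), 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100 * n
        score += (counts[letter] - expected) ** 2 / expected
    return score

def crack(ciphertext: str) -> tuple[int, str]:
    """The key space is only 25 shifts: try them all, keep the most English-looking result."""
    best_key = min(range(1, 26), key=lambda k: chi_squared(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key)

if __name__ == "__main__":
    # Constructed sample message, not a historical text.
    secret = encrypt("Cross the Rubicon at dawn and march on Rome.", 3)
    print(secret)         # Furvv wkh Uxelfrq dw gdzq dqg pdufk rq Urph.
    print(crack(secret))  # (3, 'Cross the Rubicon at dawn and march on Rome.')
```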

Read more...