HTTP3
HTTP (Hyper Text Transfer Protocol) is an application layer protocol that facilitates the transfer of various resources such as web pages, text, images, media, and binary files. It enables communication between two main components: client and server. Typically, our web browser acts as a client, making requests to the server on our behalf, and other applications can play this role.
Over time, HTTP has evolved significantly to accommodate the massive growth of the Internet and the diversity of web content. The evolution of HTTP has continued from its earliest versions, HTTP/1.0, HTTP/1.1, and HTTP/2, to the more recent HTTP/3. With each iteration, new features are introduced to meet today’s needs and improve the limitations of previous versions.
Although HTTP/3 retains the familiar syntax and semantics derived from HTTP/2, its most important departure lies in the underlying protocol QUIC. QUIC operates over UDP rather than TCP, which modifies the stacking pattern of the protocol layers built on top of the Internet protocol. HTTP/3 is much faster than HTTP/2 when there is packet loss, or HTTP/3 connections have less latency and take less time to set up, and probably HTTP/3 can send data more quickly and can send more resources in parallel.
The QUIC protocol was developed by Google in 2012 and adopted by the Internet Engineering Task Force (IETF) — a vendor-neutral standards organization — when it began developing a new HTTP/3 standard with experts around the world all have been considered after the Group has concluded. QUIC is a transport layer protocol based on multiple UDP connections. Unlike TCP, UDP TCP does not support three handshakes.
QUIC and HTTP/3 have significant advantages over TCP+TLS+HTTP/2:
- Connection installation latency
- Improved crowd response
- Multiplexing without line head blocking
- Integrated migration
- Another unreliable or partially reliable mode of transport
Challenges due to the use of HTTP/3 in business include:
There is almost no plain text metadata for network traffic analysis. Existing NSM tools that rely primarily on “rational” navigation based on metadata analysis will be challenged.
Most security systems do not know how to properly analyze traffic sent over UDP. TLS proxy-based tools, such as firewalls, Secure Web Gateways (SWG), network proxy, etc., will argue that decrypting QUIC traffic is very challenging and at the time of this writing, very few vendors support QUIC decryption, even with their latest firmware.
Network devices that were specifically optimized for the TCP stack may not be so sensitive to the UDP stack. Many of them will need to be optimized for UDP, this should not be trivial. Also, the serial numbers of these devices may need to be reviewed.
All network devices in the area must be HTTP/3 and QUIC married. Considering that any large project will have a complex mix of modern and legacy networks, it may take years for the entire stack to become QUIC-married
Large network providers such as ISPs and cloud providers may not support QUIC or handle UDP in the same way as TCP.
Should I worry about QUIC now?
As of August 2023, 26.5% of all HTTP traffic already uses HTTP/3. Some popular websites that use, or support, HTTP/3 include Google, Facebook, YouTube, Netflix, Instagram, and Bing. Mozilla etc. This list is expected to grow with the percentage of HTTP/3 traffic. Also, almost all major web browsers are already built to support HTTP/3.
That’s already too many and businesses are blind to that traffic as their network is secure as well
Web3
The transition from Web 1.0 to Web 2.0 exposed companies to many new security threats. The free nature of posting means that unreliable and malicious plugins can easily crash websites, leak data, and infect databases.
As enterprises begin to explore the new world of Web3, they must encounter a crop of new security vulnerabilities — some of which they may not have encountered before and enterprises experimenting with Web3 will need new ways to address those challenges.
Concept of WEB3
Web3 is a vision of partially decentralized and collective ownership of the web. Web3 technologies are built on decentralized databases that require majority consent for each change or update.
To summarize how Web3 differs from previous web technologies:
- Web 1.0 reads: Users can access data on the Web but cannot interact with it.
- Web 2.0 is literate: users contribute data to the Web, for example, by uploading content.
- Web 3 is read-write-autonomous: users don’t just contribute data; They own their data.
How companies use Web3
There are many ways businesses are exploring the possibilities of Web3, from decentralized application architectures to simpler ways to store files
Blockchain and Developed Applications (DApps).
Blockchain is a method of recording transactions in bits of data over time in a distributed network. The data written on the blockchain cannot be changed.
One of the most popular applications of blockchain is cryptocurrency, which is an important part of decentralized financial services (DeFi) used today but developers can also write decentralized applications (DApps) using blockchain for use (including non-fungible tokens or NFTs).
Smart contracts are the very meaning of DApps. A smart contract is a code designed to perform specific tasks — like any other programmable task, smart contracts execute when invoked. Smart contracts are created and stored on blockchain networks.
From a scalability perspective, DApps give businesses the advantage of not having to manage and manage the full back-end processes needed to support the application Smart contracts are stored on the blockchain and automated. Organizations using a DApp also need to implement and manage user interfaces, using broker services to execute API queries from external smart contracts
DApps are reliable because they run on a large peer-to-peer network, while centralized apps go down if their supporting infrastructure decreases.
Finance is a key use case for DApps — examples range from cryptocurrencies to wallets, to decentralized exchanges. In addition, the developers also developed DApp web apps, games, social networks, and other services.
Major Web3 security risks
While the underlying principles of Web3 make it more secure than Web 2.0 in some aspects, like any technology it comes with its share of security risks. Some security differences stem from the way Web3 and Web 2.0 systems interact; Others are dedicated to how blockchain works with IPFS and other protocols. Web3’s reliance on network consensus makes patching these and other bugs a slow process.
Key security risks include:
Lack of encryption and verification for API queries
Most people know that they should not share their personal information with those who do not participate. However, Web3 applications often rely on API calls and responses that do not signal the end of the connection.
In theory, Web3 is completely decentralized, and any connected node on the network can communicate directly with the stored data. In practice, the front end of a Web3 application will still need to rely on Web 2.0 technologies that user endpoints can easily interact with. Most Web3 app front-ends use API queries to the Web3 backend for business logic and data storage.
Currently, many Web3 API queries are not cryptographically signed. This makes them vulnerable to attacks, data hijacking, and other attacks along the way — just as users of encrypted, unsigned HTTP Web 2.0 applications are vulnerable to data leakage and routing attacks Alternatively so, despite the notion of “false confidence” described above, Web3 application data is generally not guaranteed to be properly sourced
Smart contract hacking
Like any code, smart contracts can have major security flaws that put the user’s data or — more commonly — money at risk. A 2019 investigation identified Ethereum smart contracts with vulnerable code that put $4 million in Ether at risk. Over time, the problem has not improved; In December 2021, flawed smart contracts allowed attackers to steal about $31 million in digital currency. And in May 2022, a faulty algorithm caused the TerraUSD cryptocurrency to lose about $50 billion in value.
Best practices for securing Web3 applications and infrastructure
API query encryption and signature
The widespread use of Transport Layer Security (TLS) for HTTP requests and responses has greatly improved Web 2.0 security. Similarly, for Web3 DApps, the introduction of encryption and digital signatures on API queries and responses will be important in protecting application data.
WAF and other Web 2.0 security protocols
At this point, companies have decades of experience combating Web 2.0 security vulnerabilities. While that doesn’t diminish the seriousness of those vulnerabilities, mechanisms to protect users’ accounts, prevent code injection, and prevent cross-site scripting, among other attacks, mean web application firewalls (WAFs), bot management, API security measures and shut down a wide range of attack vectors for the front end of the application.
5G Technology
What is 5G security?
5G security is the integrated security of the underlying 5G network infrastructure, the traffic that crosses it, and the users of the network itself.
5G Safety Coach
5G security is a combination of physical and cybersecurity for the underlying 5G network infrastructure including hardware and software, including hardware and software, traffic circulation, and network operators for the proper implementation and implementation of 5G security the following five main characteristics occur:
- Resilience
- Communications Security
- Human resources management
- Privacy
- Assurance of security
5G security system
The 5G security architecture is based on advanced technologies such as network slicing, virtualization, and cloud-based processing. This technology allows companies to take advantage of significant productivity advantages. However, such a change also brings with it a new perspective on security.
Mobile protocol-based security
To understand security at the mobile protocol level for 5G, it is important to first understand 3GPP (3rd Generation Partnership Project). 3GPP is an organization that standardizes mobile protocols. 3GPP’s 5G standards provide security mechanisms based on well-proven 4G security mechanisms. They also include other enhancements for encryption, authentication, and user privacy.
In particular, some of the key improvements to the 3GPP 5G security standard include:
- New testimony arrangements
- Enhanced customer privacy
- Service-based systems and network security
- Maintaining the integrity of aircraft operations
Infrastructure/Cloud Security
Infrastructure and/or cloud infrastructure security affects how the 5G protocol is implemented as a system. Consider DISH Network. Dish builds the first 5G cloud-native network entirely on AWS (except for a few parts of the radio access network). In such a scenario, mobile protocol security improvements alone will not protect cloud network operations. Therefore, by tracking such deployments, companies should also ensure adequate cloud security.
- NVFI (Network Function Virtualization; Virtualized or Cloud-Native).
- Distributed clouds and edge computing
- Functions Based on Tools
- The connection between them
- Mobile Edge Computing
- Software-Defined Networking (SDN).
- Network Slicing
Is 5G secure?
Compared to previous wireless iterations, the security of 5G infrastructure has improved. For example, network slicing divides the underlying physical network infrastructure into logically isolated, independent, independent, and secure virtual networks In other words, there is such transformation in networks in also introduces a new concept of security.
AI in Pentesting
When we talk about thoroughly testing our environment or applications for vulnerabilities before a hacker finds them, we are talking about penetration testing or conducting “ethical hacking” exercises This concept has been around for a long time. If you are trying to find flaws in processes and controls through simulation or fake attacks, you are actually performing a penetration test and this requires you to hire a penetration testing company
The development of pentesting
Over time, the process of penetration assessment has evolved from a completely manual and tedious process that very few people know how to do, to a more automatic and widespread process This evolution is technological advancement goes. Download our guide to penetration testing here.
In the beginning, most of the things done with a computer were done by hand, so it was very effective to do a manual test. Then, with the proliferation of computers and automation, penetration testers were forced to design their equipment to cover more ground in less time , and led to the rapid discovery of vulnerabilities
Now, we have reached a point where companies have hundreds of thousands of different technologies and IP addresses, making it more difficult for pen testers to test everything in real time with accurate results and hence artificial intelligence (AI) . use it ) and machine learning (ML) are beginning to help pen testers overcome these obstacles.
Artificial intelligence refers to the ability of a machine to perform tasks that mimic human intelligence. A subset of artificial intelligence is machine learning, which refers to the idea that a system can learn and adapt without following explicit t instructions but can instead use an algorithm.
Scope of AI in Pentesting
So how can AI and ML help with penetration testing? Well, let’s examine the different approaches in general penetration screening assessment and see where AI and ML can be applied. There are several well-known methodologies and standards that can be used for penetration testing such as OSSTMM (Open Source Security Testing Methodology Manual), OWASP (Open Web Application Security Project), NIST (National Institute of Standards and Technology); , PTES ( Penetration Testing Methods and Standards), ISSAF (Information System Security Assessment Framework). However, in this particular article and to simplify the analysis, we will focus on the application of artificial intelligence and machine learning in the following four approaches to penetration testing.
Information Collection and Analysis – During this phase of pen testing we try to collect as much information as possible about our targets from publicly available sources with ports and services open At the end of this phase we will have goals dossier containing domain name, target hosts , service enabled, technologies in place, Pictures of physical locations, prospects and other information such as username and password at there.
AI and ML can not only help the pen tester actually gather all the data but also analyze it and identify patterns. For example, it can determine the best social engineering attacks to use based on the data collected (the use of social engineering and fraud to manipulate people into disclosing confidential or personal information for fraudulent purposes); or can be used to identify the target
Vulnerability Assessment / Scanning – During this phase of penetration testing we perform several in-depth vulnerability scans in an attempt to identify all possible weaknesses that the target may have. This is where AI and ML can help the pen tester understand the results of the scans, analyze them, eliminate any invalidity or noise sources, assess the data collected from the previous section, using threat reports from sources like social media, open records, the deep web, the dark web etc. Additionally, AI and ML can combine all the information and knowledge collected to help determine the best course of action for the attack phase.
Drying – This is the grafting phase where we work with everything we have previously planned. Here we try to gain access to systems, move sideways, increase opportunities, collect more data, and maintain access to innovation As I mentioned earlier, AI and ML can help by doing showing good to set goals, but they can also simultaneously consume someone. The results of these exploits can be fed back into the AI model, which can lead to previously unconsidered exploit options or new exploit strategies
There are already open source tools on the market that combine the functionality of the first three steps of this approach such as Deep Exploit (https://github.com/13o-bbr-bbq/machine_learning_security/wiki) This is a trick that works completely penetration testing tool that uses machine learning not only enhances the information gathering step but also vulnerabilities It is also for exploitation.
Reports – During this phase, a report with detailed information about issues, risk factors and recommendations identified is generated and distributed to penetration testing client AI and ML.
The future of admissions testing lies in the use of AI to streamline assessments and improve the accuracy of results. However, it is also important to understand that pen testers should still use their experience and knowledge to decide which is the best one to ultimately test.
Digital Payments
India has seen tremendous growth in digital payments in recent times. The transition from cash to cryptocurrencies has been dramatic, though not stable. People across India, including tier II and III cities, are making the switch and doing mobile banking or e-banking through unified payment interface (UPI), Aadhaar-enabled payment system (AePS), internet banking, and other means . . . . The adoption of wallets has raised the bar in the fintech industry and provides another layer of transparency in the transaction chain. But the rise in security threats, data breaches and cyberattacks has also increased consumer anxiety. Whether a physical transaction was secure or not is another matter for discussion, but digital vigilance is important.
Digital payments are here to stay
According to a recent report, India’s digital payments industry is set to grow to $700 billion by 2022. Another data from National Payments Corporation of India (NPCI) said digital payments worth Rs in October. Transactions were recorded through UPI These statistics are an indication that digital connectivity is here for a long time. The financial initiatives put in place by NPCI, especially during the lockdown phase, led to the adoption of digital payments in the country.
Most Indians have actively adopted digital banking and transformed their payment methods through digital. Its usage has expanded through the convenience of online shopping, online education and online banking systems, to name a few.
The internet is an open place
India has been a cash-based economy for decades, and the transition to digital has not been easy. Risk rates have been greatly increased due to lack of digital literacy and knowledge. Being online increases the risk of vulnerability. The Senate pointed out that more than 2.9 million incidents of digital banking were reported by 2020, involving techniques such as phishing, ransomware attacks, cyber espionage, distributed denial of service (DDoS), viruses, spoofing and website hacking . . . . Throughout the pandemic, hackers used other techniques to play on people’s emotions and vulnerabilities. From sending fraudulent messages for COVID-19 medical assistance and payments to selling fake oximeters, COVID medicines and oxygen cylinders to even conducting vaccination tours, they missed no opportunity to deceive people. The Delhi Police Cyber Cell received an estimated crore of rupees in the second wave.
Best practices to mitigate security threats
Like all other activities on the Internet, digital communication is vulnerable to attacks that can compromise your security and privacy. To avoid falling into such situations, we suggest a few steps to help you stay safe from cyber threats when making digital payments.
Personal Protective Equipment:
- Always try to use your own device to make digital payments because using others devices can be very risky
- Do not open links shared from unknown persons or sites that you don’t know of.
- Regularly check your financial activities and statements to get updated about you transactions
Password Security Features:
- Use One Time Password as much as you can.
- Keep Changing passwords on regular basis and do not use the same password at different places
Payment verification security measures:
- Always use 2FA – two-factor authentication for transactions.
- Attempting to bypass the biometric authentication process.
- Avoid storing card information on websites.
Technical Security Features:
- Always work with PCI DSS compliant vendors.
- Always check SSL encryption on payment pages.
- Always update antivirus software.
