On The Launch of Shape Connect

The war against “fake” begins today, with the launch of Shape Connect.

Shape spent the last eight years building a machine-learning engine that has a single focus: to distinguish humans from robots on the Internet. The engine is constantly learning as it processes over a billion transactions every day from 25 percent of the consumer brands in the Fortune 500. It’s actually a billion-and-a-half on payday and National Donut Day (June 7, thank you, Dunkin’ Donuts).

We’ve made this incredible engine available to everyone and we call it Shape Connect. Connect is self-serve, takes minutes to set up, and is free for two fortnights (yes, GenZ, that’s the correct spelling).

Why is Connect so revolutionary? Distinguishing automation (bots) from humans is the most difficult, and most pressing, challenge on the Internet. Stopping fake traffic should be job #1 for any website that has value—yet, Facebook, Twitter, and Google all struggle with fake traffic. Shape Security can, and we’re practically giving the service away. Why? Too many reasons to go into here, but check with us after therapy and we might talk.

Solving Modern Problems

Okay, okay, so we built a computer that can identify other computers. How does this help you? Many businesses are being defrauded by bots and don’t even know it. They might know they have a problem of some kind but not understand that automation is the real threat vector.

Credential Stuffing Causes HUGE Business Losses  

Credential Stuffing: Shape didn’t invent it, but we DID name it. It’s where malicious actors  acquire login credentials belonging to blithely unaware Internet users, employ bots to pour billions of username/password combinations into millions of websites, then drain users’ accounts of money, credit-card numbers, email addresses, and other valuable stuff.

Website breaches resulting in gargantuan credential spills are common occurrences these days despite mighty efforts to boost privacy and security measures. A sophisticated criminal industry has sprung up that uses automation to access online accounts across the board, including social media, retail, banking, travel, and healthcare.

What credential stuffing looks like before Shape Connect stops it

Believe it or not, credential stuffing-related activity can make up more than half of a website’s traffic. It’s estimated that this kind of nefarious pursuit results in business losses of over $5 billion annually in North America alone.

Gift Card Cracking

Another super-annoying problem is the cracking of online gift-card programs. Most gift-card programs allow recipients to check the card balance online. Attackers create bot armies to check the balance of every possible gift-card number! When they find a gift-card number that has a positive balance, they use it to purchase re-sellable goods before the recipient can use the card. Isn’t that horrible? It costs retailers millions of dollars per year.

Business Logic Mischief

But it gets worse. Almost any site that has significant intellectual property in its business logic is either being attacked or is at risk. Consider the stalwart health-insurance company. Insurance websites allow you to get premium estimates based on your profile. Their rates are based on diligent research and proprietary actuarial tables accumulated over decades of experience. One of our customers found that a competitor was creating millions of fake profiles, each with a slight tweak to its age, income, and pre-existing condition to map out the insurer’s quote-rate tables. What took decades to create was being stolen by a competitor using bots. That’s not fair, is it?

Are You Dating a Robot?

One of the curious facts that emerged from the aftermath of the Ashley Madison breach in 2015 was that a significant number of the female profiles on the affair dating site were fake. They’d been created by bots to yield vehicles by which swindlers around the world could establish online relationships with men whom they would then defraud through a money transfer. While Ashley Madison is no longer with us, there are other, less controversial dating sites that still have the same problem. Shape helped one of them deal with fake-account creation, leading to a much lower probability of robot dating. (Sorry, robots, true love is for humans.)

Hotels and Airlines: Point Theft

Hotels and airlines have their own currencies in the form of loyalty program “points” or “miles.” These have long been a target for fraudsters who can take over thousands of accounts, merge all their points, and convert them into re-sellable goods. In many cases, attackers prefer going after points. Your average consumer will notice immediately if their bank account is drained, but may not quickly (or ever) notice that their points are gone. They might just assume the points had expired. Room rates and flight fares are another form of intellectual property, and aggregators scrape the sites constantly, pulling rate information for competitors, leading to overly low “look-to-book” rates.

Fight The War Against Fake

Those are just a few examples of automation as a threat vector for business. We could tell you about a million cases of sophisticated bots threatening every different type of business, but we hope you get the picture already.

So let’s get back to Shape Connect, what it is, and how it works.

How Shape Connect Works

Our fully cloud-based service stands staunchly between your site and the Internet, deflecting bots and protecting you credential stuffing, DDoS, account takeovers, gift card cracking, and all other malicious activity done at scale.

We’ve put together a couple of videos showing how Shape Connect works to protect your site. For those of you blessed with short attention spans, we have a 90-second, visually stimulating cartoony video (above).

If that piques your interest and you want the whole story, here’s a six-minute video that goes deeper into the workings of Shape Connect.

And if you’re a reader, we’ll break it down for you right here.

Without Shape Connect, there’s nothing between your website and the user’s browser. But what if it’s not a browser or a real user? Both real users and bots follow the same steps to get to your site.

  1. The client (user or bot) queries DNS.
  2. DNS returns the IP address of your website (or load balancer or cluster, or whatever).
  3. The browser or bot sends a request directly to your website.
  4. Your website returns the response.

With Shape Connect, there’s a layer of protection between your site and the user or bot.

  1. DNS returns a dedicated Shape Connect IP to the user or bot.
  2. All client requests are routed through Shape’s Secure CDN for fastest response.
  3. Shape Connect absorbs any DDoS attacks that the client might have sent.
  4. Shape Connect’s artificial intelligence determines if the request came from a real human using a real browser or from an automated bot. It passes only human requests through to your website.
  5. Your website responds only to legitimate requests, sending the data back through Shape Connect and to the human at the other side.

Of course, if you have “trusted bots” that you want to allow, you can manage your own whitelists.  

With the Shape Connect Dashboard, you can see all the requests that have come through, and marvel at all the automated malicious requests that Shape blocked!

Your Honor, I Object!

The rest of the industry is catching on to the bot problem, and some are pushing approaches that differ from Shape Connect.

What about WAF?

One of those alternative solutions is so-called “bot management” integrated into a Web Application Firewall (WAF). We’re seeing many WAF vendors trying this, but failing. Here’s a long treatise that explains why we think WAF is a suboptimal approach.

What about PCI?

With Shape Connect, you can drive away all unwanted automation and still be PCI compliant. We’ve got more details for you in this informative and colorful brochure.

Connect with Shape Connect

To celebrate the official launch of Shape Connect, we were going to throw ourselves a gigantic poolside party, with mumble rappers from LA and rivers of Henny.  But we decided, instead, that it would be more fun to watch all the new customers come in and bask in the delight they experience as they get connected.

Shape Connect is live right now, and if you’re comfortable and confident, you can sign up for a free trial. But we’re also here if you want to chat first about how Shape Connect can secure your business, reduce your latency, keep your servers afloat, and improve your customer experience journey. Talk with you soon!

Do You Need a WAF, or Something Better than a WAF?

The King is Dead, Long Live the King, by cayusa, license Creative Commons 2

“The king is dead! Long live the king!” The jarring conflict embodied in this timeless hoorah is about to apply to the application security space. Subjects are giving up on the old king—the web application firewall (WAF) technology—as their primary appsec tool, for several reasons. First, because WAFs are too complicated. Second, because attackers have changed their attack vector to target credentials at scale (credential stuffing) before hacking. Third, and most important, because the market has evolved to offer an approach superior to WAF in efficacy, value, and worker hours invested.

While we at Shape Security have been predicting the shift away from WAF for years, others have been taking note. The PCI DSS specification had previously mandated a WAF, and that drove WAF sales for a decade. However, the language of PCI DSS has changed in 6.6, and other solutions can be used to fulfill the requirement.

The new approach is a distributed, cloud-based, machine-learning Turing service backed by anti-automation specialist operators. Let’s call it “anti-automation” for short until a clever analyst comes up with a better name.

2018 had 1500+ critical CVEs

WAFs are Too Complicated

Consider the statement that WAFs are too complicated. In our experience working with customers over the last decade, we’ve rarely, if ever, seen complete WAF protection cover even a tenth of critical applications. Frequently, the WAF has just a single dedicated (and expensive) administrator, and the ruleset for the WAF must be updated under the following conditions:

  1. When attackers evolve an attack to get around existing signatures.
  2. When content has been added (which is constantly in today’s agile web paradigm).
  3. When a web vulnerability is detected in the application or any supporting infrastructure (2018 had over 1500 critical CVEs — six for every working day).

These factors, which are all external to the WAF, quickly overwhelm the administrator and end up protecting only a handful of applications (or a single application). And usually not well.

Credential Stuffing and Retooling are the New Threat Vectors

Even if WAFs had done their job properly, it wouldn’t really matter because attackers have radically changed their approach. Gone are the days of attackers manually hacking websites. Today, they focus first on taking over the accounts of legitimate users. From there, they perpetrate their blight or escalate their privilege.

Today it’s all about credential stuffing. Attackers test millions of breached credentials using automated tools like Sentry MBA, PhantomJS, or automated headless browsers to gain their initial beachhead. Between 0.2% and 3% of credential-stuffing attempts are successful—a piteously low rate, which is why attackers try millions of credentials at a time. Even a 0.5% success rate using one million breached credentials will yield 5,000 accounts.

WAF technology was designed to stop SQL injections, not credential stuffing. An on-premises WAF managed by a single or part-time resource has no hope of defeating sophisticated credential-stuffing campaigns.

When a defender concocts a rule to stop a credential-stuffing campaign, the attacker pauses, retools to get around it, and then resumes the campaign. We at Shape see this all day, every day, with up to ten different levels of retooling. No single resource can keep up with that degree of sophistication, and the world is coming around to admit the problem.

The New Paradigm for Application Protection

If we all admit that the WAF is too long in the tooth, and that attackers have changed their approach anyway, the obvious question is: What is the right approach?

There are only a handful of highly skilled specialists with the right combination of technologies to consistently defeat and deter attacker automation. The key technologies of the best approach are:

  1. Artificial Intelligence (AI). Each attacker is launching millions of login tests, from millions of different IP addresses around the world. Only an AI-assisted SOC can see through the tidal wave and pick out real users.
  2. Expert-Assisted Mitigation. As useful as AI is, no vendor has machine-learning models that can detect and block all automation without also blocking real users (false positives). AI must be used to detect and flag campaigns to real human operators who make the final determination and remediation.
  3. Collective Defense. Most attackers launch credential-stuffing campaigns against multiple defenders in a serial fashion. The right approach must include defending a plurality of targets in each vertical market, so attacks seen against one company can be used to inoculate all the other companies before the attack can get to them.

Shape Security pioneered all these technologies for the Fortune 500 and Global 2000, and we’re now bringing them to everyone else to take the burden off WAF admins.

Looking Beyond the WAF

The OWASP Top Ten is the Open Web Application Security Project’s top-ten application security risk list. The legacy WAF technology was the only tool specifically designed to speak to the OWASP Top Ten, but at the end of the day, it was poorly suited to solve the list’s issues. Table 1 shows a breakdown of how well a WAF executes against an anti-automation service like Shape for each entry of the Top Ten.

RankOWASP RiskWAF AbilityAnti-Automation
1Injection******
2Broken Authentication****
3Sensitive Data Exposure***
4XML External EntitiesN/AN/A
5Broken Access Control***
6Security Misconfiguration****
7Cross-site Scripting***
8Insecure Deserialization*N/A
9Known Vulnerabilities*****
10Logging and Monitoring****

Let’s dive a little deeper into some of the Top Ten.

#1: Injection, #3: Sensitive Data Exposure

One could argue that the number-one job of a WAF is to prevent SQL injection. Modern organizations have learned to use identity as perimeter to keep unauthenticated users from causing any kind of SQL query, and that in itself is a commendable first line of defense. To get around the perimeter, attackers must gain control of an account. To do that, they use credential stuffing or brute force, both techniques that are much better blocked by an anti-automation service than a WAF.

#2: Broken Authentication, #5: Broken Access Control

Authentication systems are difficult to perfect. When they fail, they increase risk disproportionately to other systems, which is why OWASP keeps them high on their list. With sufficient tweaking, a properly configured WAF can assist broken authentication or access control system. But wouldn’t the knowledge to create the necessary defensive WAF configs be better utilized fixing the original misconfigurations? The anti-automation service simply detects that systems probing for these vulnerabilities are not human, and blocks them—which is a much simpler and broader approach than trying to make sure every knob is at the right level.

#10: Logging and Monitoring

Insufficient logging and monitoring of the application weaken   incident response. WAFs can help by flagging attacks before other systems do, but an anti-automation service comes with its own highly trained, specialized SOC. There is no contest here.

Conclusion

The final defense for WAF apologists used to lie in the PCI DSS WAF requirement, but even those have been relaxed to allow for a more flexible solution, and that’s a good thing. Shape Security has additional documentation on how cloud-based services can meet the requirement here.

Given all these factors—the deprecation of PCI DSS, the decreasing emphasis on WAF (and its magic quadrant), the evolution of credential stuffing, and the strategy of identity as perimeter—the market has been casting about for a new solution. Shape’s distributed anti-automation service, fronted by machine learning and backed by specialist operators, is rising to meet the challenge.

What Your Login Success Rate Says About Your Credential Stuffing Threat

One of the problems with imitation attacks such as sophisticated credential stuffing is that they are designed to blend in with legitimate traffic. How can you measure something that you can’t detect? Fear-mongering marketing compounds this problem and makes everything sound like a snake-oil solution for a problem people don’t think they have.

Imitation attacks against your services and APIs leverage inherent functionality in your system. In other words, they can be successful even when you have patched, firewalled, and done everything perfectly from an application security standpoint. Blocking basic credential stuffing attacks generated from naive bots is straightforward but, as attackers evolve, they develop more sophisticated tools to launch attacks that blend in with legitimate traffic better. They use machine learning to emulate user behavior like mouse movements and keystrokes. They generate or harvest digital fingerprints to distribute across a botnet to make each node appear more “real.” They proxy requests through residential IP addresses to give the traffic the appearance of originating from known-good home networks. Googles themselves make tools like Puppeteer & headless Chrome to automate and script the world’s most common browser which is exactly what you would use if you were trying to blend in with legitimate users. This is a problem that is getting harder, not easier.

Imitation attacks like advanced credential stuffing do have one thing in common, though – they send millions of requests hoping that a fraction of a percentage end up successful and result in an account takeover, a valid credit card, an account number with a loyalty balance, anything. This success/failure ratio is observable with data you have now. What we’ve found at Shape, is that similar companies have similar success ratios for similar user experience flows.

If you’re debating if you have a credential stuffing problem, then take a long look at your login success ratio.

What is your average login success ratio?

The average login success ratio drops dramatically during periods of credential stuffing attacks. These attacks use combolists with millions of usernames and passwords and of course the majority of these credentials aren’t valid on your site. Shape sees credential stuffing success rates between .2 and 2%, typically – attackers don’t need a very high success rate as long as the attack is cheap to perform. These attacks push the login success rate for your site down well below normal numbers. Some Shape customers have seen login success ratios lower than 5% before enabling countermeasures. Success ratios that low are abnormal and should be immediately investigated. Below are average login success ratios for one month of traffic across three major industries:

  • Financial institutions: 79%
  • Travel industry: 73%
  • Retailers: 62%

Individual companies deviate from this average as much as 10% – the sites where customers log in more frequently tend to have a higher login success ratio. The users at these sites are more likely to remember their passwords and are also more likely to have stored their credentials in their devices or web browsers. Banks and financial institutions only keep users logged in for 15 minutes leading to more successful logins than retailers or social media sites that keep users logged in for longer periods of time. This results in much higher login success rates for banks than for retailers.

Users also have access to few bank accounts and do not change them often, as a result they are more likely to remember their login credentials. Users however regularly shop at multiple retailers and it is easy to create a retail account. This results in lower login success rates for such sites, reflecting a higher rate of users who may be visiting for the first time in months or even years. Infrequent visitors naturally forget their passwords more regularly.

Companies should expect to see 60-85% login success rates. Anything higher or lower is suspect.

No matter the industry, companies should expect to see 60-85% login success rates. Anything higher or lower is suspect. Spikes in traffic can temporarily affect the login success ratio but those should be explainable by commonly understood events like promotions or viral marketing. If there are spikes that have nothing in common then you should look deeper, that traffic is probably a credential stuffing attack that you need to stop as soon as possible.

Graph of a customer who experienced a credential stuffing attack during a steady state of normal login successes.

One caveat

Some industries like banks and other financial institutions are frequently targets for aggregators, services like Mint and Plaid that act as delegates with user permission to log in and gather data across many companies and present it in one unified interface. Aggregators use legitimate credentials and log in multiple times a day, unnaturally inflating the login success rate. You can look for evidence of aggregators by querying for successful logins across multiple users from the same IP addresses, especially if the IP addresses are from cloud or hosting providers. This is not a foolproof method of detection but you will see traces that will help you get a better understanding of your true login success ratio. If you see login success rates in the high 80s or 90s, that is abnormally high and indicative of low credential stuffing threat but high aggregator traffic. Whether or not to consider aggregators a threat is different for every business.

Where to go from here?

What do you do if you find a login success ratio that is concerning? Like with any threat, you need visibility into the attack before you can think about mitigation. Start with free options before committing to a vendor. Tying yourself up with a vendor too early can spin you in the wrong direction and end up wasting months of time. I’ve written an article on 10 things you can do to stop credential stuffing attacks which goes over some free detection methods as well as some mitigation strategies. This should be enough to get you started understanding your problem and, once you understand the scope of your issue, then you can have better conversations with security vendors. Of course we at Shape Security are available to answer questions any time of day and you can feel free to reach out to me personally on twitter.

5 Rando Stats from Watching eCrime All Day Every Day

David Holmes here, cub reporter for Shape Security. While I’m luxuriating in United Airlines’ steerage class, our crack SOC team is back at HQ slaving away over their dashboards as tidal waves of automated traffic crash against the Shape breakers. At least they have Nespresso and those convenient eggs-in-a-bag from the kitch. The day shift of SOC team #1 actually sits pretty close to the corporate marketing brigade, so we kind of know each other and exchange awkward greetings in the hallway.

Breakfast of SOC Champions

ANYWAY, I thought it would be cool to share some statistics from SOC’s recent cases that highlight the shape of the anti-automation industry today.

1. 750 Million in a Week for One Site

Since the release of the Collection #1 credential corpus, some of our customers are experiencing insane levels of login events. One customer saw over 1.5 billion automation attempts in a two-week period. That’s pretty high even for them, one of the largest banks in the solar system. If, for some tragic reason, the Collection #1 campaign persists at its current level, you could extrapolate 39 billion automation attempts in a year (assuming no cracker vacation). Against a single site. That’s sick, brah. Sick.

2. IP Address Re-use: 2.2

This stat is actually sadder than last week’s Grammys. During a credential-stuffing campaign, the attacker throws millions of credentials (gathered from breaches or the “dark web”). If he tried them all from a single IP address, then, of course, you’d just block that IP address, right? So he uses multiple IP addresses. In extreme cases, the most sophisticated cracker will only try a single login from each IP address (no re-use). Lately, the average number of times an IP address will get reused during a campaign is a paltry 2.2.

Basically, blocking by IP address is useless. By the time you add an IP address to your blacklist, it’s too late—it’s not going to be reused again during the campaign. If you see a vendor touting address-blocking, or CAPTCHAs, as a solution, please put your hands on your hips, throw back your head, and issue forth the biggest belly laugh you can. Bwahahaha!

Sadly, some of the technical people we talk to just don’t get it. We tell them: “Blacklists are useless,” and they say “Sure, but you block by IP address, right?” Then we explain it again, and they still don’t get it. Someone should write a paper! Oh, wait, that’s us.

3. Credential Stuffing Succeeds 2% of the Time

2% is funny. It’s our favorite milk. It’s the conversion from US dollars to Philippine pesos. It’s our reader-retention rate when we let Holmes write. Two percent may not sound like much, but consider an attacker testing a million stolen credentials against your web property. That’s 20,000 valid usernames and passwords he’s going to confirm. Actually, the success rate varies between 0.1 and three percent, but two percent is good enough for government work. And speaking of government…

You might be thinking: Actually, guys, 0.1 to 3.0 is a huge range. That’s a multiple of 30. An order of magnitude and then some.  True enough, but when dealing with a million—or even a billion—credentials, the difference is really just “bad outcome” versus “really bad outcome.”

Yesterday Shape looked at a small campaign where a single, lonely attacker in Vietnam had 1,500,000 credentials. Even a 0.1-percent success rate, for him, would have translated to the confirmation, and possible account takeover (ATO), of 1,500 accounts. We say “would have” because we foiled all of his posts. He didn’t even seem to notice, which makes us think maybe he’s TOO automated, or that he suffers from some kind of “educational gap” (that’s the new euphemism for stupidity).

4. 15 Months to an Ugly Baby

The number of months between when some dood stole all your credentials and when you read about it in The Register while eating your precious Honey Smacks is: 15. A lot can happen in 15 months; French words, mostly. Organization penetration, exfiltration, hacker celebration, hacker inebriation, and stock depreciation. Of course 15 months is just an average, and individual cases vary widely, but the point is that it’s an eternity in Internet time.

“Well, dang!” you sputter around your Honey Smacks. “What’s being done about this???”

We’ve got a solution we call Blackfish. We’re already seeing all the waves of credential stuffing against the busiest commercial sites in the world. So we can tell when someone stuffs, say, the creds from your entire customer login database against HoneySmacks.com. Now you don’t have to wait 15 months; if you had Blackfish, you’d know the minute someone tried your logins. How cool is that? If you’re interested, a single chat with our trusty sales chatbot can get the ball rolling for you.

And if you want to read a much more coherent explanation of the 15-month effect, print out our award-winning Credential Spill report, and read it over your Honey Smacks tomorrow.

Disclaimer: Shape Security in no way endorses Honey Smacks; in fact, they have been voted the number #2 worst breakfast you can possibly eat. But dang, they are yums.

5. 99.5% of POSTs are against “forgot-password.js”

Our SOC team dealt with an ATO campaign last month. We remember it well because against that website, we detected that 99.5 percent of requests headed for their “forgot-password” page were automated. Yes, that’s 199/200 for the fractionally-minded (aren’t numbers fun)!

Sure, that’s a single campaign, but in our experience, it’s not an uncommon one. Check your own weblogs and see how the access requests to your forgot-password page compare to, well, anything else (and then call us).

We have many customers for whom forgot-password is their most-frequented page by far. By far! And if our customers weren’t the paragons of morality that they are, they’d put ads on that page and fund themselves a couple of truckloads of egg-in-a-bags. Or is it eggs-in-a-bags? The Oxford dictionary is strangely silent on this topic.


Well, there you have it: five random statistics about fighting anti-automation we slapped together compiled from the last month. Stay tuned, friends, and we at Shape Security’s marketing brigade will bring you more pseudo-cogent security-related statistics, probably from RSA 2019, in a couple of weeks.

ES2019 features coming to JavaScript (starring us!)

Shape Security has been contributing actively to TC39 and other standards bodies for the past 4 years but this year is special for us. A significant portion of the features coming to JavaScript as part of the 2019 update are from Shape Security engineers! Shape contributes to standards bodies to ensure new features are added while taking into account evolving security implications. Anything Shape contributes outside of this broad goal is because we believe the web platform is the greatest platform ever made and we want to help it grow even better.

Thanks to everyone who contributes to TC39 and thank you Michael Ficarra (@smooshMap), Tim Disney (@disnet), and Kevin Gibbons (@bakkoting) for representing Shape.

TL;DR

The 2019 update includes quality-of-life updates to JavaScript natives, and standardizes undefined or inconsistent behavior.

Buffed: String, Array, Object, Symbol, JSON

Nerfed: Try/Catch

Adjusted: Array.prototype.sort, Function.prototype.toString

Native API additions

Array.prototype.flat & .flatMap

> [ [1], [1, 2], [1, [2, [3] ] ] ].flat();
< [1, 1, 2, 1, [2, [3]]]

> [ [1], [1, 2], [1, [2, [3] ] ] ].flat(3);
< [1, 1, 2, 1, 2, 3]

The Array prototype methods flat and flatMap got unexpected attention this year, not because of their implementation, but because Shape Security engineer Michael Ficarra opened a gag pull request renaming the original method flatten to smoosh thus starting SmooshGate. Michael opened the pull request as a joke after long TC39 meetings on the topic and it ended up giving the average developer great insight into how TC39 works and under how big of a microscope proposals are placed under. When considering new features to add to JavaScript, the TC39 committee has to take two decades of existing websites and applications into account to ensure no new feature unexpectedly breaks them.

After FireFox shipped flatten in the nightly releases, users found that websites using the MooTools framework were breaking. MooTools had added flatten to the Array prototype ten years ago and now any site using MooTools risks breaking if the method changes. Since MooTools usage has declined in favor of more modern frameworks, many sites using the library are sites which are no longer actively maintained — they will not be updated even if MooTools released an updated version. SmooshGate ended up surfacing serious discussions as to what degree existing websites affect future and present innovation.

The committee concluded backwards compatibility was of higher importance and renamed the method flatten to flat. It’s a long, complicated story with an anticlimactic ending but that could be said of all specification work.

Drama aside, flat operates on an array and “flattens” nested arrays within to a configurable depth. flatMap operates similarly to the map method by applying a function to each element in the list and then calling flat() on the resulting list.

Object.fromEntries

let obj = { a: 1, b: 2 };
let entries = Object.entries(obj);
let newObj = Object.fromEntries(entries);

Object.fromEntries is a complement to the Object.entries method which allows a developer to more succinctly translate objects from one another. Object.entries takes a regular JavaScript object and returns a list of [key, value] pairs, Object.fromEntries enables the reverse.

String.prototype.trimStart & .trimEnd

> '   hello world   '.trimStart()
< "hello world   "

> '   hello world   '.trimEnd()
< "   hello world"

Major JavaScript engines had implementations of String.prototype.trimLeft() and String.prototype.trimRight() but the methods lacked a true definition in the spec. This proposal standardizes the names as trimStart and trimEnd, aligning terminology with padStart and padEnd, and aliases trimLeft and trimRight to the respective function.

Symbol.prototype.description

> let mySymbol = Symbol('my description');
< undefined

> mySymbol.description
< 'my description'

Symbol.prototype.description is an accessor for the unexposed description property. Before this addition, the only way to access the description passed into the constructor was by converting the Symbol to a string via toString() and there was no intuitive way to differentiate between Symbol() and Symbol(‘’).

Spec & Language Cleanup

Try/Catch optional binding

try {
  throw new Error();
} catch {
  console.log('I have no error')
}

Until this proposal, omitting the binding on catch resulted in an error when parsing the JavaScript source text. This resulted in developers putting in a dummy binding despite them being unnecessary and unused. This is another quality-of-life addition allowing developers to be more intentional when they ignore errors, improving the developer experience and reducing cognitive overhead for future maintainers.

Make ECMAScript a proper superset of JSON

JSON.parse describes JSON as a subset of JavaScript despite valid JSON including Unicode line separators and paragraph separators not being valid JavaScript. This proposal modifies the ECMAScript specification to allow those characters in string literals. The majority of developers will never encounter this usage but it reduces edge case handling for developers dealing with the go-between and generation of JavaScript and JSON. Now you can insert any valid JSON into a JavaScript program without accounting for edge cases in a preprocessing stage.

Well-formed JSON.stringify

> JSON.stringify('\uD834\uDF06')
< "\"𝌆\""

> JSON.stringify('\uDF06\uD834')
< "\"\\udf06\\ud834\""

This proposal rectifies inconsistencies in description and behavior for JSON.stringify. The ECMAScript spec describes JSON.stringify as returning a UTF-16 encoded JSON format string but can return values that are invalid UTF-16 and are unrepresentable in UTF-8 (specifically surrogates in the Unicode range U+D800U+DFFF). The accepted resolution is, when encoding lone surrogates, to return the code point as a Unicode escape sequence.

Stable Array.prototype.sort()

This is a change to the spec reflecting the behavior standardized by practice in major JavaScript engines. Array.prototype.sort is now required to be stable — values comparing as equal stay in their original order.

Revised Function.prototype.toString()

The proposal to revise Function.prototype.toString has been a work-in-progress for over 3 years and was another proposed and championed by Michael Ficarra due to problems and inconsistencies with the existing spec. This revision clarifies and standardizes what source text toString() should return or generate for functions defined in all the different forms. For functions created from parsed ECMAScript source, toString() will preserve the whole source text including whitespace, comments, everything.

Onward and upward

ES2015 was a big step for JavaScript with massive new changes and, because of the problems associated with a large change set, the TC39 members agreed it is more sustainable to produce smaller, yearly updates. Most of the features above are already implemented in major JavaScript engines and can be used today.

If you are interested in reading more TC39 proposals, including dozens which are in early stages, the committee makes its work available publicly on Github.com. Take a look at some of the more interesting proposals like the pipeline operator and optional chaining.

Lessons Learned from 2018 Holiday Attacks: No Rest for the Wicked

Scrooge would approve—attackers work on Christmas Eve, and now on New Year’s Eve, too

We at Shape Security defend the world’s top banking, retail, and travel websites. And while you might be just getting back to work this first full week of January, our attack forensics teams are finally getting a break, because this holiday season was a busy one. Now that the dust has settled, we’ve analyzed our data to determine how 2018’s online holiday-season shenanigans differ from 2017’s.

During this festive Holiday season, attackers worked through Christmas Eve and Christmas Day. But in a striking change from the previous year, the most sophisticated attackers no longer took a New Year’s Eve (NYE) off. In fact, this year, we saw several intense campaigns that started or peaked on NYE.

The Best Time to Rob a Bank is Christmas Day

No matter what institution they use, most online banking customers have one thing in common: they stop checking their online balances during the December holidays. Turning a blind eye to one’s finances is optimistic human nature; our customers report that legitimate online banking activity often drops as much as 30 to 40 percent during this period.

Financial institutions may not observe the full extent of this change, however, because the drop in legitimate banking activity is overshadowed by an increase in malicious activity. According to our data, in both 2017 and 2018, malicious actors took advantage of the holiday, launching new attacks on or right around Christmas.


Figure 1: A malicious actor waited to launch their attack until Christmas Day itself.

Shape’s Christmas present to the Top 5 US bank, the target in the above graph, was the fact that we didn’t take Christmas Day off, either.

New Year’s Eve is Cancelled (for Professional Criminals)

With some notable exceptions, nearly all attackers took New Year’s Eve off. On that night, attacks aimed at Shape’s customers dropped over 65% overall – and in one case over 99%, We observed this trend across all industries, including retail, travel, financial services, and tech. Perhaps tired from their exertions over Christmas, nearly all attackers put their keyboards away and joined the poor furloughed federal workers on a break for the New Year’s holiday.

“The holiday season now separates the hobbyists from the dedicated professional cybercriminals.”


Figure 2: Reductions in both legitimate consumer traffic and automated attack traffic.

But the sophisticated attackers, the ones who do this for a living, actually used the global holiday for surgical strikes, particularly against banks .

The attack graph below illustrates the trend. The tiny, tiny red bars on the left (they look like a dotted line) show the normal level of traffic on a financial institution’s website.

Figure 3: Attacker launches failed campaign, retools on NYE, gives up on Jan 1

On December 29, malicious actors launched a large attack against the site. Even by spoofing dozens of signals at all levels – network, client and behavioral, they still couldn’t penetrate Shape’s defenses. On New Year’s Eve they retooled, doubling the number of signals that they were spoofing, but that too, failed, and they gave up towards the end of the day.

Why Launch Attacks During the Holidays?

Sophisticated attackers, the ones for whom crime is their day job, know they are playing a chess game that requires human intervention. So they plan their moves according to when organizations are most vulnerable, i.e., when a security team is most likely to be distracted or short-staffed. What are the days that a security operations team is most likely to be away from their desks? Christmas and New Year’s.

Furthermore, because professional criminals are relying on their ill-gotten gains, they are loath to waste resources. Everyone knows that the top banks are the most lucrative targets, yet hardest to crack. So we suspect that’s why FSIs in particular are targeted during the holidays.

The clearest example of this theory comes from the most sophisticated attack group Shape saw in 2018—a bot that mimicked iOS clients (see our 2018 Credential Spill Report, in which we talk about this attack group). They’d previously targeted a top Canadian retailer, a top global food and beverage company, and a Top 10 North American bank, and we had successfully held them off across our entire customer network.

Figure 4: Sophisticated attacker activity on NYE

This group had been lying low for a couple of months, but on NYE they came back with a sneaky, retooled attack when they thought we weren’t watching. But Shape detected the new attack and quickly blocked it. The attacker gave up on New Year’s Day.

It is not clear why only sophisticated attackers worked on New Year’s Eve this year. We suspect they are getting desperate as more and more organizations harden their application defenses against automated fraud and are looking for any type of vulnerability to exploit. In that case, it’s possible we will see this behavioral trend extend to other major holidays in which companies effectively shut down, such as Chinese New Year and Labor Day.

About Shape Security

Shape Security is defining a new future in which excellent cybersecurity not only stops attackers, but also reduces friction for good customers. Shape disrupts the economics of cybercrime by making it too expensive for attackers to commit online fraud, while also enabling enterprises to more easily transact with genuine customers. The Shape platform, covered by 55 patents, was designed to stop the most dangerous application attacks enabled by bots and cybercriminal tools, including credential stuffing (account takeover), fake account creation, and unauthorized aggregation. The world’s leading organizations rely on Shape as their primary line of defense against attacks on their web and mobile applications, including three of the Top 5 US banks, five of the Top 10 global airlines, two of the Top 5 global hotels, and two of the Top 5 US government agencies. Today, the Shape Network defends 1.7 billion user accounts from account takeover and protects 40% of the consumer banking industry. Shape was recognized by the Deloitte Technology Fast 500 as the fastest-growing company in Silicon Valley and was recently inducted into J.P. Morgan Chase’s Hall of Innovation.


Extreme Cybersecurity Predictions for 2019

Prediction blogs are fun but also kind of dangerous because we’re putting in writing educated guesses that may never come true and then we look, um, wrong. Also dangerous because if we’re going to get any airtime at all, we have to really push the boundary of incredulity. So here at Shape, we’ve decided to double down and make some extreme cybersecurity predictions, and then we’ll post this under the corporate account so none of our names are on it. Whoa, did we just say that out loud?

“Baby, when you log in to my heart, are you being fake?” Photo Credit: HBO

Forget the Singularity, Worry About the Inversion

New York Magazine’s “Life in Pixels” column recently featured a cute piece on the Fake Internet. They’re just coming to the realization that a huge number of Internet users are, in fact, fake. The users are really robots (ahem, bots) that are trying to appear like humans—no, not like Westworld, but like normal humans driving a browser or using a mobile app. The article cites engineers at YouTube worrying about when fake users will surpass real users, a moment they call “The Inversion.”  We at Shape are here to tell you that if it hasn’t happened already, it will happen in 2019. We protect the highest-profile web assets in the world, and we regularly see automated traffic north of 90%. For pages like “password-reset.html” it can be 99.95% automated traffic!

Zombie Device Fraud

There are an estimated five million mobile apps on the market, with new ones arriving every day, and an estimated 60 to 90 installed on the average smartphone. We’ve seen how easy it can be for criminals to exploit developer infrastructure to infect mobile apps and steal bitcoins, for instance. But there’s another way criminals can profit from app users without having to sneak malware into their apps—the bad guys can just buy the apps and make them do whatever they want, without users having any idea that they are using malicious software. The economics of the app business—expensive to create and maintain, hard to monetize—mean less than one in 10,000 apps will end up making money, according to Gartner. This glut of apps creates a huge business opportunity for criminals, who are getting creative in the ways they sneak onto our devices. In 2019, we’ll see a rise in a new type of online fraud where criminals purchase mobile apps just to get access to the users. They then can convert app-user activity into illegitimate fraudulent actions by hiding malware underneath the app interface. For example, a user may think he is playing a game, but in reality his clicks and keystrokes are actually doing something else. The user sees that he is hitting balls and scoring points, but behind the scenes he is actually clicking on fake ads or liking social media posts. In effect, criminals are using these purchased mobile apps to create armies of device bots that they then use for massive fraud campaigns.

Robots will Kill Again

Have you seen those YouTubes from Boston Dynamics? The ones where robots that look like headless Doberman pinschers open doors for each other? You extrapolate and imagine them tearing into John Connor and the human resistance inside. They are terrifying. But they’re not the robots we’re thinking of (yet). A gaggle of autonomous vehicle divisions are already driving robot fleets around Silicon Valley. Google’s Weymo and Uber use these robots to deliver people to their next holiday party, and we’ve heard of at least two robot-car companies delivering groceries. Uber already had the misfortune of a traffic fatality when its autonomous Tesla hit a cyclist in Arizona last year. But Uber robots will be back on the road in 2019, competing for miles with Weymo. Combine these fleets with the others, and more victims more can join Robert Williams and Kenji Urada in the “killed-by-robot” hall of fame. Hopefully it won’t be you, dear reader, and hopefully none of these deaths will be caused by remote attackers. Fingers crossed!

Reimagining Behavioral Biometrics

Behavioral biometrics are overhyped today because enterprises lack the frequency of user interactions and types of data needed to create identity profiles of digital users. But in 2019, behavioral analytics will merge with macro biometrics to become truly effective. The market will move to a combination of macro biometrics, like Face ID, and traditional behavioral biometrics, like keyboard behavior and swiping. Apple is ahead of the game with Face ID and has applied for a voice biometrics patent to be used with Siri.

Kim Jong Un as Online Crime Kingpin?

North Korea will become a dominant player in the criminal underground with more frequent and sophisticated financially motivated hacks, rivaling Russian gangs. International sanctions have pushed the country to be more economically resourceful, so it has beefed up its cyber operations.The northern half of the Korean peninsula has been blamed for cyberattacks on banks, via SWIFT transfers, and bitcoin mining, in addition to traditional espionage involving governments, aviation, and other industries. In 2019, cyber attacks originating from groups (allegedly) associated with North Korea will continue to be successful and enforcement remains challenging. And with the recent Marriott breach affecting 500 million Starwood Hotels guests, the theft of passport numbers means nation-states and other attackers have an even more valuable and rare tool at their disposal for financial, tax, and identity fraud.  

All Breaches Aren’t Created Equal

As industries mature, we refine the metrics we use. In 2019 we’ll see enterprises change how they approach data breaches, moving beyond identifying size and scope, focusing instead on potency and longevity. Breach impact will be measured by the overall quality and long-term value of the compromised credentials. For instance, do these assets unlock one account or one hundred accounts? Most recently we’ve seen the Starwood data heist become one of the biggest breaches of its kind, largely due to the bevy of personal data exposed. In this case, since the unauthorized access dates back four years, we can assume this data has already fueled and will continue to fuel serious acts of financial fraud, tax fraud, and identity theft. As hacker tools become more sophisticated and spills more frequent, businesses can’t afford to ignore downstream breaches that result from people reusing the same passwords on multiple accounts. In reality, today’s breaches are fueling a complex and interconnected cybercriminal economy. In 2019, expect businesses to join forces and adopt collective defense strategies to keep one breach from turning into a thousand.

The Future Looks, Um, Futuristic!

These are our extreme predictions for 2019. Will they come true? Some of them, probably. We hope the robots don’t actually kill people, but we’re pretty sure that the Inversion (where automated traffic surpasses human traffic) is a sure bet, if it hasn’t happened already.

Where do you want to be when the Inversion happens?
Working with us, at Shape!