Some of the most amazing minds in the world come together annually in Las Vegas, Nevada, to share bits of the somewhat incredible, totally awesome and you-won't-sleep-tonight world of online and offline security.
Though there is a lot of crossover, Black Hat has become more the domain of security professionals, researchers, and academics, whereas DEF CON is an anything goes world that borders on renaissance festival meets hacker fest.
So what are the newest, biggest, baddest potential dangers facing your online presence today?
This post will cover how you might wind up the victim of a Google malware warning, selling Viagra off your .gov, or allowing access to your internal network via your printer.
And you thought WordPress was your biggest worry! Don't fret too much – for most of you, it still is.
Still, the last thing you want to be doing this weekend is sending emails to customers explaining a security breach, exposing their private data, or watching site traffic dive and SERP positions plummet because of a Google malware warning. Knowledge is power.
Let's start with simple, but powerful vulnerability.
1. Ad Holes!
Ever get one of those nasty Google red malware warnings when navigating to your site? Or found out users were getting malicious downloads, but you weren't sure how it happened?
Aside from the typical brute force attack on your passwords where someone got into your site, XSS, or your lack of updates on WordPress security issues, what else might be causing those nasty headaches for you and your users?
Your advertising networks are likely to be one of your biggest security holes on your website.
What to Do
So then ask yourself, unless you have big pull at these networks and can get them to change this huge, obvious issue. Are you making enough money off these ads to make them worth your site security? If not, then remove them; find a network that blocks these scripts or make sure your security protocols watch for unusual behavior that would alert you to this activity before you get the red kiss of death. And as users, this is why you use adblockers.
2. Bypassing Malware Scanners
This one was a bit of brilliance you can't help, but respect. This little exploit uses your site to deliver payloads that bypass all scanners and though it is good that you don't get the malware warning.
The bad thing for you is, they give your users nasty viruses and they can also be used to deliver payloads into your site that could be used to take your site out of the rankings or even get into your internal networks, not to mention use your site as part of a vast bot network to attack other sites.
Not to get too technical, the RDI ("Reflected DOM Injection") in this case uses a set up website to host encrypted content, and a web utility which is provided by a well known website such as Yahoo Cache or in this case, Google Translate.
When you visit the page, in the background unbeknownst to you, you're also visiting one of these services, which are used to unlock an encrypted file that downloads the malicious attack.
Now you may be thinking ok, but that is on their site. Using the ad networks could that not just have downloaded code into your site, while evading the entire malware scan? This code then delivering a payload that would infect your users or maybe turn your site into a zombie? See where this is going?
That code could be anything. Nothing, no scanner, would pick it up. It looks benign unless activated by the actions of a user.
What to Do?
In this case you need to make sure your site is one, locked down from injectable scripting (Cross Site Scripting as well XSS), payload downloads, and password cracking. There is no failsafe method, but if you make this hard there is a very good chance the attacker will move on to someone easier.
Unless your site is just a really, really great target. In that case you should have a security team that works on defeating these attacks already.
3. HTTPS Cracking in 30 Seconds or Less
The details of how https and SSL are compromised can be found in this Information Week article, which noted that "all versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable to the attack, but not every HTTPS-using site is necessarily at risk."
Basically BREACH (short for the very long - Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext and extension of the CRIME SSL/TLS attack) can extract secure data from the https session such as login information, email addresses, and security credentials. Now larger data such as an entire email cannot be extracted this way.
All of this may be unimportant to you if you run a free music download service, but it's crucial if you handle financial transactions.
Pretty self-apparent, get important otherwise secure data.
What to Do?
There are certain site conditions that will make you much more likely to this type of attack.
- If your applications or site pages use the "HTTP Response Body" (if you don't know, no worries, your programmers will).
- In addition to "HTTP Response Body" you also (POST) string query parameters to reflect user data.
- Most important, you must have data that an attacker would want in the first place.
These conditions are why all HTTPS/SSL are vulnerable, but not all sites need to be concerned. If you would like to check your site, you can use BreachAttack.com.
Note: If you think TLS/SPDY compression (things like Google use SDPY) is any better, they aren't; the original previously mentioned attack called CRIME was able to perform a similar compromise.
The severity of this is such the Department of Homeland Security has sent out this missive. There is no cure. Your best bet, if you handle critical data is to get a good security professional to review your site and suggest best practices for site monitoring and best risk management.
4. Mass Scanners. Mass Injectors.
Let's call it a version of Moore's law for "hacking". Not quite the same, but the basics are there.
As the power of computers becomes exponentially greater, as cloud and the power of cluster systems such as Hadoop come online for ease of public use the power of a single attacker becomes that of 1,000 or even 10,000 bot machines or humans.
Wonder why anyone would ever find your site interesting? How did you wind up with that malware? Why you?
Well, why not you?
There has always been the ability to scan for vulnerabilities, but now with the power of Hadoop one researcher HyperionGrey brought to DEF CON the power of the cluster scan.
With this tool, you can enter the type of vulnerability you're seeking, hit enter, return (in this case) 300,000 websites with that vulnerability in less than 10 seconds.
So? What is the power of a search query without the power to act on it? Well, there is now, with the power of computing, the power to act. Want to scan for the ability to inject your code into the vulnerable SQL databases and not one, but into several 100,000 sites fast, there you go.
HyperionGrey, who developed this scan, is very clear in telling people not to use it for evil. However, you know it will be – and even if his tool goes away, there will be others.
Either way, the power of the massive scan and massive (insert bad thing here) injector is here and will only become more powerful as computing becomes more powerful and the existing knowledge base becomes more plentiful – all at an exponential rate
One Method – The XSS
Here is a quick view on the current state of web application exploit vulnerabilities. For Cross Site Scripting it is believed that up to 82 percent of all site applications are vulnerable (if you connect to a database with a form it qualifies).
Image Credit: Black Hat
For instance, XSS (Cross Site Scripting) is one of the most common security vulnerabilities on a website.
XSS allows attackers to do such fun activities as deface websites, sell Viagra on you .gov URL, or inject information into a website – and now it can do it to many sites at once by finding those sites quickly and easily. (Applies to SQL injection of databases too).
For some, it's just fun to say "HEY SEE ME, I JUST TOOK OVER YOUR WEBSITE". For others, it's about taking you out of the SERPS, gathering important data, or just selling their product off your awesome site. And for others, it's about very serious things, like getting your users' passwords and information.
What to Do?
If you're an SEO professional, you need to know there are many "negative SEO" or "competitive leveling" techniques you can perform with this exploit, but I'm not here to tell you how. All you need to know is that your website needs to be protected, that it's easy it is these days to get infected, and the path to start on to protect yourself. For everyone else, meh, it's the same.
If you're looking for your site's most vulnerable spots, take a primer from Black Hat presenters Ryan Barnett of Trustwave and Greg Wroblewski of Microsoft and check these areas of your sites for potential attack surfaces:
Image Credit: Black Hat
5. Exploiting Offline to Get to Your Online
Do you know one of the most vulnerable routes into your corporate network, protected data, or secrets? Look over to one of your most benign and forgotten of devices, one that sits there alone next to your desk, or perhaps down the hall.
Yes, your most vulnerable access point may indeed be your printer!
Last year's Black Hat and DEF CON revealed how easy it was to retrieve all your corporate info off a printer. (Because they are hardly ever secure, usually connected to a port, and store everything scanned to them.)
This year they took it one step further: 97 percent of the printers mentioned haven't updated their firmware. So, here's how it works:
- Send a print job with the firmware that has a special command and control center and a tunnel connector readied.
- Update the printer with your firmware on the print job.
- Then in this case, a command and control was opened through the port connection, the tunnel went searching for connected devices to carry out the intended attack (in this case a denial of service, but it could be to do damage in your network, grab data, plant spyware, whatever they are inside your network).
How easy was it? Well if you knew what you were doing and you didn't have to be an expert once you were inside, not that hard.
How hard is it to find a printer? Well I did a 5 second search on Shodan, a search engine that looks for ports and devices with "opportunities."
Here is one of the first four searches that were returned for just the word "printers". Hmm, seems like some good information to start, doesn't it?
What to Do?
Update your firmware and secure everything that is attached to your external network. This is vital. The weakest link is a way in.
In this case, espionage wasn't even the goal. They just used the printer to create a denial of service attack on another website and it just took one printer. Imagine is they had two.
Being Security Conscious
Scared yet? If so, that really isn't my intention. However, there is a lot of insecurity in that ethereal land we call cyberspace
Is security on your radar? Have you given thought to it and, if so, are you keeping up with your site, servers, and printer's latest updates, patches, and security warnings? Are you security conscious?
Do you have someone available, whether on staff or just a consultant, depending on your needs, who can help you if you get into an emergency security situation?
For instance, if your site goes down because of a denial of service attack, how much will that cost you? How long will it take you to get rid of that Google malware warning? How many negative links will that hidden Viagra store generate to your once top ranked site? What will your customers do if you have to send out that most dreaded of emails, announcing that you've had a security breach?
Website Security Isn't Just for the Big Guys Anymore
Site security used to be the stuff of big companies and governments, but with so many WordPress users attacked almost daily (and often en masse) and "hacking's" ability to take your site out of your most lucrative SEO positioning, can you afford not to keep site security in your direct line of sight? It is just as much a part of your SEO as your need for the proper keyword.
Ask someone who lost time, money, and their mind trying to recover from an attack; it ain't pretty. And this article is only the tip of a very large iceberg.
Think of this as the sample platter of website vulnerabilities that exist right now. How secure is your site?