Miscellaneous Security

Reading time: 2 – 2 minutes

When developing a security strategy for web applications many companies have no idea where to begin. The Open Web Application Security Project (OWASP) understood this problem and developed the OWASP Top 10.

The OWASP top 10 are the top 10 vulnerabilities that are found in web applications. If you have an hour or don’t want to read all of these posts, you can simply watch a video.

If you are a developer, you should understand these vulnerabilities. Understanding them is critical into introducing less vulnerabilities into your code.

The OWASP Top 10:
A1 – Cross Site Scripting (XSS)
A2 – Injection Flaws
A3 – Malicious File Execution
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage
A9 – Insecure Communications
A10 – Failure to Restrict URL Access

Reading time: 3 – 4 minutes

Photo: B.G. Lewandowski

Why did you just click that link? Most likely you have came to this site by clicking a link from another site. Why did you do that? Did you trust the person who sent you the link? Did you click a link from Twitter, Facebook, or an email someone sent you?

When you click a link, you are telling your browser, “I trust this person.” However, this is not the way we use the Internet. We click on links all the time. We click on links from “untrusted” sources. We click links from people we don’t know and we even click on URL’s that have been modified. On Twitter, a person is much more inclined to click the shortened link http://bit.ly/5hXRW then they are to click http://somewherebank.com/transfer.jsp?amount=1000&to_account=56777564. Even though the shortened link could redirect to the somwherebank.com site.

But, why would someone trick you into clicking a cleverly disguised link? The site that you are redirected to may seem harmless. It could also be extremely malicious.

What happens if this page, (the one you are currently viewing), was filled with Cross-Site Request Forgery (CSRF) links? This web page could be setup with all types of malicious intent. However, you didn’t know that when clicking the link. Now, it is too late.

If this site did have Cross-Site Requests, I could do things such as:

• Change the password on your Facebook account
• Transfer the money from your on-line bank account to another account
• Enact trades from a financial institution such as E*Trade

The sites that I exploit would have to be vulnerable to CSRF. But researchers, such as Mike Bailey and Russ McRee, are constantly finding CSRF vulnerabilities in web applications.

An example of how clicking links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani, Bad Sushi talk. In their presentation they described sending phishers a word document stating their account numbers were inside. They sent this email to 25 known phishers. 10 of the phishers opened the word document and were presented with this. In addition, there was another link that said, “Actually, my account information is here.” 3 of the 10 clicked on that link. Even the phishers click links they shouldn’t.

What should be done? Who knows. It is human nature to trust people and we can’t get things done if every time someone sends us a link we open up a VMware image to view a link. So continue using the Internet the way you have been and remember, “These aren’t the droids your looking for.”

Reading time: 4 – 6 minutes

Photo: Kristin Bradley

Attackers are motivated by multiple factors. Previously, “experts” believed most attackers were social outcasts who were writing malicious software out of their parent’s basement. These attackers were not driven by any particular motive. They were more driven by the problem-solving aspect. They wanted to know if they could do it. This idea that attackers are socially inept kids based in the United States is quickly becoming inaccurate.

Most security articles are focused on the means of the attack. They don’t address what attackers are actually after.

The four motivating factors for attackers that have been identified are:

1. Financial Gain
   
2. Notoriety
3. Political
4. Vengeance

Financial Gain
Hacking, Malware, and Worm Creation is a money making opportunity. Worms, such as Conficker, are being tied to organized crime based in Soviet republics.

The tightly managed criminal organizations behind such scams—often based in Russia and former Soviet republics—treat malware like a business. They buy advanced code on the Internet’s black market, customize it, then sell or rent the resulting botnet to the highest bidders. They extend the worm’s life span as long as possible by investing in updates—maintenance by another name. This assembly line–style approach to crime works: of all the viruses that Symantec has tracked over the past 20 years, 60 percent of them have been introduced in the past 12 months.

This shouldn’t be surprising. If criminals have no problem killing another human and taking their wallet, why would they have problems stealing massive amounts of money electronically?

However, organized criminals aren’t the only attackers driven by financial gain. There is also evidence of financially driven attackers being petty criminals. These are the types that don’t have a great understanding of what they are doing. They can be found on websites specifically setup for trading credit card numbers or other Personally Identifiable Information (PII). Some researchers, such as Rios and Dhanjani, have done research into this subgroup.

Notoriety

There is still evidence of hacking for notoriety. Most of these attackers are the “13-19″ year old kids described above. The reason these individuals attack systems is driven by their want to become famous.

A recent example is the Mikeyy worm created by Michael Mooney of StalkDaily. This sub-group usually will justify their attacks by stating, “I wanted to bring awareness to the problem.” This is a constructed answer but demonstrates their want to become famous. They are clearly stating, they were the ones who wanted to bring awareness to the issue. These attackers typically have a Robin Hood type mentality of bringing knowledge to the uninformed.

Political
These attackers are politically focused or driven by political means. This group includes “hacktivists” and foreign nationals driven to cause damage to an enemy country. Examples of these attacks are the Titan Rain and more recently Power Grid hacking.

Political motivation is frightening. Many countries will not deter attackers from hacking a foreign country. In addition, law enforcement has a hard time tracking down or arresting these type of attackers due to the lack of cooperation of foreign countries.

Vengeance

These attackers are the most dangerous. They will attack people who have somehow made them upset. Their driving factor is causing as much pain as possible for their victim.

These attacks typically target an ex-girlfriend or a celebrity. These are the electronic equivalent of breaking someones windshield. There is nothing that can really be done to prevent it other than to stop using the Internet.