Archive for the ‘Malware’ Category

I just read two security articles with some interesting implications when you take them together. The first noted that anti-virus software, while still vitally important to your computer, only stops 35-40% of malware attacks – down from about 47% last year. The second described a “sexy Candid Camera Prank” attack being currently launched against Facebook users.

In this Candid Camera Prank attack, someone posts a fake video message on your profile page showing a woman on a bicycle in a short skirt. Clicking the movie thumbnail does not display the video but instead takes you to a Facebook application that tries to get you to download a “video player” which is really the old Hotbar adware. If you do fall for it, not only are you flooded with spam and other junk but your Facebook account is now used to spread the infection to your friends.

The interesting thing about putting the two articles together is that the hackers are no longer just trying to attack your computer directly. Sure, many still use old-fashioned scripts and viruses that try to directly attack your computer. But more and more have largely moved their attacks to social media. Their attacks depend more on you to fall for a trick, giving them an inlet to your network. Facebook, MySpace and other social media sites are very powerful and important tools but the same things that make them valuable to you also make them easy avenues to use for attacks against you.

Having a good anti-virus program and keeping it up to date is still vitally important. Even though the ratio is down, there are still hundreds of attacks against the average computer every day. But for the new attacks, vigilance and paranoia are the words of the day. No matter how good your technical defenses are, you cannot rely on them alone.

If something looks too good to be true, it probably is. Trust your suspicions.

This post is a little more technical than our norm but I think it’s important to understand some of the buzzwords around security. SQL (pronounced see-kwel) injection attacks are a tactic that a hacker can use to get your computers to do more than they should.

SQL stands for Structured Query Language and is the language that almost all databases use when answering your questions. SQL is what brings up your account when you log onto your bank to see your latest statement. Any but the most rudimentary website uses a SQL database to hold, sort and present the content to you, the reader.

As long as the user plugs in things that make sense (like a name into the username field), the query will run properly and will return only the results for your account. But what happens if you type something unusual into that field? What if you put in an account number instead? If the website was well-designed, the request will simply fail. If, however, the website was not designed properly, the computer may return something – but it won’t be anything that you intended.

For example, a hacker might try typing ' OR 1=1 -- into a date field. The “OR 1=1” part will always be true. The -- characters tell the computer to treat everything after them as a comment (that is, a note the programmer left to him/herself as an explanation of the code). The result is a request for all lines of data where the first part is true. But 1=1 is always true, so the computer spews out all the data in that table. Not only does the hacker get his own account details, he gets yours and everyone else’s as well.

Other commands can be crafted to modify data, add tables, execute commands, etc. If a site is vulnerable to a SQL-injection attack, there is little that the hacker can’t do.

How do you stop it? The easiest way to prevent a SQL-injection attack is to design your application to validate its inputs. The username field should have only text characters (or maybe also some numbers but nothing that looks like computer code), the credit card number field should only accept numbers, etc. Define the acceptable character sets and enforce those whitelists. Force the inputs to conform to specific patterns when special characters are needed (e.g. dd-mm-yyyy). And validate the data length of all inputs.
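As an added illustration (not code from the original post), here is the flawed query that the ' OR 1=1 -- trick exploits, beside a version that whitelists the username and date fields and then hands them to the database as parameters rather than as query text. The accounts table, its rows and the patterns are made up for the example.

```python
import re
import sqlite3

# Constructed in-memory table with a few made-up accounts, so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (username TEXT, statement_date TEXT, balance REAL)")
conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
    ("alice", "01-10-2010", 120.50),
    ("bob", "01-10-2010", 88.00),
    ("carol", "15-09-2010", 5000.00),
])

def lookup_unsafe(username, date):
    """The flawed pattern: user input pasted straight into the query text.
    A date of ' OR 1=1 -- turns the WHERE clause into ... OR 1=1 and the
    trailing quote becomes a comment, so every account comes back."""
    sql = ("SELECT username, balance FROM accounts "
           f"WHERE username = '{username}' AND statement_date = '{date}'")
    return conn.execute(sql).fetchall()

# Whitelists: what each field is allowed to look like, and how long it may be.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,31}")   # a letter, then up to 31 letters/digits
DATE_RE = re.compile(r"\d{2}-\d{2}-\d{4}")               # dd-mm-yyyy only

def is_valid_input(username, date):
    """True only when both fields match their whitelisted pattern and length."""
    return bool(USERNAME_RE.fullmatch(username)) and bool(DATE_RE.fullmatch(date))

def lookup_parameterized(username, date):
    """Parameterized query: the database treats the values as data, never as code."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ? AND statement_date = ?",
        (username, date),
    ).fetchall()

def lookup_safe(username, date):
    """Validate first (reject and explain the format), then query with parameters."""
    if not is_valid_input(username, date):
        raise ValueError("username must be letters/digits; date must be dd-mm-yyyy")
    return lookup_parameterized(username, date)
```

The parameterized query alone defeats the trick; the whitelist in front of it is what lets the site answer with a plain format error instead of gobbledy-gook.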

These are all basic checks that the folks building your website should be making. Put the IT processes and controls in place to make sure that they are building you a quality product and won’t leave your data vulnerable to the world.

By the way, to test whether a site has its own security in place, type something unusual into a field and see what happens. If you get a simple error telling you the allowable format (or if the computer simply rejects the request), you’re probably okay. If you see a lot of computer gobbledy-gook, you might not want to let that company have your confidential data.

Sorry I haven’t posted in a while but it’s been an interesting few weeks. If you’d looked at this site on the morning of 6 October, you would have seen a very different page – black background, yellow Arabic writing and some very disturbing pictures. The vandal replaced the front page of our local beekeepers’ website with very similar content. It was a rude surprise, especially so early in the day.

Some background – I maintain the beekeepers’ website for them and host both that site and this one through a third-party provider. And while I do all of the writing for the infosec blog, I have a couple of other beekeepers who were helping to maintain the beekeepers’ site. It’s all volunteer work and I’m so glad for any help I can get that it’s hard to impose a lot of strict standards or hurdles. Besides, who cares about hacking a beekeeper club’s website?

Apparently lots of people.

It’s unlikely that we will be able to prove exactly how the hacker got in but it was almost certainly a scripted attack – a robot run by a hacker against anything he/she could find vulnerable – not a targeted attack. (For example, the hacker vandalized only pages titled index.htm, the standard name for a site’s home page, and none of the pages which had human-created names. Any targeted attack would have overwritten the other pages as well. Not only would more pages have been hacked but the vandalism might have gone unnoticed longer.) Our best guess is that the hacker got in because we weren’t careful enough about passwords. One of my authors had a password the same as his username. Even a kiddie script can test for passwords that easy.

Lessons Learned:

  • Any site is vulnerable even if you don’t think that anyone would bother with little old me.
  • Passwords are important, even when you think they aren’t.
  • Volunteer time is valuable but only if it’s the right volunteer. Even if his/her heart’s in the right place, sometimes that time is more expensive than it’s worth.
  • Internal segmentation would have limited the damage. Merged accounts make it easier to manage the domains but separate accounts would have kept the hacker from “promoting” himself across to the other accounts so easily.
  • Monitoring is a good thing. In my case, it was dumb luck. My wife has the site as one of her home pages and noticed it as soon as she logged on in the morning.
  • Good backups make repairing the damage easy. My backups are automatically managed through a third-party host and they do an excellent job. Once we discovered the vandalism and collected the evidence, the act of repairing the vandalism took mere minutes. I wish I could take credit for it but I got lucky and picked a good vendor.

Anyone can get hacked. Do what you can to minimize your chances, discover it quickly and plan so the costs to repair are low. I can’t say that I’m proud of this post but I do hope that you can learn from my mistakes.

If you’re a home user, skip this post. As long as you have some form of anti-virus on your computer and you keep it current, you should be okay.

If you run a small business with a network (that is, anything more than one computer and your credit card reader), read Mary Brandel’s recent article in CSO Online about the Dos and Don’ts of selecting an anti-virus solution for your enterprise. The short version is that there is a lot more out there than just anti-virus these days. Look around for a good package that does more than just virus-checking. That was good enough a few years ago but not any more.

You may also be able to save some money by buying an integrated package and consolidating your security products some.

One point worth mentioning: Brandel is a fan of whitelists but I’m not so sure. Whitelists are lists of applications which are allowed to run in your environment. If you have a comprehensive list, then anything not on the list must be malicious and gets blocked. In theory, it’s a great idea. In practice, it requires a great deal of control to build and maintain that list. In a dynamic, small business, you may lose some flexibility.

Her other points (especially the one on page 4 about malware removal) are spot-on.

In general, web filtering is the idea of setting some kind of filter on your internet connection to block users who try to browse to a site with inappropriate content. You may not care about pornography on an adult’s computer at home (and indeed, it’s protected under free speech laws) but few businesses want to deal with the reputational damage that comes from finding one of your computers’ digital ‘footprints’ in the logs of a questionable site. Web filters are commonly put in place to help keep your users within your corporate Acceptable Use policy (or, at home, to make sure that your kids are staying at age-appropriate kinds of sites).

Corporate examples of web filters include Websense and OpenDNS. Home tools might include NetNanny or CyberSitter.

All of these tools work by building long lists of webpage addresses and categorizing each site. Amazon gets classed as a shopping site, Playboy as adult content, YouTube as streaming media, ESPN as a sports site and the local high school as an educational institution. When a user attempts to go to a webpage, the URL is compared to the filter’s master list. If the URL is on the list and allowed, the content flows through to the user’s browser. If the URL is in a blocked category, the user gets an error message on his/her screen instead.

There might be as many as a hundred different categories. You decide whether to permit or block each category on the list based on the risks to your organization including the risk that you will interrupt the business accidentally. Block too much and you’ll find that you’ve gotten in the way of business. Or that you’ve cut off some service that your younger employees take for granted, hurting morale and making retention more difficult. Don’t block enough and you increase legal and employment risks unnecessarily. And no matter how much or little you block, there will always be some false positives – legitimate sites that are mistagged by the vendor. (Breast cancer research sites, for example, are frequently mistagged as adult content.)
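To make the lookup concrete, here is an added example (not from the original post or from any vendor’s product) of the category-list check described above, using a made-up master list and a made-up policy. It also matches parent domains, so www.amazon.com is classed with amazon.com, and it shows what happens to a site the list has never seen.

```python
from urllib.parse import urlsplit

# Constructed sample of a vendor's master list: domain -> category (not a real feed).
MASTER_LIST = {
    "amazon.com": "shopping",
    "playboy.com": "adult",
    "youtube.com": "streaming-media",
    "espn.com": "sports",
    "springfieldhigh.edu": "education",   # made-up local high school
}

# One organization's policy: decide per category, not per site.
BLOCKED_CATEGORIES = {"adult", "streaming-media"}
# Sites the vendor has not categorized yet (new or moved sites) fall through to this.
DEFAULT_FOR_UNKNOWN = "allow"

def categorize(url):
    """Return the category for a URL by matching its host, then each parent domain."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Try "www.amazon.com", then "amazon.com", then "com"; whole labels only,
    # so "notplayboy.com" is not mistaken for "playboy.com".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in MASTER_LIST:
            return MASTER_LIST[candidate]
    return None

def filter_decision(url):
    """Return 'allow' or 'block' for a URL under the policy above."""
    category = categorize(url)
    if category is None:
        return DEFAULT_FOR_UNKNOWN
    return "block" if category in BLOCKED_CATEGORIES else "allow"
```

Whether an uncategorized site is allowed or blocked is itself a policy choice: "allow" keeps the business running but is exactly the gap a short-lived or hijacked site slips through.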

The problem now is that the hackers are starting to find ways around the web filters. Inappropriate sites are often up for only a short while, then moved to a new address faster than the filter-makers can update their lists. Inappropriate content is also hidden on hijacked sites that some legitimate business or person failed to properly protect. No matter how hard they try, some inappropriate sites can always slip through. (For more about the limitations of web filters, read this article from CSOonline.)

Even with those limitations, I strongly recommend that every organization install a webfilter to stay safe from hostile workplace suits and other employment risks. It won’t be perfect but it’s still an important part of your layers of defense. I also recommend that any parent with children still living at home install a filter. Kids may seem very web-savvy but they still don’t know how to fully protect themselves from strangers, hackers and other age-inappropriate content. Help to protect them from themselves.