Archive for the ‘Security’ Category

“RSA was hacked in March. This was one of the biggest hacks in history.”

Friday, August 26th, 2011

The device known as the RSA SecurID token is widely relied on in big business and government. It is used to securely authenticate users so as to prevent unauthorized access to sensitive networks and services. For years it has been the ‘gold standard’, considered highly secure and reliable.

But then one day this past March, it was revealed that the encryption used to make the devices secure had been compromised. The many users of the devices had to be issued replacements, and in the meantime it is possible that there were many security breaches as a result of the compromise.

This is what is considered an ‘advanced’ attack. An unknown party, very likely backed by a foreign government or military, sent the company that makes the devices an email that looked legitimate and contained an attachment: an Excel spreadsheet. That spreadsheet was specially crafted to exploit a then-unpatched vulnerability in Excel, so when the right user with the right type of access opened it, the attackers gained access to what were supposed to be secured systems. From there they used that access to gain further access, which ultimately led them to the secret information needed to ‘crack’ the devices’ encryption.

There are many lessons to learn from all this, but one of the clearest is: be extra careful opening email attachments! Technology is a dangerous world and it pays to be cautious. At a minimum, if you are sent an attachment by someone you don’t recognize, don’t open it!

For more technical info on the hack and how it was tracked down, check out http://www.f-secure.com/weblog/archives/00002226.html

Sometimes the hackers do get caught…

Tuesday, June 21st, 2011

It looks like the possible leader, or at least a senior member, of the hacking group “LulzSec” has been arrested in London. LulzSec is the hacking group that hacked Sony and has been behind many of the recent high-profile hacks.

The arrest is particularly newsworthy because hackers these days are generally very hard to catch, due to their use of multiple proxies for any hacking activity. That said, just as any site can be hacked if enough resources are poured into it, any hacker can be caught the same way:

http://www.cnn.com/2011/WORLD/europe/06/21/uk.sony.hack.arrest/index.html

Hacking on the wild, wild web.

Monday, June 20th, 2011

It’s in the news, you can’t escape it. Hacks. Outages. Exposures. Compromises. Sony, Citibank, Sega, Amazon, the WTO, even the CIA. If the big guys can’t keep their stuff up and secure, is there any hope for the not-as-big guys?

The answer is fortunately yes. I will go into that more at a later date, but to start with I want to talk a little about the nature of the beast, particularly as it relates to WebSight Design and our clients.

For web sites, hackers basically have one or more of the following goals:

1) Site defacement – they want to replace your homepage with a message saying ‘hacked by the hustla’
2) Denial of service – they want to take your site offline so nobody can view it
3) Malicious content insertion – they want to insert links that send your visitors to security scam sites
4) Data theft – they want credit card info, or other info not intended to be available
5) Hijacking of resources – they want somewhere to store and share their pirated media

In order to accomplish their goals, they generally use one or more of four primary avenues of attack:

1) SQL injection – this is one of the most common ways to hack a site. Hackers take advantage of forms on a website whose input is passed to the database in such a way that it can be used to perform database operations that are not supposed to be allowed, such as inserting malicious links into the database.

2) Application exploits – All websites run on web servers, typically either Apache or MS IIS. Sites with more dynamic content also use an additional application software layer such as PHP, ASP or ColdFusion. All of the above have had security bugs in the past that could allow hackers to gain unauthorized access to a site, and while they are constantly being updated to close holes, new holes are always being discovered. At any given time there may be holes that only a few hackers even know about, also known as ‘zero day’ exploits.

3) Password hacking – Another way hackers can get unauthorized access to a site is by getting hold of a working username and password, such as FTP login information or a CMS admin login. They can get the login info in a variety of ways, including ‘brute force’ automated guessing, grabbing the info in transit when someone is using an insecure wireless connection, or even via a virus or trojan ‘keylogger’ surreptitiously installed on the computer of the person who uses the login legitimately.

4) Flooding – If a hacker wants to take a site down but has no holes available to exploit, they can still take the site down (denial of service) by flooding the site or its network with so many bad requests that the good ones can’t get through. And as an added bonus to the hackers, sometimes in the heat of a denial of service attack, the actions taken to try to track down and stop the flooding may actually open up new avenues of attack.

By understanding the hackers’ goals and means, we can put up the best defense possible against them, as well as take measures to minimize the impact and/or downtime when a hack does occur. Some examples of this are keeping our servers and applications up to date with the latest security updates, coding all of our forms with ‘validation’ to prevent SQL injection, following best practices such as not storing credit card numbers in databases, and being fastidious about backups.
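To make the SQL injection avenue described above and the form ‘validation’ defense mentioned here concrete, the following is an added example (not code from WebSight Design or from the original post) in Python with SQLite: a profile-homepage form handled by pasting the input into the SQL text, beside the same form handled with input validation and a parameterised query. The table, sample rows and form input are all constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample data: a small 'profiles' table for a site whose members
# can set a link to their own homepage through a form.
SAMPLE_PROFILES = [(1, "alice", "http://alice.example"),
                   (2, "bob", "http://bob.example")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, homepage TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", SAMPLE_PROFILES)
    conn.commit()
    return conn

def set_homepage_vulnerable(conn, user_id, homepage):
    # The form value is glued into the SQL text, so a quote in the input closes
    # the string literal and whatever follows is executed as SQL.
    sql = "UPDATE profiles SET homepage = '%s' WHERE id = %d" % (homepage, user_id)
    conn.execute(sql)
    conn.commit()

def is_valid_homepage(value):
    # Input validation, as the post recommends: accept only an absolute
    # http(s) URL with a host and no quotes or whitespace.
    parts = urlsplit(value)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and not any(c in value for c in "'\" \t\n"))

def set_homepage_safe(conn, user_id, homepage):
    # Validate first, then use a parameterised query: the driver sends the
    # values separately from the statement, so input can never become SQL.
    if not is_valid_homepage(homepage):
        raise ValueError("rejected homepage value")
    conn.execute("UPDATE profiles SET homepage = ? WHERE id = ?", (homepage, user_id))
    conn.commit()

def homepages(conn):
    return dict(conn.execute("SELECT name, homepage FROM profiles ORDER BY id"))

def demo(homepage_input="http://evil.example' WHERE 1=1 --"):
    # Constructed form input: one quote plus a trailing SQL comment turn the
    # per-user UPDATE into one that rewrites every member's homepage link.
    vuln = make_db()
    set_homepage_vulnerable(vuln, 2, homepage_input)
    safe = make_db()
    try:
        set_homepage_safe(safe, 2, homepage_input)
    except ValueError:
        pass  # the validated, parameterised handler refuses the input
    return homepages(vuln), homepages(safe)
```

Running `demo()` shows every row of the vulnerable database now pointing at the injected link, while the validated version leaves the table untouched; the parameterised query alone would also have stored the input as a harmless string.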

More to come…

—————————————————————————————————————–

Founded in 1995, WebSight Design offers business clients a range of web site design and development services, including web site programming, web site hosting, web site and search marketing, and colocation management.