Hacking 2.0
The security risks of a more interactive Internet
By Ken Munro
ISSA Journal | July 2008 (ISSA: The Global Voice of Information Security)

Hacking 2.0 takes a look at the constantly evolving world of hacks, exploits and security vulnerabilities being offered as Web 2.0 transforms the Internet.

The Internet is moving into the next stage of its development to become a place for the world's citizens to work, rest and play. As this happens, how will the growing shadow community of hackers and cybercriminals take the opportunities Web 2.0 offers and turn them into new security threats? This article takes a look at the constantly evolving world of hacks, exploits and security vulnerabilities.

In April 2008, fifteen years from the date when CERN (European Council for Nuclear Research) first put the World Wide Web into the public domain, the medium's creator Sir Tim Berners-Lee[2] announced that it was "still in its infancy." First conceived when Berners-Lee, then a graduate student at CERN, handed his boss a paper called "Information Management: a Proposal," the Internet has grown from a conduit for non-commercial academic data into arguably the greatest revolution in communications technology since the invention of the telephone.

Berners-Lee contended in the same interviews "that really we have only started to explore the possibilities of [the Web]," contrasting the passive nature of the Internet only five years ago with the mash-up applications, social networking and social media that are now part of our daily lives. Yet he also acknowledged that "you can find bad stuff out there," alluding, albeit briefly, to the fact that while there are great communication advantages to moving an increasing part of our "real" lives as citizens online, there are also very real risks. We shall take a closer look at these risks here.

Not just the money

Increased Web functionality and the drive towards interactivity mean that it is now easy for someone with virtually no technological knowledge to place contact details, family relationships, dates of birth and residence into the public domain. All this aids communication, but it has also provided a fertile environment for the rapidly growing industry of identity theft, to the point where the UK Home Office estimates it costs the economy £.7bn a year. For example, phishing attacks, which in the past were often derided for the primitive tactics they used to extract consumers' bank details, have now been replaced with the more targeted "spear-phishing," which uses personal information skimmed from social networking sites to create eerily plausible attacks.

It is not only our money that is under threat either. Web 2.0 can also put our reputation and career prospects at risk. In 2007, Tom Beech, an employee of retailer Argos, became the first UK worker to be fired for making negative comments about the company on Facebook.

As the medium's inventor, it is therefore perhaps not surprising that Berners-Lee has a somewhat Utopian vision of the Internet, predicting that it will be used to build "new social systems, new systems of review, and new systems of governance." Yet it is vital to remember that not everyone will approach such a vast collection of useful data so altruistically.

2 http://www.w.org/People/Berners-Lee.
http://news.bbc.co.uk//hi/technology/77660.stm.
http://www.thesun.co.uk/sol/homepage/news/article267.ece.

If the future of everything, including government, really is online, what is there to stop a hacker from disrupting a G8 summit, or causing anarchy by hacking a minister's email account? We already live in a world where Clive Goodman, a journalist for The News Of The World, was jailed for hacking into the mobile phone messages of aides to the Royal family.

Another journalist, John Naughton, takes a pessimistic view of the dangers of the "open" Internet. Writing in The Guardian ("Apple and Google rule a year to note in your facebook," 0 December 2007) he suggested that "we may finally discover what the Storm botnet – the colossal network of compromised Windows machines someone has been covertly building over the past year – is for. My hunch is that the net is headed for its own version of 9/."

If, as Naughton suspects, the Internet can act as the breeding ground and even the conduit for terrorism, it is also not surprising that there is clear evidence that national security agencies are using the Internet subversively. The first signs of this emerged when Virgil Griffith of the California Institute of Technology developed Wikipedia Scanner[6] in summer 2007. This tool, which cross-referenced the changes made to Wikipedia entries by user accounts against their IP addresses, revealed that the CIA and other agencies, even including the Vatican, had been active in amending publicly available information sources.

State-sponsored attacks

Matters took a more serious turn in December, however, when a letter obtained by The Times showed that MI, the UK's Security Service, had written to warn 00 UK companies that they were at risk from attack from state-sponsored Chinese hackers.[7] This incident was the first of its kind reported, with The Times revealing that Chinese attacks had already compromised one of Europe's largest engineering companies and a large oil company. The same report also quoted an unnamed security expert who claimed that a Chinese group were using "custom Trojans" to hack the networks of even minor firms involved in Chinese-related deals and feed back confidential data. It was also related that the MI letter included a list of known "signatures" that can be used to identify Chinese Trojans and a list of Internet addresses known to have been used to launch attacks.

Government infrastructure could also be jeopardized by the effects of globalization that the Internet has helped accelerate. Our own research indicates that it would be very easy for a foreign power to implant spyware in the firmware of seldom-tested communications equipment. Counterfeit routers and switches, manufactured in unregulated plants in the Far East and sold online for "too good to be true" prices, are ripe targets for covert operations. They will form unobtrusive parts of corporate networks, with the hardware itself bypassing the operating system and acting as the malware. They would also be undetectable to antivirus and malware scanners, which are not configured to scan to the depth of individual devices.

But is there any evidence that this concept has life outside of doom and gloom predictions? We need look no further than what is already happening in cybercrime circles. Christmas 2007 saw millions get a nasty surprise in their stockings as MP players, Flash memory sticks, and digital photo frames bought on eBay turned out to be infected with keystroke logging malware. Given that consumer-targeted products are being tampered with, it is just as likely that corporate PCs and network components such as switches, routers, and firewalls could be compromised and the data relayed across the Internet. It is possible that these incidents were simply oversights in the manufacturing process, but it is equally possible they were intentional.

In search of commercial rather than political rewards (earlier this year the Conservative Party estimated that cybercrime costs the UK economy £0bn annually), this activity will be carried out by highly organized criminal gangs. Certainly recent exploits, such as the malicious Flash applets exposed in May 2008 by Symantec, suggest that hackers have adopted working methods that would not be out of place in a software development house. What is perhaps more worrying, however, is that techniques such as the automation of data mining hand script kiddies, who were previously left to splash around in hacking's shallower waters, the tools they need to do serious damage. This new breed of hacker will also have different targets.

The Web Hacking Incidents Database (WHID), a Web Application Security Consortium[8] project which reports on online hacking trends, gives some indication of current hacker activity (it only covers reported attacks, so its findings are not conclusive). In 2007, the report shows a rise in the total number of incidents, giving weight to the script kiddie argument. It also revealed that the second most popular type of attack after SQL injection was unintentional information disclosure, suggesting hackers are now quick to exploit information that was either poorly protected or unintentionally published in the public domain. This effect is perhaps inevitable given that, as servers and applications become more secure, the information that individuals disclose has become that much more valuable to the hacker.

6 http://wikiscanner.virgil.gr.
7 http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article298020.ece.
8 www.Webappsec.org.
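Two passages above rest on the same simple mechanism: Wikipedia Scanner cross-referenced edit records against the IP address ranges owned by organisations, and the MI letter is said to have supplied a list of Internet addresses known to have been used in attacks, which a defender would match against connection logs. The following is an added example, not code from the article or from either project, showing that longest-prefix IP-to-range matching once and applying it both ways. All ranges, edit records and log lines are constructed from RFC 5737 documentation addresses and are not real attribution data or real indicators.

```python
import ipaddress

# Constructed organisation ranges (documentation addresses only; not real attribution data).
ORG_RANGES = {
    "Example Agency": ["203.0.113.0/24"],
    "Example Corp": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed placeholder watchlist in the spirit of the "list of Internet addresses
# known to have been used to launch attacks" mentioned in the text.
WATCHLIST = ["192.0.2.77", "198.51.100.200/29"]

# Constructed edit records of the kind a scanner over a wiki's public history would see.
EDITS = [
    {"page": "Some_Article", "ip": "203.0.113.45", "when": "2007-08-14T10:02Z"},
    {"page": "Another_Article", "ip": "198.51.100.9", "when": "2007-08-14T11:30Z"},
    {"page": "Third_Article", "ip": "192.0.2.5", "when": "2007-08-15T09:00Z"},
]

# Constructed web server access log lines (combined log format, abbreviated).
ACCESS_LOG = [
    '192.0.2.77 - - [01/Dec/2007:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.203 - - [01/Dec/2007:10:00:05 +0000] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Dec/2007:10:00:09 +0000] "GET /about HTTP/1.1" 200 300',
]


def build_index(ranges_by_label):
    """Compile CIDR strings into network objects, most specific prefix first.

    A bare address such as "192.0.2.77" becomes a /32 (or /128) network.
    """
    index = []
    for label, cidrs in ranges_by_label.items():
        for cidr in cidrs:
            index.append((ipaddress.ip_network(cidr, strict=False), label))
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def lookup(ip, index):
    """Return the label of the most specific range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in index:
        # Membership is always False across IP versions; the check is made explicit here.
        if addr.version == net.version and addr in net:
            return label
    return None


def attribute_edits(edits, ranges_by_org=ORG_RANGES):
    """Attribute each edit to an organisation by its source address (the Wikipedia Scanner idea)."""
    index = build_index(ranges_by_org)
    return [(e["page"], e["ip"], lookup(e["ip"], index)) for e in edits]


def flag_watchlisted(lines, watchlist=WATCHLIST):
    """Return (ip, line) for every log line whose client address is on the watchlist."""
    index = build_index({"watchlist": watchlist})
    hits = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        if lookup(client_ip, index):
            hits.append((client_ip, line))
    return hits


if __name__ == "__main__":
    for page, ip, org in attribute_edits(EDITS):
        print(f"{page:16} {ip:16} {org or 'unattributed'}")
    for ip, line in flag_watchlisted(ACCESS_LOG):
        print("watchlist hit:", ip, "->", line)
```

Sorting by prefix length means a more specific range (for example a single address inside a larger block) wins, which matters when a watchlist and an organisation list overlap. Unattributed edits are returned with None rather than dropped, so a reviewer can see how much of the data the ranges actually cover.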

Digging deep

The wealth of information now being housed online can provide rich pickings, and the ease with which deep Web searches can now be accomplished makes it even easier for the attacker to collate valuable data. These new sites index other sites and other search functions, performing searches of the so-called "deep Web." For example, Pipl[9] indexes the contents of online telephone directories and claims to dig through the contents of other sites up to 00 pages deep for "personal profiles, public records and other people-related documents stored in databases and not on static Web pages. Most of the higher-quality information about people is simply 'invisible' to a regular search engine." Maltego[0] is also an interesting site in that it performs this type of deep Web filtering too.

In the near future, we can expect to see tools emerging for mining information from social networking sites, and applications will increasingly be written for these sites for hackers to use and abuse. Here Facebook users would be right to have privacy concerns, given the increased functionality given to developers using the emerging Facebook Platform. A little lazy coding, which sacrifices security for functionality on the part of the developer, could potentially expose application users' data and prove very difficult to fix. Even as vendors and Website operators put security controls in place, they will be hard pressed to encourage users to lock down their accounts and stop giving out personal information. Nor does the emphasis on individual identity theft mean that corporates will not be affected. The information gleaned from this type of hacking will provide a convenient "way in" to organizations, with employee details accessed and abused to infiltrate company systems.

Escalation

The perpetual arms race between hacker and vendor will continue. This is nothing new. There has always been a kind of Moore's Law that has seen hacking speeds correlate with increases in system processing. Security vendors have then had to react to counter this increased threat. The danger is that complacency among vendors could allow the hacker to get ahead of the game.

Advances in cracking speed will force encryption vendors to up the ante and improve security standards. Most encryption technologies make the assumption that supercomputers are not available outside of central government and huge corporations, but technology advances, botnets, and intuitive hacking are more than a match to break most methods of encryption. For instance, we recently investigated the ease with which it was possible to recover the encryption keys from a PC simply by cooling down the device's memory!

This increase in speed could eventually render the likes of Patch Tuesday obsolete as more zero-day exploits emerge. Although much talked about, significant zero-day attacks are comparatively rare, restricted usually to a few small groups that have the high level of expertise and time to code them. As we have seen above, however, suspicions are growing that some of these groups may be funded by foreign governments. The speed of deployment of exploits is still scary, but it is about to become a much more serious problem.

Automated exploits

Recent research from David Brumley and Pongsin Poosankam of Carnegie Mellon University, Dawn Song of University of California at Berkeley, and Jiang Zheng of University of Pittsburgh suggests that new techniques will allow hackers to craft exploits in seconds rather than days. A process called Automatic Patch-based Exploit Generation (APEG) puts Windows machines especially at risk, in that the code issued by Microsoft to patch vulnerabilities can be reverse engineered to create new exploits in between six seconds and three minutes. These could then be used to attack unpatched machines (which will include many corporate systems) after the patch has been made public. The research team have reportedly already approached Microsoft with their findings to put forward solutions to this problem. These include obfuscating code, encrypting patches, waiting to distribute the key simultaneously, and utilizing peer-to-peer distribution to transmit patches faster, but the software giant has yet to take concrete action.

APEG also exposes the online world to fast propagating worms. Automated injection worms – simple Web spiders that attempt to inject code into any parameter they find – can cause chaos on a massive scale. In effect, the malware automates SQL injection attacks without the need for user interaction. Most Web and application servers go out to the Internet over HTTP/HTTPS and may not use rulesets to restrict the servers they connect to. This is a real problem, as these servers will be instantly infected and go on to infect others if, as anticipated, there is a rise in the number of application-based worm attacks. These automated worm attacks also have implications in cross site scripting (XSS), again a hack attack that is growing in popularity. The WHID report states that XSS "is the most common vulnerability found by pen testers and tops the Open Web Application Security Project (OWASP) top 0 2007 release." If the automated injection worms were to insert XSS code into databases that were then viewed by database administrators investigating the issue, they could be automatically infected simply by viewing the very code they are trying to fix.

9 www.pipl.com.
0 www.paterva.com.
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html.
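The automated injection worm described above leaves two traces a defender can look for: the same source address spraying SQL fragments and script tags across every query parameter in the access log, and script tags that have landed in database rows, which is exactly what would bite an administrator who views the data in an unescaped admin console. The following is an added example, not code from the article or the WHID project, that scans constructed access log lines for those indicators, counts hits per source address, audits constructed table rows for stored script, and shows the output-encoding step that keeps an administrator's browser from running what it displays. The indicator patterns, log format and sample data are all assumptions made for the example.

```python
import html
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator patterns for the two behaviours the text describes (assumed, illustrative set).
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    re.compile(r"\bdeclare\s+@\w+", re.I),
    re.compile(r"\bcast\s*\(", re.I),
    re.compile(r"\bexec\s*\(", re.I),
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r";\s*(drop|update|insert)\b", re.I),
]
XSS_PATTERN = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.I)

# Apache combined log format, abbreviated to the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access log: one source probing several parameters, one ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.23 - - [20/May/2008:03:14:07 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 4096',
    '198.51.100.23 - - [20/May/2008:03:14:08 +0000] "GET /products.asp?id=12%27%20UNION%20SELECT%20name%20FROM%20sysobjects-- HTTP/1.1" 500 512',
    '198.51.100.23 - - [20/May/2008:03:14:09 +0000] "GET /search.asp?q=%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid%2Fw.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '203.0.113.8 - - [20/May/2008:03:15:01 +0000] "GET /products.asp?id=7&sort=price HTTP/1.1" 200 4096',
    '198.51.100.23 - - [20/May/2008:03:14:10 +0000] "GET /news.asp?story=3%3BDECLARE%20%40S%20VARCHAR(4000)%3BEXEC(%40S) HTTP/1.1" 500 512',
]

# Constructed product rows as they might look after a worm has written into the database.
SAMPLE_ROWS = [
    {"id": 1, "name": "Widget", "description": "A plain widget"},
    {"id": 2, "name": "Gadget",
     "description": 'Gadget</title><script src="http://example.invalid/w.js"></script>'},
]


def classify_params(url):
    """URL-decode each query parameter and return (name, kind) for every indicator found."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode pass catches double-encoded payloads
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append((name, "sqli"))
        if XSS_PATTERN.search(value):
            findings.append((name, "xss"))
    return findings


def scan_access_log(lines):
    """Return one record per request that carries an injection or script indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        findings = classify_params(m["url"])
        if findings:
            hits.append({"ip": m["ip"], "url": m["url"], "findings": findings})
    return hits


def per_ip_counts(hits):
    """Worm traffic shows up as a single address touching many parameters in a short window."""
    return Counter(h["ip"] for h in hits)


def audit_rows(rows, text_columns=("name", "description")):
    """Return (row id, column) for stored values that contain script indicators."""
    return [(row["id"], col) for row in rows for col in text_columns
            if XSS_PATTERN.search(str(row[col]))]


def escape_for_display(value):
    """Encode stored data before rendering it in an admin view, so a browser shows it as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["findings"], h["url"])
    print("requests flagged per source:", dict(per_ip_counts(hits)))
    print("rows needing cleanup:", audit_rows(SAMPLE_ROWS))
    print("safe to render:", escape_for_display(SAMPLE_ROWS[1]["description"]))
```

The log scan is deliberately naive pattern matching and will produce false positives on legitimate traffic, so it is a triage aid rather than a blocking control; the per-source count is the more reliable signal, since a spider that tries every parameter it finds stands out from a visitor who submits one form. The audit and escape functions address the second half of the paragraph: finding the rows that were written to, and making sure the console used to inspect them encodes output rather than trusting what the database returns.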

Of course, it's not just fixed devices that will attract attacks. Mobile devices have escaped the attention of the hacking community by and large because the data housed on them was of little use. But the convergence of the Web, email, phone, and media over smart mobile devices such as the iPhone will see these become key targets in the future. It will certainly be interesting to see if giving the previously "locked-down" OS X operating system used by the iPhone to third-party developers will result in increased exploit generation. We can certainly expect a few "humdingers" from the Windows Mobile Platform as it grows in popularity, and who knows what to expect from Google's Android smartphone operating system, whose launch is still penciled in for late 2008.

Conclusion

The sheer extent of exploits and potential dangers outlined here may seem dizzying, but it is important to remember that while knowledge of risks may increase our fears, it also allows us to mitigate them better. There are still hills to climb, however, particularly as application development coding becomes a more "democratic" process. Secure software development will need to be embedded more effectively in university course syllabuses, and quality assurance processes made more rigorous. Coding simply for functionality must become a thing of the past, with security becoming a critical consideration, especially as we move into a world where online applications and the Software as a Service (SaaS) model become more popular.

Ultimately, this more democratic online world will rely on individual users to become more responsible. If disclosing too much information not only impacts users' own identities but also compromises the security of their employers, co-workers and family, then we must definitely expect individuals to learn to manage their Internet lives more sensibly.

Will the risks disappear? No. Will we see another Internet-threatening worm or related zero-day appear over the next couple of years? Probably. Our growing awareness of these risks, however, means we are probably a lot better equipped to deal with them than in the past.

About the Author

Ken Munro is director of SecureTest, the security and penetration testing division of independent IT specialist NCC Group. Ken has a wealth of experience in meeting compliance standards and in providing business continuity using security best practice. A regular contributor to SC Magazine, Infosecurity Today and FT Digital Business, Ken has become well-known for his investigations into the security weaknesses of cutting edge technologies. For further information, please contact the author at ken.munro@securetest.com.