
10 online attacks we could have easily prevented

Ten attacks on corporations and individuals by hackers and governments, and all of them could have been prevented if people had followed best practices.

Topic: Security
1 of 11 Larry Seltzer/ZDNet


Real zero-day attacks against which we're all helpless are actually quite rare. The use of best practices and defense-in-depth can almost always block, or at least warn of attempts to exploit systems. Even Stuxnet, perhaps the most sophisticated exploit ever, which used four zero-day vulnerabilities, could have been blocked if the Iranian authorities had used best security practices.

This is the main lesson of a webinar by security expert Troy Hunt for the IT educational site PluralSight, for which Hunt creates courseware. Many of the victims are large, well-funded corporations (and their customers), but those corporations didn't go to the trouble of following the OWASP Top Ten most critical web application security flaws, the leading guide for these things.

Some of these attacks are famous, such as the hack of the Sony Playstation network. Some caused real damage, including the bankruptcy of one company that was hacked, while some led to less dire consequences, such as spam campaigns.

Hunt has many other Pluralsight courses focused on best practices such as these, and the course catalog extends into many other computing topics, from IT issues to programming and computing architecture.

(Image ZDNet/CBS Interactive Inc.)

2 of 11

Bell Canada gets SQL-injected

In February of this year a hacker group called Nullcrew stole and leaked thousands of customer usernames and passwords from Bell Canada.

The attackers released a lot of detail about how they did it. The technique was SQL injection, which is where attackers insert SQL commands into a remote site's database through poor web site programming. SQL injection can be a devastating form of attack, and it is alarmingly common. OWASP (the Open Web Application Security Project) rates injection attacks, such as SQL injection, as the most prevalent of their Top 10 web site attacks.

The really irksome part of this particular attack is that SQL injection is one of the few attacks that we absolutely know how to prevent, through a technique called parameterized queries. Alas, Bell Canada was using very old technology on their site.
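To make the parameterized-query point concrete, here is an added example (not code from Hunt's course or from the page) showing a login lookup written both ways against a constructed SQLite table; the table, users and the tautology input are all assumptions for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real sites must hash them.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn

def login_concat(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input changes the query's structure instead of being treated as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))

def login_param(conn, username, password):
    """Fixed: parameterized query. The driver sends the SQL and the values
    separately, so the input can never become part of the query's syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))

def demo(username="' OR '1'='1", password="' OR '1'='1"):
    """Run both login routines against the same constructed input.
    The concatenated version matches every row; the parameterized one
    simply looks for a user literally named "' OR '1'='1" and finds none."""
    conn = make_db()
    return {"concat": login_concat(conn, username, password),
            "param": login_param(conn, username, password)}
```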

The image on this page is a screen grab of HackBar, a penetration-testing tool with specific capabilities for SQL injection.

(Image courtesy Hunt/PluralSight)

3 of 11

Epic Apple Hack

In August of 2012, in the space of an hour, journalist Mat Honan's entire digital existence was stolen. The attackers got his Google account, his Twitter account, his Amazon account and eventually his Apple ID, which they used to remotely wipe his iPhone, iPad and MacBook.

It started with an attacker calling up Amazon and convincing them that he was Honan. At the time all you needed to do this was a name, email address and billing address. The attacker added a new credit card, then called back some time later to ask that the email address on the account be changed. This required a name, billing address and a credit card number. The next step was to have a password reset sent to the new address, and the account was completely pwned. And now the attacker was able to see the last 4 digits of Mat's legitimate credit card.

In the next step, the attacker called up AppleCare and provided a name, address and last 4 digits of the credit card, and this was enough to convince Apple that the attacker was Honan and give him access (through a temporary password) to Honan's me.com email address. That address was a secondary address on Honan's Gmail account, so the attacker was then able to reset the password on that account. This allowed him to steal Honan's Twitter account.

Honan first realized something was up when he noticed that his iPhone was wiped. The attacker also wiped his MacBook and then sent racist tweets from his Twitter account. The only good news here is that it was Honan and not you or me.

Hunt takes several lessons from this example: interlinked accounts are a great vulnerability; many companies have a weak approach to authentication by phone; two-factor authentication is a critical tool for impeding attacks like these (Google, Twitter and Apple now support it); finally, social engineering remains one of the most important techniques for attack.

(Image ZDNet/CBS Interactive Inc.)

4 of 11

Samy's MySpace cross-site scripting worm

MySpace? Who cares? That's not the point. This incident in 2005 was the first really big cross-site scripting (XSS) incident.

Samy wrote an XSS worm that got him a million MySpace friends in less than a day. This may seem frivolous, but it illustrates just how serious XSS can be.

What are the lessons? Web developers need to validate data passed by the user and make sure it's encoded before displaying it. Nowadays, web frameworks usually check for this sort of stuff, but XSS is still a serious risk you need to consider.
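As an added illustration of the "encode before displaying" lesson (not code from the page or from Hunt's course), the following compares three ways of echoing a constructed "about me" string into a profile page: raw, after deleting a known-bad tag, and HTML-encoded. The sample strings and the page template are assumptions for the demo.

```python
import html
import re

# Constructed "about me" strings of the kind a profile page echoes back.
SAMPLES = [
    "hello world",
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</script>",   # survives one pass of stripping "<script>"
    '<img src=x onerror="alert(1)">',      # no script tag at all
    "Tom & Jerry <3",                       # harmless, yet contains < and &
]

def render_raw(text):
    """Vulnerable: user text dropped straight into the page."""
    return '<div class="about">%s</div>' % text

def render_blacklisted(text):
    """Still vulnerable: deleting known-bad strings is not validation."""
    return render_raw(text.replace("<script>", "").replace("</script>", ""))

def render_encoded(text):
    """Fixed: encode for the HTML text context, so < > & " ' become entities
    and the browser can only ever show the text, never parse it as markup."""
    return render_raw(html.escape(text, quote=True))

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

def smuggles_tag(rendered):
    """True if the user-controlled part of the output still contains a tag."""
    body = rendered[len('<div class="about">'):-len("</div>")]
    return TAG_RE.search(body) is not None

def audit(samples=SAMPLES):
    """For each sample, report which renderers let markup through."""
    return {
        s: {
            "raw": smuggles_tag(render_raw(s)),
            "blacklist": smuggles_tag(render_blacklisted(s)),
            "encoded": smuggles_tag(render_encoded(s)),
        }
        for s in samples
    }
```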

(Image ZDNet/CBS Interactive Inc.)

5 of 11

Anonymous pwns HBGary

HBGary is a security company providing security services and products to many large clients, including the Federal Government.

In early 2011, Aaron Barr, CEO of HBGary Federal (a division since closed), announced that he had infiltrated the Anonymous hacking group through social media and other such media and that he would expose their leadership. LulzSec, an affiliated hacktivist group, retaliated, breaking into the HBGary Federal site, releasing large numbers of emails, defacing the site and destroying a large amount of data.

How did they do it? It started with SQL injection, which we already encountered earlier in this feature and which any security firm should know is a major avenue of attack. Next, LulzSec was able to obtain the HBGary Federal password hashes. When passwords are well-hashed, this shouldn't be a problem, but HBGary had a poor hashing practice, and so all their passwords were exposed. Barr and a colleague had reused their passwords in many other places, allowing LulzSec to penetrate the HBGary Federal network and obtain superuser access through an unpatched software vulnerability for which a patch had been released months before. Game over.

The lessons? Many of the flaws exploited by the hackers are well-known problems, probably of the type HBGary Federal recommended fixing to their clients, yet they didn't bother to fix them themselves: SQL injection, poor cryptographic algorithms and storage, unpatched software, and weak, reused passwords.

6 of 11

Sony PlayStation network hacked, data stolen

The compromise, in early 2011, of the PlayStation Network was a disaster for Sony. But users didn't know that yet; all they knew was that the network was down. Sony didn't tell them that 77 account records were stolen.

Then, a couple of months later, the Sony Pictures site was hacked, exposing another 25 million records, and only then did Sony reveal the extent of the PlayStation Network breach.

The song remains the same here: a SQL injection was involved, and the cryptographic protection of the passwords was weak or nonexistent.

Hunt blames a general cultural problem with security at Sony. When attackers see sloppy practices at one part of a company, they can guess that maybe another part is also sloppy. When two parts are sloppy, it's open season on the company. Sony said that recovering from these attacks cost them $100 million.

(Image courtesy Sony)

7 of 11

Gawker hack leads to Twitter spam

In late 2010 the news/gossip blog Gawker's commenting system was hacked and about 1.3 million user accounts, including passwords, were exposed. Gawker had gone to some effort to encrypt their password database, but they didn't do a good enough job.

Not coincidentally, before too long a lot of spam for "acai berries" started showing up on Twitter; see the examples on this page. The victims were users who had weak passwords and reused them on multiple sites. In particular they used the same weak password on Gawker and Twitter. Twitter figured this out and told users to change passwords.

So the exploit of Gawker led to the exploit of Twitter, and multiple things went wrong. Gawker's password database was stolen, it was encrypted weakly, and users used weak passwords and reused them on multiple sites. Lots of blame to go around. Hunt specifically points a finger at Gawker's choice of password hash.
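The "poor hashing practice" blamed in the HBGary slide and the weak password hash Hunt faults Gawker for come down to the same two mistakes: a fast hash and no per-user salt. The added example below (not code from the page or from Hunt's course; the user records and the tiny wordlist are constructed) shows why such a database cracks wholesale, and what a salted, slow KDF changes.

```python
import hashlib
import hmac
import os

# Constructed user records; the passwords are deliberately weak, as many Gawker users' were.
USERS = {"alice": "password123", "bob": "password123", "carol": "letmein"}
# Constructed mini wordlist standing in for the lists run against a leaked database.
WORDLIST = ["123456", "password123", "qwerty", "letmein"]

def weak_hash(password):
    """Unsalted, single-round MD5: fast to compute, and identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_hash(password, salt=None, rounds=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256); self-describing output."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), dk.hex())

def verify(stored, password):
    """Recompute with the stored salt and round count; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_hashes(db):
    """Number of distinct hash values shared by more than one user."""
    counts = {}
    for h in db.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

def recovered_by_lookup(db):
    """Unsalted fast hashes fall to a precomputed table: one hash per word,
    reused against every user (and every other site using the same scheme)."""
    table = {weak_hash(w): w for w in WORDLIST}
    return sorted(u for u, h in db.items() if h in table)

def demo():
    weak_db = {u: weak_hash(p) for u, p in USERS.items()}
    strong_db = {u: strong_hash(p) for u, p in USERS.items()}
    return {
        "weak_duplicates": duplicate_hashes(weak_db),      # alice and bob share a hash
        "strong_duplicates": duplicate_hashes(strong_db),  # salts make them differ
        "weak_recovered": recovered_by_lookup(weak_db),    # all three, from a 4-word list
        "alice_ok": verify(strong_db["alice"], "password123"),
        "alice_wrong": verify(strong_db["alice"], "Password123"),
    }
```

Salting does not make a weak password strong; it only stops one precomputed table from unlocking every account at once, which is why Hunt's advice to users is still a unique password per site.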

(Image courtesy Sophos Naked Security blog)

8 of 11

The Tunisian government hacks Facebook

It was late in 2010 and early in the Tunisian protests that became what we called "Arab Spring." Activists were using Facebook to communicate and the government wanted to spy on them. Facebook communications were normally conducted over SSL/HTTPS but, at that time, the login page was in plain text HTTP.

In Tunisia, like many countries, the government owns and controls the ISPs, so they were able to manipulate the code on the Facebook login page silently and on the fly. The JavaScript they inserted in the page sent the Facebook username and password of every user who logged on to Facebook from Tunisia to the government. This story in the Atlantic describes the episode with a lot of background.

Facebook responded by putting their login page onto HTTPS. Leaving the home page in HTTP is much less common these days, and this incident was the spur to get many sites to go all-HTTPS-all-the-time.

(Image ZDNet/CBS Interactive Inc.)

9 of 11

DigiNotar: Vulnerability = Bankruptcy

In 2011, DigiNotar was a certificate authority trusted by all the major platforms: Microsoft's, Apple's, Google's, Mozilla's and more. Then their systems were compromised, allowing hackers to issue trusted certificates for famous company names like Google, Skype and Twitter. The problem was discovered when it was noticed that large numbers of certificate revocation checks for Google sites were being sent to Iran where, needless to say, Google does not operate.

A problem like this threatens the whole public key infrastructure, so the big companies acted fast: DigiNotar's trusted CA status was revoked by Google, Mozilla, Microsoft and (later) Apple. Less than two weeks later, its reputation shredded to atoms, DigiNotar was forced to file for bankruptcy.

The takeaways are that SSL is profoundly important to security on the Internet, and that the security of certificate authorities is central to the credibility of SSL. There are some measures moving forward in the industry which can improve SSL security, like certificate pinning and Perfect Forward Secrecy. But the big lesson here is that a security compromise can have the most drastic of consequences, up to and including the death of the organization.

(Image ZDNet/CBS Interactive Inc.)

10 of 11

Twitter @N gets stolen

Naoki Hiroshima was an early Twitter user, early enough that he got the name "N". Now that Twitter is a big deal, a one-letter name like that is valuable, which is why, early this year, a thief used a chain of social engineering maneuvers (not unlike the Mat Honan Epic Apple Hack on page 2 of this gallery) to steal @N from Hiroshima. How valuable was it? He had been offered as much as $50,000 for it.

The main villain is the actual thief, of course, who also used blackmail as part of his scheme, but PayPal and especially GoDaddy also have plenty to be ashamed of. GoDaddy used credit card numbers to verify the identity of people calling in, so when the thief stole Hiroshima's GoDaddy account by knowing only the last four digits of the credit card number (which he had obtained by tricking PayPal into providing them to him) and immediately changed the credit card information, Hiroshima could no longer verify himself to GoDaddy.

The thief now controlled Hiroshima's domains and email accounts, both critical to his business, but Hiroshima had changed his Twitter email address to one not controlled by GoDaddy, so the thief couldn't get it. So the thief decided to blackmail Hiroshima: give me @N or I'll waste all your GoDaddy assets.

In the end, Hiroshima got @N back and GoDaddy changed their identity verification policies, but GoDaddy still cuts corners, for instance by having a non-SSL login page.

There are plenty of lessons to learn here, but one is that two-factor authentication blocks so many of these attacks, and would have blocked these.

(Image courtesy SiteTraining.com)

11 of 11

Heartbleed — catastrophic?

Hunt notes that Heartbleed has been called "catastrophic," an 11 on a scale of 1 to 10, but that the world hasn't ended since. It turns out that it's not a simple matter to exploit, and a great many sites have been patched.

What are the lessons of Heartbleed? There were profound lessons for secure software development, but Hunt focuses on IT and users. Site admins should force users to reauthenticate before key actions, like when you have to enter your current password to change it; they should not allow idle users to stay logged on for long; they should be able to kill active sessions and force password resets, and more. For users, the main lesson is to use unique passwords for each site.

For more shocking vulnerabilities, read 

(Image ZDNet/CBS Interactive Inc.)
