Introduction
Those were the times when the company mainframe was locked up in the basement. To steal sensitive information the bad guy literally had to break into the building, find the room with the mainframe and copy the data. But then the network was created: the LAN and of course the network of all networks, the Internet, connecting every computer on the planet.
This has changed everything, especially the data security landscape. The recent denial-of-service attacks on sites like CNN.com showed how vulnerable Web sites are to malicious attacks from the Internet. And every new Web site represents yet another potential target.
At the Internet Security Conference in San Jose, California, security experts got together to discuss the situation. Marcus Ranum, CEO of Network Flight Recorder and former Usenet news guru, was one of the keynote speakers and delivered a somewhat controversial point of view. He was talking about cultural issues in Internet security. Hackers are not cute whiz kids, he said, but amateur terrorists who do not even have an ideology. In the past the press in particular glorified the teenage hacker as a computer genius, thus implying that all the software engineers working on Internet security are idiots. In reality the hacker genius often downloads his tool from one of the hacker sites and gets lucky. He gets all the glory; the software engineer gets fired.
Of course there are the ‘friendly’ hackers who just want to help to make the Internet a safer place by finding bugs. But then they go ahead and disclose every detail, handing instructions on how to break into a site on a plate, compromising the company that operates the Web site even further. These guys, said Ranum, are either on an ego trip, flaunting their ‘brilliance’, or they are trying to sell their own security tools as counter-measures.
The right way to disclose a security bug on a Web site is to notify the vendor, and provide him, and only him, with details on how to reproduce the bug. Then ask the vendor when he will issue a bug fix. If the vendor does not come up with a fix within an appropriate amount of time, however, it is acceptable to publish the existence of the bug without disclosing its details.
Ranum also appealed to companies not to hire any ex-hackers as security consultants – it is like using reformed wolves as shepherds. Why should we reward them for their criminal past? Ranum sees a wave of civil lawsuits rolling towards authors and distributors of attack tools. The big companies are really sick of getting hacked and will seek retribution. Unfortunately teenage hackers usually do not have a lot of financial assets …
Insecure Code
The security problem often lies within the Web application itself, as Eran Reshef from Perfecto Technologies demonstrated in his talk. The company performed audits on 37 major Web sites and 36 had significant problems at the application level that could be exploited in a matter of hours. While heavily secured at the network level, these sites still allowed hackers to execute Unix shell commands, download source and even submit SQL queries.
Web applications are usually custom-built, using insecure code developed internally combined with insecure code purchased from the outside. The external code could for example contain a backdoor left by the original programmer, giving him full access to the Web server. Other application hacking techniques include manipulation of hidden fields, parameter tampering and cookie poisoning.
Hidden fields are often used to save information about the client’s session, eliminating the need to maintain a complex database on the server side. Normally a client does not see hidden fields, but it is relatively simple to display and change them. This technique is used, for example, for ‘electronic shoplifting’: changing the price of a product in an electronic shopping cart.
In the case of parameter tampering, the failure to confirm the correctness of CGI parameters embedded inside a hyperlink can be used to break the site’s security. Reshef demonstrated how to display the database of an online pharmacy, revealing sensitive customer information. Cookies are not always cryptographically protected, so a hacker can modify them and thereby retrieve information belonging to another user, effectively stealing his identity while bypassing security measures like logins and passwords.
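As an added example (not code from the article or from Perfecto Technologies) of the three techniques just described, the following Python sketches the server-side checks that defeat each: a cart total that trusts a hidden price field beside one that looks the price up in a server-side catalog, an ownership check on a record id taken from a hyperlink parameter, and an HMAC-protected session cookie that rejects edits. The catalog, records and secret are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed server-side catalog (prices in cents): the only trusted price source.
CATALOG = {"sku-100": 4999, "sku-200": 1250}

def total_trusting_hidden_field(form):
    """Vulnerable: multiplies a price taken from a hidden form field the client controls."""
    return int(form["qty"]) * int(form["price"])

def total_from_catalog(form):
    """Hardened: takes only SKU and quantity from the client; the price is looked up server-side."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * CATALOG[sku]

# Constructed records keyed by the id that appears in the hyperlink parameter.
RECORDS = {"7": {"owner": "alice", "rx": "constructed-prescription"}}

def fetch_record(record_id, session_user):
    """Parameter tampering check: a record is returned only to the user who owns it."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        return None  # deny without revealing whether the id exists
    return rec

# Constructed server secret; in practice loaded from configuration, never sent to the client.
SECRET = b"constructed-demo-secret"

def make_session_cookie(user_id):
    """Return 'user_id.mac', where mac is an HMAC-SHA256 over the user id."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def read_session_cookie(cookie):
    """Return the user id if the MAC verifies, else None (edited or forged cookie)."""
    try:
        user_id, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None
```

The same pattern applies to any value a client can edit before it is submitted: treat it as untrusted input, and either derive it from server-side state or bind it to a server-held secret so that edits are detected.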
A far less sophisticated security problem lies in basic human error and negligence, according to Fred Avolio, independent security consultant and co-author of SENDMAIL: THEORY AND PRACTICE. In the early days of the Internet, it was used only by scientists and engineers who were technically savvy. Today everybody has access to the network, from office administrator to CEO, and everything is ‘point and click’. And sometimes all it takes is one click to infect the whole network and all the computers connected to it with a virus. Just remember Melissa.
And then, there is of course the almost comical situation of the company that insisted it had a really good firewall. When Avolio went in and wanted to test it, they pointed to an unopened box sitting next to the server. Nobody had actually installed the software. Or as Marcus Ranum put it: ‘You can design the best seatbelt in the world, and then your customer puts it around his neck’.