During the 2004 presidential campaign, Jeremy Poteet watched as the candidate's site he had worked to secure went up. Just 16 minutes later, the site was attacked.
But this high-profile site deftly deflected that attack and the others that followed because Poteet had anticipated—and then protected against—the kinds of exploits he knew would be coming. How did he know? Quite simply, he's a hacker, and thinking like a hacker—and getting to know the tools that hackers use—is one of the most effective ways to protect your company from being exploited.
Poteet, chief security officer at AppDefense, is the type of hacker commonly referred to as a white-hat hacker or security researcher—someone who digs for system holes to point out where trouble could occur. Black-hat hackers are just the opposite—people who try to gain access to systems and the data on them for nefarious purposes. In the past, most hackers were in it for fun or for bragging rights.
Now, black hats are selling exploits for tens of thousands of dollars as the malware industry capitalizes on flaws to capture passwords, credentials for banking sites and personal information for identity theft and financial fraud.
Learning how black-hat hackers think, what they're looking for and how they get it should be a fundamental part of any company's security strategy.
According to George Kurtz, author of "Hacking Exposed," hackers' targets have changed dramatically in the last few years.
"When I got into the game … it was, 'We don't have a firewall, we have a packet-routing filter.' Fast-forward to today, and you've got very interactive applications: You've got Web 2.0 tying in back-end databases and all the exposures around that," said Kurtz, who is also the founder of Foundstone, an organization that teaches hacking and secure coding practices. Foundstone is now a division of McAfee, and Kurtz, of Mission Viejo, Calif., is senior vice president of McAfee's enterprise division.
Indeed, applications are increasingly drawing hackers' attention. According to research by Gartner and Symantec, close to 90 percent of software attacks were aimed at the application layer as of June 2006.
“Once you open Port 80, you have unfettered access to an application,” Kurtz said.
Application-level flaws aren't new. In 2002, Poteet won eWEEK's OpenHack IV competition, in which people were invited to hack a test e-commerce site. Poteet was able to hack the version of the site tied to an Oracle database application.
Basically, the flaw that Poteet exploited was a screen in which users could edit their profile. The user name constituted one field, supposedly not an editable one. But the server receives whatever the browser sends: a field the page renders as read-only is no protection once the request leaves the client, because at that stage everything is editable.
Poteet changed the name in the field to "A Smith," and then he waited, like a spider for a fly. As soon as somebody named "A Smith" logged on, he pounced, immediately gaining access to all of A Smith's data, because the application took the submitted name as his identity.
The problem is, most application developers don't think the way Poteet did during OpenHack.
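The class of flaw in that story, as an added example that is not code from the original article or from Poteet's OpenHack entry: a hypothetical profile-update handler that trusts a form field the browser rendered read-only, beside one that takes identity only from the server-side session. The table, column, account names and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: two accounts with private fields."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("jpoteet", "jp@example.com", "1111"), ("asmith", "as@example.com", "9999")],
    )
    return conn


def update_profile_vulnerable(conn, session_user, form):
    """Uses the 'username' form field as the identity of the record to update
    and return.  The browser rendered that field read-only, but the server
    receives whatever the client chose to send, so any user can name any
    other user here and read and overwrite that record.  session_user is
    never consulted."""
    target = form["username"]
    conn.execute(
        "UPDATE users SET email = ? WHERE username = ?", (form["email"], target)
    )
    return conn.execute(
        "SELECT username, email, ssn_last4 FROM users WHERE username = ?", (target,)
    ).fetchone()


def update_profile_fixed(conn, session_user, form):
    """Identity comes only from the authenticated session.  A submitted
    username is tolerated when it matches and rejected when it does not,
    so tampering is both harmless and visible to whoever reads the logs."""
    submitted = form.get("username")
    if submitted is not None and submitted != session_user:
        raise PermissionError(
            "username field %r does not match session user %r" % (submitted, session_user)
        )
    conn.execute(
        "UPDATE users SET email = ? WHERE username = ?", (form["email"], session_user)
    )
    return conn.execute(
        "SELECT username, email, ssn_last4 FROM users WHERE username = ?",
        (session_user,),
    ).fetchone()


if __name__ == "__main__":
    # Attacker is logged in as jpoteet but edits the "read-only" field to asmith.
    tampered = {"username": "asmith", "email": "attacker@example.com"}
    print(update_profile_vulnerable(make_db(), "jpoteet", tampered))
    try:
        update_profile_fixed(make_db(), "jpoteet", tampered)
    except PermissionError as e:
        print("rejected:", e)
```

The fixed handler does not merely ignore the extra field: a mismatch between what the client claims and what the session says is exactly the signal a tampering attempt leaves, so it is worth rejecting and logging rather than silently overwriting.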
Poteet said he has consulted with many companies and has grown accustomed to seeing not just a vulnerability here or there, but a vulnerability in every field in every screen of every application in question.
And we're not talking mom-and-pop shops—most of Poteet's clients are Fortune 500 companies, and many of them are financial institutions. But, even in organizations within the financial realm—an industry known for being well-versed and experienced with security issues—those who work on code still leave well-known security holes that draw attackers like flies to honey.
Fool Me Once …
If there's one sure thing when it comes to security, it's that people make the same mistakes—over and over and over. It's something that hackers have come to count on.
Common holes include data in error messages that can be used to access systems, SQL injection, XSS (cross-site scripting) and broken access control in J2EE (Java 2 Platform, Enterprise Edition) applications.
Hackers especially love SQL injection: A well-placed SQL injection will pull data from every table the application's database account can reach. And if the injected statement is allowed to write, attackers can change or delete data in the database, not just read it.
These issues are among the top 10 most frequent mistakes made in application security, as outlined by the Open Web Application Security Project. Also included in that list is usable information provided in error messages.
Take this error message: "Microsoft OLE DB Provider for SQL Server error 80040e14 Column newsTBL.NEWS_ID is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. G:\WEBSITES\WWW.SAMPLECOMPANY.COM/internal/dbSys.inc, line 241."
From that one error message, a potential attacker learns that the application uses OLE DB to communicate with the database, that the database is SQL Server, that SQL commands can be passed to the database, that there's a table called newsTBL with a column named NEWS_ID, and that the query lives in an include file (dbSys.inc) at a known path and line number on the Web server's file system. Each of those facts narrows the attacker's next probe.
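As an added example (not code from the article), a hypothetical news-search handler that demonstrates both points above, SQL injection and error messages that hand the attacker a map: the vulnerable version concatenates the search term into the query and echoes the raw database error, while the fixed version binds the term as a parameter and returns only a generic message with a reference id, writing the detail to a server-side log. SQLite stands in for the SQL Server of the error message; the newsTBL name comes from that message, and the credentials table, rows and function names are constructed.

```python
import sqlite3
import uuid

SERVER_LOG = []  # stands in for the application's server-side log sink
GENERIC_ERROR = "The request could not be completed."


def make_db():
    """Constructed sample schema: the newsTBL named in the error message,
    plus a credentials table an attacker would love to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsTBL (NEWS_ID INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO newsTBL (title) VALUES (?)",
        [("Quarterly results",), ("New office opens",)],
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("admin", "s3cret"), ("asmith", "hunter2")]
    )
    return conn


def search_news_vulnerable(conn, term):
    """Builds the query by string concatenation and returns the raw database
    error to the client.  A quote in `term` ends the string literal, so the
    rest of the input becomes SQL; a broken probe yields a diagnostic that
    names the engine and hints at the schema."""
    sql = "SELECT title FROM newsTBL WHERE title LIKE '%" + term + "%'"
    try:
        return {"rows": [row[0] for row in conn.execute(sql)]}
    except sqlite3.Error as e:
        return {"error": "%s: %s" % (type(e).__name__, e)}


def search_news_fixed(conn, term):
    """Binds the term as a parameter, so it is always data and never query
    structure, and escapes LIKE wildcards so the user cannot widen the match.
    On failure the client gets a generic message and a reference id; the
    detail is written only to the server-side log."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT title FROM newsTBL WHERE title LIKE ? ESCAPE '\\'"
    try:
        return {"rows": [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]}
    except sqlite3.Error as e:
        ref = uuid.uuid4().hex
        SERVER_LOG.append("ref=%s term=%r %s: %s" % (ref, term, type(e).__name__, e))
        return {"error": GENERIC_ERROR, "ref": ref}


if __name__ == "__main__":
    conn = make_db()
    # Union-based injection: pulls the credentials table out through the news search.
    payload = "' UNION SELECT username || ':' || password FROM users --"
    print(search_news_vulnerable(conn, payload))
    print(search_news_fixed(conn, payload))
    # A lone quote breaks the concatenated query and leaks the engine's diagnostic.
    print(search_news_vulnerable(conn, "'"))
    print(search_news_fixed(conn, "'"))
```

The reference id is what lets support staff find the full diagnostic in the server log without the client ever seeing it; the fixed handler keeps the detail, it just keeps it on the right side of the trust boundary.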
A newer trend that has been a boon to the malware profit machine is the rapid advancements being made in rootkit technology.
"Some rootkit technology we see at [McAfee's] Avert Labs is unbelievable," Kurtz said. "[We see] stuff not done in the past, [done] in new ways, [done] covertly to steal information and use it for financial fraud. From a [criminal] perspective, it's moved from, 'Let me find a vulnerability,' to, 'Let me find an application vulnerability and automate it and put it into a bot, load up pages and reinfect the client, which I can then use to populate my bot network.'"
Security researchers are closely watching out for the weaponization of two new rootkit technologies that they fear will someday contribute to the stream of money feeding into the bot economy: virtual rootkits and evil hypervisors.
“We know that the bad guys are looking for more ways to stay on systems longer, unnoticed,” said Joe Telafici, vice president of McAfees Avert Operations, in Beaverton, Ore. “The longer you stay on a machine unnoticed, the longer you can rent out your botnet or whatever.”
Both evil hypervisor technology and virtual rootkits, seen only in proof-of-concept code to date, allow malware authors to stay on a machine, undetected, for a long time. Researchers until recently have grimly waited for black hats to weaponize the new technologies; it's a question of when, not if, they believe. (On June 27, a group of researchers challenged the premise that such exotic new rootkits were undetectable, but the jury's still out on that question.)
Let It Bleed
Thomas Ptacek, principal, researcher and founder of security company Matasano, said it's not only the duty of developers and system architects to assess the security of the products protecting their assets; it's also their duty to rip the code underneath those systems to see if it bleeds—the same thing that hackers do. "[To do] due diligence, they're going to have to strip open those applications," Ptacek said.
Stripping open Microsoft's Windows Vista, for example, will show that Microsoft has made what most consider to be significant security improvements in its newest operating system.
In its 64-bit form, Vista will take away some of the tools attackers now use.
Vista's ASLR (address space layout randomization) loads system libraries and other key data at unpredictable addresses, so an exploit can no longer assume that a function or return address sits in the same place on every machine. The 64-bit version also requires kernel-mode drivers to be digitally signed and protects the kernel against patching (Kernel Patch Protection, better known as PatchGuard), which shuts down the kernel hooks rootkits have used to inject code and watch which functions other running programs call.
Then there's Vista's UAC (User Account Control), which runs even administrators with standard-user rights by default and redirects writes that legacy programs make to protected files and registry keys into a per-user "virtual store." Malware running at that level can still make changes, but they land in the user's own profile rather than in system locations, so they affect neither the system as a whole nor other users.
Rest assured, however, that these new security controls will not result in malware authors taking their ball and going home. Rather, security researchers are anticipating that Vista's new security profile will actually force attackers to innovate.
McAfee predicts that it will take about six months for a frustrated or ambitious malware author to turn his or her attention to rootkitting a machine through the hardware virtualization extensions (Intel VT and AMD-V) of an Intel or Advanced Micro Devices chip.
It's all a cat-and-mouse game: As new security techniques arise, hackers poke holes in them and malware authors learn how to manipulate them for profit.
Scanners and other tools used by hackers are available to anyone with an Internet connection, and it would behoove developers and system architects to use these tools routinely. Just don't think for a minute that these tools will keep out the most sophisticated attacks—they're most effective for low-hanging fruit or to accelerate testing.
The best advice echoes Ptacek's recommendation: Tear things apart as carefully and methodically as you put them together. It's better by far that you tear up your own systems to find the holes before someone does it for you.