In the last weeks, the hack of the Federal Office of Personnel Management (OPM), apparently tied to Chinese sponsored hackers, raised the discussion about the potential catastrophic damage caused by the exploitation of a cyber-security vulnerability. Part of the cyber-security community has considered this last incident the equivalent of a cyber-9/11. Millions of data belonging to the Government personnel were compromised and there is the concrete risk that the stolen data could be used by threat actors in further cyber-attacks against Government agencies.
The Office of Personnel Management (OPM) hack must serve as a wake-up call for reorganizing cyber security posture of the country.
To do this it is essential to profile the threat actors, understand their motivation, learn the way they operate and adopt the necessary countermeasures, a very simple strategy to theorize, but very difficult to achieve.
Let’s try to think which could be the Top Five security vulnerabilities, in terms of potential for catastrophic damage.
Before listing the Top Five security vulnerabilities, let’s try to understand the possible motivation of a potential attacker. Hackers act to steal sensitive data (i.e. corporate secrets, personal information, and intellectual property) or to sabotage. Recent events demonstrate that cyber espionage is still considered the most dangerous threat for Governments; APT groups worldwide constantly search for vulnerabilities to exploit on a large scale in order to gather sensitive data.
We cannot underestimate the action of cyber terrorists and cyber criminals, financial firms, retailers, and companies in the health care industry are constantly under attack. Early this year, a criminal ring dubbed Carbanak cyber gang was discovered by the experts at Kaspersky Lab, the hackers have swiped over $1 Billion from banks worldwide
The financial damage to the world economy due to cybercrime exceed 575 billion dollars, the figures are disconcerting if we consider that are greater than the GDP of many countries.
Another danger posed by group of hackers on a global scale is represented by the possibility of cyber-attacks against critical infrastructure, such as gas pipelines, water facilities, and smart grids.
The majority of processes in modern infrastructure are controlled by SCADA systems that were exposed on the Internet for maintenance purposes without the necessary attention to the cyber security.
It is not a problem of maintenance of SCADA components, instead the lack of security by design for these systems expose the entire infrastructure to the risk of cyber-attacks.
Let’s analyzed the top five cyber security vulnerabilities
Injection vulnerabilities occur every time an application sends untrusted data to an interpreter. Injection flaws are very common and affect a wide range of solutions. The most popular injection vulnerabilities affect SQL, LDAP, XPath, XML parsers and program arguments.
As explained in the OWASP “Top 10” guide, the injection flaws are quite easy to discover by analyzing the code, but frequently hard to find during testing sessions when systems are already deployed in production environments.
The possible consequences of a cyber-attack that exploits an Injection flaw are data loss and consequent exposure of sensitive data, lack of accountability, or denial of access.
An attacker could run an Injection attack to completely compromise the target system and gain control on it.
The business impact of an Injection attack could be dramatic, especially when hacker compromise legacy systems and access internal data.
SQL injection vulnerabilities are among most exploited flaws, despite the high level of awareness on the various techniques of hacking that exploit this category of bugs the impact of such attacks is very serious.
A study released by the Ponemon Institute in October 2014 titled “The SQL Injection Threat Study” investigated on the reply of organizations to the SQL injection threat.
The study revealed that despite about one-third believing that their organization has the necessary technology to detect and mitigate the cyber threat, the success rate of SQL injection attacks is too high.
Injection vulnerabilities could affect various software and their impact depends on the level of diffusion of the vulnerable application.
A classic example of the possible effect of the presence of injection flaws is the critical vulnerability dubbed Bash Bug affecting the Linux and UNIX command-line shell. The flaw, coded as CVE-2014-6271, is remotely exploitable and affects Linux and Unix command-line shell potentially exposing to risk of cyber-attacks websites, servers, PCs, OS X Macs, various home routers, and many other devices.
The vulnerability has existed for several decades and it is related to the way bash handles specially formatted environment variables, namely exported shell functions. To run an arbitrary code on affected systems it is necessary to assign a function to a variable, trailing code in the function definition will be executed.
The critical Bash Bug vulnerability, also dubbed Shellshock, affects versions GNU Bash versions ranging from 1.14 through 4.3, a threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.
Such kind of vulnerabilities could have a dramatic effect on a large scale, let’s think for example to the dangers for the Internet-of-things devices like smart meters, routers, web cameras and any other device that runs software affected by this category of flaws.
A buffer overflow vulnerability condition exists when an application attempts to put more data in a buffer than it can hold. Writing outside the space assigned to buffer allows an attacker to overwrite the content of adjacent memory blocks causing data corruption, crash the program, or the execution of an arbitrary malicious code.
Buffer overflow attacks against are quite common and very hard to discover, but respect the injection attacks they are more difficult to exploit. The attacker needs to know the memory management of the targeted application, the buffers it uses, and the way to alter their content to run the attack.
In a classic attack scenario, the attacker sends data to an application that store it in an undersized stack buffer, causing the overwriting of information on the call stack, including the function’s return pointer. In this way, the attacker is able to run its own malicious code once a legitimate function is completed and the control is transferred to the exploit code contained in the attacker’s data.
There are several types of buffer overflow; most popular are the Heap buffer overflow and the Format string attack. Buffer overflow attacks are particularly dangerous; they can target desktop applications, web servers, and web applications.
An attacker can exploit a buffer overflow to target a web application and execute an arbitrary code. He can corrupt the execution stack of a web application by sending specifically crafted data.
Buffer overflows affecting widely used server products represent a significant risk to users of these applications, in the last years, many buffer overflow vulnerabilities were discovered in a number of SCADA components.
Considering that the number of cyber-attacks against SCADA is increasing even more it is likely that these buffer overflow vulnerabilities will be exploited with increasing frequency.
A number of crimeware kit could be sold in the underground ecosystem to attack this particular category of targets causing serious damages.
Sensitive Data Exposure
Sensitive data exposure occurs every time a threat actor gains access to the user sensitive data.
Data could be stored (at rest) in the system or transmitted between two entities (i.e. servers, web browsers), in every case a sensitive data exposure flaw occurs when sensitive data lack of sufficient protection.
Sensitive data exposure refers the access to data at rest, in transit, included in backups and user browsing data.
The attacker has several options such as the hack of data storage, for example by using a malware-based attack, intercept data between a server and the browser with a Man-In-The-Middle attack, or by tricking a web application to do several things like changing the content of a cart in an e-commerce application, or elevating privileges.
The principal sensitive data exposure flaw is the lack of encryption for sensitive data, but even if encryption mechanisms are implemented, other events concur to the exposure of information. The adoption of weak key generation and management, and weak algorithm usage is very common in many industries and applications.
A number of incidents recently occurred have demonstrated the critic of this category of flaw, let’s think to the wrong implementation of encryption algorithms and the lack of encryption for mobile and cloud solutions.
In September 2014, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) published the results of the tests conducted by its experts on popular Android applications that fail to properly validate SSL certificates.
The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and consequent theft of sensitive information.
The CERT confirmed that the problems is widespread, the circumstance was confirmed by another study conducted by security experts at FireEye that evaluated the level of security offered by 1,000 of the most popular free apps offered on Google Play.
Ethical Hacking Training – Resources (InfoSec)
FireEye provided shocking results. 68% of the apps don’t check server certificates and 77% ignore SSL errors. According to the CERT, the applications are using vulnerable libraries, such as the Flurry and Chartboost ad libraries. For this reason, Android users are exposed to the risk of attacks. Despite the fact that FireEye the developers about the flaws, the CERT pointed out that only a few companies took steps to secure their products.
As highlighted by the numerous studies of the topic, attackers typically don’t break crypto directly; they operate to exploit a sensitive data exposure flaw. This means that threat actors operate to steal encryption keys, run man-in-the-middle attacks, steal clear text data off the server, while in transit, or from the user’s browser.
The exploitation of sensitive data exposure flaw could be dramatic for every organization in every industry, the principal losses for data breaches are related to the business value of the compromised data and the impact to the reputation of the victim organization.
Sensitive data exposure attacks could be run by any category of attackers, including cyber criminals, state-sponsored hackers and hacktivists, in the majority of case this kind of attacks are part of a first stage offensive that involve also other hacking techniques.
Every organization that manages sensitive data (i.e. healthcare and banking data, personal information) is potentially exposed to the attacks that could involve a large number of users; millions of users are already open to cyber-attacks.
Broken Authentication and Session Management
The exploitation of a broken Authentication and Session Management flaw occurs when an attacker uses leaks or flaws in the authentication or session management procedures (e.g. Exposed accounts, passwords, session IDs) to impersonate other users.
This kind of attack is very common; many groups of hackers have exploited these flaws to access victim’s accounts for cyber espionage or to steal information that could advantage their criminal activities.
As explained by the OWASP, one of the main problems is related to the custom implementation of authentication and session management schemes, in the majority of cases these schemes result flawed and hackers are able to compromise them. This category of flaws affects web applications, in the majority of cases functionalities such as the logout, password management, remember me, timeouts, secret question, and account update are affected by broken authentication vulnerabilities.
The bad news is that once this kind of flaw is successfully exploited, the attacker can impersonate the victim doing anything he could do with the privileges granted to his account.
Unfortunately, the exploitation of a broken Authentication and Session Management flaw is hard to mitigate due to the large number of authentication schemes implemented by each victim. Not all authentication and session management systems are equal, complicating the adoption of best practices on a large scale.
There are several ways to bypass authentication mechanisms, including “Brute-forcing” the targeted account, using a SQL Injection attack, retrieving a session identifier from an URL, relying on the session timeout, reusing an already used session token or compromising a user’s browser.
The most popular attack scenario relies on the session, authentication mechanisms are usually based on tokens associated with each session on the server side. An attacker that is able to retrieve the session identifier could impersonate victims without providing login credentials again.
The possible business impact of broken authentication and session attacks is severe because an attacker could takeover users account and impersonate him to conduct various malicious activities.
Such practice is very common in both cyber-criminal ecosystem and state-sponsored hacking.
I consider this category of vulnerability the most common and dangerous. It is quite easy to discover web servers and applications that have been misconfigured resulting in opening to cyber-attacks. Below some typical example of security misconfiguration flaws:
- Running outdated software.
- Applications and products running in production in debug mode or that still include debugging modules.
- Running unnecessary services on the system.
- Not configuring problems the access to the server resources and services that can result in the disclosure of sensitive information or that can allow an attacker to compromise it.
- Not changing factory settings (i.e. default keys and passwords).
- Incorrect exception management that could disclose system information to the attackers, including stack traces.
- Use of default accounts.
The exploitation of one of the above scenarios could allow an attacker to compromise a system. Security misconfiguration can occur at every level of an application stack. An attacker can discover that the target is using outdated software or flawed database management systems.
In many cases, it is quite easy for an attacker to search for this kind of vulnerability. The availability of automated scanners on the market allows the detection of systems not correctly configured or correctly patched.
Security misconfiguration vulnerabilities could have a dramatic impact when systems targeted by hackers are widely adopted. For example, the presence on the market of routers with hardcoded credentials or network appliances using default SSH keys that allow an attacker to establish remote and unauthorized connection to the device.
These kind of vulnerabilities could have a severe impact for the new paradigm of the Internet of Things, poorly configured IoT devices could be exploited by hackers to compromise the software they run and recruit them in large “thingbot.”
Recovery cost could be very expensive and the impact on the organizations that are using flawed devices could be severe.
Security misconfiguration is very insidious for any organization and cause incident difficult to mitigate that can have catastrophic impact.