Over the last several years a number of threats to information security have received more than their share of debate – starting with profiles on the distributed denial-of-service attacks of early 2000 and, alongside these stories, recurring news on a long list of high-profile web defacements.
Specific lists are even available on the Net, cataloguing most of each day’s web site graffiti. But what is now painfully clear is that the attitude of those responsible for protecting systems from harm has been shaped by these “most newsworthy” incidents and the press stories that follow them.
Notably, the idea has been raised recently in some business circles, and even by at least one national law enforcement agency in North America, that it is in fact not the most sophisticated hackers who pose the greatest risk to security, but the so-called ‘script-kiddies’, meaning amateur hackers without a clue as to how much damage they can actually do. This notion is absolutely ridiculous.
As a matter of fact, the most newsworthy incidents of all may be those that never make the news.
It is unfortunate that the idea exists, because it indicates that many companies are judging the level of threat facing them by the few attacks that they actually notice. As a rule, companies won’t notice anything but the most brazen attacks. The idea that amateur hackers pose the greatest risk of damaging a system is evidence of a lack of observation on the part of most companies, or of the incorrect assumption that the amateur hackers who make the most noise in attacking a site are the only threat facing a company, simply because theirs is the only threat that is seen.
Unfortunately, this assumption is why the occurrence of theft, blackmail and extortion attempts is on the rise, as it continues to be incredibly simple to obtain critical data such as medical records, credit card numbers and many other things which shouldn’t be publicly available.
Take these two cases: in one, a bored teenager from Canada decides to shut down a number of e-commerce sites. In the second, a knowledgeable attacker infiltrates a bank, finds a means of bridging into its internal network, locates the DES-encrypted PIN codes for all of the bank’s ATM customers and finally manages to break the encryption.
In the first case, the company that gets attacked is very likely to notice that their web site is not working. The media is very likely to notice or pick up that the company’s web site is not working. It will be big news and other companies will take notice.
In the second case, the bank may not even notice at all.
The truth of the matter is that the hacks most likely to end up on the evening news are of the least significance. Denial-of-service attacks in general are particularly insignificant, as the companies hit rarely have anything time-critical or otherwise critical on the web (in most cases the site was simply never designed for that purpose). This is changing, though, as Global Crossing and other major carriers start offering massive amounts of bandwidth combined with new services like “QoS services,” opening possibilities for time-critical data such as stock trading.
The point being: so what, if you cannot view www.yahoo.com for a couple of hours, locate the latest Britney Spears Pepsi commercial, and lower your IQ? So what, if you go to visit www.doj.gov, and find its content replaced with a pornographic picture for a few hours? Though it may be annoying and embarrassing, it is hardly crisis material.
On the other hand, it might be quite disastrous for a bank if money disappeared to some far away Russian republic. In the U.S., at least, it wouldn’t pose a problem for the customers of the bank (banking laws favor the customer quite nicely), but it could easily put a smaller bank out of business.
Less significant examples exist as well. It is actually becoming very common for online banking solutions and electronic commerce sites to be discovered to be quite buggy (unfortunately, I have seen this so often over the course of my work that I hardly trust any big-name financial institution anymore).
Amateur hackers should not be viewed as the biggest threat to companies, or even as a general indication of the threat level. Instead, they should be viewed quite simply as a reminder to companies that they need dedicated processes, people, and budgets intended to monitor and secure their infrastructure. They are a reminder that security cannot be treated as a one-time deal, but rather as a continuous process that demands proactivity.
The growing trends of high-level attacks, while they seem very much like something from the X-Files, are quite real. Recently, I took a very cursory look at a handful of personal Internet banking sites which are provided by various banks in Scandinavia. Out of these five or so, I found one that would probably let me log in to another user’s account, knowing only their social security number. This flaw was obvious without my even trying to do anything which could be construed as hacking, merely by looking at the site in a web browser.
Unfortunately, it appears that the security level of business banking isn’t much better. More banks have started offering services so that small to medium-sized companies get more direct electronic control over accounts and transactions via the Internet. Of course, it makes sense to the people at the bank to reuse the same infrastructure as for private banking. The problem with this, from a security standpoint, is that private banking infrastructure may not meet the needs of business banking, and now instead of merely being able to log into a private individual’s account, it will be possible to log into a business banking account. Moreover, these personal banking solutions may provide a gateway for an attacker to reach deep inside a bank’s network and prepare a truly expensive attack.
Another example of blackmail or extortion is the attack against Playboy (the magazine). A malicious gang of criminals controlled their site and supporting infrastructure. Last year, these criminals mailed a very large number of Playboy customers with a threatening letter, which contained the user’s credit card number, and an extortion message to Playboy.
This made the news, as tens of thousands received the mail. However, it is absurd to assume that it is the isolated incident that it at first appears to be.
These are further reasons why it is critical to thoroughly test one’s presence on every network one is attached to, to see just how much is possible beyond what amateur hackers will pick up in the course of automated scanning. External assessment testing can provide a very good means of calibrating intrusion detection and firewalls.
Did your company even notice when the last SQL injection attack was performed, or the last sequence-logic flaw was exploited, allowing someone to log in without actually logging in? Most companies will have to answer simply, “I don’t know.” The only thing they do know is the threat of amateur hackers.
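To make the two quiet failure modes just mentioned concrete, the following is an added example that is not from the original article or from any bank it describes: a toy two-step Internet banking login in Python, written in a deliberately vulnerable form next to a hardened one. The customer table, names, passwords and social security numbers are constructed test data, the class and function names are assumptions, and passwords are stored in clear text only to keep the toy short. The vulnerable version builds its SQL by string concatenation, so a crafted password logs an attacker in as the first customer in the table, and its second step accepts any session token and any customer's social security number, so it can be reached without ever passing the first step (the "log in without logging in" case). The hardened version parameterises the query and binds the second step to the identity established in the first.

```python
import secrets
import sqlite3


def make_db():
    """Constructed sample customer table (toy data, not from the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO users (username, password, ssn) VALUES (?, ?, ?)",
        [("alice", "correct horse", "010170-1234"), ("bob", "hunter2", "020280-5678")],
    )
    return db


def vulnerable_check_password(db, username, password):
    # The query text is built from user input. A password of  ' OR '1'='1
    # turns the WHERE clause into  ... AND password = '' OR '1'='1'
    # which matches every row; fetchone() then hands back the first customer.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_check_password(db, username, password):
    # Parameterised query: the input is data and can never change the statement.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


class VulnerableBank:
    """Two-step login: step 1 checks the password, step 2 confirms the customer."""

    check_password = staticmethod(vulnerable_check_password)

    def __init__(self, db):
        self.db = db
        self.sessions = {}  # session token -> state established so far

    def step1_password(self, username, password):
        uid = self.check_password(self.db, username, password)
        if uid is None:
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = {"user_id": uid, "password_ok": True}
        return token

    def step2_confirm(self, token, ssn):
        # Sequence-logic flaw: an unknown token silently becomes a fresh session,
        # and the customer is chosen by the client-supplied SSN instead of by who
        # passed step 1. Anyone who knows a customer's SSN can call this endpoint
        # directly and is logged in as that customer.
        session = self.sessions.setdefault(token, {})
        row = self.db.execute("SELECT id FROM users WHERE ssn = ?", (ssn,)).fetchone()
        if row is None:
            return None
        session["user_id"] = row[0]
        session["logged_in"] = True
        return row[0]

    def whoami(self, token):
        session = self.sessions.get(token)
        return session["user_id"] if session and session.get("logged_in") else None


class HardenedBank(VulnerableBank):
    check_password = staticmethod(safe_check_password)

    def step2_confirm(self, token, ssn):
        # Step 2 only proceeds for a session that actually completed step 1, and
        # the SSN is compared against the identity fixed in step 1: the client no
        # longer chooses which account it is confirming.
        session = self.sessions.get(token)
        if not session or not session.get("password_ok"):
            return None
        row = self.db.execute("SELECT ssn FROM users WHERE id = ?", (session["user_id"],)).fetchone()
        if row is None or not secrets.compare_digest(row[0].encode(), ssn.encode()):
            return None
        session["logged_in"] = True
        return session["user_id"]


if __name__ == "__main__":
    weak = VulnerableBank(make_db())
    print("injection login  :", weak.step1_password("nobody", "' OR '1'='1"))
    print("skip step 1      :", weak.step2_confirm("made-up-token", "020280-5678"))
    strong = HardenedBank(make_db())
    print("injection login  :", strong.step1_password("nobody", "' OR '1'='1"))
    print("skip step 1      :", strong.step2_confirm("made-up-token", "020280-5678"))
```

Neither flaw shows up when each endpoint is poked on its own with a scanner, which is why they rarely appear in the automated noise amateur hackers generate: the first needs a crafted value, the second needs an understanding of the intended order of steps. In a real system the password would be hashed and the second step would not rely on a quasi-public identifier such as a social security number; the point of the hardened class is only that the second step is tied to the first, and that the query shape is fixed before user input reaches it.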
Andrew Christensen is security testing engineer with VIGILANTe Security Services (www.vigilante.com) based in Copenhagen, Denmark.