By Jeff Kabachinski, MS-T, BS-ETE, MCNE
Are malware, data breaches, and general security vulnerability on the rise, on the decline, or about the same? The increase in cyber risks might be slowing in terms of annual growth rate, but it is growing nonetheless. Cyber attacks are also getting more focused and sophisticated. And of course, the trusty old methods of hacking and infiltrating are still widely in use.
Consider the information from the Open Source Vulnerability Database (OSVDB). It uses a system to rate vulnerability to breaches by using the common vulnerability scoring system (CVSS). On a scale of 0 to 10, ratings of 7.0 and above are ranked as critical. While the percentage of vulnerabilities ranked 7 or higher has dropped from 23% in 2011 to 20% in 2012, it still means that 1 in 5 are considered critical.
This month, I’ll examine some of the more common vulnerabilities. I’ll explain both what they are and how they work.
One of the most common application layer attack techniques in use today is called structured query language injection, or SQLi. In this process, the attacker inserts or injects SQL command lines into an existing command line string. The fields, available for user input, allow SQL statements to pass through and query the database directly.
For example, suppose a web application allows users to query its database like an online dictionary. This opens things up for all sorts of mayhem. The exploit can not only read sensitive data from the database but can also modify the database and execute administrative functions like a DBMS shutdown. The injected commands may even find a way into the operating system itself! SQLi also provides the ability to spoof identity, tamper with existing data, void transactions, and change balances. It can disclose all the data in the system, destroy it, or simply make it unavailable.
This exploit can also be used as a form of “ransomware.” With ransomware, once the system has been breached, admin orders are given to reset the data backup configuration to nil. Daily backups are still complete, but use a data range of zero. The legitimate system administrators see that the backups are running and conclude the system is in good health. But then, weeks later, the current database is made unavailable and a message pops up on screen saying something to the effect of, “Your data is sequestered and we will delete it unless you pay a ransom.” With no recourse available and no current backup of the data, the admins are stuck. Most will pay the ransom.
Often, the method of compromise or initial infection or exploited vulnerability may not seem very sophisticated, but the malware that is delivered can be very sophisticated indeed. It can stay hidden for months while it identifies the data mother lode or “honeypot.”
Another common exploit is to co-opt a computer into a botnet. A botnet is a network of controlled robots, or bots, that perform tasks on the web at the behest of the “bot master.” Probably the two most common types of attacks that botnets undertake are DNS Reflection and State Exhaustion Attack.
DNS Reflection is a type of Distributed Denial of Service, or DDoS. The attacker activates the botnet, perhaps temporarily extending the army with rented bots, for a DDoS attack. Each bot is instructed to send a Directory Name Service, or DNS, query to their default resolver servers requesting the DNS record for the bot’s IP address. However, the IP address requested is not the bot’s, but the victim’s. This is called spoofing. All the resolver servers in turn send the DNS information to the computer they think is the requestor—that is, to the victim’s computer. The result is many thousands of returned DNS records that flood the victim’s computer. Because it is busy dealing with those returned records, it cannot respond to any legitimate inquiries. This is also called an amplified attack in that the original queries are only 64 bytes in length, but the responses are 4,000 bytes, an amplification of more than 60 times.
DDoS’s have become so widespread and powerful that they often slow down traffic on major portions of the Internet. One attacker with a large botnet—Koobface, one of the largest botnets, has 2.9 million bots in its army—can slow things down for everyone as well as effectively shut down the victim. One DDoS attack against Spamhaus is thought to have peaked out at 300 Gbps of traffic or consumed bandwidth, as compared with typical attacks on financial institutions that peak out closer to 50 Gbps. But in any event, even just 11 Gbps of targeted traffic will overload a typical 10-Gbps web.
Another bot-enabled method to take a victim’s server offline is a state exhaustion attack. In this exploit, the botnet sends multiple SYN requests as part of a TCP three-way handshake. This establishes a TCP port connection, again spoofing the source address as the victim. The victim is busy responding (ACK) to the SYN requests, which leaves a TCP port with a half-open connection. Available TCP ports are quickly used up while waiting for the SYN-ACK reply—the third handshake—which never comes. Legitimate users cannot access the site because all TCP ports are busy in listening mode. Because there are no available ports, the victim must stop accepting connections. Again, with an army of bots, just one attacker can shut down a server.
How rampant are these types of attacks? Responding to the Worldwide Infrastructure Security Report survey, more than half of Internet data center providers claim to have been attacked. Of that group, more than 9 in 10 say that they’re attacked regularly. You can also purchase the entire attack event.
To perform either or these exploits, cyber criminals don’t need much technical knowledge. They can simply purchase malware-as-a-service from a cloud-based utility. The criminal gets this service for a fee and can launch and control attacks without knowing exactly how it’s done.
Committing a cyber crime can be as simple as filling out an online form. You simply enter the victim’s IP address, how long you want the attack to last, and when. After paying the resulting fee with a credit card, the victim is disabled. Costs are as low as $200 for a 24-hour attack on a small to medium-sized business. One such cyber-crime vendor charged as little as $9 for a DDoS.
By far the most popular method of infiltrating networks is phishing, now commonly in a more targeted form called spear phishing. Such attacks have quadrupled in 2012.
This approach takes advantage of human vulnerabilities and frailties to gain access to sensitive data and corporate information. Generally done via e-mail, spear phishing needs three conditions for success. The first is that the message comes or appears to come from a credible source, someone you know and trust. Dubbed the colonel effect, a spear phishing experiment sent e-mails to 500 cadets from a faked colonel at a well-known Army academy. The e-mail ostensibly provided a hyperlink to verify grades. Of those who received the e-mail, 80% complied. The lesson was that if this had been a real phishing attack rather than an experiment, they might well have downloaded spyware as a result.
The second condition for a successful e-mail malware download is that the content of the message comports with the source and what it’s asking you to do. For example, a message might include the line, “Click here to read the full report.” Once you click it, you are told that you need the latest service pack from Adobe to update your Acrobat Reader to 10.37 (or some other fictional update). The link provided, needless to say, is not to Adobe, but to malware. The link looks legitimate, but it fact, it leads not to Adobe, but to a cyber criminal’s site.
The third condition is the appearance of urgency. A typical phishing e-mail will encourage you to “act now!” because the offer terminates in 48 hours, or the free white paper expires in the next 24 hours.
The best defense against these exploits is awareness and a healthy skepticism. Before you click on a link in a friend’s e-mail, think twice. Is it really your friend, or is it a cyber criminal in an all-too-convincing disguise? 24×7
Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional. He is the director of technical development for Aramark Healthcare Technologies in Charlotte, NC. For more information, contact [email protected].