Wednesday, May 18, 2016

Compromising Security using Online Products

A big Hi to the online world out there! Since I don’t write much, let me first introduce myself. My name is Bikramaditya Guha aka PhoenixX and I'm an Indian Computer Enthusiast. These days I mostly work with information security, with a special interest in Web Applications. If you let me, I'll find my ways into your site or application, hopefully before the bad guys do. You can find a little more about me by visiting my LinkedIn profile.

It's very common these days to find and exploit zero-days. Some of them are really intriguing, given the popularity of the products and how widely they are used.

It has been observed that a lot of costly products (and by that I mean really costly) sold to the general public and to corporations are not tested for security, or, to say the least, are tested with negligence. It's 2016 and security still serves only as a means to fulfill compliance requirements. Everybody seems to be in a hurry to release the product to the end users. It seems like the value of money is still more important than an individual's personal data.

Today I want to share a tale about how I started popping shells across multiple demo products (mostly PHP-based). Like all good tales, this one also begins a long time ago (actually about a year ago).

Given that every organization and individual is becoming increasingly dependent on a one-click solution for all their problems, multiple vendors (small and big) are springing up with online solutions and products to take the pressure off the big MNCs. Though it saves you a lot of money, it raises a troubling question.

Are the products really secure? Do they really care about the reputation you carry? Or is it just a sprint for money?

These questions really raise an eyebrow (being paranoid helps when it comes to personal data), so I decided to explore these products from a security perspective. And guess what!!! I felt I could train junior pentesters to be hackers by using the online demos that vendors offer as a training ground. Or, in short, nobody gives a 'Fish' about security. There's an open vulnerable world out in the wild ready to be PWNED.

In my recent research, I have observed that a lot of popular products (CMS, LMS, WMS, etc.) widely used in the market are prone to some serious vulnerabilities. 6 out of 10 major organizations which use these products are vulnerable to flaws which include, but are not limited to, SQL Injection, Remote Code Execution, LFI, XXE, XSS, etc. This is just a small example considering the enormousness of the online world.

The web's architecture, having become so important that many confuse it with the internet itself, is also problematic from a security standpoint. The web uses a client-server architecture on a peer-to-peer network. The web and the internet pass messages asynchronously; it is essentially a file transfer system.

Each time you visit a website you open a door to your computer through which the site can send files. All of these separate files have been used by criminals and other evildoers to harm computer users.
  • Your identity can be stolen for financial fraud.
  • You can be redirected to phony sites and sold fake products.
  • Your computer can be controlled for nefarious schemes using vulnerabilities in Flash and Java.
Worse, the peer-to-peer nature of the internet means that a network is only as secure as its weakest link. Too often, network administrators and users are complacent about a computer or website because it is insignificant by itself. Why add SSL to a test website on a minor project? Why add a firewall to a computer that does not hold significant data?

These questions are often answered the hard way. When hackers gain access to one computer on a network, they can work their way onto other computers on the network. Drop a sniffer on one computer and you can eventually identify the login credentials needed to access other computers. With patience and persistence, hackers can move from a low-priority computer with minimal access rights to more important computers with higher levels of access. Get root privileges, own the system/server. There are a hell of a lot of other things a hacker is equipped to throw at your beloved personally owned system.

The main purpose of this article is to instill in individuals the necessity and importance of security in whatever they do or try to do online, be it using an online product, surfing the internet, or playing online games. Being cautious doesn't harm. It definitely helps against such sophisticated and cleverly planned attacks.

In my work experience, I just don't see organizations or individuals paying much heed to security. So, in case you find this article interesting, I would recommend a few things that might help you improve security (only if you care enough).
  1. Protect your network with a robust hardware-based firewall, at the same time keep personal firewalls on all computers. A layered approach to network security is essential.
  2. Use remote management tools to ensure that all computers on your network have an up to date firewall and antivirus program correctly configured.
  3. Restrict users' rights to install software. I hate this myself, but it is important. When you give everyone installation rights, you are giving them to the malware they download!
  4. Use Firefox instead of Internet Explorer. It may not be practical to migrate away from Windows, but you can do a lot of good by using the much more secure Firefox.
  5. Identify and secure all access points, no matter how seemingly insignificant. Every web site and every FTP server that can be accessed via the public internet needs to be secured and monitored for compromises.
  6. Require strong passwords for your computers and applications. This is another one I hate, but weak passwords are the best friend of every hacker.
  7. Last but not least: watch over your shoulder.
Given the nature of the internet, network security is a never-ending battle that requires constant vigilance. Best of luck.
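Point 6 above (require strong passwords) is the one that is easiest to enforce in code. The checker below is an added example written for this page, not code from the author; it assumes a minimum length of 12, at least three of four character classes, no runs of repeated or sequential characters, and no known-weak password hiding inside the candidate even after common letter-for-symbol substitutions. The weak-password list is a small constructed stand-in for a real breached-password list.

```python
import re

# Constructed stand-in for a real breached-password list (assumption: in
# production this would be a large list or an online k-anonymity lookup).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}

MIN_LENGTH = 12          # assumed policy value
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol

# Undo the usual leet-speak substitutions so "P@ssw0rd" still matches "password".
_LEET = str.maketrans("@$0!13", "asoile")


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending characters (abcd, 1234)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def password_problems(pw: str) -> list[str]:
    """Return a list of policy violations (empty list means the password passes)."""
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append("too_short")

    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append("too_few_classes")

    # Substring match on the normalised form catches "P@ssw0rd2024!" as well as "password".
    normalised = pw.lower().translate(_LEET)
    if any(common in normalised for common in COMMON_PASSWORDS):
        problems.append("common_password")

    # Three or more of the same character in a row ("aaaa", "1111").
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeated_characters")

    if _has_sequence(pw):
        problems.append("sequential_characters")

    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["password", "P@ssw0rd2024!", "aaaa1234BBBB!", "correct-Horse-battery-9"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
```

Enforce this at account creation and password change, server-side, and pair it with the point 5 advice: a password policy does nothing for an FTP server or test site that nobody is monitoring.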
