CHAPTER 6 Threats and Vulnerabilities

Overview

After the initial chapters that provided an overview of the risk landscape, in Chapter 4, we took an initial look at the components of the information security landscape – assets, threats, vulnerabilities, and controls. We then began a deeper look at these components. In Chapter 5, we looked at assets, including asset types, their classifications, and characterizations.

In this chapter, we will take a close look at threats. At the end of this chapter, you should have a clear understanding of the different aspects of threats including:

• Threat models, integrating the components of a threat
• The forces that could act upon an asset (agents)
• The methods by which these agents could affect an asset (actions)
• Vulnerabilities and their relevance to threats

Introduction

We have defined threats as the capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets. This is consistent with the NIST 800-30 definition of a threat as “any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/or denial of service.”¹ Once the organization has identified and characterized its assets, the next step in the analysis of its information security requirements is an analysis of the threats faced by the organization. We saw in the last chapter how many of our daily actions revolve around the availability of assets, and how we take those assets for granted. What happens if access to these assets suddenly goes away?

As an information security analyst, you will routinely be asked to estimate the importance of emerging threats. Is the fact that Microsoft just found out that Internet Explorer is vulnerable to cross-site scripting attacks a serious-enough threat that all computers in the organization must be forced to upgrade within the next 24 hours? This is analogous to the estimation that Florida residents like us have to make every time we read about a hurricane developing in the Atlantic – is the threat this time serious enough that we should finally buy a generator in case the power fails for an extended period?

Threat models

Threats arise from motivated people (agents) taking specific actions to exploit assets. The interactions between relevant agents, actions, and assets constitute the threat model facing an organization. This is represented in Figure 6.1. In the rest of this chapter, we use part of the VERIS² incident classification model, the piece dealing with threat, as the basis for discussion. While some of the specific agents and actions discussed in this chapter are based on VERIS, the idea of threats being the actions of agents on assets is quite generic. We have already discussed assets. In this chapter, we focus on the remaining components of a threat – agents and actions.

The VERIS model is more general, allowing any threat including threats not yet discovered, to be modeled within the framework. It is also aligned with the academic literature on the topic as well as with standard risk models we consider later in the book. Hence our use of the VERIS threat model.

Threat agent

A threat agent is the individual, organization, or group that originates a particular threat action. Threat agents can be classified into three different types, each with different motivations, to initiate a threat:

• External agents
• Internal agents
• Partners

Figure 6.2 shows how the relative frequencies of the different threat agents classified by the VERIS system have evolved since 2004.⁴ It is clear that the number of internal attacks has reduced considerably since 2009 while external threat agents have increased during the same period.

External agents

As the name suggests, external agents are agents outside the organization, with no link to the organization itself. According to the VERIS 2012 Data Breach Report,⁵ 98% of the attacks in 2012 originated from an external agent. We look at the important external agents below. A quick list is given in Figures 6.3.

Activist groups

The Anonymous group has become popular in the last few years as a “hacktivist” organization, groups that mix political activism with hacking activities. A loosely formed group composed of hackers and other Internet enthusiasts, Anonymous members portray themselves as individuals who oppose all types of perceived oppression, Internet censorship, and surveillance by government agencies around the world. A brief listing of their latest exploits is included here.

Foreign governments

According to a report issued by the Office of the National Counterintelligence Executive in October 2011,⁶ “sensitive US economic information and technology are targeted by intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.” One well-publicized incident involved the suspected theft of the designs of military aircraft (Figures 6.4a and 6.4b).

According to the report, China is at the top of the list, with Chinese hackers attacking US private sector firms repeatedly. Russia's intelligence service also actively conducts cyber espionage against US targets to collect economic and technology information.

But that's not all. Even US allies and partners use their access to US institutions to access information using a multitude of threat actions. Loss estimates from economic espionage range so widely as to be meaningless – $2-400 billion or more a year.

Government involvement is widespread and not limited to attacks against the United States. The US government is involved in cyberwarfare as well. The New York Times⁷ claims that President Obama secretly ordered increased cyber-attacks against the computer infrastructure of Iranian nuclear facilities weeks after he assumed office. The same article alleges that US and Israel were involved in the deployment of Stuxnet, which temporarily took out 20% of the centrifuges operating in Iranian facilities.

Cybercrime

In the late 1990s, when the commercial Internet was in its infancy, hackers were primarily “script kiddies:” usually a teenager who found an exploit script somewhere and decided to deface a web page just to show that the hacker was capable of modifying a website. Many of these scripts recklessly destroyed data on affected machines simply as proofs of concept.

Somewhere down the line, the script kiddies got smart. Why destroy machines when you can make money out of the user of that machine? Why replace a web page when you can sit at home and monitor all activity until you see something you like? Enter what we now call cybercrime. Cybercrime is an incredibly lucrative business, offering a higher profit with a lower probability of being identified and prosecuted than traditional crime such as bank robberies.

One popular cybercrime threat agents are the hackers involved with the Nigerian Scam, also known as the “419 Nigerian Scam” referring to an article in the Nigerian Criminal Code dealing with fraud. What follows is a sample email.

Thousands of emails would be sent out at a time. Inevitably, the fraudsters would receive a couple of responses.

Government efforts to prevent financial cybercrime continue. In Nigeria, notices are pasted on walls of cafe owners, warning users of possible arrests for scammers who send fraudulent emails. But, generally speaking, users are learning to pay attention to the adage: “if it sounds too good to be true, it probably is.”

Organized groups

Some threats require the cooperation of multiple agents acting together. The organization of certain cybercrime groups is remarkable. For instance, websites exist that coordinate the sale and purchase of restricted information such as credit cards, social security numbers, bank account info, and more. These sites usually employ a large number of individuals, each with their own job duties.

• Admins: Run the escrow service and control membership
• Global Moderators: Supervise content and arbitrate any disputes
• Moderators: Monitor individual topic areas
• Reviewers: Evaluate quality of vendor products
• Vendors: Have permission to sell goods and services to forum members
• Members (fraudsters): Purchase the goods

In order to become a vendor you have to provide a set of credit card numbers to a reviewer. This person goes out and makes purchases using those numbers. If the cards are mostly valid, you are accepted as a vendor (Figure 6.5). Below is an example of a vendor being rated:

One example of such site was CarderPlanet. CarderPlanet was a criminal organization founded in 2001. It operated and maintained the website www.carderplanet.com for its criminal activities. By August 2004, the site had attracted more than 7,000 members. Although most of the postings on the forum were in Russian, and most of the CarderPlanet members were from Eastern Europe and Russia, the forum had a significant English-speaking component.⁸

The organization was set up in a manner similar to the mafia with the highest ranking members, or “the family,” having titles such as the Godfather and “capo di capi” (or boss of all bosses). It was shutdown in 2004 after the arrest of some of its senior members. According to the US Secret Service, “the network created by the founders of CarderPlanet … remains one of the most sophisticated organizations of online financial criminals in the world. This network has been repeatedly linked to nearly every significant intrusion of financial information reported to the international law enforcement community.”⁹

Competitors

Competitors are always interested in gaining advantage over the competition. This is true not only in private industry but also in politics. In 2003, internal memos from Democrat minority leaders were distributed to GOP-friendly media. “At first, the Republican majority denied any G.O.P. complicity after the memos were leaked and published. The documents detailed how Democratic senators had strategized and consulted outside interest groups dedicated to opposing some of President Bush's more conservative judicial nominees. But after the police moved in last week, Senator Orrin Hatch, the Utah Republican who is the Judiciary Committee's chairman, reversed himself and announced that he had been ‘shocked’ to find out that it was a member of his own staff who had hacked into the minority's computer files.”¹⁰

Customers

Customers can easily be agents as well, internal or external, depending on where you draw the boundaries of your service. With the Student Information System, for instance, IT has the student users as well as the administrators of the different modules of the SIS application: Financial Aid, Accounts Payable, Financial Aid, etc. These are normally known as “Functional Users.” As customers, these users at times also require functionality and privileges that, while could make their job easier, could also put the University at risk. Someone from Financial Aid, for instance, with access to student Social Security Numbers, could feel tempted to sell a list of those in the hacker market.

Natural causes and infrastructure failures

In the United States we have wild fires and earthquakes in the west. Tornadoes in the Midwest. Hurricanes and flash floods on the East Coast and along the Gulf States. Practically no area of the country is 100% safe. And you still have the human intervention: leaky pipes, accidental building fires, etc. All of these are external, natural disasters that could affect a business' IT infrastructure. When the IT infrastructure fails the financial damage can be considerable. That's what happened with Sears in 2013. “… the five-hour failure, in the rush just after the holidays, cost Sears $1.58 million in profit, according to the lawsuit. (Sears did $12.3 billion in sales during the fourth quarter but lost $489 million.) The server farm ran on generators for eight days, burning through $189,000 in diesel fuel.”¹¹

Former employees

Disgruntled employees are a particularly dangerous type of agent, since they oftentimes have insight on the internal workings of the company, and they are capable of using internally known vulnerabilities to gain access and damage the business.

In May 2013, a criminal complaint was unsealed on Thursday in federal court in the Eastern District of New York charging Michael Meneses – who was arrested earlier that day in Smithtown, Long Island – with hacking into the computer network of a company that manufactures high-voltage power supplies, causing the company over $90,000 in damage. “He employed various high-tech methods to hack into the victim company's network and steal his former colleagues' security credentials, including writing a program that captured user log-in names and passwords. He then used the security credentials of at least one former colleague to remotely access the network via a virtual private network (VPN) from his home and from a hotel located near his new employer, corrupting the network.”¹²

Internal agents

Internal agents are people linked to the organization, often as employees. They include your expected agents, the sys admins, the Help Desk assistants, the software developers. But other unexpected individuals such as janitorial staff can also be threat agents (Figure 6.5).

Help Desk

Help Desk employees may be assigned certain privileges that, either through error or misuse, could affect the operations of a company. It is not uncommon to allow Help Desk employees the ability to change passwords for users, after checking their identities. This privilege opens the door for potential bribery and blackmail of the employee, especially when the activity goes unchecked.

Human resources

The hiring and termination of personnel in an organization, normally handled by the HR department, kicks off a number of activities potentially including the assignment and removal of privileges in IT systems. These actions are usually known as onboarding and offboarding. If these are performed automatically, the consequences could be disastrous.

In 2005 a small community bank in the State of Florida had to retrieve all of its employees' emails from backup tapes after an entry error in the HR system laid off all of its employees and all their email accounts were deprovisioned.

Janitorial services

Server rooms and datacenters are normally off limits to anyone without a need to be there. However, not all servers go in server rooms. It is not uncommon in an University environment to have servers in common offices, without physical protection or redundancy.

Back in 2003 a helpful janitor at the University of South Florida, after noticing that a particular office was a bit dirty, decided to vacuum the room. He unplugged the UPS to plug in the vacuum cleaner and neglected to plug it back in when he was done. The UPS ran out of power and the College was left without email until the next day, when the local administrator came back into the office.

Internal auditors

Auditors come in a variety of different flavors. Some are willing to work with administrators and understand different priorities, resource allocation, and how IT processes fit in the overall mission of the organization. Others are simply interested in pointing out the perceived failures of the IT department. Some are fully prepared to discuss database schemas and network routing, as well as cash collection and financial aid. Some in the industry consider auditor to be the consummate generalist, the proverbial Jack of all trades, but not necessarily the master of any.

The primary concern of auditors is compliance. IT systems must be compliant with local, state, and federal laws. They also must ensure that all official policies and procedures adopted by the organization are followed. With that in mind, it is necessary to emphasize that compliance is different from security. And it is this difference that at times may turn an auditor into a threat agent.

For instance, assume your organization has a policy stating, “all employee ID numbers will be encrypted when stored electronically.” IDs are stored on a database server, which, for the sake of argument, is only turned on when data is needed. The server is inside an access-controlled facility, and you are the only person with access to the box. From your perspective, the risk of a leak or data loss is extremely small. However, as we will see in future chapters, regulatory compliance, federal and state laws established with the intent to protect users' privacy, are often single minded in their purpose and do not consider the overall system security as a whole, instead focusing simply on the piece it needs to protect. Therefore, any auditor, internal or external, will insist that the data still must be encrypted or the policy amended if the organization is assuming the risk. Even if your organization will have to spend thousands of dollars in order to encrypt the data.

Auditors may also affect IT operations. In the State of Florida, if your server room is not up to code because power is stringed through the use of extension cords, Fire Marshalls are authorized to disconnect the power immediately, even if critical processes are brought down because of the disconnection.

Upper management

Managers can be considered a threat agent in multiple ways. But perhaps the most threatening would be top management's lack of support for IT in general and lack of understanding of security concerns.

IT systems are ubiquitous to organizations nowadays, and yet people do not realize the dependency that creates. In a university, faculty paychecks, registration, transcripts, and financial aid, all depend on the fact that IT systems are available and operating properly.

Most of IT operates in a world where “no news is good news.” While that is nice from the operational point of view, it creates a disconnect with users. It is difficult to justify the expenses associated with purchasing a new server if, from the end user's perspective, services are still being offered with no impact on performance. In the long run, IT's success could potentially create its own downfall if management is not reminded constantly of the business dependency on services IT provides.

Partners

Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners (Figure 6.6).

Consulting services and contractors

This category also includes installation services and maintenance services. These are services paid for by an organization in order to perform a specific job or to augment local staff.

Consulting organizations do their best to comply with any special requirements of their clients. However, clients with special needs may get blindsided if an overlooked detail is extremely important to the client. Consider the recent case of the security leak at the National Security Agency (NSA) involving Edward Snowden. Mr. Snowden was an employee of Booz-Allen Hamilton, a contractor that did a lot of technology work for the NSA and other sensitive federal agencies.

From June 5 to June 21, 2013, the Guardian newspaper revealed extremely confidential orders permitting the NSA to gather information about US citizens. Lawmakers and the public were surprised by the revelations. Reactions ranged from calling Mr. Snowden a hero for bringing the activity to light, to calling him a traitor for revealing security procedures that have kept America safe. At the time of this writing, his eventual fate is unknown. The US Govt. is working to have him brought to the US for trial (Figure 6.7).

However, from an information security perspective, the incident brought several things to attention. Given the nature of the institution, it is impossible to assert how Mr. Snowden got his data out of the NSA, until it is revealed in a court trial, federal testimony, or other similar outlet. However, it has been speculated that Mr. Snowden used a USB thumb-drive to save his data. Sensitive organizations typically disable these ports on computers to prevent such leakage. So, many experts are surprised at this possibility at the NSA. It is also remarkable how an employee of a partner had access to such sensitive documents.

Cloud services

Cloud services are a very large class of services. NIST¹³ lists five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. It also lists three “service models” (software, platform, and infrastructure), and four “deployment models” (private, community, public, and hybrid) that together categorize ways to deliver cloud services.

These services were all considered “outsourcing” at one point in time. But since the word outsourcing is linked with people losing their jobs, the industry reinvented itself and was rebranded as services “in the Cloud.”

Normally when a company moves some of its services to the cloud there is an assumption of improved redundancy, reliability, with multiple servers hosting failover applications in multiple geographic locations. While that is the case in most situations, it is not always the case. Businesses should never make that assumption. When services are moved, here are a few things to check:

• Does the datacenter have the required security certifications?
• Where are the Center's geographic locations?
• What controls are positioned to protect the data?

It is also crucial to have an exit strategy from the get-go. Establish the methods by which, in an emergency, the data could be moved to another location. A failure in any of these points could move the outsourced service provider from a partner to a threat agent.

Outsourcing your server room infrastructure is a popular thing to do. It gets the physical worries out of the way and allows organizations to worry about the important part of their business. This is particularly true for news blog sites and certain social media venues.

In October 2012, Hurricane Sandy slammed the East Coast near Atlantic City. Readers woke up the next day disappointed that some of their favorite news sites were brought down, including The Huffington Post and Gawker. These sites used the ISP Datagram as their primary platform. Datagram's datacenter was flooded, and fuel lines feeding the generators failed, bringing the entire datacenter down (Figure 6.8).

Vendors and suppliers

When vendors or suppliers are not able to provide needed resources, or do not exercise proper quality control on devices, or do not properly evaluate the business relationships they maintain, the effect to a business may be considerable.

Threat action

The agent is the first part of the threat, but until an agent performs some actions to hurt an asset, no threat is created. The action is the activity performed by the agent in order to affect the confidentiality, integrity, or availability of the asset. Creating an exhaustive list of actions is futile since new threat actions are limited only by the ingenuity of the agents. However, most common threat actions may be classified into the following categories:

• Malware
• Hacking
• Social engineering
• Physical
• Error
• Environment

Malware

Malware is short for “malicious software.” It is software specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on computers. Viruses, worms, Trojans, and bots are all examples of malware.

The number of malware in the wild has increased tremendously, going from 1,300 in 1990 to 50,000 in 2000, then to more than 200 million in 2010.

Viruses

Viruses propagate with the use of a “host” file that requires human interaction for it to activate. The infected file itself may reside on a computer's hard drive, but the machine would not be infected until the file is executed. A virus propagates when someone transfers that infected file to a new machine and the file is executed on the new host.

The first piece of code considered to be a virus was created in 1971 by an employee of the so-called BBN, now Raytheon BBN. BBN built packet switching networks for ARPANET, the precursor for the Internet. The software called Creeper was designed as a proof of concept for a self-replicating software. It would jump to from one server to another, installing itself, then removing the previous copy and displaying the message “I am Creeper, catch me if you can” on the screen of the new host.

The Melissa Virus outbreak was the one of the first viruses to impair corporate networks. Melissa was different from other viruses because of the speed with which it spread. It disguised itself as an email with the subject “An Important Message From <someone you know>.” The email carried a Microsoft Word document with a macro virus, a virus that would execute automatically when the file was opened.

Machines infected with the Melissa Virus would present a couple of symptoms:

• Unexplained shutdown with the error message shown on Figure 6.9
• Word documents opened while the machine was infected would display quotes from episodes of the TV show “The Simpsons”
• Random files would be selected to be emailed out as the carriers of the virus to 50 users present in the computer's address book.

Besides the end user–centered problems, Melissa caused severe problems to the email infrastructure of corporations due to the load infected machines imposed on email servers. The author of Melissa virus was caught and sentenced to 20 months in prison and $5,000 in fines.

Worms

While infection and propagation of viruses depends on human intervention, worms use operating system or application vulnerabilities to infect and network access to exploit the same vulnerability on other machines.

The first Internet worm was the Morris Worm, released in 1988. Although like the Creeper virus this worm was intended to be a proof of concept, due to a coding error the software had a fixed chance to spawn multiple copies of itself on the infected machine, causing the host's load to increase and sometimes eventually crash.

The SQL Slammer worm, released in January 2003, is to date one of the fastest spreading worms in history, taking advantage of a buffer overflow vulnerability in Microsoft SQL Server 2000 to replicate. Results of SQL Slammer infections around the world were particularly visible:

• Many ATM Machines from Bank of America were unavailable when the Slammer virus hit.
• Continental Airlines had cancelled and delayed flights because ticketing counters were infected.
• The City of Seattle 911 system was inoperable.

The biggest culprit was not the infection itself, but the alarming rate at which the worm tried to propagate. A single infected machine had the ability to flood the network within minutes, effectively creating a Denial of Service Attack by using up all the network bandwidth available. Estimates are that 90% of all vulnerable servers on the Internet were infected within 10 minutes of the worm's release.

Bots

One of the latest botnets discovered by the security industry is known as ZeroAccess. As of September 2012, it is estimated that the ZeroAccess malware has been installed about 9 million times. Bots are general use software programs, empty husks, which contact a Command and Control server for their orders. The ZeroAccess bot uses a peer-to-peer like network to download plugins from the C&C servers. These plugins carry out tasks designed to generate revenue for the botnet operators. It accomplishes this task with two primary methods: Click Fraud and Bitcoin Mining.

Click fraud happens in connection with a business using Pay Per Click (PPC) advertising model. The motivation varies. Often hackers are hired to try to drain out competitors' advertising budget. The most frequent perpetrators of click fraud, though, are publishers themselves, many of whom run successful pay per click scams.¹⁴

Bitcoin is touted to be the new virtual currency to replace cash in the Internet. Much like the Federal Reserve is in charge of regulating our currency, regulation of Bitcoins is delegated to a peer-to-peer network composed of computers running a Bitcoin client, or a Bitcoin Miner. When you install a Bitcoin Miner on your computer, your machine essentially works as a Bitcoin bank, issuing the currency, validating transactions, etc. Individuals usually become part of a “mining pool” and receive payout bitcoins as part of their payment. Obviously, botnets are perfect for this activity.

Hacking

According to the VERIS Data Breach Report for 2011, 81% of the breaches in 2011 involved some type of hacking action. Some of the methods used to gain access to a computer are also used by malware code. The primary difference between a hacking breach and a malware infection is that malware infections propagate automatically, without intervention from a human. Although they both may use the same methods of penetration, a hacking breach is an attack targeted towards a specific host or organization, directed by a hacker.

Brute-force attack

Brute force is a method by which a hacker tries to gain access to an account on the target system by trying to “guess” the correct password. Usually this is an automated process that may take hours to complete.

Although the “made for TV” versions of this attack sound a bit far-fetched, with the hacker simply trying a few passwords and easily accessing to the computer, it is not too far from the truth. An analysis of the 450,000 passwords leaked with the Yahoo attack mentioned previously in this chapter brought up the following pearls of wisdom:

• 160 Yahoo accounts had the password “111111”
• “password” was used as the password 780 times
• “ninja” was used 333 times (not as “ninja” as they'd like it to be)

What follows is a sample of inadequate passwords, the 25 worst passwords of 2011 (Table 6.1) as extracted by antivirus vendor ESET:¹⁵

Default credentials attacks

Appliances designed to be connected to a network usually come from the factory with a default password. So do certain software applications and databases. Default Credential attacks refer to incidents in which a hacker gains access to the system or software protected by standard preset (and therefore widely known) usernames and passwords.

There are many websites that collect lists of default passwords. CIRT.net, for instance, maintains a database with 1937 default passwords, from 467 vendors like Microsoft and Verizon.

In July 2012, a major ISP from Holland discovered that costumer accounts were vulnerable due to default credentials. Their user id were set to be their zip code + their street address, and the initial login password was “welkom01.” When they performed a security check on the accounts they discovered that 140,000 customers never bothered changing the initial default password.

A slight variation on the theme is a Wireless Access Point (WAP), like the one you probably have at home. In order to associate with your home router and gain wireless network access, all you need is the SID (the name of the network), which is usually broadcasted and discoverable by your computer, and the router password. There are two popular passwords for WAPs as delivered by your Internet Service Provider: either the MAC address of the router or another hexadecimal value. Both can easily be found written on the underside of the WAP. All a hacker would need is quick access to your network, during a get together or a party, and voila, instant access.

Buffer overflow attacks

Let's start with an analogy. A buffer overflow is like dumping 1 gallon of water in a container that only holds one cup. The water will eventually overflow and use other spaces where it was not supposed to go. Usually the spill is wasted. But in the computer world, a precisely formed spill can yield the keys to the kingdom.

In computing, a buffer overflow happens when a program buffer or container is not dimensioned properly, and the content that was supposed to fit in the memory “spills over” other parts of the computer memory. If the contents of the spillover are crafted properly, the computer may be “tricked” into believing that the spillover is actually part of the program that needs to be run.

The Code Red worm used a buffer overflow by connecting to a vulnerable Microsoft IIS Server and sending it a large string of N's (capital letter N). At the end of this string, it would send a snippet of code to be executed by the web server. Simple and efficient!

user@server ∼/user $ gcc simple.c -o simple
/tmp/ccECXQAX.o: In function ‘main’:
simple.c:(.text+0x17): warning: the ‘gets’ function is dangerous
and should not be used.

Cross-site scripting (XSS) attacks

XSS is one of the most common web-based attacks. It occurs when a website allows a malicious user to enter information with malicious content in it. The content is usually javascript code executed on the client when other users are visiting that site. Common targets for these attacks are web-based forums. The software powering these sites often do not validate the user input, allowing users to enter html or java code. The code is then published on the forum for other users to see and execute (Figure 6.10).

According to Accunetix,¹⁶ a company that specializes in web-based vulnerability assessment tools, exploited XSS sites are commonly used to perform the following malicious activities:

• Identity theft
• Accessing sensitive or restricted information
• Gaining free access to otherwise paid-for content
• Spying on user's web browsing habits
• Altering browser functionality
• Public defamation of an individual or corporation
• Web application defacement
• Denial of Service attacks

<?php
$name = $_GET[‘name’];
echo “My name is $name<br>”;
echo “<a href=“http://xssattackexamples.com/”>Click to Download</
a>”;
?>

index.php?name=guest<script>alert(‘owned’)</script>

SQL injection attack

SQL injection is an attack technique used to exploit how web pages communicate with back-end databases. An attacker can issue commands (in the form of specially crafted SQL statements) to a database using input fields on a website.¹⁸ As you can see, SQL injection is remarkably similar to an XSS. The primary difference being that an XSS attack is executed at the web front end, whereas the SQL attack is executed at the server. The problem in both cases is that user input was never validated properly.

SELECT fname, phone FROM contacts WHERE lname = ‘doe’

doe’ OR ‘1=1’;

doe’ exec master.dbo.xp_cmdshell ‘iisreset/Stop’

In October 2012, the hacktivist group Anonymous used SQL Injection attacks against vulnerable web front ends to disclose information stored in database servers of 50 universities around the world, including Princeton, John Hopkins, and Rutgers.¹⁹

Misuse

Misuse involves the unauthorized use of assets. In most cases, misuse is a result of the absence of a common security principle known as “need-to-know.” With the need-to-know principle, an individual only has access to an asset if he or she needs access to that asset in order to perform his job. And that principle applies independently of the position the person has in the organization.

Abuse of privileges

Abuse of privileges occurs when an employee uses his or her position and/or access to assets in an improper manner, causing damage to the asset and/or the organization.

As an IT person, the first thing that comes to mind is a systems administrator misusing their privileges. Take IT contractor Steven Barnes, for example. Steve worked for Blue Falcon Networks, now known as Akimbo Systems. In 2008, Steven was ordered, by a court in California, to pay $54,000 restitution to Akimbo and spend 1 year and 1 day in jail. The reason? Steven used his access to log in to Akimbo's Exchange email server and remove restrictions set up on that server keeping spammers from using it as a spam proxy. The result was the equivalent of a Denial of Service attacks, with Akimbo's email system going down as soon as spammers found the opening. According to Steven, he opened the flood gates as retaliation after coworkers from Blue Falcon Networks, now known as Akimbo Systems, came to his home and took away his personal computers by force in 2003.²⁰

Fraud and embezzlement

The Counterfeit Access Device and Computer Fraud and Abuse Act (18 U.S.C.A. § 1030), passed by Congress in 1984, was the first attempt by the Federal government to deal with the issue of fraud in the IT arena. The act also criminalizes the use of computers to inflict damage to computer systems, including their hardware and software and was primarily tailored towards hackers. Since then, the CFAA has been used to prosecute employees who use their position and access to assets to defraud and embezzle money from organizations and their customers.

Fraud and embezzlement cases using IT resources are abundant, especially when individuals find themselves in financial hardship. This has led companies to require a credit check for those employees with access to assets that could potentially lead to fraud.

In August 2012, a Knoxville woman began to serve 5 years on probation after admitting she committed computer fraud while working as a retail operations manager for SunTrust Bank.²¹ Her job was to ensure branches in her region followed internal security practices, according to prosecutors. She had access to the financial records of SunTrust's customers through her work computer, according to the US attorney. Below are some more examples of computer fraud:

• Sending hoax emails intended to scare people (scareware or ransomware)
• Illegally using someone else's computer or “posing” as someone else on the Internet
• Using any type of malware or emails to gather information from an organization or a company with the intent of using it for financial gains
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by downloading and sharing copyrighted material without the owner's permission
• Using a computer to change information, such as grades, work reports, etc.

Use of unapproved software

Employees may become threat agents when they go against company policy and install software application on their computers. Software installed in desktops or smartphones may provide hackers a way into restricted company assets.

Allowing users to install software on their desktops is a particularly problematic issue for universities. By default, universities are supposed to be open, unrestricted, places where curiosity and research come together to foster innovation. On the other hand, that same openness could end up exposing research data and other information assets to threat agents with dire consequences to the department as well as to the individual.

In the late 1990s, a perfect example of the issues associated with these installations was Bonzi Buddy. The Bonzi purple gorilla was cute and adorable, a favorite of many university users on campus. It roamed around their desktops and kept users entertained. Unfortunately, it also gathered information about the user's surfing habits, store preferences (spyware), and displayed related advertisement on the screen (adware). Finally, it used up so much power from the CPU that all other applications would slow down to a crawl (Figure 6.11).

Because of their openness, most universities do not have a policy prohibiting users to install software on their computer, but many other organizations do. In August 2012, the US District Court for the Western District of Oklahoma held that an employee who downloaded shareware from the Internet in violation of company policy may be liable under the CFAA for using the downloaded software to obtain confidential company documents. In Musket Corp. v. Star Fuel of Oklahoma LLC, the court held that anyone who is authorized to use a computer for certain purposes but goes past those limitations is considered to have “exceeded authorized access” under the CFAA.

Social engineering

Social attacks involve conversations, a dialog with users convincing them to do something they would not ordinarily do. Even savvy computer users may be susceptible to social engineering attacks given the correct circumstances.

Pretexting

Pretexting is a technique in which the attacker uses a fictitious scenario to manipulate someone into performing an action or divulging information. Pretexting is also known outside the technical area as “con game” or “scam.”

One type of pretexting is phishing, in which the attacker uses an email to try to get the recipient to divulge information. Phishing emails can be made terribly convincing, visually appealing, and the senders can pose as a figure of authority or someone the user knows. Phishing is normally coupled with spamming, where the attacker sends thousands and thousands of emails in the hopes that a small percentage of the recipients will be convinced and open a file infected with malware or reply with an account number or password.

With the move phone communication is making towards Voice Over IP (VOIP), a new method of delivery for the pretexting attack is appearing. Spam over Internet Protocol or SPIT is bulk dialed prerecorded calls using a breached VOIP network. They usually instruct the person answering the call to “stay on the line” or answer to questions that will be recorded and passed on to hackers. Contrary to email delivery, where available controls stop most of the spam received by a user, there are no means to control the calls a person's phone will receive. While some carriers have “black lists” available for customers (for a small fee), the situation would be unmanageable when the source of the calls change periodically.

Physical

A physical action involves the tangible or palpable aspect of an asset. Unfortunately, many organizations do not consider the physical threat action enough of an issue to warrant the expense of protecting against it.

Unauthorized access

This is a common threat. Many organizations require to have certain areas protected by card access mechanisms. However, in an effort to be cordial and polite, employees in these organizations will hold the door open if they see someone else running to use the opportunity to enter the building without searching for their access badge. Employees will often not challenge other individuals if they handle themselves with certainty and conviction, with that air of “I am supposed to be walking around here without my badge.”

In an age where terrorism went from a relatively unknown threat agent to a serious concern, control of unauthorized access to areas and systems relating to the country's infrastructure, such as airports, power plants, and even electrical substations serving a limited region have become a critical issue. While fences and other access controls were initially primarily designed to keep people from gaining access and getting hurt by electrocuting themselves, now the concern is that unauthorized access will lead to serious shortage in critical infrastructure services. Organizations are reviewing their guidelines and standards for protection of assets, such as the Institute of Electrical and Electronics Engineers (IEEE) and their Standard for Physical Security of Electrical Power Stations,²³ focusing on these new and previously ignored threat agents.

Theft

Walk around campus, go to your university library or another study area. You will notice how easy it would be to take someone's laptop when they step out quickly to go to the restroom. That's plenty of time to close the lid, unplug the power and take off with the new device.

Error

The error category of threat agents includes everything done incorrectly and unintentionally. It includes omissions, accidents, trips, hardware and software malfunctions, etc. Errors do not include things left undone or done incorrectly but intentionally.

Data entry error

Data entry errors come in two varieties: omission or commission. With errors of omission, a value is not entered in the appropriate manner. Errors of commission refer to the integrity of the data entry.

Data entry errors are unfortunately common, but particularly dangerous in the Health area. Electronic Health Records are being put in place in hospitals and doctor offices around the country with the intent to facilitate the exchange of data between medical practices and other points of care. However, sharing data in this manner would also share any entry error on the data itself. While technology itself may be important, appropriate training and usability tests are equality critical to the proper operation of these systems.

Misconfiguration

Special care must be taken by system administrators when dealing with servers containing Personally Identifiable Information. Unfortunately, often hardware and software upgrades are done under tremendous pressure to bring systems back online, and the integrity of the system suffers because of it.

The most common incident involving misconfiguration seems to be related to these upgrades. In 2012, the University of North Carolina at Charlotte inadvertently exposed PII of more than 350,000 people due to the failure of administrators to properly migrate security settings from an old server being decommissioned to a new server. The same happened with the Northwest College in Florida just a few months later.

Environment

Threat actions in the environment category include:

• Natural disasters such as hurricanes, tornados, and flood
• Failures of environmental controls dedicated to supporting the IT asset, such as power failures, water leaks, air conditioning failures, etc.

Air conditioning failure

Level3 is a large, multinational telecommunications company based in Colorado. It provides network transport for data, voice, and content delivery for most large telecom carriers in the United States and abroad.

In 2011, the company suffered an AC failure at one of its datacenters located in France. Since real state in a datacenter is a premium, companies tend to pack as many servers as possible to minimize the support cost. As a result, keeping the air cool is a must. After a few hours, the ambient temperature in the server room reached 131°F. When the ambient temperature reaches that point, motherboard and integrated circuits start failing. Hard drives may still function after the temperature is back to normal, but problems with brittle heads or plates can lurk in the background for months before they show up in any diagnostic.

The culprit was clear. Air conditioning systems use a supply of chilled water to work. Earlier in the day, the line supplying cooled water to the AC systems of the French datacenter ruptured. Without a redundant source of chilled water, the AC systems could not operate and were shut down.

Hurricanes

The entry was posted by Michael Barnett, former Green Beret and consultant to Intercosmos Media Group, parent company of the web host company zipa.com. Barnett was hired specifically as a crisis manager for the approaching Hurricane Katrina. He was holed up with his girlfriend in the datacenter to protect the assets and hopefully ride out the storm.

Katrina proved to be a monster, with millions of dollars in damage. From his perch on the 10th floor, Barnett documented the mayhem, looting, and his struggle to keep operations going with dwindling resources. Unfortunately, this will not be the last hurricane. Every year, from June through September, organizations housed near vulnerable areas prepare for the winds and the floods generally associated with hurricanes. They are one of the most devastating threats to face datacenters and the assets they house.²⁵

Vulnerabilities

We have defined vulnerabilities as weaknesses in information systems that give threats the opportunity to compromise assets. Both terms, vulnerabilities and threats, are often used interchangeably in the industry, especially by vendors. However, it is particularly relevant to distinguish the two. By itself, a vulnerability does not present a risk to an asset. In the same manner, a threat does not present a risk unless there is a vulnerability in the system that can be exploited by the threat.

Not every vulnerability presents a threat to a network. Not all vulnerabilities need to be patched immediately. Only a vulnerability that can be exploited is a threat to business operations and information assets. It's common for administrative teams to receive reports of vulnerabilities with requests for immediate action to eliminate them. One source of these requests is an organization's internal audit team. Another common source of fix-it-now-because-the-press/vendor-says-it's-critical messages is management, including many IS Directors. But should all vulnerabilities be considered emergencies? Are all vulnerabilities worthy of your security budget dollars?²⁶

Threat agents use their knowledge of vulnerabilities to produce new threats against an asset. For information assets, the modifications to existing software code that will resolve vulnerability is known as a “security patch.” The Department of Homeland Security's National Vulnerability Database (NVD)²⁷ reported 3532 vulnerabilities in 2011, about 10 new vulnerabilities being discovered every day. This is actually an improvement compared with the figures from 2009 and 2010 (Figure 6.12).

Operating system vulnerabilities

Operating system vulnerabilities are those problems with the operating system which could grant a hacker access to operating system functions and accounts. Because the OS is the basic building block for all applications running on a system, administrators are usually required to apply OS security patches.

Microsoft issues their patches on the second Tuesday of every month. The date is known as Patch Tuesday or Black Tuesday, as an acknowledgment to the fact that administrators should ideally apply the patch on a test server and analyze its effects prior to applying the patch on production server. If a patch is deemed to be critical, Microsoft will release a security patch between Tuesdays. This type of patch is known as an Out of Band Patch.

Among the top 10 external vulnerabilities listed by the security vendor Qualys for August 2012, the following are Microsoft internal operating system vulnerabilities. Internal vulnerabilities are those that can be exploited once the hacker has a foothold on the vulnerable computer, usually through a compromised, non-admin account. Hackers then use these vulnerabilities to gain administrative access and control over the computer.

Microsoft XML core services remote code execution vulnerability (MS12-043 and KB2719615)

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, allowing remote attackers to execute arbitrary code or cause a Denial of Service via a crafted website.

A remote code execution vulnerability exists in the way that Microsoft XML Core Services handles objects in memory. The vulnerability could allow remote code execution if a user views a website that contains specially crafted content. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.²⁸

Microsoft Windows unauthorized digital certificates spoofing vulnerability (KB2728973)

Unauthorized digital certificates could allow spoofing. Certificates were issued irregularly by a Microsoft Certificate Authority and used to sign parts of the “Flame” malware. Flame is a malware apparently designed to target espionage much like one of its predecessors, Stuxnet. The malware was discovered by Kaspersky Labs in May 2012 but seems to be in the wild since 2010.

Microsoft Windows shell remote code execution vulnerability (MS12-048)

A remote code execution vulnerability exists in the way Windows handles file and directory names. This vulnerability could allow remote code execution if a user opens a file or directory with a specially crafted name. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.²⁹

Microsoft Windows kernel-mode drivers elevation of privilege vulnerability (MS12-047)

An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver handles specific keyboard layouts. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.³⁰

Microsoft Data Access Components remote code execution vulnerability (MS12-045)

A remote code execution vulnerability exists in the way that Microsoft Data Access Components accesses an object in memory that has been improperly initialized. An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.³¹

Web application vulnerabilities

Web applications insert yet another point of ingress to the underlying assets it exposes. The Open Web Application Security Project (OWASP) is a non-profit organization with a number of chapters and projects trying to make web-based applications more secure. As part of this effort, OWASP publishes a list of the top vulnerabilities found in web applications. We already discussed a few when we talked about threat actions.

Injection

Injection happens when the mechanism doing the interpretation of the commands sent by a client computer does not validate the commands before passing them to the application to be executed. When input is not validated properly, the web server may attempt to execute commands that should be restricted and never executed. In essence, the fact that the input is not validated gives the attacker a “pseudo shell” into the server and/or its database.

Preventing injection requires keeping data passed by outside sources (such as in a web form) separate from actual back-end commands and queries.

The preferred way to deal with this issue is to use an Application Programming Interface or API. With an API, the programmer restricts the type of input accepted from the client. For instance, a programmer may have an API that only accepts single, one-word commands such as READ, WRITE, and MODIFY. Anything other than these key words is ignored.

If this method is not available, the programmer must carefully examine the interpretation and clean any command that would allow a client to break out of the environment. For instance, if the command submitted by the client will be passed as a parameter to a SQL statement, the program should error out if any semicolon is passed by the client.

Attacks using the injection mechanism are the most popular and easy to use, such as SQL Injection or LDAP Injection.

Cross-site scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.³³ While the target assets for attacks using injection are servers, the primary targets for attacks using the XSS vulnerability are the clients connecting to a server.

Cross-site request forgery (CSRF)

When you sit down to use your computer, chances are you log in to many different sites: Facebook, MSN, CNN, and others. A hacker using the CSRF vulnerability uses this fact to send “requests” to these login services on your behalf.

While the XSS attack “bounces” the payload on the server back to the client, a CSRF attack simply executes the command on the server on behalf of the client. For instance, behind the scenes, unbeknownst to you, a hacker could send an HTTP request to the server in this fashion:

http://somesite.com/change-password.php&user=jdoe?new-pwd=ilikepie The web server receives this request, confirms “jdoe” is already logged in and changes his password to “ilikepie.”

Insufficient transport layer protection

Simply put, this translates to make sure your web server has appropriate encryption enabled. Not all web servers may require data encryption. Probably the number one reason for a HTTPS connection would be a website which requires users to login. Unless the login transaction is encrypted, the entire content of the transfer is visible to a hacker with access, including the user login credentials.

It is also vital to use a valid, current industry-standard algorithm for encryption. We will look at encryption in one of the next chapters.

Finally, a certificate signed by a recognized certificate authority and renewed as needed is essential, especially for production servers. A certificate signed by the CA indicates non-repudiation (the site is what it claims) and that the encryption is trustworthy.

Example case–Gozi

When you think of information security threats, you probably think of smart but crooked people trying to attack your computer for personal gain. But did you realize that there is also a nascent industry developing professional software tools to help novices become industrial-strength for-profit attackers? On January 23, 2013, US prosecutors charged three individuals – Nikita Kuzmin of Russia, Deniss Calovskis of Latvia, and Mihai Paunescu of Romania with creating and distributing the Gozi Trojan. This software was customized for each customer to attack the specific financial institution picked by the customer. All three individuals had been arrested in different parts of the world over the previous 2 years.

The Gozi virus was created in 2005 and distributed as a pdf file. When the file was opened, the virus would secretly install itself, but do nothing malicious, thereby avoiding scrutiny from antivirus software. Eventually, it was installed on over a million computers worldwide, including over 40,000 computers in the United States.

The creators of the Gozi virus were extremely selective about picking customers. When a customer paid the team, select infected machines would be made available to the customer. The customer could then pick a financial firm to target, based on the usage behaviors or the banking preferences of the set of victims made available to him. The Gozi team would then write the customized software for the customer, which intercepted web-banking communications between the victims and their banks, allowing Gozi's customers to harvest account credentials.

To facilitate money transfers, the Gozi team had also lured individuals through envelope-stuffing schemes. These individuals would receive money from banks and mail it to the customers, providing a level of anonymity to the customers.

If convicted, each of the three members behind the Gozi team faces over 60 years in prison.

[alice@sunshine ∼]$ su-
Password: thisisasecret

[root@sunshine ∼]# yum -y install openvas
Loaded plugins: downloadonly, fastestmir-
ror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* atomic: www4.atomicorp.com
* base: mirror.flhsi.com
* extras: mirror.cogentco.com
* updates: mirrors.adams.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openvas.noarch 0:1.0-5.el6.
art will be installed
--> Processing Dependency: openvas-admin-
istrator for package: openvas-1.0-5.el6.
art.noarch
--> Processing Dependency: wmi for pack-
age: openvas-1.0-5.el6.art.noarch
--> Processing Dependency: openvas-scan-
ner for package: openvas-1.0-5.el6.art.
noarch
--> Processing Dependency: wapiti for
package: openvas-1.0-5.el6.art.noarch

[root@sunshine ∼]# openvas-setup
Openvas Setup, Version: 0.3
Step 1: Update NVT's and SCAP data
Please note this step could take some time.
Once completed, NVT's and SCAP data will
be updated automatically every 24 hours

Updating NVTs....
Updating SCAP data...
[i] This script synchronizes a SCAP data
directory with the OpenVAS one.
[i] SCAP dir: /var/lib/openvas/scap-data
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured SCAP data rsync feed:
rsync://feed.openvas.org:/scap-data
OpenVAS feed server - http://openvas.org/
This service is hosted by Intevation GmbH -
http://intevation.de/
All transactions are logged.
Please report problems to admin@inteva-
tion.de

receiving incremental file list
./
COPYING            1493 100%      1.42MB/s
0:00:00 (xfer#1, to-check = 30/32)
COPYING.asc 198 100% 193.36kB/s
0:00:00 (xfer#2, to-check = 29/32)
debian.6.0.xml 980140 100% 652.02kB/s
0:00:01 (xfer#3, to-check = 28/32)
debian.6.0.xml.asc 198 100% 0.51kB/s
0:00:00 (xfer#4, to-check = 27/32)
...
Step 2: Configure GSAD
The Greenbone Security Assistant is a Web
Based front end
for managing scans. By default it is con-
figured to only allow
connections from localhost.

Allow connections from any IP? [Default:
yes] no
Step 3: Choose the GSAD admin users password.
The admin user is used to configure
accounts,
Update NVT's manually, and manage roles.

Enter administrator username: openvas-admin
Enter Administrator Password: 12345qwert
Verify Administrator Password: 12345qwert
ad main:MESSAGE:9806:2013-01-19 14h39.33
EST: No rules file provided, the new user
will have no restrictions.
ad main:MESSAGE:9806:2013-01-19 14h39.33
EST: User openvas-admin has been success-
fully created.

Step 4: Create a user

Using /var/tmp as a temporary file holder.
Add a new openvassd user
---------------------------------
Login: openvas-user
Authentication (pass/cert) [pass] : pass
Login password : secret
Login password (again) : secret

User rules
---------------
openvassd has a rules system which allows
you to restrict the hosts that openvas-
user has the right to test.
For instance, you may want him to be able
to scan his own host only.

Please see the openvas-adduser(8) man
page for the rules syntax.

Enter the rules for this user, and hit
ctrl-D once you are done:
(the user can have an empty rules set)
Ctrl-D

Login             : openvas-user

Password          : ***********

Rules             :

Is that ok? (y/n) [y] y
user added.

Starting openvas-administrator...
Starting openvas-administrator:  [ OK ]

Setup complete, you can now access GSAD
at:   https://<IP>:9392

[root@sunshine tmp]# /opt/book/threats/
scripts/finish_openvas_setup This pro-
gram completes the OpenVAS configuration
process.
Stage 1: Loading and processing plugins
Processing 57744 plugins. Please be
patient. This will take 15 minutes or
more depending on your hardware.
Starting openvas-scanner: base gpgme-
Message: Setting GnuPG homedir to ‘/etc/
openvas/gnupg’ base gpgme-Message: Using
OpenPGP engine version ‘2.0.14’

Stage 2: Building the OpenVAS-Manger
database
This will take 10-15 minutes depending on
your hardware.
done.

Stage 3: Starting services
Stopping openvas-manager:
Starting openvas-manager:       Stopping
openvas-administrator:
Starting openvas-administrator:

Setup complete. Please open Firefox and
go to https://www.sunshine.edu:9392