The Ease of Hacking Websites

Most web sites today use a database of one form or another to generate their content. Some utilize the “offline” database back-ended approach, where pages are generated every so often but the web site itself is made of static pages (HTML). Others utilize the “on-line” database back-ended approach, where pages are generated on-the-fly whenever a user requests them.

It is considered harder to hack an “offline” database back-ended web site, as you have no direct way to influence the content displayed by the web site if you send it malformed data. However, as most webmasters would tell you, the “offline” approach is harder to maintain, slower to adapt to changes in content and requires more thought about what is placed on-line, as content can take several minutes to hours to propagate into the static web site. That is why most of today’s web sites use the “on-line” approach.

This comes at a price, security-wise of course (I will skip the hardware and software aspects). As the web site is built from user-provided data, this opens up the opportunity for a user, in this case a malicious one, to manipulate the results returned by the server.

How common is it to see a web site defaced via an IIS/Apache vulnerability? Not very, and when it happens it is usually due to some newly discovered vulnerability in those products. How common is it to see a web site defaced via a Windows/Linux vulnerability? Roughly as common as seeing an IIS/Apache web site defaced because it runs an old version of the software.

What is more common? Web sites that get defaced due to improper handling of user-provided data. These vulnerabilities are usually divided into the following categories:

  • Cross Site Scripting
  • SQL Injection
  • Code Execution

Would it be difficult to detect these vulnerabilities? No. Would it be difficult to avoid having them in the first place? No.

So why are these vulnerabilities still present in high profile web sites? I could name a few such web sites, major news agencies and broadcasting networks, but it won’t help the end-user or the web site’s owner. Everyone knows there are numerous solutions for preventing, detecting and stopping these vulnerabilities, so why isn’t it happening?

Are web site vulnerabilities, such as those caused by bad usage of user provided data, considered low risk vulnerabilities? I don’t think these vulnerabilities can be regarded as low risk.

Take this example: in a few minutes of wandering through the site of one of these news agencies, which utilizes the unbreakable Oracle database, I was able to discover the complete structure of their articles table/schema, as well as read any entry present in the table by utilizing columns such as author, date, priority and keywords – something that would otherwise be impossible through their normal web access interface.

The next logical step for a hacker discovering this would be to insert or modify an article found in the database and place into it some form of malicious content – I can name a few: an adware-installing page, a fraud-related “donation” button, etc. Does this sound fictitious? Nope, it has been done and there is nothing stopping anyone from doing this again.
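The SQL injection the post describes comes from pasting user-provided data into the query text. The following is an added example (not code from the post or from any of the sites it mentions) that builds a small in-memory table modelled on the article columns named above (author, date, priority, keywords), then runs the same lookup two ways: the vulnerable string-concatenation form beside the parameterized form. The table contents, the column list and the crafted input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows, modelled on the article table the post describes.
# This is not any real site's schema or data.
SAMPLE_ARTICLES = [
    ("alice", "2005-06-01", 1, "economy,markets", "Markets rally"),
    ("bob", "2005-06-02", 2, "sports", "Local team wins"),
    ("carol", "2005-06-03", 1, "politics", "Election preview"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with an 'articles' table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (author TEXT, date TEXT, priority INTEGER, "
        "keywords TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?, ?)", SAMPLE_ARTICLES)
    return conn


def titles_by_author_unsafe(conn: sqlite3.Connection, author: str) -> list:
    """Vulnerable form: the user's value is spliced into the SQL text, so a
    quote character in the input ends the string literal and the rest of the
    input is parsed as SQL. Shown only to contrast with the safe form."""
    sql = f"SELECT title FROM articles WHERE author = '{author}'"
    return [row[0] for row in conn.execute(sql)]


def titles_by_author_safe(conn: sqlite3.Connection, author: str) -> list:
    """Hardened form: the value travels as a bound parameter. The database
    engine never parses it as SQL, whatever characters it contains."""
    sql = "SELECT title FROM articles WHERE author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]


def demo() -> dict:
    """Run both lookups with an ordinary value and with a constructed input
    that changes the meaning of the concatenated query."""
    conn = make_db()
    ordinary = "alice"
    crafted = "x' OR '1'='1"  # constructed: turns the WHERE clause into a tautology
    return {
        "unsafe_ordinary": titles_by_author_unsafe(conn, ordinary),
        "unsafe_crafted": titles_by_author_unsafe(conn, crafted),
        "safe_ordinary": titles_by_author_safe(conn, ordinary),
        "safe_crafted": titles_by_author_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name}: {titles}")
```

With the ordinary value both forms return the single matching title. With the crafted value the concatenated query returns every row in the table, which is exactly how a reader of the post's news site could walk the whole articles table, while the parameterized query returns nothing because no author is literally named `x' OR '1'='1`. The fix is not to filter quote characters but to stop building SQL out of strings at all.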

As history has taught us, these kinds of vulnerabilities will go unnoticed until someone writes a worm that exploits them to hop from one server to another and which, like CodeRed, creates enough havoc to make the security community understand the importance of addressing such vulnerabilities.

Future NOTE: Even if I say that such a worm will be written, it doesn’t mean I wrote it 🙂

The Changing Face of Crime – What’s Out There?

what constitutes a crime?
what crime is more serious than another?

both questions of great magnitude that i fear to even begin and approach in this blog. still, whatever the answer is there is one thing i am sure of; it isn’t black and white.

in the changing world we live in with constant revolutions of a grand magnitude happening continually, with a global economy, internet society and many others, we all try and cope. our world is used to a major revolution in our way of life and how we think once every few dozens to hundreds of years, allowing us time to adjust.

in today’s world we no longer have that luxury.

i often struggle with how law enforcement today operates. organizations whose business it is to keep the public safe are years behind on what’s actually going on. where they are not behind they often face policy from above that tells them not to work on “cyber”-issues (i hate “cyber-“) as there are far more pressing matters about.

that policy is correct. catching murderers and rapists is by far more critical than catching the kid next door in his latest “computer prank”. plus, petty theft is something the public cares about. “hackers”.. well. we are often proud of our overly intelligent kids and the feats they accomplish.

as i already said though – nothing is ever black and white unless it is how we view it. online crime is no longer about kids. it is not a bored employee who hates his boss and tries to hack the company’s servers after-hours. online crime is a business.

much like with every other society, the “attacker” may be a bored kid, a disgruntled employee or a small-time criminal. the “attacker” can also just as easily be the mob, a competing company (industrial espionage) and maybe even a nation.

who owns a gun in our world? who owns a gun in the “cyber-“world? the comparison is very acute.

today, this is not just fud. internet crime is no longer (only) about kids trading bots like candy. today it is about organized crime taking over and investing vast amounts of money in r&d of both their /technological/ and /operational/ capabilities.

we often do not see behind the scenes, but if we do take a few choice cases –
1. the israeli trojan horse scandal, where leading companies hired private investigation firms to spy on their competition using trojan horses. the price-tag was 17k uk pounds per computer being tapped, per month.
2. google it, but there were similar cases discovered in the last 6 months in both the uk and the us.

i’ve personally been approached about doing such illegal “thingies” two times, thus far. once by a middle-man and once by the ceo of a global private investigation firm. i didn’t take the jobs but it is pretty obvious that “hidden” world is very much alive. we just don’t hear about it _very_ often.

what we do hear about, see and get annoyed by every day is phishing. it is public and might give us some sort of an indication to what this is all about.

the apwg reports thousands on thousands of new unique phishing sites every month. losses from phishing in the us amount to 10-20 million usd for some banks.

in germany, there is a phishing attack every few days by several different scammer groups. in each such attack about 2000 people get fooled and about 6 people do not get their money back (banks are very good at moving money around).
on average, about 6k euro are lost per person. that’s 1.2 million euro per year, for one group. these numbers keep increasing.

it is estimated that globally, in the first half of 2005, roughly half a billion usd were lost to scammers from phishing alone.

all these numbers do not include damages, recovery and money paid for prevention.

what does this mean?

it means there is clear-cut roi (return on investment – bahh, management talk) to the bad guys. they are not going to stop as long as the economics of it are in their favor and the only way to change the economics is to make it not worth their while.
today they do not take much of a risk though, do they?

a second important point is that indeed, this is no longer just an online issue. money is real. the attackers are not bored kids, they are more often than not the russian mob.

as an example of a meat-space connection: earlier this year a woman got her account cleaned out at a branch of her bank on the west coast, following her account details being phished.
a week later a fedex package came in to a different branch of the bank – on the east coast.
that package held a fake check meant to re-fill that account.

law enforcement has made incredible improvements in both ability and willingness to cope with online issues, especially these past two years. still, they are under-staffed, often burdened by handling computers for meat-space cases over actual “cyber-” cases and the policy guys upstairs still do not see the problem for what it is.

that’s it in a nutshell. next time, as time allows, maybe we will go into what actually gets done, who the players are and where we are all headed.

gadi evron,

The most secure code in the world

I’m going to say some things that might be the last thing I’ll ever be able to say (you’ll see why in the next paragraph :)). Open source is only as secure as its developers made it. It is not more secure than closed source, and it’s not better than closed code. It’s merely code!

Most of the open source community (hey, I also develop open source tools and programs) tries to sell us that Open = Secure. When Internet Explorer had a lot of security risks one after the other, Firefox developers came and told us that in open source it would never have happened: there are 10000000 (I must have missed a few 0s :)) eyes on the code, so it cannot be less secure, only more secure….

Ammm.. OK (I’m starting to look for a place to hide right about now :P)

The fact is that for better and more secure code, the first thing we have to do is educate people to think and be paranoid. Yeah! You cannot trust any user input or any result of a system function, and you must validate them over and over again.

You must check the input and see that it does not overflow the amount of memory you are willing to give your buffers.

You must sanitize (filter) any character you do not wish to see, and escape anything that you must keep but that may affect your program.

But wait, that still does not give us secure programs and code; it only starts making us understand the risks better. For example, an off-by-one can happen to anyone… especially after alcohol is involved 🙂

And what about the user controlling our function jumps (you know, changing the hard-coded machine code of the program), or injecting system functions of his liking… We can sanitize the input we get back from the function, but we cannot control what happens in the function itself…

Or even bugs we didn’t think we had, which someone found and exploited. Or as Knuth once said: “I just proved that my claim is right, but I haven’t tested my code with a compiler” (I’m quoting from memory…)

But I just realized that that’s not the thing I needed to start with… I should have said that we are not educated to think in a more secure manner. In high schools and universities we are taught to assume that the user input is somewhat correct, and all we need to do is focus on the functionality of the program.
We are also taught that there is only one “right” way to do things, and that’s the professor’s way 🙂

So before everyone starts jumping and accusing something of being more or less secure, let’s start teaching people to do things in a more secure way… So how do we start?

The Zen of Password Management

this was on networkcomputing, pretty funny:


the zen of password management

stage 1: denial
they don’t really mean that i have to change my password. it’s just a suggestion, really, more of a guideline than a hard and fast rule. really, that warning will go away if i ignore it.

stage 2: anger
i will not change my password. i can’t believe that the security of the entire company depends on me changing my password at this time. it’s just a silly policy that IT uses to exercise digital control over the rest of the world.

stage 3: fear
but if i change my password i might forget it! i like my password the way it is – right now. i probably won’t be able to remember what i changed it to and then i’ll have to ::shudder:: call the help desk. oh god, why is this happening to me?

stage 4: acceptance
okay, i’ll change my password but i won’t like it. i guess maybe it really is important. after all, someone used mary’s password to hack into the corporate database yesterday and now we’re under investigation by like every agency with a three letter acronym. i’ll do it, but i hope they don’t think i’m happy about it.

stage 5: wonder
hey, that wasn’t so bad. i remembered what my password is and when i told bob and jim and the counter guy at starbuck’s about the phrase technique i use to remember it they thought i was pretty cool. i’m sure the guy at starbuck’s was writing down my method so he could use it himself.

stage 6: joy
wow, this new password is great! i wish i’d thought of it before. in fact, i’ve changed all my passwords to match the one i use at work! gmail, hotmail, paypal, ebay… everything! it’s such a great password! i love it! maybe i’ll name my first born after it!

two weeks later …

stage 1: denial
i can’t believe i changed my password and told the counter guy at starbuck’s about it. i can’t believe he used it to buy a giant cheetoh on ebay with my paypal account and spammed everyone at corporate hq from my hotmail account. at least he didn’t… oh my, why are those men in suits with dark glasses coming my way? they aren’t, they’re just … out for a stroll. i’m sure of it. turn around and face the screen and whistle, they’ll just pass me by, i just know it!


gadi evron,