High-profile cyberattacks that have rocked companies and government over the last several months were carried out using the most basic tricks hackers have at their disposal, adding insult to injury.
The majority of attacks carried out by the hacker collective Anonymous Operations and the hacker group LulzSec are often launched using a combination of software and pre-written scripts, which has won them the “Script Kiddie” label by the more experienced hackers.
The fact that some of the most basic attacks are effective is sounding an alarm over the poor state of cybersecurity. Yet while companies and government are scouring for solutions, they often find security tools are more trouble than they’re worth.
“What used to happen, and this happened a lot, was that the intrusion prevention programs were too strict,” said Dan Kuykendall, co-CEO and chief technology officer of cybersecurity company NT OBJECTives.
This caused a backlash in the early 2000s. Companies were starting to adopt systems to block cyberattacks, known as Intrusion Prevention Systems (IPS). Yet, since they were blocking both good and bad traffic, many companies switched the security systems off and instead started using systems that only detected cyberattacks—known as Intrusion Detection Systems (IDS).
“They got a bit ahead of themselves,” Kuykendall said. “That’s just the reality. In the business case, the features are going to trump security.”
Many of these companies lived to regret this move.
Attacks now being launched by groups like Anonymous Operations follow a common strategy. One team distracts a website’s security staff with minor cyberattacks, while a second team launches the real attack.
The less experienced hackers use software to launch attacks that can take websites offline by overloading them, known as distributed denial of service (DDoS) attacks. Anonymous mainly uses a DDoS program known as the Low Orbit Ion Cannon (LOIC).
While website security staff are busy dousing the flames from the DDoS, the more experienced hackers carry out the real attack behind the scenes. These often target a website’s database, which gives hackers access to internal documents, passwords, and files. Many target SQL databases, which hackers can breach by injecting code into the systems—an attack known as a SQL injection.
Guarding Against Cyberattacks
Beneath all the graphics, tools, and menus we see while browsing the Web and using services like e-mail, there is code—letters, numbers, and symbols—that different Web applications read and translate into different commands, telling what to present to the viewer, or what to do with various bits of information.
Yet, typing information into a Web application, such as e-mail, risks accidentally typing text the application will interpret as a command. Various systems protect against this—escaping or separating user-supplied data so the database can distinguish it from the application’s own commands—but many software developers are unfamiliar with coding these parts while keeping security in mind, and so holes are often left in the applications.
Experienced hackers know how to speak directly to these applications by typing code into a website, and even less skilled hackers can do this by using software. They will try to cause errors in the code, and eventually find an access point. From there, they have full access to anything contained behind the scenes.
If a database misinterprets code from commands, “it would behave differently with that, and it could cause things to break. This is where things like SQL injection come up,” Kuykendall said.
“This is really what these attacks against Sony and such have been—these are basic SQL injection problems … They didn’t take input from what came in, and do the necessary things to protect it when it went into the database,” he said, referring to the numerous cyberattacks against Sony by hacker groups, including Anonymous.
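The problem Kuykendall describes, input going into the database without the "necessary things to protect it", comes down to whether user text is spliced into the SQL statement or passed separately. The following is an added example, not code from the article or from NT OBJECTives: it builds a constructed one-row user table in an in-memory SQLite database and runs the same login lookup two ways, once by string formatting (the hole) and once with parameter placeholders (the fix). A stray quote in the input makes the first version either error out or return a row it should not, while the second treats it as plain data.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration; not real credentials.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    # The user's text is pasted straight into the SQL string, so the database
    # cannot tell the application's query apart from whatever the user typed.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    # Placeholders ship the values separately from the statement; quotes and
    # SQL keywords inside the input are data, never commands.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def raises_sql_error(login_fn, conn, name, password):
    # True if the lookup blows up on the input (the "cause errors" symptom).
    try:
        login_fn(conn, name, password)
        return False
    except sqlite3.Error:
        return True


def demo():
    conn = make_db()
    good = ("alice", "s3cret")
    # Constructed malformed inputs: a quote that closes the string early and
    # adds an always-true condition, and a lone quote that breaks the syntax.
    tautology = ("alice", "' OR '1'='1")
    lone_quote = ("alice", "'")
    return {
        "vuln_valid": login_vulnerable(conn, *good),
        "vuln_tautology": login_vulnerable(conn, *tautology),
        "vuln_lone_quote_errors": raises_sql_error(login_vulnerable, conn, *lone_quote),
        "safe_valid": login_safe(conn, *good),
        "safe_tautology": login_safe(conn, *tautology),
        "safe_lone_quote_errors": raises_sql_error(login_safe, conn, *lone_quote),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup logs a user in with the wrong password and throws a database error on a single quote, which is exactly the behaviour Kuykendall says "could cause things to break"; the parameterized lookup returns no rows in both cases and never errors.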
The usual tool of choice is known as a Web Application Firewall (WAF) that can block suspicious traffic.
While people are using Web services, they are sending and retrieving data from the Web applications. A WAF watches this traffic, and will deny access to anything it deems harmful.
The problem is that each Web service tends to be starkly different from the next, and each is programmed to recognize different types of code. What may look like an attack against one application may be a normal command for another.
“Since it doesn’t know the application and how the application is protecting itself, or if the developer did the right thing or not, it often doesn’t know what to protect against, so it can only protect against very blatant attacks,” Kuykendall said.
Also, the WAFs often block too much good traffic when used at their full potential, and companies risk losing money from denied traffic and downed services. Many companies disable a WAF’s ability to block data altogether, and instead use it as a monitoring tool that will alert them after something goes wrong—just as with the switch from IPSs to IDSs in the early 2000s.
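To make the tuning problem concrete, here is an added example that is not part of the article and does not represent any vendor's WAF: a toy request screen run over four constructed requests to a hypothetical site with a login form, a search box, and a forum. The untuned policy applies generic SQL-keyword rules to every request and blocks two legitimate ones (a forum post about SQL and a search for "union station") along with the one real attack. The tuned policy scopes the rules per path and keeps the block on the attack while passing the good traffic, which is the trade-off behind companies switching WAFs to monitor-only.

```python
import re

# Constructed sample requests: (method, path, body). Index 1 is the only attack.
REQUESTS = [
    ("POST", "/login", "user=alice&pass=s3cret"),
    ("POST", "/login", "user=alice&pass=' OR '1'='1"),
    ("POST", "/forum/post", "title=Help with UNION SELECT in my report"),
    ("GET", "/search", "q=union station"),
]
ATTACK_INDICES = {1}

# Generic, untuned rules: any SQL-looking token anywhere is "suspicious".
QUOTE_OR = re.compile(r"'\s*or\s*'", re.IGNORECASE)
UNION = re.compile(r"\bunion\b", re.IGNORECASE)
SELECT = re.compile(r"\bselect\b", re.IGNORECASE)
GENERIC_RULES = [QUOTE_OR, UNION, SELECT]


def untuned_decision(method, path, body):
    # Out-of-the-box behaviour: same rules for every application path.
    return any(rule.search(body) for rule in GENERIC_RULES)


# Tuned policy (hypothetical): rules chosen per path after reviewing what
# each form legitimately accepts. The forum takes free text about SQL, so
# keyword rules would only produce false positives there.
TUNED_RULES = {
    "/login": GENERIC_RULES,
    "/search": [QUOTE_OR],
}


def tuned_decision(method, path, body):
    return any(rule.search(body) for rule in TUNED_RULES.get(path, []))


def evaluate(decide, requests, attack_indices):
    """Return (attacks blocked, legitimate requests blocked) for one policy."""
    blocked_attacks = blocked_legit = 0
    for i, (method, path, body) in enumerate(requests):
        if decide(method, path, body):
            if i in attack_indices:
                blocked_attacks += 1
            else:
                blocked_legit += 1
    return blocked_attacks, blocked_legit


def compare():
    return {
        "untuned": evaluate(untuned_decision, REQUESTS, ATTACK_INDICES),
        "tuned": evaluate(tuned_decision, REQUESTS, ATTACK_INDICES),
    }


if __name__ == "__main__":
    for name, (hits, collateral) in compare().items():
        print(f"{name}: blocked {hits} attack(s), {collateral} legitimate request(s)")
```

Note the cost of the tuned policy: the forum path now has no rules at all, so an injection attempt there would pass. Real tuning is narrower than this toy (per field rather than per path) and is the work the Suto study measures in hours; the point of the example is only that the same rule is an attack signature on one form and ordinary text on another.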
The real solution is closing the holes altogether or fine-tuning applications that can block cyberattacks.
This is where penetration testing comes into play. Companies will at times hire hackers to launch controlled cyberattacks against their services and networks. When a hole is found they patch it. Some companies, including Microsoft, pay hackers for finding these vulnerabilities, and there are even events, such as the annual Pwn2Own hacker contest, where hackers are challenged and rewarded by companies for finding these holes.
There are also applications that do this, known as Dynamic Application Security Testing (DAST) software.
NT OBJECTives, of which Kuykendall is the co-CEO, for example, has two such products: NTOSpider and NTODefend. The first will launch attacks against Web applications to find vulnerabilities, and the second will then patch the holes.
A Nov. 16 study from security industry expert Larry Suto, “Effectiveness of Web Application Firewalls,” found the best defense is to optimize WAFs—something few companies are taking time to do—and using this in conjunction with DAST software to ensure the system itself is secure.
WAFs are effective, but to work well they need to be tuned by security staff. It takes a professional around 3.5 hours to bring a WAF to an acceptable level, but this is “significantly more time than what the typical organization spends,” according to the study.
Once tuned properly, a WAF could block around 79 percent of the attacks used, and this number grows by 19 percent when a DAST program is also used. The study found that IPS tools, when used out of the box, “were not very effective at defending web application vulnerabilities,” but when used with DAST software, they were able to block an average of 89 percent of the attacks.