Security on the Internet

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.”

Helen Keller

With the recent hack attacks on Ashley Madison and the Federal Government I have been pondering Internet security, or the lack thereof. In this article I am going to consider the large attacks that make the news, but I hope to discuss more personal attacks at a later date.

Historically there have been three goals of hackers:

  1. Defacement of the web site.
  2. Placing malware on the site to infect viewers' PCs.
  3. Obtaining sensitive information.

The first two goals are not an issue with the large sites, because they are usually not the goals of the hackers who go after these sites. Those hackers are interested in the sensitive information: Social Security Numbers (SSN), credit card numbers, usernames and passwords. The intention is to sell the data for monetary gain or to publish it to embarrass the users of the system.

You access the Social Security site to register for Medicare or for some other reason. The Social Security Administration collects your personal data (SSN, address, email, username and password) and saves it in a database, a database with millions of users' data in it. There are many ways a hacker could retrieve this data:

  • Break into an admin account.
  • Break into the database.
  • Use SQL Injection or Buffer Overrun to dump the data.

Break into an admin account

The hacker will try, repeatedly, to log in to an admin account. With the right tools and a lack of precautions on your side, they will succeed. How this can be prevented:

  1. Do not use common administrator user names such as admin for the admin account.
    If such an account exists and you can, rename it. If you can't rename it, you may be able to overwrite the password stored in the database with a plain text string, which will never match any hashed password and so makes the account unusable. If the stored password is not hashed or otherwise encoded at all, that is the first thing to fix.
  2. Do not use a shared account for multiple administrators.
    The big issue here is a disgruntled admin leaving. You end up with the nightmare of changing the password and then informing the other admins of the new one. If each admin has an individual account, that account can simply be deleted, though I would still have the other admins change their passwords. Individual accounts also allow two-factor authentication, which makes the accounts much harder to hack.
  3. Do not allow access to admin accounts from outside the local network.
    This is a matter of server-side programming to validate that the machine logging in is authorized. Another method is to serve admin access on an alternate port and block that port in the external firewall.
  4. Enforce strong passwords.
    The strongest passwords are generated passwords, but 'McYzYeUknyRA' is not easy to remember. A password vault removes the need to write it down somewhere.
  5. Enforce login retry limits.
    If the hacker has only three attempts to guess a password, their chance of success drops dramatically. I also feel the hacker should never learn how many retries they have left or how long the account stays frozen. The best way to ensure this is to always return the same message, something like 'Invalid username or password', on any login failure.
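As an added illustration (not code from the original article), here is a minimal Python login handler that puts items 1, 4 and 5 together: passwords are stored only as salted PBKDF2 hashes, a per-account counter freezes the account after a fixed number of failures, and every failure, whether the username is unknown, the password is wrong or the account is frozen, returns the same 'Invalid username or password' message. The in-memory account store, the attempt limit and the lockout period are assumptions made up for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed policy for the example: three failures freeze the account for 15 minutes.
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 15 * 60
GENERIC_ERROR = "Invalid username or password"


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest); the plain password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AdminDirectory:
    """In-memory stand-in for the accounts table (an assumption for the example)."""

    def __init__(self):
        # username -> {"salt", "digest", "failures", "locked_until"}
        self._accounts = {}

    def add_account(self, username, password):
        salt, digest = hash_password(password)
        self._accounts[username] = {
            "salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0,
        }

    def login(self, username, password, now=None):
        """Return (ok, message). Every failure path yields the same message,
        so the caller learns neither which part was wrong nor how many tries remain."""
        now = time.time() if now is None else now
        account = self._accounts.get(username)
        if account is None:
            # Hash anyway so an unknown username takes as long as a wrong password.
            hash_password(password)
            return False, GENERIC_ERROR
        if now < account["locked_until"]:
            return False, GENERIC_ERROR
        _, candidate = hash_password(password, account["salt"])
        if hmac.compare_digest(candidate, account["digest"]):
            account["failures"] = 0
            return True, "OK"
        account["failures"] += 1
        if account["failures"] >= MAX_ATTEMPTS:
            account["locked_until"] = now + LOCKOUT_SECONDS
            account["failures"] = 0
        return False, GENERIC_ERROR


if __name__ == "__main__":
    directory = AdminDirectory()
    directory.add_account("ops-alice", "correct horse battery staple")
    print(directory.login("ops-alice", "guess-1"))
    print(directory.login("ops-alice", "guess-2"))
    print(directory.login("ops-alice", "guess-3"))
    # Frozen now: even the right password is refused with the same message.
    print(directory.login("ops-alice", "correct horse battery staple"))
```

A lockout like this also freezes the legitimate admin whenever someone else hammers the account, so log and alert on lockouts rather than treating them as silent. The `now` parameter exists only so the lockout window can be exercised without waiting for it to expire.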

Break into the database

There are several precautions that can be taken to prevent hackers from accessing the database.

  1. Block the database port in the external firewall.
    The databases used for websites accept connections from the network. If the port the database server listens on cannot be reached from the external Internet, the database cannot be attacked from there. Of course this means physical security may be needed to prevent access to internal systems. Also, watch those kiosks in building lobbies: they can be connected to a router on the external side of the firewall, so that they would have to pass through the firewall to reach the database.
  2. Use a non-default port for database access.
    Just one more item the hacker would have to guess.
  3. Control access to the database.
    Each database login should be restricted to specific machines on the network.
  4. Lock or delete the default database account.
    Microsoft SQL Server and MySQL each create a default superuser account that carries full database privileges. If this account can be deleted or disabled, delete or disable it. If not, restrict it to connections from the database server itself, give it a strong password, and then forget it. You should never need this account.

Use SQL Injection or Buffer Overrun to dump the data

SQL injection is where the hacker crafts the input to a form field so that it causes a database query to be executed. Almost every site has a "contact us" form where a user can enter a question that is emailed to some person to answer; in some cases this data is also stored in the database. The registration form could be used the same way. Suppose the hacker enters the following into a field:

";SELECT * FROM users;

Two things will happen. First, it is extremely likely that the programmed query will fail; second, a query will be run that fetches all the user data from the database. The site then returns the retrieved data, treating it as part of the error message. The fix is to make sure that any data collected on the website is sanitized before the query is run. Most databases provide functions to sanitize (escape) the data, but the server-side code may have to be updated to use them.

A buffer overflow is an anomaly in which user input overruns the buffer's boundary and overwrites adjacent memory locations. It can be triggered by entering a very large amount of data into a form field that is designed to take only a small amount. One result is that a memory dump is displayed on the user's PC, which the hacker can then search for data that interests them. In some cases the hacker could place executable script in the buffer and have the web server run it for them. The best defense is to ensure that every textbox or textarea has its maxlength property set to limit the amount of data that can be entered. JavaScript can also be used to achieve the same purpose.

Sorry, the only defense against these is to ensure that the website application takes the proper safeguards.
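An added example, not code from the article, showing both safeguards above in Python against an in-memory SQLite table of constructed sample users. The payload quoted in the text stacks a second statement after the closing quote; Python's `sqlite3` refuses to run more than one statement per call, so the vulnerable lookup here is driven instead with a tautology (`' OR '1'='1`) inside the single statement, which dumps every row just as the text describes. The parameterised lookup binds the input as data, so the same string matches nothing. The `validate_form` helper and its `FIELD_LIMITS` are assumptions: they enforce the field length limit on the server, because an HTML `maxlength` or a JavaScript check runs in the browser and does not bind whoever sends the request directly.

```python
import sqlite3

# Constructed sample data; names, addresses and numbers are made up.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "123-45-6789"),
    (2, "bob", "bob@example.com", "987-65-4321"),
    (3, "carol", "carol@example.com", "555-55-5555"),
]

# Hypothetical per-field limits the server enforces regardless of any HTML maxlength.
FIELD_LIMITS = {"username": 32, "question": 2000}


def make_db():
    """Build the in-memory users table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL text itself."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_form(fields):
    """Server-side length and field-name check. Returns a list of problems;
    an empty list means the submission is accepted."""
    problems = []
    for name, value in fields.items():
        limit = FIELD_LIMITS.get(name)
        if limit is None:
            problems.append(f"unexpected field {name!r}")
        elif len(value) > limit:
            problems.append(f"{name} exceeds {limit} characters")
    return problems


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row comes back
    print("safe:      ", lookup_safe(conn, payload))         # nothing matches
    print("oversize:  ", validate_form({"username": "x" * 100}))
```

Run the length check before the query is built, and reject the request outright rather than truncating: a submission that exceeds the limit the form already advertised did not come from the form.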

Other Issues

There are other issues that may arise.

  • Denial of Service (DoS) Attack
    DoS is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. There are also Distributed Denial of Service (DDoS) attacks, which are similar but use computers in multiple locations to launch the attack. Website management must be prepared to deal with these attacks if they occur. There are also applications that help mitigate them.
  • Remote Workers
    There are times when it is not possible to have the support staff resident at the same location as the servers. Some available solutions:

    1. SSL or HTTPS
      SSL provides encrypted access to the website, though usernames and passwords may not be encrypted. With two-factor authentication, this may be acceptable.
    2. Private Network
      Dedicated lines between locations are difficult to hack. As an aside, using the public Internet to transfer data between locations is ill advised.
    3. Virtual Private Network (VPN)
      A VPN is like a private network but more secure than using the bare Internet.
  • User PCs
    Users inside the network can be attacked to place malware on their systems, for example through infected email and infected websites. This falls under the personal attacks I hope to discuss at a later date. The one area relevant in the large-system environment is email servers: these should have protection that blocks known malware and viruses before delivery.
