Five Steps To Help Repel The 'Lulz'
Targeted attacks are a reality today, especially with the likes of hacktivist groups such as Anonymous
Face it: There's no way to stop a determined hacker, even if you're a security firm. This year's wave of attacks by Anonymous, spin-off LulzSec, and other indie hackers in the "AntiSec" movement of exposing security flaws and dumping exposed data, email spools, and other sensitive information have made that point loud and clear.
"The HBGary hack was the turning point for me," says Paul Henry, forensics and security analyst for Lumension. "That definitely got my attention: It showed me that anybody connected to the Net is a potential victim."
Karim Hijazi, whose security start-up was targeted by the now-defunct LulzSec in late May, says there's really no way to avoid being targeted by these types of attacks. "Considering the rampant nature of the attacks, unfortunately I am not sure anyone is technically off-limits for this group. I mean, you have the CIA public facing website DDoS'ed one day, and a gaming company the next -- not exactly patterned," says Hijazi, who is CEO and president of Unveillance, which uses sinkhole servers to pose as botnet servers that capture communique from orphaned bots.
"So that being said, it could be quite difficult to remove one's self from their radar. We certainly did quite the opposite, and I would urge others not to taunt them, per se," he says, referring to his firm's refusal to hand over botnet information, control, and money to the attackers. LulzSec retaliated by posting his email spools and other information online.
Members of LulzSec are also thought to have been behind the hack of HBGary Federal and, subsequently, HBGary proper's email spools, while the hackers were part of the larger Anonymous umbrella. That attack came in response to former HBGary Federal CEO Aaron Barr's research on unmasking members of the group.
Recently, leaked chat logs of conversations among LulzSec members have provided some insight into the types of attacks the group has used. Imperva, for example, analyzed the logs and concluded that the three main attack vectors used were remote-file include, SQL injection, and cross-site scripting (XSS) -- all common Web vulnerabilities. Google-hacking is another tool used by LulzSec members, according to researchers at Stach and Liu.
So what can you do to help defend against determined and inspired hackers like Anonymous and its followers? Here are some tips -- in no particular order-- from Unveillance's Hijazi and other security experts. 1. Go Google-hack yourself.
Turns out one of the first tools used by the LulzSec attackers was Google hacking, or Googling for vulnerabilities, such as SQL injection and remote-file include flaws on Web pages. Francis Brown, managing partner for Stach and Liu, has researched LulzSec's use of Google hacking, and says querying Google for vulnerabilities on websites was the first step in the group's recon efforts.
Most organizations don't bother to take that simple but often-revealing step. "We recommend you Google-hack yourself," Brown says. "Once you do that and find vulnerabilities, like some Cisco VPN configuration file, you have a flag in the sand going forward."
The Stach & Liu researchers offer free Google hacking tools, and Brown says he and fellow researcher Rob Ragan plan to release more Google-hacking tools for defensive purposes at the upcoming Black Hat USA conference in Las Vegas next month. "One of our largest Fortune 100 companies plugs them in, and using Google alerts and Bing RSS feeds, from now on, if Google ever indexes matches with these vulns, [the tools] send you real-time updates," Brown says. "It's an IDS, if you will, for Google hacking."
Among the new tools they will release are versions for the Android and iPhones. So if one of the so-called "Diggity Hacking" tools sees a SQL file with 300,000 of your organization's passwords indexed on Google, it sends you an alert, he says.
"You could have a whole host of traditional vulnerabilities. You don't want other people to find them so easily via Google because Google is kind enough to index all of your vulnerabilities for you," he says. 2. Use and enforce strong passwords and multifactor authentication.
Passwords are a pain, but they remain a reality for most organizations. Using the same password for more than one user account gives hackers a bonus and yet another venue to expose your email or other information.
Lumension's Henry has adopted an extreme password security strategy since the HBGary hack. "Here's what I did: I went through each and every online account I have, and changed my password for each, with a mix of upper- and lowercase letters, numbers,and symbols. They average 12 to 16 characters in length," he says. He also updates them every 30 days.
"I know this is extreme, but it's something I had to do," Henry says.
Of course, the trade-off of complex, unique passwords is that they are difficult, if not impossible, to remember. "So I've written them down in an order only I know and keep them on a laminated card in my wallet," he says.
He also uses phony answers to those secret questions for authenticating users online. "I have separate answers to secret questions from my primary accounts. My birthday is wrong, my mother's maiden name is wrong," etc., to further lock down his online accounts.
Steve Vinsik, vice president of global security solutions at Unisys, also suggests complex passwords for each account, and changing them up every 30 days. He also recommends multiple factors of authentication, not just the standard username and password: Admin and other accounts with access to sensitive data should use second factors like biometrics, he says.
Multifactor authentication is gradually becoming a more realistic option for most organizations, Unveillance's Hijazi says. "Multifactor authentication is becoming an increasingly obvious facet to a security operation no matter how small you might be," Hijazi says. 3. Eliminate SQL injection, XSS, other common website flaws.
Aside from Google-hacking for your vulnerabilities, vulnerability scans and assessments of your website and apps can go a long way in keeping some hackers out. Common, simple-to-exploit bugs like SQL injection and XSS are some of the first things LulzSec and other attackers look for in order to get a foot in the door of their targets.
Conduct penetration tests on your network to pinpoint holes as well -- and be sure to remediate them, Unisys' Vinsik suggests.
"If you are an organization with a substantial Web presence, it would behoove you to confirm your Web applications have been thoroughly checked for vulnerabilities -- specifically SQL injection in the case of LulzSec. In many cases, a good SDLC [software development lifecycle] program during development will find most bugs, but in never hurts to keep up to date on new patches or updates on your LAMP stack or Windows server environment," Unveillance's Hijazi says. 4. Have a third party host your website.
There's no way to actually prevent a major distributed denial-of-service attack (DDoS), but there are some methods of mitigating one, such as tarpitting or forcing the DDoS bots to send less traffic and blocking offending IPs. But most organizations just don't have the equipment and resources to fend off a DDoS.
"Denial-of-service attacks are notoriously hard to deal with, no matter how prepared you might be," Unveillance's Hijazi says. "Public-facing websites are, and will probably always be, subject to those types of attacks in that they are freely available for anyone to access. It is a juvenile form of attack, but to the layperson, it can be impacting. I know that a number of civilians found the attack on the Senate and CIA websites very disconcerting, as it was symbolic to them of a failure or indicative of unpreparedness.
"I can't say I have too much advice for organizations looking to defend against that type of threat -- look at the stature and capabilities of the victims so far," he says. "It may simply be a 'weathering of the storm' approach at best for most."
Another option is to farm out your public-facing website to a third party. That's what Lumension's Henry did. After hosting his blog on his own server for several years, he recently enlisted a third-party hosting provider to run it. "If someone attacked it, they would only get to the party hosting it, not to my internal network," Henry says. He uses an alert system to notify him if any content changes, and he "hashes" any file updates to it, he says.
Third-party hosting providers are likely better equipped to help fend off DDoS attacks than a small to midsize business, and even some large businesses. 5. Archive your older emails offline.
All of Henry's emails that are more than 30 days old get moved to an offline archive now. That approach can work for some organizations.
"If you can afford to simply delete your email once you have finished reading it or taking it offline, that would be another form of securing yourself," Unveillance's Hijazi says.
Henry says he just searches his old email from a machine that stores the archives. "I'd rather not have a year or more's worth of email online," he says.
For organizations such as law firms that need more than 30 days' worth of email to work on their cases, for example, he recommends keeping emails for only 90 days. That's what Lumension did for a law firm client. "One of the principals at the firm had over four years of email literally accessible from the Internet," he says. "Now they archive and remove mail from the server every 90 days, and it's stored where it's not reachable from the Internet, only from the intranet."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like