This year has been another banner year both in terms of security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But, there are also a few new attack patterns worth highlighting which were revealed this year.
Reflected file download (RFD)
Let’s say that one morning you wake up and try to print some last minute work notes out on your home printer. Without luck, you decide to re-install the print driver. While browsing the Internet, looking for a driver, you find that someone has linked to a file on a forum that may suit your needs. As a good internet user, you check where the link really leads and find that it does point to a legitimate site. You click and run the file; however, your computer is compromised and an attacker gets in.
What happened?
The site was legit. There’s no way your manufacturer would host malware on their site, and you weren’t redirected to a malicious domain. Instead, you were hit by a reflected file download (RFD).
A RFD attack happens when an attacker can carefully craft a link that the server will read as input, and then output the contents of the link to any user that clicks the link. This is very similar to cross-site scripting where a browser accepts a link which contains malicious JavaScript commands and then redirects those commands into the web pages it serves up to users. Instead of JavaScript commands, a RFD injects files to be downloaded.
Simply put, the RFD allows attackers to use your servers to serve up their files without uploading a thing.
How to protect yourself
The good news is that RFD is an injection attack and remediation techniques may sound familiar if you have already prevented cross-site scripting, command injection, and log injection. Solutions include whitelisting, character encoding, and in some cases, CSRF tokens.
For more information, read “Reflected File Download a New Web Attack Vector” by Oren Hafif.
Autonomous carjacking
After getting tricked into downloading a file you shouldn’t have, you’re already late for work. During your drive, without warning, the AC turns up to full blast, the radio begins playing, and the transmission stops transmitting power. Your car just got hacked.
This is the new reality of ever-smarter cars. As cars stop resembling the mechanical carriages of years past and start looking more and more like fly-by-wire fighter aircraft, more and more systems are controlled by computers. With cars acting as mobile hotspots, the barrier to unauthorized entry is lowered dramatically.
What happened?
This isn’t a new technique, but it is a technique which deserves recognition in 2015 because old techniques applied to new targets have the potential to affect us in new ways. In the past, hackers threatened our banking details or personal photos—they tried to get information about us. Now, with smart cars getting smarter and regular cars continually advancing to keep up, the auto industry is in a continual state of modernization.
How to protect yourself
The only way to protect yourself is to hope that the automotive industry revises its standards for crash tests…
The POODLE attack
After somehow regaining control of your car, you drive into the nearest coffee spot and reflect on how it was once illegal to send encryption technology outside US borders. While there, you find that your prepaid coffee card doesn’t have enough funds. As you sip your grande caffé mocha macchiato half soy quarter skim quarter 2% extra grande double vanilla pump no-whip coffeestrocity, you open your smart phone to top-off your prepaid card. You check that the site is HTTPS enabled and the connection is encrypted before you enter your username and password. Now that you’ve got your caffeine fix, you’re ready to go about your day.
Later on, you decide to double check your coffee card balance just to make sure the transaction went through and find that you have not only topped off your own card, but five or six others.
What happened?
While setting up an encrypted connection via coffee shop Wi-Fi, your connection got hit with the ludicrously named POODLE attack. An acronym for “Padding Oracle On Downgraded Legacy Encryption," this is an attack that someone sitting at the coffee shop can use to intercept your connection request and force it to use older, easier-to-break, legacy encryption modes.
We are now in an age where the average person can buy enough hardware to break encryption that would have stumped governments 20 years ago. By default, most websites and devices will avoid these old algorithms, but an attacker can sit between a victim and a website and force the connection to default to these weak encryption schemes.
How to protect yourself
Although discovered in late 2014, like every good attack, this took time to gain momentum. In the last few weeks of 2015, most browsers and web servers are no longer vulnerable to these attacks and a healthy patch regimen should keep you safe. However, attackers know that just because a fix for something is out there doesn’t mean that it’s no longer an attack vector.
A good strategy to protect yourself is to avoid checking your bank balance, shopping online or undertaking other activities, which require you to enter sensitive information such as passwords and credit card information.
Everything else everybody should have fixed by now
After being exploited three times in one day, you decide you have had enough and you shut down your computer, unplug your modem, remove the battery from your cell phone, disconnect your fridge from Twitter, delete your cat’s Facebook account, trade your smart watch for a dumb one, wrap your house in tinfoil, and turn on your old tube TV. On the news, the anchor is talking about recent hacks that have compromised your health insurance company, your cell company, government agencies, and a particular scandalous website that you never heard of until it was breached.
No matter what you do, you’re realizing more and more that you just can’t keep your information safe. The companies that you rely on every day face the same issues that you do. They should have fixed their injection vulnerabilities. They should upgrade their encryption suites so they are NOT vulnerable to POODLE attacks. They should harden their hardware to prevent compromise from attackers sitting along the highway. They should, but they haven’t.
Cross-site scripting and SQL injection have been talked about since the late 90’s, almost 20 years ago! Buffer overflows have been discussed since 1972 and weren’t dropped from the OWASP Top 10 until 2007. Social engineering is an art that con men have practiced since the dawn of money and have applied it to computers from the beginning. We cannot stop worrying about old vulnerabilities because as soon as we do, history repeats itself.
The bottom line
Many companies are exploited by old attacks that they should have known about but didn’t patch. Security doesn’t happen by default. Everyone needs to work together to make security happen.
Want to protect your customers’ data?
Continue Reading
Introducing fAST Dynamic: Streamlining dynamic application security testing
Mar 19, 2024 / 3 min read
