This year has been another banner year both in terms of security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But, there are also a few new attack patterns worth highlighting which were revealed this year.
Let’s say that one morning you wake up and try to print some last minute work notes out on your home printer. Without luck, you decide to re-install the print driver. While browsing the Internet, looking for a driver, you find that someone has linked to a file on a forum that may suit your needs. As a good internet user, you check where the link really leads and find that it does point to a legitimate site. You click and run the file; however, your computer is compromised and an attacker gets in.
The site was legit. There’s no way your manufacturer would host malware on their site, and you weren’t redirected to a malicious domain. Instead, you were hit by a reflected file download (RFD).
Simply put, the RFD allows attackers to use your servers to serve up their files without uploading a thing.
The good news is that RFD is an injection attack and remediation techniques may sound familiar if you have already prevented cross-site scripting, command injection, and log injection. Solutions include whitelisting, character encoding, and in some cases, CSRF tokens.
For more information, read “Reflected File Download a New Web Attack Vector” by Oren Hafif.
After getting tricked into downloading a file you shouldn’t have, you’re already late for work. During your drive, without warning, the AC turns up to full blast, the radio begins playing, and the transmission stops transmitting power. Your car just got hacked.
This is the new reality of ever-smarter cars. As cars stop resembling the mechanical carriages of years past and start looking more and more like fly-by-wire fighter aircraft, more and more systems are controlled by computers. With cars acting as mobile hotspots, the barrier to unauthorized entry is lowered dramatically.
This isn’t a new technique, but it is a technique which deserves recognition in 2015 because old techniques applied to new targets have the potential to affect us in new ways. In the past, hackers threatened our banking details or personal photos—they tried to get information about us. Now, with smart cars getting smarter and regular cars continually advancing to keep up, the auto industry is in a continual state of modernization.
The only way to protect yourself is to hope that the automotive industry revises its standards for crash tests…
After somehow regaining control of your car, you drive into the nearest coffee spot and reflect on how it was once illegal to send encryption technology outside US borders. While there, you find that your prepaid coffee card doesn’t have enough funds. As you sip your grande caffé mocha macchiato half soy quarter skim quarter 2% extra grande double vanilla pump no-whip coffeestrocity, you open your smart phone to top-off your prepaid card. You check that the site is HTTPS enabled and the connection is encrypted before you enter your username and password. Now that you’ve got your caffeine fix, you’re ready to go about your day.
Later on, you decide to double check your coffee card balance just to make sure the transaction went through and find that you have not only topped off your own card, but five or six others.
While setting up an encrypted connection via coffee shop Wi-Fi, your connection got hit with the ludicrously named POODLE attack. An acronym for “Padding Oracle On Downgraded Legacy Encryption,” this is an attack that someone sitting at the coffee shop can use to intercept your connection request and force it to use older, easier-to-break, legacy encryption modes.
We are now in an age where the average person can buy enough hardware to break encryption that would have stumped governments 20 years ago. By default, most websites and devices will avoid these old algorithms, but an attacker can sit between a victim and a website and force the connection to default to these weak encryption schemes.
Although discovered in late 2014, like every good attack, this took time to gain momentum. In the last few weeks of 2015, most browsers and web servers are no longer vulnerable to these attacks and a healthy patch regimen should keep you safe. However, attackers know that just because a fix for something is out there doesn’t mean that it’s no longer an attack vector.
A good strategy to protect yourself is to avoid checking your bank balance, shopping online or undertaking other activities, which require you to enter sensitive information such as passwords and credit card information.
After being exploited three times in one day, you decide you have had enough and you shut down your computer, unplug your modem, remove the battery from your cell phone, disconnect your fridge from Twitter, delete your cat’s Facebook account, trade your smart watch for a dumb one, wrap your house in tinfoil, and turn on your old tube TV. On the news, the anchor is talking about recent hacks that have compromised your health insurance company, your cell company, government agencies, and a particular scandalous website that you never heard of until it was breached.
No matter what you do, you’re realizing more and more that you just can’t keep your information safe. The companies that you rely on every day face the same issues that you do. They should have fixed their injection vulnerabilities. They should upgrade their encryption suites so they are NOT vulnerable to POODLE attacks. They should harden their hardware to prevent compromise from attackers sitting along the highway. They should, but they haven’t.
Cross-site scripting and SQL injection have been talked about since the late 90’s, almost 20 years ago! Buffer overflows have been discussed since 1972 and weren’t dropped from the OWASP Top 10 until 2007. Social engineering is an art that con men have practiced since the dawn of money and have applied it to computers from the beginning. We cannot stop worrying about old vulnerabilities because as soon as we do, history repeats itself.
Many companies are exploited by old attacks that they should have known about but didn’t patch. Security doesn’t happen by default. Everyone needs to work together to make security happen.
Jamie Boote is a security consultant at Synopsys. He works with organizations to ensure their developers understand how to write secure code. Jamie believes that software security doesn't happen in isolation and needs effective communication between all levels of a company. When he's not advocating for the dinosaurs in any Perl vs. Python argument, Jamie can be found chasing his sons around Southern Florida.