159 posts categorized "Rob Rachwald"
April 02, 2012
 How Do They Attack? Analyzing the “New” Lulzsec Attacks

The most recent Verizon Data Breach report states:

  • Of the 174 million records lost, 100 million (or 58%) were the result of hacktivism against large organizations.
  • No losses had been attributed to hacktivism in previous years.

Will 2012 be any different?  So far, it seems the answer isn’t just no, but rather “hell no.”

Last year, we described with precision how the first instantiation of Lulzsec performed their attacks using common application vulnerabilities such as SQL injection, cross site scripting, directory traversal, and remote file inclusion/local file inclusion (RFI/LFI) coupled with DDoS.  This year, we detailed how Anonymous attacks using SQL injection, cross site scripting, directory traversal and DDoS.  With the “new” Lulzsec announcing operations, the question is:  how will they attack?  The answer, so far, isn’t different from that of Lulzsec’s forefathers.  One of their first victims?  Militarysingles.com, a dating site for military personnel.  We cannot know for certain, but with high probability it was done using Local File Inclusion (LFI) / local code upload.

[Image: RFI1]

Our first Hacker Intelligence Initiative (HII) report described RFI/LFI and warned it was a favorite exploit among hackers but neglected by the security community.  Today, we released another HII report on RFI/LFI to reiterate exactly the same message:  RFI/LFI is a favorite among hackers but is neglected by the security community.  For more on why RFI/LFI gets no respect, see our explanation here.  

But here’s the gist:

The main reason we don't see LFI/RFI in code review is that many website owners/security officers are not necessarily aware of the underlying tech that powers their website. For example, if you install Wordpress, the most popular content management system on the Internet, you get PHP on your server.  Not surprisingly, no one is paying attention to PHP code—especially when it comes to code scanning.  This is because most organizations who invest in code review technologies (or serious web scanning) are not using PHP for their core application. On the other hand, PHP applications are the most prevalent (in terms of absolute numbers) on the web, hence the strong interest from attackers.

How many of the internet’s websites are written in PHP?  Nearly 70 percent.

To make the point again, we've redone our report on RFI/LFI and it can be downloaded here.  Not coincidentally, hacktivists are using RFI/LFI again.  With the rebirth of Lulzsec (we use the term “rebirth” with caution; only time will tell if they’re successful), exactly how was militarysingles.com hacked by Lulzsec II?  Here’s how we think the RFI/LFI attack went down…

The web app, a dating site, allows the upload of a profile picture, a crucial function for a modern dating site.  To prevent rogue uploads, a filter exists to allow only picture files:

[Image: RFI2]

This filter has two flaws:

  • It validates the picture format by extension only.  For this reason, we can upload a corrupted file:

     [Image: RFI7]

  • The filter seems to trust the content type as passed by the browser, which is a client-side control, instead of checking it on the server side.  So by using a proxy we can change it to "image", and our arbitrary file gets uploaded:

  [Image: RFI5]

An attacker could do the same, but change the file extension to .php, making it executable on the victim's machine.  We found records of such uploads:

   [Image: RFI7]

That's probably how the "LulzSec" attacker obtained control over the server.  The leaked info was around 150K users' data, which included real names, usernames, e-mail addresses, IP addresses, MD5-hashed passwords, real-world addresses (for some users a full address), phone numbers (some users) and birthdays (some users).
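As an added illustration of the two flaws (not code from the original post or from the site in question), here is a constructed Python model of an extension-and-Content-Type filter next to a server-side check that ignores the client's Content-Type, verifies the file signature and generates the stored name itself; the sample uploads are constructed, not files from the incident:

```python
import secrets

# File signatures ("magic bytes") of the image formats the site accepts.
# The key is the canonical extension the server will store the file under.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Client-supplied extensions accepted, mapped to the canonical extension.
ALLOWED_EXTENSIONS = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Constructed sample uploads: a real JPEG header, a real PNG header, a file
# that merely claims to be a picture, and a (harmless) PHP script.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_GARBAGE = b"this is not an image at all"
SAMPLE_PHP = b"<?php /* constructed test script, does nothing */ ?>"


def _client_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def weak_filter(filename: str, client_content_type: str) -> bool:
    """Model of the two flaws described above: the decision rests on the
    file extension and on the Content-Type the browser chose to send.
    Neither is under the server's control. Returns True if accepted."""
    if _client_extension(filename) in ALLOWED_EXTENSIONS:
        return True  # flaw 1: a corrupted file with a .jpg name passes
    # flaw 2: a proxy can rewrite this header to anything at all
    return client_content_type.lower().startswith("image/")


def sniff_image_type(data: bytes):
    """Return the canonical extension implied by the bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def hardened_filter(filename: str, _client_content_type: str, data: bytes):
    """Server-side validation. The client Content-Type is deliberately
    unused; the extension must be on the allow-list, the bytes must carry
    a known image signature, and the two must agree. On success the
    server-generated storage name is returned (random, with the extension
    derived from the bytes, never from the client); on failure None."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return None
    canonical = ALLOWED_EXTENSIONS.get(_client_extension(filename))
    if canonical is None:
        return None
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != canonical:
        return None
    # Store under a server-chosen name in a directory the web server will
    # never execute scripts from; a polyglot (valid header plus script)
    # that passes this check is then still served as a picture only.
    return f"{secrets.token_hex(16)}.{sniffed}"
```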


March 29, 2012
 Havij 101

Great article on Havij, a tool designed to execute SQL injections.  Ericka at Dark Reading deserves major kudos for writing about the topic and bringing attention to it.

As the piece states and, as we highlighted in our hacktivism report, Havij is a major tool in the hacker's arsenal.  We detailed how Havij was used to breach PBS last year.

Essentially, Havij is an automated SQL injection tool.  Hackers use it in conjunction with vulnerability assessment (VA) tools such as Acunetix or Nikto.  VA scanners find vulnerabilities but stop short of an actual exploitation—and that’s exactly where Havij starts.  In other words, VA gives you a list of targets, Havij takes the shots.

What does the process of using Havij look like?  It’s hardly complicated (click image to BIGGIFY):

  [Image: Havij1]

Note some of the key functionality:

  • Get DBs:  Hmm, wonder what that does.
  • Get Tables:  Hmm, wonder what that does.
  • Get Columns:  Hmm, wonder what that does.
  • Get Data:  No idea.

You’ll also note in the picture above that Havij reconstructs the database’s contents.  It can perform many types of SQL injection to achieve that task.

How do you stop Havij?  We detailed the steps for stopping SQL injection here.  It’s one of the most read blogs we’ve ever written and is always worth reviewing.  It's also worth noting that traditional network firewalls as well as next-generation firewalls can't block Havij.

Here’s what our WAF looks like when hit by Havij (see the green box):

[Image: Havij2]

Here’s what Havij looks like when blocked or unable to find an exploit (see red at the bottom of the picture):

[Image: Havij3]

March 28, 2012
 21-Foot Ladders

Several years ago during the second Bush administration, heated debates were taking place over reforming American immigration policies.  One of the best political cartoons of the time captured the conundrum beautifully.  On the American side, builders assembled a 20-foot fence.  On the Mexican side, Raul was renting 21-foot ladders:



In many ways this is a nice analogy for what is a (hopefully) growing epiphany among cyber security professionals.  Though hacking and immigration have very different moral motivations, the rhetorical parallels are interesting.

Example #1:  Shawn Henry of the FBI said in the Wall Street Journal 28 March edition, “In many cases, the skills of the adversaries are so substantial that they just leap right over the fence and you don’t ever hear an alarm go off.”  Companies, he added, “need to be hunting inside the perimeter of their network.”

Example #2:  "We've got the wrong mental model here," said Dr. James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. "I don't think that we would think that we could keep spies out of our country. We've got this model for cyber that says, 'We're going to develop a system where we're not attacked.' I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway." [Emphasis ours.]

Example #3:  The commercial software industry has, of course, realized that the old idea of a perimeter defense is increasingly useless, and groups such as the Jericho Forum have been working on systems to protect data, rather than network boundaries, for many years. Such principles might be antithetical to the military mind, but Dr. Kaigham Gabriel, current head of DARPA, said that the cost of perimeter control would be huge and most likely ineffective anyway. [Emphasis ours.]

The question, however, is what to do.  For more on that, read our blog.

March 15, 2012
 31% of Web Traffic is Automated and Malicious

Incapsula published a great report breaking down the traffic of 1000 different websites.

Automated bad guy traffic:

  • 5% is hacking tools searching for an unpatched or new vulnerability in a web site.
  • 5% is scrapers.
  • 2% is automated comment spammers.
  • 19% is from “spies” collecting competitive intelligence.

Automated not-bad guy traffic:

  • 20% is from search engines - which is non-human traffic but benign.

Non-automated traffic:

  • 49% is from people browsing the Internet.

For more, you can find more details from Incapsula here.

Of course, when your site is under attack, the amount of traffic will go even higher.  We detail those numbers here.

*Updated: Blog entry updated to correct stats that were incorrectly reported in the original post.

 

March 13, 2012
 Rebalancing The Security Portfolio

Anyone attending this year’s RSA conference couldn’t help noticing one thing:  the security industry is awash in guilt over the failure to stop hackers.  RSA chairman Arthur Coviello said “security vendors and practitioners need to shift their strategies beyond signature and perimeter-based defenses and collaborate to develop and adopt new intelligence-based approaches to information security.”  And this mea culpa follows another one from McAfee, who wrote in an August 2011 report, “The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’”

One reason for the guilt trips?  The inadequacy of antivirus.  Today, the enterprise desktop security software spend is $3.4 billion worldwide. Consumers will spend even more — nearly $5 billion — on antivirus this year.  However, new virus detection remains quite low.  For example, one of the most prominent virus kits—the Blackhole Exploit—was missed by 30% of antivirus packages.  In other words, out of nearly $8B in spend, at most around $2.4B is spent with some efficacy—but $5.6 billion isn’t.  That’s a lot of wasted money.

As many of us in security know, evading antivirus is not complicated.  In fact, virus evasion is a growing industry unto itself.  In 2010, the Verizon Data Breach report observed, “This year nearly two-thirds of malware investigated in the Verizon caseload was customized—the highest we have ever seen.”  Translation:  malware/virus writers know that evasion is the name of the game.  (For more on this, see my colleague Noa Bar Yosef’s detailed, excellent explanation in an SC Magazine column.)  The individual behind RankMyHack.com had this interesting perspective on antivirus—from a hacker (!):

The big money comes from silent espionage, viruses that do NOTHING but silently record your keystrokes and send them to a remote location, or viruses that in one blast steal all the information stored in your browser cookies.

To be clear, antivirus is needed.  But the important thing is to stop wasting so much time and—more importantly—money on products whose rate of return is so poor.  

[Image: Eggs]

So what should companies and consumers do?  Rebalance their portfolios.  In finance, when stocks over- or under-perform, you dump them for other investments to adjust your risk.  Today, antivirus is an underperforming asset that deserves rebalancing.   We can’t speak for everyone, but we see more customers operating on the assumption that antivirus will fail.  One of our customers relies on database security controls to monitor and block aberrant access to sensitive data (e.g., malware accesses databases at inhuman speeds, so that should be blocked).  How many more such companies exist?  Not sure.  But it’s a safe bet that their numbers increase daily.

What if companies took some of the billions spent on antivirus and put it towards employee education? Companies could also consider newer technologies.  Our report on Anonymous highlighted the successful role a web application firewall played in thwarting data theft and DDoS.  What if just a small fraction of companies with transactional websites rebalanced a portion of security spend on WAFs to minimize data breaches?  (Yes, I work for a WAF vendor but I don’t need to visit a confessional having made the previous statement).

The security industry—companies and analysts—prefers inertia, keeping antivirus spend exactly where it is.  But their motivations aren’t sinister.  It’s much more complicated than that.

In 2010, Harvard Business School professor Richard Tedlow published a book, Denial, about companies who fail to see critical shifts in their markets. In it, he explains that “Denial is more endemic to older firms because it so often results from stubborn adherence to a once-accurate perception of reality that has gradually become obsolete. In the words of John Kenneth Galbraith, one's view of the world ‘remains with the comfortable and the familiar, while the world moves on.’”  One security analyst gives us a perfect illustration:

Yes, we need new layers of defense but we would be well served to take better advantage of the technologies already in place before running for the new security thing.

Meanwhile, the world moves on.  Our Anonymous report explained how hacktivists don’t rely on malware.  Nonetheless, I was criticized for “hyperbole” when I called antivirus “useless.”  In the case of hacktivism, however, antivirus is useless.  As we point out in the report, hacktivists merely mimic the approach deployed by for-profit hackers.  And when it comes to private hackers and malware, the 2010 Verizon report explained how customized evasion has been commoditized and become “more accessible to an ever-increasing pool of criminals by an extensive ‘malware-as-a-service’ market. We find it hard to foresee anything but trouble here for the good guys.”  [Emphasis mine.]

What we are seeing reminds me of Keith Richards during the height of his drug addiction: “I've never had a problem with drugs. I've had problems with the police.”

[Image: Keef]

Tedlow’s book details denial with mostly “old school” companies, such as Sears.  Denial in the security industry, however, is exponentially more complicated.  Sears only had to deal with fickle consumers.  In security, in addition to buyers, we must throw adversaries into the mix who are—by definition—early adopters and innovators.  This dynamic makes any stock volatility look downright docile. 

If our stocks performed this badly, financial advisors would be lightning quick to suggest shifting investments.  

Time to rebalance your software security portfolio.

March 08, 2012
 Lulzsec Arrests: Essential Reading

Tons of news with the Lulzsec arrests.  Which articles should be read?  We've assembled a reader's guide of our favorites.  The criteria?  They are educational, illuminating or just plain funny.

Here are the top reads:

#1:  Alleged Stratfor hacker no stranger to law enforcement

Source:  Network World  

Why is it worth a read?  This story is about arrested Lulzsec hacker Jeremy Hammond.  

The best line?

Hammond also is a freegan, an individual who reclaims and eats food that has been discarded by others, as part of an anti-consumerist movement. "Dumpster diving is all good I'm a freegan goddess," he says in one online chat conversation with another alleged hacker. Federal agents conducting surveillance on Hammond reported seeing him going into dumpsters for food.

I had no idea freegans even existed.  Here's a great overview from Bloomberg.


#2:  The one tiny slip that put LulzSec chief Sabu in the FBI's pocket

Source: The Register

Why is it worth a read?  Great overview of how Sabu was found by the FBI.

The best line?

"They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address," Graham claims. "This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know."


#3:  Stop calling Anonymous activists!

Source: Kings of War (a blog)

Why is it worth a read?  Great perspective on what truly drives hacktivism.

The best line?

The anonymity of the groups not only hampers on their political accountability but also blurs any of their messages, as one cannot judge their motives. In other words, they lack transparency as much as their targets allegedly do.

So, in the end, one should be careful about not giving too much credit for such actions. Anonymous seeks to achieve more personal fame and maybe the media shouldn’t give in to that. Recently, Cyberwarnews.com released an interview of a hacker that allegedly defaced '80 Brazilian Government sites’. Hacktivism, again? The hacker was 13 (this should already cast a doubt about his political judgement). When asked about his motives for hacking, he answered: ‘I hack to take part in the latest operations and to get better at hacking’. How can we know that Anonymous has not got exactly the same strong sense of political action to help the larger community? (sic)


#4:  Hackers Arrested as One Turns Witness

Source: Wall Street Journal

Why is it worth a read?  Best overview of the entire Lulzsec crowd and history of the hacking spree.

The best line?

Louis Monsegur, a family member of the man accused of being Sabu, said Tuesday his relative was "into computers" from a young age, but that he was surprised by the breadth of the allegations against him. "I never knew the kid was into stuff like that," he said of Hector. "He's a smart kid."


#5:  Disillusioned ex-Anonymous first outed Sabu last year

Source:  CNET

Why is it worth a read? Another good read on the role of understanding IP addresses when it comes to identifying hackers.

The best line?

It was February 2011 when she and her partners at Backtrace Security compiled a list of identities they believed were tied to the hacker handles associated with the HBGary Federal hack and others. Her break with discovering Sabu's identity came to her from a friend in the group in the form of log files from an Internet Relay Chat room in which Sabu and other LulzSec members discussed the HBGary Federal compromise, she said. One of the log files contained a domain that led to a subdomain that had a mirror to a page where Monsegur posted photos and video of his beloved Toyota AE86 on a car enthusiast social-networking site. That led to a YouTube video that had information that allowed Emick to eventually find Monsegur's Facebook page using a Google search.

#6:  What Do the LulzSec Arrests Mean for Anonymous?

Source:  New York Times

Why is it worth a read? Good perspective on the impact the arrests will have on Anonymous.

The best line?

It will be difficult for Anons to work collaboratively now that their ranks are undoubtedly infiltrated by feds, security contractors and rival hackers.


February 28, 2012
 How NOT to Stop An Anonymous Attack

In Forbes, an article recently appeared, Anonymous is winning its war on Internet infrastructure. By contrast, our report on Anonymous put forward something a little more hopeful, highlighting a breach attempt that wasn’t successful using a web application firewall.

Down below in this blog you’ll find a partial list of Anonymous victims--some attacks successful, some not.  It’s a long list. How many of these organizations have anti-virus, IPS and so-called Next Generation Firewalls (NGFW)?   Why are the attacks successful when these technologies claim to prevent them?  It is probably a safe bet to assume that many of the companies listed below had IPS, NGFW and anti-virus.  So why did these defenses fail?

First, anti-virus is completely useless.  As mentioned in our report, Anonymous mimics for-profit methods of hacking.  But there are some key exceptions, notably there was no reliance on malware as well as no phishing or spear phishing.  This means anti-virus is totally irrelevant.

Second, what about IPS and NGFW vendors who claim to protect applications?  Fundamentally, network-based technologies can’t be effective when it comes to protecting an application.  Don’t confuse “application aware” with actual application protection.  Application aware simply means "I know we are using Application X."  But it knows nothing about how the application works, which is what putting an effective defense in place requires.  Here’s one (important) illustration:  how do you protect web applications that contain thousands of URLs, each with dozens or hundreds of input parameters?  IPS may require an equal number of mitigation rules or policies when integrating with scanners, making their management very cumbersome if not impossible.  The impact of that approach:  a very high number of false negatives.  Web application firewalls (like ours) offer simpler built-in protection of the entire application through the combined use of positive and negative security models. By learning application usage, WAFs know what characters are allowed and supported in every parameter and URL across the application.
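As an added example (not Imperva's WAF code), a small Python sketch of the positive security model described above: a profile of the allowed character class and maximum length of every parameter on every URL is learned from constructed sample traffic, and later requests are checked against it. The URLs, parameters and request lines are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Character classes ordered from most to least restrictive; a learned
# parameter is tagged with the most permissive class seen during learning.
CHAR_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum_space", re.compile(r"^[A-Za-z0-9 ]+$")),
    ("any", re.compile(r"^.*$", re.S)),
]

# Constructed learning-phase traffic (sample, not real logs): the requests
# a WAF would observe from legitimate users while profiling the application.
LEARNING_TRAFFIC = [
    "GET /profile.php?id=1042&tab=photos",
    "GET /profile.php?id=57&tab=about",
    "GET /search.php?q=army+pilot&page=2",
    "GET /search.php?q=navy&page=1",
]


def _rank(value: str) -> int:
    """Index of the most restrictive class that matches the value."""
    for i, (_, pattern) in enumerate(CHAR_CLASSES):
        if pattern.match(value):
            return i
    return len(CHAR_CLASSES) - 1


def _parse(request_line: str):
    method, target = request_line.split(" ", 1)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn_profile(requests):
    """Build the positive model: per URL, per parameter, the widest
    character class and the longest value observed."""
    profile = {}
    for line in requests:
        _, path, params = _parse(line)
        url_profile = profile.setdefault(path, {})
        for name, value in params:
            entry = url_profile.setdefault(name, {"rank": 0, "max_len": 0})
            entry["rank"] = max(entry["rank"], _rank(value))
            entry["max_len"] = max(entry["max_len"], len(value))
    return profile


def check_request(profile, request_line, length_slack=2):
    """Return a list of violations; an empty list means the request fits
    the learned model. The length limit is the learned maximum times a
    slack factor so slightly longer legitimate values are not rejected."""
    violations = []
    _, path, params = _parse(request_line)
    url_profile = profile.get(path)
    if url_profile is None:
        return [f"unknown URL {path}"]
    for name, value in params:
        entry = url_profile.get(name)
        if entry is None:
            violations.append(f"{path}: unknown parameter {name}")
            continue
        allowed = CHAR_CLASSES[entry["rank"]][0]
        if _rank(value) > entry["rank"]:
            violations.append(
                f"{path}: parameter {name} outside learned class {allowed}")
        if len(value) > entry["max_len"] * length_slack:
            violations.append(f"{path}: parameter {name} exceeds learned length")
    return violations


PROFILE = learn_profile(LEARNING_TRAFFIC)
```

A real WAF learns far more (HTTP methods, cookies, headers, expected parameter presence) and degrades the profile gracefully as the application changes; this sketch shows only the core idea of why a quote or equals sign in a numeric parameter is caught without any signature for that particular attack.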

Recently, some IPS/NGFW vendors have claimed that by integrating with vulnerability scanners (like Nikto), you’re left sitting pretty.  Not so.  Why?  Integrating the two technologies has several issues:

  • You only protect vulnerabilities you know about which leaves out anything the scanner did not know about.
  • You are not aware of attacks accumulating in parts of the application that were not found to be vulnerable.
  • You are not protected against attacks published after the scan.
  • You are not protecting resources introduced (or changed) after the scan.

Once again, you’re left holding a big basket of false negatives.


Partial List of Anonymous Targets

  • Amazon
  • AU Department of Communications
  • AU House of Parliament
  • Austria Federal Chancellor
  • Austria Ministry of Economy
  • Austria Ministry of Internal Affairs
  • Austria Ministry of Justice
  • Banco de Brazil
  • Bay Area Rapid Transit
  • BMI
  • Caixa
  • Catholic Diocese of Orlando
  • Church of Scientology
  • CIA
  • Citibank
  • Egyptian Government
  • Egyptian National Democratic Party
  • FBI
  • Fine Gael
  • French Presidential Site
  • Greek Department of Justice
  • HADOPI
  • HBGary Federal
  • Irish Department of Finance
  • Irish Department of Justice
  • Itau
  • Malaysian Government
  • Mastercard
  • Mexican Chamber of Deputies
  • Mexican Interior Ministry
  • Mexican Senate
  • MPAA
  • Muslim Brotherhood
  • New Zealand Parliament
  • Office of the AU Prime Minister
  • Orlando Chamber of Commerce
  • PayPal
  • Polish Government
  • Polish Internal Security Agency
  • Polish Ministry of Culture
  • Polish Ministry of Foreign Affairs
  • Polish Police
  • Polish President
  • Polish Prime Minister
  • RIAA
  • Rotary Club of Orlando
  • Slovenia NLB
  • SOHH
  • Sony
  • Spanish Police
  • Swiss bank PostFinance
  • Syrian Central Bank
  • Syrian Defense Ministry
  • Syrian Ministry of Presidential Affairs
  • Tunisia Government
  • UMG
  • US Copyright Office
  • US Department of Justice
  • US Senate
  • Various Pornography sites
  • Visa
  • Warner Brothers
  • Zimbabwe Government

February 26, 2012
 Anonymous Attack Graphic


Below you'll find a graphical summary describing the attack sequence used by Anonymous in the attack we recorded.  

To view the full report, please click on this link to download the PDF (no registration required).

Click image below to BIGGIFY:

[Image: AnonymousGraphic]



February 22, 2012
 Porn Site Login Credentials Breached

Forbes reports that YouPorn was breached.  In all, 6,433 credentials (each comprising an email and password) were breached and posted online.  No word on the motivation behind the breach.

However, there are some possibilities:

  • Free stuff?  They wanted access to free "content."  Reasonable possibility.
  • Altruism?  On Valentine's Day, a hacker announced he had breached a porn site.  "The hacker said he was motivated by the desire to highlight a security vulnerability on the adult site, rather than anything overtly political. He did, however, claim allegiance to hacktivist collective Anonymous in an email exchange with AP."  Not likely.
  • Mob war?  Could it be that there was a war of porn platforms or the closure of some sites? Probably the least likely and we have no evidence, but such theories are fun to think about.

On a different note, eyeballing the 6,433 credentials, it's interesting to see that many users had the good sense to use emails that didn't give or indicate their actual names.  Certainly some did and are probably being ridiculed by co-workers as you read this.  Porn surfers, it seems, may be fairly sophisticated when it comes to protecting their identities.

February 09, 2012
 Cyber Security Tax Breaks?

Apparently, legislators in DC are considering tax breaks for bolstering cyber security.

Does this make sense?  Probably not.

In the physical world, tax incentives help businesses compensate for investment deficiencies.  For example, a business may hire extra employees in response to a tax break.  The result, hopefully, is a decline in unemployment.  Theoretically, business lowers its costs, government reaps higher revenue from lower unemployment and society doesn’t need to deal with the social strain posed by people not having jobs.

The issue with cyber security tax breaks is this:  if enterprises make the wrong investments and a breach occurs, business, government and society all fail to benefit.  Today, businesses spend billions on cyber security and breaches continue to occur daily.  Companies already spend a lot on security—but are they spending on the right things?  With a tax break, the only difference is that taxpayers will indirectly foot the bill.

How could a tax break make sense?  If legislators mirrored a prescriptive approach, such as what PCI pushes, then we could expect to see cyber security spending go in the right direction and witness a drop in breaches.