Five Steps To Help Repel The Lulz

Published: 22/11/2024   Category: security




Targeted attacks are a reality today, especially with the likes of hacktivist groups such as Anonymous



Face it: There's no way to stop a determined hacker, even if you're a security firm. This year's wave of attacks by Anonymous, spin-off LulzSec, and other indie hackers in the AntiSec movement of exposing security flaws and dumping exposed data, email spools, and other sensitive information has made that point loud and clear.
"The HBGary hack was the turning point for me," says Paul Henry, forensics and security analyst for Lumension. "That definitely got my attention: It showed me that anybody connected to the Net is a potential victim."
Karim Hijazi, whose security start-up was targeted by the now-defunct LulzSec in late May, says there's really no way to avoid being targeted by these types of attacks. "Considering the rampant nature of the attacks, unfortunately I am not sure anyone is technically off-limits for this group. I mean, you have the CIA public-facing website DDoSed one day, and a gaming company the next -- not exactly patterned," says Hijazi, who is CEO and president of Unveillance, which uses sinkhole servers to pose as botnet servers that capture communiques from orphaned bots.
"So that being said, it could be quite difficult to remove one's self from their radar. We certainly did quite the opposite, and I would urge others not to taunt them, per se," he says, referring to his firm's refusal to hand over botnet information, control, and money to the attackers. LulzSec retaliated by posting his email spools and other information online.
Members of LulzSec are also thought to have been behind the hack of HBGary Federal and, subsequently, HBGary proper's email spools, while the hackers were part of the larger Anonymous umbrella. That attack came in response to former HBGary Federal CEO Aaron Barr's research on unmasking members of the group.
Recently, leaked chat logs of conversations among LulzSec members have provided some insight into the types of attacks the group has used. Imperva, for example, analyzed the logs and concluded that the three main attack vectors used were remote-file include, SQL injection, and cross-site scripting (XSS) -- all common Web vulnerabilities. Google-hacking is another tool used by LulzSec members, according to researchers at Stach & Liu.
So what can you do to help defend against determined and inspired hackers like Anonymous and its followers? Here are some tips -- in no particular order -- from Unveillance's Hijazi and other security experts.
1. Go Google-hack yourself.
Turns out one of the first tools used by the LulzSec attackers was Google hacking, or Googling for vulnerabilities, such as SQL injection and remote-file include flaws on Web pages. Francis Brown, managing partner for Stach & Liu, has researched LulzSec's use of Google hacking, and says querying Google for vulnerabilities on websites was the first step in the group's recon efforts.
Most organizations don't bother to take that simple but often-revealing step. "We recommend you Google-hack yourself," Brown says. "Once you do that and find vulnerabilities, like some Cisco VPN configuration file, you have a flag in the sand going forward."
The Stach & Liu researchers offer free Google hacking tools, and Brown says he and fellow researcher Rob Ragan plan to release more Google-hacking tools for defensive purposes at the upcoming Black Hat USA conference in Las Vegas next month. "One of our largest Fortune 100 companies plugs them in, and using Google alerts and Bing RSS feeds, from now on, if Google ever indexes matches with these vulns, [the tools] send you real-time updates," Brown says. "It's an IDS, if you will, for Google hacking."
Among the new tools they will release are versions for Android and iPhones. "So if one of the so-called Diggity Hacking tools sees a SQL file with 300,000 of your organization's passwords indexed on Google, it sends you an alert," he says.
"You could have a whole host of traditional vulnerabilities. You don't want other people to find them so easily via Google because Google is kind enough to index all of your vulnerabilities for you," he says.
2. Use and enforce strong passwords and multifactor authentication.
Passwords are a pain, but they remain a reality for most organizations. Using the same password for more than one user account gives hackers a bonus and yet another venue to expose your email or other information.
Lumension's Henry has adopted an extreme password security strategy since the HBGary hack. "Here's what I did: I went through each and every online account I have, and changed my password for each, with a mix of upper- and lowercase letters, numbers, and symbols. They average 12 to 16 characters in length," he says. He also updates them every 30 days.
"I know this is extreme, but it's something I had to do," Henry says.
Of course, the trade-off of complex, unique passwords is that they are difficult, if not impossible, to remember. "So I've written them down in an order only I know and keep them on a laminated card in my wallet," he says.
He also uses phony answers to those secret questions for authenticating users online. "I have separate answers to secret questions from my primary accounts. My birthday is wrong, my mother's maiden name is wrong, etc.," he says, to further lock down his online accounts.
Steve Vinsik, vice president of global security solutions at Unisys, also suggests complex passwords for each account, and changing them up every 30 days. He also recommends multiple factors of authentication, not just the standard username and password: "Admin and other accounts with access to sensitive data should use second factors like biometrics," he says.
Multifactor authentication is gradually becoming a more realistic option for most organizations, Unveillance's Hijazi says. "Multifactor authentication is becoming an increasingly obvious facet to a security operation no matter how small you might be," Hijazi says.
3. Eliminate SQL injection, XSS, other common website flaws.
Aside from Google-hacking for your vulnerabilities, vulnerability scans and assessments of your website and apps can go a long way in keeping some hackers out. Common, simple-to-exploit bugs like SQL injection and XSS are some of the first things LulzSec and other attackers look for in order to get a foot in the door of their targets.
Conduct penetration tests on your network to pinpoint holes as well -- and be sure to remediate them, Unisys' Vinsik suggests.
"If you are an organization with a substantial Web presence, it would behoove you to confirm your Web applications have been thoroughly checked for vulnerabilities -- specifically SQL injection in the case of LulzSec. In many cases, a good SDLC [software development lifecycle] program during development will find most bugs, but it never hurts to keep up to date on new patches or updates on your LAMP stack or Windows server environment," Unveillance's Hijazi says.
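The two bug classes this step names, SQL injection and XSS, both come down to untrusted input being interpolated into a query or a page as if it were code. The following is an added example, not code from the article or from any of the firms quoted in it: a constructed in-memory SQLite user table is queried first with string formatting (the injectable form) and then with a bound parameter, and a display name is rendered into HTML first raw and then through `html.escape`. The table contents, the function names and the probe strings are all assumptions made for the demonstration.

```python
import html
import sqlite3

# Constructed in-memory database standing in for a site's user table.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.org"), ("bob", "bob@example.org")],
)
_conn.commit()


def lookup_vulnerable(username):
    """Builds the WHERE clause with string formatting: the SQL injection bug.

    A value containing a quote character changes the structure of the query,
    so the database executes attacker-controlled SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return _conn.execute(sql).fetchall()


def lookup_hardened(username):
    """Passes the value as a bound parameter.

    The driver sends the SQL text and the value separately; the value is
    never parsed as SQL, so quotes inside it are just data.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return _conn.execute(sql, (username,)).fetchall()


def render_vulnerable(display_name):
    """Interpolates untrusted text straight into HTML: reflected XSS."""
    return "<p>Welcome, %s</p>" % display_name


def render_hardened(display_name):
    """Escapes &, <, >, \" and ' so the browser treats the text as text."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    # A classic tautology probe: the formatted query returns every row,
    # the parameterized query matches no user of that (literal) name.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(probe))
    print("hardened:  ", lookup_hardened(probe))
    tag = "<script>alert(1)</script>"
    print(render_vulnerable(tag))
    print(render_hardened(tag))
```

The same two fixes apply regardless of stack: every database driver on a LAMP or Windows stack supports bound parameters, and every templating engine ships an HTML escaper, so the remediation is to make the parameterized query and the escaped output the default path rather than something each developer remembers to do.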
4. Have a third party host your website.
Theres no way to actually prevent a major distributed denial-of-service attack (DDoS), but there are some methods of mitigating one, such as tarpitting or forcing the DDoS bots to send less traffic and blocking offending IPs. But most organizations just dont have the equipment and resources to fend off a DDoS.
"Denial-of-service attacks are notoriously hard to deal with, no matter how prepared you might be," Unveillance's Hijazi says. "Public-facing websites are, and will probably always be, subject to those types of attacks in that they are freely available for anyone to access. It is a juvenile form of attack, but to the layperson, it can be impacting. I know that a number of civilians found the attack on the Senate and CIA websites very disconcerting, as it was symbolic to them of a failure or indicative of unpreparedness."
"I can't say I have too much advice for organizations looking to defend against that type of threat -- look at the stature and capabilities of the victims so far," he says. "It may simply be a weathering of the storm approach at best for most."
Another option is to farm out your public-facing website to a third party. That's what Lumension's Henry did. After hosting his blog on his own server for several years, he recently enlisted a third-party hosting provider to run it. "If someone attacked it, they would only get to the party hosting it, not to my internal network," Henry says. He uses an alert system to notify him if any content changes, and he hashes any file updates to it, he says.
Third-party hosting providers are likely better equipped to help fend off DDoS attacks than a small to midsize business, and even some large businesses.
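Henry's content-change alerting, hashing files and flagging anything that differs, is the same idea as a file integrity monitor over the site's document root. The block below is an added example, not Henry's or Lumension's tooling: it snapshots every file under a directory to its SHA-256 digest, diffs two snapshots into added, removed and modified paths, and runs the whole thing against a constructed temporary site in which one page is edited and one unexpected file appears. The directory layout and file contents are invented for the demonstration; in practice the baseline would be stored off the web host and the diff run on a schedule or from a deploy hook.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (as a path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                # Hash in chunks so large assets do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify paths as added, removed, or modified between two snapshots."""
    old_paths, new_paths = set(baseline), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a tiny site, a baseline, then an unauthorized change."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "css"))
        with open(os.path.join(site, "index.html"), "w") as fh:
            fh.write("<h1>Hello</h1>\n")
        with open(os.path.join(site, "css", "main.css"), "w") as fh:
            fh.write("body { color: black; }\n")
        baseline = snapshot(site)

        # Simulate an edit to a page plus a file that was never deployed.
        with open(os.path.join(site, "index.html"), "w") as fh:
            fh.write("<h1>Changed</h1>\n")
        with open(os.path.join(site, "extra.html"), "w") as fh:
            fh.write("<p>unexpected</p>\n")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print("%-8s %s" % (kind, path))
```

The alert condition is simply a non-empty report: anything added, removed or modified outside a known deploy is worth a notification, and keeping the baseline off the hosted server means an attacker who alters the site cannot also quietly rewrite the reference hashes.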
5. Archive your older emails offline.
All of Henry's emails that are more than 30 days old get moved to an offline archive now. That approach can work for some organizations.
"If you can afford to simply delete your email once you have finished reading it or taking it offline, that would be another form of securing yourself," Unveillance's Hijazi says.
Henry says he just searches his old email from a machine that stores the archives. "I'd rather not have a year or more's worth of email online," he says.
For organizations such as law firms that need more than 30 days' worth of email to work on their cases, for example, he recommends keeping emails for only 90 days. That's what Lumension did for a law firm client. "One of the principals at the firm had over four years of email literally accessible from the Internet," he says. Now they archive and remove mail from the server every 90 days, and it's stored where it's not reachable from the Internet, only from the intranet.