BreachExchange mailing list archives
You think you've nothing to steal? Hackers don't agree.
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 31 Mar 2015 19:53:03 -0600
http://www.scmagazineuk.com/you-think-youve-nothing-to-steal-hackers-dont-agree/article/403083/

The value to hackers of any single website is not widely understood. The information security and hacking industries both follow the basic laws of human behaviour, and the latter exploits common human weaknesses such as laziness or negligence. With Heartbleed the human factor was much more critical than any technological flaw. Very few hosting companies and data centres patched their systems in the 24 hours after the patch became available, assuming that nobody would bother to exploit the vulnerability and break into their servers. But they did.

When a global vulnerability becomes public, hundreds of hacking teams around the world immediately start exploiting it in automated or semi-automated mode, while IT teams are usually focusing on other tasks and ignoring the flaw. Thousands of crawlers and auto-exploit bots constantly browse the web looking for easy targets. Hackers usually don't target any particular system or company; they simply try to compromise and backdoor as many large systems as they can, though systems holding large amounts of personal data and credentials are the most attractive targets. Such systems may be web hosting control centres that customers use to manage their accounts, websites, personal clouds and emails.

A compromised hosting company can be very valuable to hackers. First they will dump the database of logins and passwords for all customer accounts. The more data they have, the more money they will make in the future. Usually, after a database is stolen, it is sold on to numerous teams and individuals specialised in collecting and re-selling Big Data on the Black Market. These people know whose data is valuable to which customers, from the mafia to governmental entities, something that 'technical' hackers usually neither know nor want to deal with.
In addition to the obvious ways of exploiting stolen data, such as credit cards, there are many risks that people simply do not realise. Once cyber-criminals get access to your account at a hosting company, they can do plenty of nasty things. The most frequent problems are password re-use and the professional use of a personal email account. If you work in a large company, hackers will search your inbox for work emails that may help them get into your company's network. Network administrators often send highly sensitive data, such as corporate credentials or VPN access details, to colleagues' personal email addresses just because it is easier or faster, or because a minor technical problem prevents them from transmitting the data securely. Corporate security policies cannot really prevent human negligence or laziness. Hillary Clinton recently used her personal email address for critical state communications, clearly demonstrating that even the most robust structures are often powerless against common human weaknesses.

Many people don't realise that their email account can be used for password recovery on numerous other accounts (e.g. e-banking or social networks). Web services still often send user credentials to their customers in plain text via email, and people don't think to remove such emails from their inboxes. A simple email address can be an Ali Baba's cave for hackers, who can directly or indirectly access gigabytes of valuable information from your inbox to sell on the Black Market.

Your website, even if it's a small personal blog, may also represent high value for hackers. If there are important people in your business or personal environment (e.g. customers, partners, friends), your website combined with your email address provides a perfect attack vector. An email is sent from your address to a VIP target, suggesting that they open a legitimate-looking URL on your website.
Hackers will host an exploit pack at that URL, so once the victim opens your website it will try to exploit one of the numerous vulnerabilities in their web browser, Adobe or Java, and execute malicious code that installs a sophisticated backdoor on the victim's system. Such an approach is much cheaper, faster and more reliable than targeting the victim's corporate network, which may be very well protected and thus expensive to hack. You will probably not even notice that anything is going on, nor will your hosting company. You and your data can easily become a pawn in someone else's big game without your knowledge.

Globalisation, cloud technologies and outsourcing have scattered everyone's data across hundreds of different systems, and thus made your systems, your mailbox and your website very attractive targets for hackers. And if it's easier for hackers to compromise you than somebody else to get what they are looking for, they'll soon come and take what they need. If they haven't done so already.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com