NBS System: Cybersecurity, an unknown and underestimated stake
February 2015 by NBS System
With the events of early 2015, cybersecurity has become a subject many people talk about. However, the vast majority of companies do not know the extent of the risks related to their website’s security.
They do not know, strictly speaking, what the word “hacking” actually covers. Many of them wrongly imagine that they are safe because their website is not famous or does not contain sensitive data…
But what people have to understand is that security affects everybody and that attacks do not only happen to others. While some attacks are targeted (such as the one on Sony in 2014), most pirates act for purely opportunistic reasons.
The following analogy can be made: the Internet is a huge parking lot where every website is a car. Ill-intentioned people need only walk among them and try the doors in order to find one that is not locked, and steal it. Few of them will use tools to target a specific car; they do not need technical knowledge to try and open doors. They will steal every open car they find, whatever the brand or price.
Hackers work in the same way. They will go through every website hoping to find a vulnerability in one of them, and use it.
They do not necessarily need technical skills.
Several tools (legal or not) enable them to scan the web and detect vulnerabilities very easily.
They aim very widely, to make sure they hit as many targets as possible.
That is why the size or fame of the website does not matter much; if there is a vulnerability on your website, it will be hacked one day or another.
It is important for companies to realize that one can never guarantee 100% the security of one’s website, and even less the quality of one’s code. Even if the code is written by very gifted professionals, they are rarely security experts and remain, in spite of everything, humans: fallible beings. Thus, one must stay humble; there is no perfect code, and every developer is doomed to make mistakes. For instance, in 1996, the Ariane rocket exploded during its flight because of a programming error, i.e. a coding error. This is the proof that even the ESA (European Space Agency), whose members are among the very best in the world, is not infallible. Can your developer claim to have the same skills?
Today on the Internet there are millions, maybe billions, of undiscovered vulnerabilities; it is a certainty! One or many of them might be on your website or on one of those you visit regularly. What is at stake here is thus to become aware of this situation, and to protect oneself in order to avoid attacks which, we point out again, can hit any kind of website and have major repercussions on the image of a company and its profits.
1. Hacking: how does it work?
It can be very easy to access the data of a website through a vulnerability. But accessing the data means accessing the server hosting the website, that is, the machine containing all the information and resources used to make the website work. There are many ways to achieve this; here, we will detail one of them, a very simple one, called identifier enumeration.
Let us imagine the website “http://www.mywebsite.com”, that of an insurance company. In order to use the interface, the visitor must log in and create an account containing his or her information (name, surname, address…). The database will then give this account an identifier, for instance 12345678.
Once logged in, if the visitor wishes to modify his or her address after a move, he or she will go to the account’s settings page. In many cases, perhaps yours, the website will put the client’s identifier in its URL: http://www.mywebsite.com/settings?i...
Let us now imagine that the visitor is a hacker. Thanks to the presence of the identifier in the URL, he will find on this page only the information about himself; he will then understand that the process is the same for the other users. If he changes the identifier in the address bar, by turning the 8 into a 9 for instance, and if the source code of the website contains a vulnerability and does not block his request, then he will have access to information about the account corresponding to the identifier 12345679.
But if he has access to this account, this means that he potentially has access to all other accounts and, consequently, to the entire database. With only the address bar, it is thus possible to access a server and bypass its security. It can be as simple as that. A teen, today, can have enough skills to set up this attack! Several tutorials are even available on YouTube, allowing anyone to acquire the basic knowledge necessary to set up such simple attacks.
[Figure: results for a YouTube search such as “hack a website”]
Numerous more complex techniques exist; the one described above is only one of several trivial methods within everyone’s reach.
It is important to understand this because once the pirate has access to the machine, he can escalate his privileges and obtain as much power as an administrator. It means that he can literally do anything he wants with the information and resources at his disposal. There are many kinds of attacks, each one with different goals and impacts, but with serious consequences every time.
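The identifier enumeration flaw described in this section and its correction, as an added example (not code from the original article or from NBS System). The account data, function names and in-memory session store are constructed for illustration; the handlers return an HTTP-style status code and the account record.

```python
import secrets

# Constructed sample data standing in for the insurer's account table.
ACCOUNTS = {
    12345678: {"name": "Alice Martin", "address": "1 rue A, Paris"},
    12345679: {"name": "Bob Durand", "address": "2 rue B, Lyon"},
}
SESSIONS = {}  # server-side store: opaque session token -> account id

def login(account_id):
    """Simulate a successful login; return an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token

def settings_vulnerable(token, requested_id):
    """Flawed handler: checks the visitor is logged in, then trusts the URL id."""
    if token not in SESSIONS:
        return 401, None
    # Flaw: nothing ties requested_id to the logged-in account.
    account = ACCOUNTS.get(requested_id)
    return (200, account) if account else (404, None)

def settings_hardened(token, requested_id, audit):
    """Fixed handler: the account is derived from the session, not the URL."""
    owner_id = SESSIONS.get(token)
    if owner_id is None:
        return 401, None
    if requested_id != owner_id:
        # Same reply whether or not the other id exists, so the response
        # reveals nothing; the mismatch is logged for detection.
        audit.append({"owner": owner_id, "requested": requested_id})
        return 404, None
    return 200, ACCOUNTS[owner_id]

def foreign_ids_requested(audit, owner_id):
    """Detection: number of distinct foreign ids one account has asked for."""
    return len({e["requested"] for e in audit if e["owner"] == owner_id})

if __name__ == "__main__":
    audit = []
    token = login(12345678)
    print(settings_vulnerable(token, 12345679))       # returns the other account
    print(settings_hardened(token, 12345679, audit))  # (404, None)
    print(settings_hardened(token, 12345678, audit))  # the visitor's own account
    print(foreign_ids_requested(audit, 12345678))     # 1
```

A steadily growing count from foreign_ids_requested for a single account is the signature of the enumeration described above and is worth alerting on.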
2. Different kinds of attacks
2.1. Website defacement
It is the most visible kind of attack, even if it is technically the least dangerous. The defacement of a website consists in modifying one or several of its pages, for instance the homepage, and replacing it with an image, some text… These attacks are quite simple to set up and do not require great technical skill. Hackers simply use a tool that scans websites, one by one, and detects vulnerabilities in order to crudely exploit them.
Generally speaking, the replacement page used during the attack contains the name of the hacker, and a message. Indeed, with these defacements, hackers seek only visibility. They wish to broadcast a message, usually a political one, or seek recognition. More than 20.000 websites got hacked this way during the OpFrance operation. It started on January 18th, but to this day some of the affected websites are still down.
Even if these attacks are not dangerous in the long term, they have a huge impact in terms of image for the attacked website.
2.2. Exploitation of resources
The attacks we will describe in this paragraph and the following ones are much more dangerous, especially because they are not easily noticed by the attacked website. If you are under attack, in 90% of cases you will only know it because a third party tells you (source: 2012 Data Breach Investigations Report, Verizon, 2012): either the authorities or a client, partner or supplier who has been an indirect victim of the attack. It usually leads to an enormous drop in confidence toward the company. It is incidentally one of the reasons why more than half of the attacks are not discovered for months (source: 2012 Data Breach Investigations Report, Verizon, 2012).
In the case of the exploitation of a website’s resources, the title says it all. The hacker, having gained access to the website’s server, will use the resources of the targeted machine (processor, memory, bandwidth) for his own purposes. This way, he can stay anonymous and shield himself from legal risks, since it is the hacked website that will be legally responsible for the actions carried out with its resources.
As it happens, the hacker will often sell them for many uses: spamming, DoS (Denial of Service) attacks, data decipherment and ghost shops.
One must know that each machine has a specific IP address, which is linked to the website(s) hosted on it. When too many emails are sent from a machine, it is labelled as malicious and its emails are blocked. Spam emails sent from the IP address of a hacked website will go out without being blocked. Hence, using the IP address of another machine by buying its resources is a way to bypass this blocking, until the hacked machine(s) also come(s) to be considered malicious… If it happens to you, you will no longer be able to send emails from your domain name or your IP address. Your host may also close your account. Moreover, legally, in France spamming can be punished with 5 years of prison and a 300.000 € fine.
In the case of DoS attacks, the use of an infected machine keeps the person who ordered the DoS against a third party anonymous, or multiplies the power of the attack by adding the resources of one or many other computers. Here, the goal is purely financial. There again, legal sanctions are significant: according to article 323-2 of the French Penal Code, “the fact of hampering or falsifying the functioning of an automated data treatment system is punished by 5 years of prison and a 75.000€ fine”.
2.2.3. Data or password deciphering
It is also possible to use the resources of the infected server as computing power in order to guess passwords or decipher data, through the “brute force” method. It consists in having a machine test all possible combinations until it finds the right one. The more machines there are, the greater the resources, and so the shorter the time needed. Here, the goal is mainly the collection of data, which can be used or sold (this kind of attack will be treated later in the article). In these last three cases, the goal of the hacker is to take control of as many machines as possible, in order to make money out of these resources.
2.2.4. Ghost shops
Finally, some hackers create, on an e-commerce website, ghost shops for their own purposes. They actually create a new page, invisible to normal visitors and to the company, where they set up their shop, generally selling illegal or illegally acquired products. Thus, only the people who know it is there have access to this hidden shop, through the URL that they enter directly in the address bar. Here also, the goal is financial.
In any case, the owner of the hacked website is legally responsible, even if he or she knows nothing about what happens behind his or her back. It is very bad for the company’s image. To make it clearer, it is as if the owner of a luxury restaurant discovered a prostitution network in his cellar. Even if he did not know that his cellar was used in this way and that the organisers had had a key made, he would be legally responsible and his restaurant’s image would suffer. To a lesser extent, the use of a website’s resources by a hacker can also slow the website down, since it would have fewer resources at its disposal to serve its legitimate visitors. It can also have very significant consequences: a loss of credibility for an institutional website, a possible loss of clients for industrial companies, a potential loss of revenue for e-retailers (57% of online buyers will give up on a website on which they intend to buy something if the page takes more than 3 seconds to load).
2.3. Data and confidentiality attack
2.3.1. Website user attack
Once a hacker takes possession of a website, he can modify its source code. Thus, he can also add, in the source code, a “command” that causes malware or a virus to be loaded onto the devices of the website’s visitors (computer, tablet, smartphone…). This virus will allow the hacker to take control of these devices or steal their data. It is a good way for him to increase easily and quickly the number of machines under his control. There again, it gives a very bad image of the website, which will lose a lot of visitors, all the more so if it is one of them who reveals the attack after a fraudulent use of his data. Moreover, a search engine such as Google will identify the website as malicious and will act accordingly on its SEO. The search engine will warn visitors that the website might not be safe, or even not allow them to enter it if the connection is not safe.
2.3.2. Source code targeting
Before exploring the subject of database theft, let us stop at another, less well-known kind of theft: source code theft. Indeed, some websites contain sensitive or highly specialised source code that they do not wish to see revealed or used by a third party; it is indeed the theft of their expertise. A hacker can, for instance, create a copy of a website to use it for malicious purposes, simply mimic its page design… He will use quality code without paying the developer for the creation work, which can be very long. Even if this theft is not as serious as that of a set of credit card numbers, it is still important to note.
2.3.3. Database theft
One of the biggest fears of companies, and rightly so, is the theft of their database. An incredible amount of information can be gathered: name, surname, family information, name of the children and husband/wife, age, credit cards and ID numbers, shopping habits… That is what happened to the American insurance company Anthem Inc, according to a press release from February 4th, 2015: hackers collected the names, birth dates, social security numbers, addresses, phone numbers, emails and professional information of about 70 million clients. We regularly hear of this kind of attack; this is only the most recent officially disclosed one to date.
For instance, it is entirely possible to find out, via a reservation website, when a family goes on vacation, and to go and rob their house at the right time. This method is widely used at present, and such information can easily be bought from hackers. Actually, by putting several sources together, one can easily know anything about anyone.
Moreover, if a user logs in on a hacked website through a social network account (Facebook, Twitter…), the hacker will also have access to this account, on which he will be able to publish unapproved content.
Hackers can also usurp the identity of the people whose information is in the database. They can, for instance, send emails in their name to their friends and try to infect and take control of the latter’s machines. There is no limit to what a hacker in possession of this information can do. There again, it is the image of the website that is affected and, beyond it, the company’s. According to the French newspaper Les Echos, in France a company loses on average 4,5% of its clients when the news comes out that an incident involved its data.
2.4. Payment fraud
When a pirate controls a machine, he can put in a program that watches and records everything on the corresponding website. This program is invisible without a thorough analysis of the source code; it is thus entirely possible that one of them is already on your website this way. The hacker will have access to the identifiers and passwords of any client who logs in (which is also a data theft).
He can also take a commission on every transaction, or even redirect some payments to his own account instead of the one of the retailer; it is pure theft.
It is also possible to shoplift: the hacker will use a vulnerability to pay a price he has chosen himself instead of the one asked by the retailer. He will then be able to pay 1€ for a product that is worth 200€. The transaction being completed without any trouble because of the flaw, the e-retailer will receive a payment confirmation for 200€ and will realize the attack too late. A flaw of this kind involving PayPal payments on the Magento platform was incidentally revealed in 2012. This flaw has of course been corrected since.
The goal here is very clear: money. It is the easiest way for a hacker to earn some.
It is possible to go even further and not stop at actions targeting the website only. A hacker can easily reach the internal server of your company through that of your website. These are what we call rebound attacks. Actually, the internal server of your company is often linked to the server hosting the website via a VPN tunnel. It is a connection (physical or virtual) transmitting encrypted data, allowing the website to access information contained in the internal server (for instance, the client database). Companies think that the encryption of their data is enough to protect their Intranet, and that in the worst-case scenario only their website will be hacked.
But through many rebounds, it is completely possible to reach the internal server.
This risk is absolutely not hypothetical. For instance, in 2014 Target suffered a data theft impacting about 100 million clients, through its air conditioning supplier. Indeed, this supplier had access to the internal server of Target, to regulate the temperature of the offices; it was the pirate’s front door. Hackers seek all the information about the company, its clients, its offices, its employees…
It can even go as far as physical access to the company: beyond the sensitive and private data contained in the Intranet, a pirate may, for instance, obtain the encryption key of the office badges and create new ones, leave the doors open, block access for existing badges… It can also mean control of the internal network: takeover of the phone service, access to the company files (confidential, strategic, HR data…).
All these attacks and, generally speaking, the control by a pirate of the machine behind a website can cause a company to go bankrupt. That is what happened to MtGox, a Bitcoin exchange platform, after an IT attack caused the disappearance of 750.000 bitcoins belonging to clients and 100.000 bitcoins belonging to the company itself. It filed for bankruptcy in February 2014.
3. Solutions to protect your company
We hope this article made you understand that every company and every website is vulnerable to attacks, and that security is no longer a “bonus” to deal with later, but indeed an urgent necessity.
Thankfully, there are solutions to protect yourself from these attacks. Let us take the example of CerberHost, a solution developed by NBS System. It is a very high security private Cloud, composed of 8 layers of protection, both software and human, whose perimeter of protection extends from the website to the physical hardware, by way of the databases, the applications, the network… It guarantees a 99,9% IT security thanks to continuous improvement enabled by the R&D team. Indeed, these solutions must constantly adapt to take new attacks into account, in an ever-evolving context.
The aim, with this kind of solution, is to protect websites against all possible cases through optimal protection, and to make attacks too expensive, hard or complex, in order to discourage hackers and make them change their target. It is important to put your website in the hands of competent people, specialized in security, for your company’s and your clients’ sake.