eThreats: You’re Not as Safe as You Think

You eBay. They phish. You Google. They Google hack. You surf with free Wi-Fi. They shoulder surf, gleaning confidential information from your laptop.

It’s inevitable: As long as people use the Internet, others will think of new ways to exploit and profit from it. Somehow, they are able to defy technical security countermeasures,
even those that are perfectly applied.

That’s the nature of "eThreats," as explored in
eThreats and Countermeasures: Just When You Thought It Was Safe to Go Out (PDF, 3.1MB). This is the sixth of eight volumes in which CSC’s Leading Edge Forum
(LEF) examines digital trust, a strategy for enhancing business value while addressing information risks.


The report explores why large, successful enterprises continue to suffer attacks and breaches despite extensive investments in digital trust technologies. "Even when our digital trust dollars are spent ‘perfectly’ – we pass every audit, succeed at every development test, and eliminate all known vulnerabilities – ‘there’s nasty things wherever you look,’" says the report. It highlights four of the nastiest:

  • Cross-site scripting
  • Phishing
  • Public source information gathering (a.k.a. Google hacking)
  • No-tech hacking

Cross-site scripting

Cross-site scripting (XSS) lets an attacker inject malicious script into a Web page, manipulating the page’s code and changing how it appears to the end user. Because the injected script runs in the context of the site, it can read any cookies, clipboard text or other sensitive information your browser holds for that site.

To make matters worse, XSS does not simply threaten the machine you use to surf. "Researchers have discovered ways to completely hijack your Web browser, forcing it to perform all sorts of offensive activities," notes the report.

"For example, simply browsing a Web page can be enough to force your machine to launch a scan against a government computer system."

Phishing

Internet users are constantly plagued by phishing, a scam in which an attacker (phisher) masquerades as a trustworthy entity via e-mail (or some other enticement) to acquire sensitive information from a victim. Early attempts were amateurish and plagued with misspellings, but phishers have grown more sophisticated over time. Despite warnings, users are still falling for it.

"People are savvy. They know that phishing is spelled with a ‘ph.’ But entire brands are still being hijacked," says Ron Knode, the report’s lead researcher and CSC IT security expert. The report notes that new phishing sites can be installed on compromised servers in as little as two seconds, and that new sites are popping up as fast as they are being shut down.


Public source information gathering (a.k.a. Google hacking)

Organizations and businesses need to publicize and promote themselves, and government agencies are required to post public records. The Internet is where they have to do it.

"Taken individually, these tidbits of information might not represent an eThreat. But when you are able to collect and combine enough microbits of data, an eThreat can quickly emerge," the report explains. Using a series of sophisticated searching techniques, Google hackers have already uncovered extremely sensitive information, ranging from passwords and credit card data to Web pages that allow them complete control of power systems. CSC’s Johnny Long, a security expert and contributor to eThreats, also explores public source information gathering in his bestseller, Google Hacking for Penetration Testers.

Unfortunately, says Knode, there is no alternative to placing information on Web sites. "What’s the alternative? Not having a Web site?" Knode asks. "What you can do is make sure you don’t put dangerous information out there, and that you monitor search activity on your site."

No-tech hacking

Another eThreat, no-tech hacking, is especially frustrating because it completely circumvents digital trust. As companies spend more time, money and resources to protect systems and information, the best hackers are thinking simply.

Instead of elaborate electronic attacks, hackers resort to an old standby, such as dumpster diving (manually inspecting trash) or shoulder surfing (peering over a computer user’s shoulder to glean confidential information).

Long notes how easy it is to shoulder surf at a local free Wi-Fi hotspot: "As a no-tech hacker, I’ve already gleaned everything I need to know about each of the laptop-wielding customers. I know their names, addresses and phone numbers. I know what they do for a living and who their employers are. I know what software they use back at work and I’m familiar with the security mechanisms that enable them to tunnel back to the office."

Long also examines the topic in his forthcoming book, No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing.

Digital Trust pain relief

The bad news: These four eThreats demonstrate the weaknesses of digital trust technologies. As new protections are developed, new variations of eThreats arise, starting the vicious cycle again. And, as first reported in the Liquid Security volume in the Digital Trust series, digital trust cannot always make up for bad practice.

The good news: New digital trust countermeasures are being developed every day, making small dents in the problem. The report details some of the most successful:
  • XSS: Better coding practices and continual monitoring of Web applications for flaws.
  • Phishing: Mutual authentication techniques combined with user education.
  • Google hacking: Better review of data before posting, as well as monitoring and response to Google-hacking incidents.
  • No-tech hacking: Employee awareness programs, and less reliance on human factors and more reliance on digital authentication and control.
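The "better coding practices" countermeasure for XSS comes down to never placing visitor-supplied text into a page unescaped. The following added example (not code from the CSC report) renders a small search-results page two ways, once with raw interpolation and once with context-appropriate HTML escaping, and counts how much markup the visitor’s input was able to inject; the page template and the query payload are constructed for illustration.

```python
import html

# Constructed sample input: a harmless, textbook script payload a visitor might
# submit as a search query. Not taken from any real site.
SAMPLE_QUERY = '<script>alert("xss")</script>'

# Constructed page template. The query is reflected twice: once in the HTML
# body and once inside a quoted attribute value, because the two contexts
# need different escaping (quotes only matter inside the attribute).
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<h1>Results for: {query}</h1>\n"
    '<input type="text" name="q" value="{attr}">\n'
    "</body></html>"
)


def render_unsafe(query: str) -> str:
    """Vulnerable version: visitor input is interpolated verbatim (reflected XSS)."""
    return PAGE_TEMPLATE.format(query=query, attr=query)


def render_safe(query: str) -> str:
    """Hardened version: html.escape neutralises < > & in the body, and with
    quote=True also neutralises the quote characters that could close the
    value="..." attribute and start a new tag or event handler."""
    return PAGE_TEMPLATE.format(
        query=html.escape(query, quote=False),
        attr=html.escape(query, quote=True),
    )


def injected_tag_count(page: str) -> int:
    """Simple review check: how many '<' characters appear in the rendered page
    beyond the ones the template itself contributes. Anything above zero means
    the visitor's input was able to add markup of its own."""
    baseline = PAGE_TEMPLATE.format(query="", attr="").count("<")
    return page.count("<") - baseline


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(SAMPLE_QUERY)
        print(f"{name}: {injected_tag_count(page)} injected tag(s)")
        print(page, end="\n\n")
```

The same escaping discipline applies to every place input is reflected (URLs, JavaScript strings, CSS) and each context has its own escaping rules; the example covers only the HTML body and attribute contexts.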

"There is no digital trust solution to these eThreats," Knode says. "But digital trust techniques can definitely relieve the pain a bit."

To learn more about eThreat countermeasures, download eThreats and Countermeasures: Just When You Thought It Was Safe to Go Out (PDF, 3.1MB).

Volumes of the Digital Trust series are published monthly, with the final two volumes due in December 2007.
