A Very (Un)Merry XSS-mas

As the holiday season nears, droves of shoppers will go online. Lying in wait, however, are online criminals. A look at why locking down ports and hoping for the best isn’t enough to keep users safe.

Port scanning? Why bother when you’ve already made it easy?

Read any enumeration document written in the last decade and each one will discuss port scanning as an integral part of carrying out an attack. Security professionals went to great lengths to thwart port scans by using a variety of techniques. You’d hear about port knocking, packet dropping and various other methods of hiding or killing connection attempts and/or service enumeration.

Vendors also cashed in on this by offering tons of expensive products that would do all of this for you wrapped up nicely in a neon-colored appliance with tons of pretty lights.

Well, those days are over. While you’ll continue to see port scans sloshing up against your perimeter devices, criminals and attackers have discovered much easier ways to steal from you or “own” your assets.

Making it easy.

Just about everyone has a web presence these days, but not everyone follows good coding practices. Web sites have become extremely interactive and depend heavily on helper technologies, typically in the form of scripting languages. This breeds all kinds of cross-site scripting (XSS) opportunities.

Of course, these are done on allowed ports and various techniques are widely published that not only show you how to perform XSS hacks, but also point you to a variety of canned tools that will assist in the process. One such tool, Metasploit, will even go so far as to provide anti-forensics, anti-IDS/IPS and pivot functionality to bounce from host to host in a compromised environment.

All of these nice features are baked in, and again, no port scanning is required.
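The coding flaw behind the XSS exposure described above, shown as an added example that is not part of the original article: a hypothetical search-results page that reflects a request parameter into HTML, next to the output-encoded version. The function names and the sample input are constructed for illustration.

```javascript
// Added illustration; function names and sample input are constructed.

// Vulnerable: the request parameter is concatenated straight into markup,
// so any HTML in it becomes part of the page the browser parses.
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// The five characters that can change HTML parsing context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the same page, with the parameter encoded for an HTML text node.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Crude comparison helper: once the template's own <h1> wrapper is removed,
// does any tag-opening sequence remain in the rendered page?
function containsInjectedMarkup(html) {
  const body = html.replace(/^<h1>/, "").replace(/<\/h1>$/, "");
  return /<[a-z!\/]/i.test(body);
}

// Constructed input: it arrives as an ordinary query-string value over
// HTTP/HTTPS, so a port filter in front of the site never sees anything odd.
const sampleQuery = "shoes<script>alert(1)</script>";

function demo() {
  return {
    unsafe: renderResultsUnsafe(sampleQuery),
    safe: renderResultsSafe(sampleQuery),
  };
}

console.log(demo());
```

This encoding is correct only for values placed in HTML text; values written into attributes, URLs or script blocks need the encoding for that context.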

Why not visit us?

Many attackers and criminals don’t even put forth the effort to go to you; instead, they simply bait you into coming to them. JavaScript malware is on the rise and relies on browser scripting capabilities, not on specific browser vulnerabilities. JavaScript malware has many attack vectors and an equally plentiful payload capability. You’ll see things such as DDoS, data scraping and launching attacks against internal hosts.

Delivering malware to you has never been so easy. You’ll see malicious root certificates out there that instruct your browser to trust and execute anything published by the attacker/criminal. The import process is typically carried out by an existing spyware infection without the knowledge or participation of the user. Once this is done, there is no end to what the attacker/criminal can do with the host.

Another popular way to route users to a malware site is through the use of e-cards and various other pastime sites. It’s beyond simple to trick an end user into clicking on a malicious link by simply telling them that they’ve received an e-card from a secret admirer: “please click here to view your e-card.”

In addition to preying on ego and self-esteem as a way to lure users, you’ll also see fear and greed leveraged. For example, everyone receives invitations to make $5,000 weekly working part time. Enough people are greedy enough to actually believe this ploy and walk right into the hands of international crime groups. Most of the time, the user will end up as an unwitting mule. A mule simply carries the goods from the source to the destination and almost always assumes all the risk involved in carrying out the action.

Raising the bar

Because most crime groups have better cash flow than many legitimate businesses, they can afford to hire professional coders. Recent malware incarnations have been more advanced than amateur efforts in the past. Rootkits are on the rise and offer crime groups a utopia of opportunities that easily go unseen, undetected and unnoticed by the user. One of the more recent examples is the Blue Pill, which places a rootkit as a VM hypervisor that subverts the system far below the operating system.

Botnets are also evolving and have become extremely refined in the process of infection, payload and displacement of the command and control (C&C) host. Botnet operators no longer sit idle and have developed mechanisms for redundancy and redirection so that current zombie hosts will travel to the new location of the C&C host.

Add encryption, various dynamic DNS techniques and safe harbors in developing nations, and today’s botnets are a formidable threat. The more complex botnet operators have built-in protection from other rival botnets so that the zombie host cannot be hijacked and used for the benefit of the rival botnet.

The classics with a new shine

War driving was something done by kiddies who wanted free Internet access and perhaps to tag hosts that reside on the same network. Today, crime groups have refined the process and now go after wireless device drivers. This technique leverages buffer overflows, which in turn allow the attacker to take over an active wireless interface even if it’s not associated with or using a wireless access point.

Phishing schemes are also as prevalent as ever. With many people utilizing HTML capabilities within their e-mail client, infections can be distributed with just the act of opening the e-mail. Embedded links that lead to fraudulent fronts are typically the modus operandi for this vector. Again, social engineering techniques based in fear and/or greed fuel the success of this vector.

“Surfing” no more

Surfing the Internet implies that you’re embarking on a pleasurable adventure with little chance of harm. Today’s Internet is not the same as it used to be. Blind surfing the net can land you with hundreds of malware infections delivered in a variety of ways, including, but not limited to, zero-day vulnerabilities.

Surfing today should be compared to wandering unsafe inner city neighborhoods. You wouldn’t intentionally wander into these places because there is an expectation that it’s high risk behavior. Until people equate this to wandering the web, the attackers and criminals will continue to enjoy the seemingly endless stream of victims who almost always give away the keys to the castle.

So what can you do?

The bad news is that given the current legal and technical landscape plus the lax attitude of many, criminals and attackers certainly maintain the upper hand. The sad thing in all of this is that methods of protecting yourself have not changed all that much.

Awareness training should continue to pound the idea that you should only surf places you know are safe and only open things that you’re sure come from a trusted source. While this won’t work all the time, you’re now managing the risk instead of willingly exposing yourself. Continuing to patch, update AV signatures and run a firewall will also cut down on the probability that you’ll be victimized and further allow you to manage your safety while online.

IT shops should continue to maintain baseline configurations and remove the ability of end users to install software. Given that attackers and criminals know that the easiest exploit point is at the desktop, start looking into Network Admission Control (NAC) solutions to mitigate the vector. Imagine how much improvement can be gained if you knew that all hosts that connect to your network have passed the minimum-security requirements.

At the end of the day, it’s up to you entirely to protect yourself. Complacency is no longer an option if you hope to survive a wipeout while surfing today’s internet.

This article was first published on EnterpriseITPlanet.com.





