Cyber Criminal Technique #1: War Driving

War driving means “cruising” for WiFi signals. Once detected, cybercriminals use FREE password-breaking software to intercept the signal broadcasting from any home or business.

Monitoring WiFi networks over time, cyberthieves can establish a virtual private network and connect directly to a server or database.

Cyber Criminal Technique #2: SQL Injection

SQL injections are a popular way for cybercriminals to get inside “protected networks”. In a SQL injection attack, the hacker types random characters into a web form, such as a log in page. The attack may be carried out manually or using a robot to penetrate the form. Once inside, hackers can gain access to databases containing sensitive, personal information.

War driving and SQL injection attacks are the means to a cyber criminal’s end. Once the target server is breached, he or she implants a “sniffer” program. (Sniffers are widely available for free, and they are capable of logging all traffic moving across a network). Savvy hackers have devised and sell sniffers designed specifically to detect and record credit and debit card information.

Wade Baker, Verizon Business’ principal researcher told USA Today, it takes five to six months (on average) before companies detect cybercrimes of this nature. In the vast majority of cases he has researched, cyberthieves spent days after the initial breach to locate databases with the most valuable information, then methodically extracted the sensitive data for weeks or years before being detected. He warns, “Many organizations right now have breaches they don’t know about and won’t discover for some time to come.”

The Identity Theft Resource Center (ITRC) has investigated about 400 incidents consisting of over 220 million exposed records so far this year. The list of victims proves that lengthy and destructive breaches are not reserved for global enterprise. SMBs, particularly businesses that provide retail, financial, and healthcare services are prime targets.

“The highly available and free nature of the tools necessary to carry out war driving and SQL injection attacks means novice hackers are capable of producing devastating breaches. Achieving PCI Compliance and partnering with a hosting partner that provides security will help prevent you from making the ITRC’s list,” advises Chris Drake, CEO and Founder of FireHost.

Nidhi Shah, a research scientist at Purewire told SCMagazineUS.com, “It’s not clear how how hackers were able to break into the site, but it is possible that they obtained the credentials to an FTP account or exploited an SQL injection vulnerability.”

The exploit manifested as a pop up for visitors to authenticate their session with a username and password before viewing the site contents. When users canceled the message screen or entered the wrong credentials, an error page informed them that they had failed to login properly. That error page contained JavaScript code which loaded malware from an exploit site targeting a number of known software vulnerabilities in Adobe Acrobat Reader, AOL Radio AmpX and SuperBuddy and Apple QuickTime. Any user not patched against these bugs received the malware.

It’s undetermined how many people encountered the attack, but Kevin Dando, director of digital and education communications at PBS believes the exposure to be very low since PBS has not received complaints. Mr. Dando told SCMagazineUS.com that internal triggers had alerted them to the situation. They  addressed it quickly, and that the situation has been completely fixed as of last Friday.

In his closing comments, Mr. Dando warned “that this incident should serve as a reminder that any system can potentially be exposed to infection, and service providers must remain vigilant against threats and be prepared to act aggressively and be ready with pre-established procedures.”

The RideMatch.info flaw provides inadequate scrutiny of user-generated text entered in search boxes and fields throughout the website. Hackers exploit the SQL injection vulnerability by passing commands directly into the back end database.

The vulnerability was identified and reported in August by Kristian Hermansen, a security researcher who was required by his employer to sign up for the service. His report to The Register stated, “The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don’t even know that their employee’s personal and corporate information may be been compromised.”

To date, the exploit has exposed hundreds of employees’ sensitive information across several organizations in S. California, including at least one military entity.

The Ride Match website is a joint project between five regional transit authorities. The service pairs commuters based on home and office destinations as well as departure times. The Riverside County Transportation Commission, an agency responsible for the website, reported to have reached out to the Trapeze Group (a Canada-based development company that designed the software) right after the vulnerability was reported.

Once identified, SQL injection vulnerabilities can often be patched by changing a line or two of code, but The Register spoke to a Trapeze spokesperson on 9/8, and at that time she was unaware of any security bugs being reported on the software. She promised that any vulnerabilities brought to their attention would be investigated and resolved.

Security experts believe social networks like Twitter and Facebook are targeted because of the sheer number of users. Defacement is the most common motivation for ego-driven hackers, and these high traffic, high involvement communities are a great way to disrupt many victims at once.

A study by Webroot sheds light on a few other reasons why social networks make a ripe targets for hackers.

• 36% of social networkers admit they don’t hide personal information
• 33% admit to using the same password for all of their online accounts
• 28% accept “friend requests” from strangers

With such a high percent of social networking users being unaware of the dangers, “hackers lure users into taking actions they shouldn’t by making it appear as if a friend within their social netowrk has sent them a message – only the message is from a hacker who has hijacked the friend’s account,” warns Mike Kronenberg CTO of Webroot’s Consumer Business division.

The technique described by Mr. Kronenberg is known as phishing, and it’s one of the most preventable ways hackers obtain access to confidential information. SQL injections, Cross-site Scripting (XSS), and Cross-site Forgery Requests (CSFR) are more covert, technical methods that hackers use to get the infomation they need.

“As a web service or SaaS provider, you can help protect your users from these attacks by hosting your applications in a secure environment. Users need to be savvy, and when they can’t stay up to speed on all the risks, community users should be weary and overly cautious at all times,” suggests Chris Drake, CEO of FireHost.

In fact, websites that incorporate these features accounted for 21% of hacking incidents reported in the first quarter of 2009. The top threats to “socially enabled” websites are SQL Injections (21% of attacks), Authentication Abuse (18%), and Cross Site Request Forgery – CSRF (8%). You may download a full copy of Secure Enterprise’s report here.

“Businesses often use open source applications like Community Server, WordPress, and Drupal to integrate social features into their websites. Every enterprise deserves the ability to keep content fresh by using blogs and forums. It’s great for marketing and user retention. We help facilitate these mediums by addressing vulnerabilities in open source software all the way from module installation to hosting,” encourages FireHost CEO, Chris Drake.

FireHost CTO, Kevin Wall explains why a holistic approach to site development and hosting is important.

“Often the application itself isn’t unstable; it’s the add-ons and plug-ins site owners use to extend the installation that cause problems. Our engineers are well-versed in the nuances of open source platforms. We’re different because we can help you navigate thru the many open source options available and determine which will achieve your marketing goals. Finally, we install open source applications in a way that helps protect you from hackers.”

To learn more about how FireHost can help secure your favorite open source platform, visit our secure platform hosting page.

USA Today reports:

FireHost is in business to address website security needs of the “smaller guys” Mr. Neray mentions above. It’s imperative your company respond to the threat of cybercriminals swiftly and effectively because SQL attacks strike governments and credit card companies every day. FireHost can help your company avoid the negative spotlight.

SQL attacks are preventable when your website, email, databases, and other applications are hosted with a security-focused web hosting provider. We’ve taken industry-leading measures to make enterprise-level security attainable for every business because we know that the last thing you need to do with your time is mitigate a high-profile website attack on customer information.

Most hosting providers don’t invest the resources required to maintain a prevention-focused, secure hosting environment. If your company does business online however, you owe it to your customers and employees to make sure their most important information is protected.

Here’s just a sample of what puts FireHost secure web hosting in a class of its own:

Network Layer Security
FireHost runs dual Sonicwall internet security devices, providing firewall redundancy for every client. This layer safegaurds websites, emails, and databases from unauthorized intrusions, like SQL attacks.

Application Protection
We also run a web application firewall to close the holes within your website’s applications, the entry-point for SQL attacks.

Vulnerability Monitoring
FireHost partners with McAfee to provide you with web-based website vulnerability auditing and remediation mangement, completing scans every fifteen minutes.

Register here to have a FireHost Security Agent perform a vulnerability report for your website. We will contact you shortly with the eye-opening results.

SQL Injections are the number one vulnerability exploited by hackers, by far. According to security vendor Sophos, 16,000 new websites are hit by the attacks every day. WordPress, Joomla, Drupal, .NET, classic ASP, PHPBB websites have all been hit with SQL Injections. Do NOT roll the dice on this one! Every web site big or small is vulnerable to injection by automated scripts attempting SQL-Injections through your webforms, dynamic URLs, etc.

This video from Graham Cluley of Sophos discusses the impact of a SQL Injection that hit BusinessWeek.

What can you do NOW to help secure your website?

1. Ensure all logins use strong passwords
2. Employ web form validation and/or CAPTCHA
3. If you’re using a CMS or website platform, ensure it’s up-to-date (including all plug-ins)
4. Ensure all components are current (ASPupload, etc)
5. Use static URLs instead of dynamic URLs

FireHost takes SQL Injection protection to the next level by:

1. Analyzing your website and web applications to assess the potential for SQL Injections and other hacking vulnerabilities
2. Protecting your website using our secure and transparent Web Application Firewall
3. Monitoring your website for new vulnerabilities