Blackhat Search Engine Optimization (SEO) Injection

Today my boss couldn’t get to a website. Turns out, our WebBlocker service classified it as a Compromised Website. Great! Our WatchGuard Firebox was doing a good job. However, my boss knew the site, and the people behind it, so he wanted to know what was wrong with it.

A quick check on our Security Portal confirmed the classification, and csi.websense.com provided the reason: Injection.Black_SEO.Web.RTSS.

I’ve seen this before, so I knew what to expect. I created a WebBlocker exception for myself, allowing me to get to the site for a little research. It didn’t take too much time to find what I was looking for:

Viewing the HTML source code on the site’s home page, I quickly found some additional code that the site owners probably aren’t aware of. The injected code is designed to “invisibly” open certain links without visually displaying much to a visitor. The goal of this type of attack is to falsely improve these links’ search engine results, since every user visiting this site will unknowingly open these injected links as well. This attack technique is some times called blackhat search engine optimization (SEO).

While this is a relatively harmless example of HTML injection (since it’s not trying to execute code on a victim’s computer), the presence of the unwanted code certainly means that someone has unauthorized access to this site. Unfortunately, until the site owners clean up this injected code, WebBlocker will continue to prevent users from visiting it. You could create an exception to allow the site, but I don’t recommend it.  While the attackers have only exploited this site for SEO Injection today, tomorrow they could use it to redirect visitors to a drive-by-download, maybe even leveraging underground toolkits like the Angler Exploit Kit.

Without knowing exactly how the attackers injected this code, I can’t give web masters specific secure development tips (other than visit OWASP.org for general web development best practices). However, I can share one universal tip. Don’t consider your web site “build and forget.” You need to at least control access to your site’s code, and regularly monitor it for code changes so you can identify this sort of malicious injection quickly.

— Rob Collins 

Password Reuse Botnet – Daily Security Byte EP. 265

Botnets are best know for DDoS attacks, where they generate huge floods of traffic that overwhelm their victims. However, newer botnets are slowing down their attacks to try stolen passwords on banking and e-commerce sites. Watch today’s video for a reminder of why not to reuse your password everywhere.

(Episode Runtime: 1:44)

Direct YouTube Link: https://www.youtube.com/watch?v=59U-9N597Lg

EPISODE REFERENCES:

• Botnet reuses credentials to log into banks – The Register
• Why you shouldn’t reuse passwords – ZDNet
• ThreatMetrix report detailing this credential botnet – ThreatMetrix

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Technologies Named Gold and Silver Winner in 2016 IT World Awards

It has been a great year for industry validation of our network security solutions. This week, WatchGuard received two awards from Network Products Guide, the industry’s leading technology research and advisory guide.

In the 11th Annual 2016 IT World Awards, the Firebox T50-W brought home the Gold for ‘Unified or Integrated Security’ and the Firebox M5600 took Silver in the ‘Security Hardware’ category. WatchGuard is honored to receive continued industry and peer validation for our network security products for the SMB and distributed enterprise markets.

Network Products Guide’s goal is to keep decision makers and end-users informed about the choices they can make in all areas of information technology. The annual IT World Awards is part of the SVUS Awards recognition program, the same organization that recognized WatchGuard with a Grand Trophy and five Global Excellence Awards in March.

LinkedIn Loses 117M Credentials – Daily Security Byte EP. 264

In the middle of 2012, LinkedIn warned that attackers had stolen millions of their users’ credentials. That leak was bad enough, but it turns out the breach was much bigger than first reported. In today’s video, I share just how many passwords criminals are selling on the underground, and what LinkedIn users should do to protection their accounts.

(Episode Runtime: 2:31)

Direct YouTube Link: https://www.youtube.com/watch?v=z1Xvx_XODGU

EPISODE REFERENCES:

• Hackers selling 117 million LinkedIn credentials – The Register
• Official customer blog post on the LinkedIn credential breach – LinkedIn

— Corey Nachreiner, CISSP (@SecAdept)

Apple’s May Updates – Daily Security Byte EP. 263

It time to update your OS X software before hackers take a bite out of your Apple. This week, Apple released five software updates fixing security flaws in many of their most popular operating systems and products. Watch the “traveling edition” of my Daily Security Byte for the details. 

(Episode Runtime: 1:33)

Direct YouTube Link: https://www.youtube.com/watch?v=dRI7-CxTtRw

EPISODE REFERENCES:

• Apple security alert summary page – Apple

— Corey Nachreiner, CISSP (@SecAdept)

Decrypting Ransomware

Ransomware works by encrypting a victim’s files and then convincing them that the only way to retrieve their files is to pay a ransom. The attackers further this appeal to fear by setting a short deadline for payment, and telling the victim that their files will be gone for good if the deadline is missed. Ransomware is so successful because victims continue paying these ransoms.

The Cyber Threat Alliance reports an estimated $325 million in payments for the CryptoWall 3 ransomware alone during 2015. These payments provide both incentive and financing for further ransomware development by the bad guys. A recent report by McAfee shows a sharp increase in detected ransomware samples over the last two years.

Taking steps to prevent ransomware infections will always be the best defense strategy. Unfortunately, no protection is perfect, which means your systems may eventually fall victim to a successful attack. If you find yourself infected and without proper backups, you may think that paying up is your only option. Thanks to a few cyber security organizations, there may be another way out.

This week, Emsisoft launched a webpage dedicated to ransomware decryption. The webpage helps ransomware victims identify which flavor of ransomware infected their system and then provides a free downloadable decryption tool. Emsisoft is not the only one providing these tools. Kaspersky also maintains a page full of ransomware decryption utilities (and other malware removal tools). If you need help identifying exactly which version of ransomware locked your files, ID Ransomware is another tool you can use.

Ransomware decryption is a cat and mouse game. These utilities typically exploit errors in the ransomware encryption code to decrypt the affected files. When the attackers fix these errors and update their ransomware, the decryption utilities are no longer effective. Because of this, you should not rely on ransomware decryption utilities as your only protection. Instead, they should be treated as an option of last resort.

The best defense against ransomware remains a three-pronged approach of prevention, recovery, and education. You should take steps to prevent the initial infection by using a multi-layer security approach. Network-based AV scanning and APT protection along with host-based endpoint protection remain a must. You should also regularly create and test offline backups to recover from a ransomware infection. It is important that your backups be offline to protect against ransomware that locates and encrypts networked file shares. Finally, you should educate your employees on how to spot phishing attempts, which continue to be the most common attack vector for ransomware. If all of these steps fail though, you may still have hope with a decryption utility. – Marc Laliberte

Mr. Robot Hacked? – Daily Security Byte EP. 262

The popular TV show, Mr. Robot gets hacking so right. Unfortunately, the folks that made the show’s web site haven’t gotten the message. In this video, I share the ironic story of this web vulnerability, and talk about how you can protect your site from cross-site scripting (XSS) flaws.

(Episode Runtime: 2:39)

Direct YouTube Link: https://www.youtube.com/watch?v=DS_Km38nu7g

EPISODE REFERENCES:

• Researcher finds XSS flaw in Mr. Robot web site – Forbes
• A great XSS prevention cheat sheet for developers – OWASP

— Corey Nachreiner, CISSP (@SecAdept)

May Day, May Day, Patch Day – Daily Security Byte EP. 261

Do you want to stay safe online? Then you need to keep your patches up-to-date since most Internet exploits target old flaws. Tuesday’s Byte video covers Microsoft and Adobe’s security bulletins for May. Watch below, but more importantly, go update.

(Episode Runtime: 2:38)

Direct YouTube Link: https://www.youtube.com/watch?v=tbmSGgL3TzY

EPISODE REFERENCES:

• Summary of Microsoft’s May 2016 Patch Day – Microsoft
• Adobe’s main security summary page – Adobe
• A good write-up of Microsoft Patch Day – Ghacks

— Corey Nachreiner, CISSP (@SecAdept)

Not So SmartApps

I’m a big fan of the Internet of Things (IoT), in theory. I like the idea of using small, purpose-built gadgets to make my life easier. The problem with current generation IoT devices though, is that they typically trade security for convenience. As a security professional, this is a tough compromise for me to make.

If you follow the blog, you likely saw my article on IoT cameras delivering malware last month. Having a brand new IoT device infect you with malware is probably the most extreme example of poor IoT security. Whereas, IoT devices shipping full of exploitable security holes is much more common.

Last week, researchers at the University of Michigan (UM) shared their findings around a security audit they performed on Samsung’s SmartThings home automation systems. At a high-level, they found four attack vectors that all stemmed from permission problems with the SmartThings Android app.

The SmartThings Android app includes its own SmartApps store where third-party developers can create widgets to add functionality to SmartThings devices. The researchers leveraged these SmartApps to launch their attacks.

In one attack, the researchers created their own application, disguised as a battery level monitor. When installed, the application only asked permission to monitor battery level, as you would expect. However, in reality the app had enough privileges to listen for newly entered door lock PIN codes, capture them, and send them to the researchers (or would be attackers) in a text message.

In another attack, the researchers remotely exploited another popular SmartApp to program an additional PIN into a connected door lock, giving them a literal backdoor into the house. The vulnerable SmartApp wasn’t even designed to program PIN codes into locks.

For the last two attacks, the researchers abused permissions in one SmartApp to turn off “vacation mode” and exploited another SmartApp by injecting false messages to make a fire alarm go off.

There will always be tradeoffs between security, functionality and ease of use when it comes to IoT devices. Depending on the embedded platform, remote code execution on an internet-connected toaster might not be the end of the world; that is, until it burns down your house I suppose. On the other hand, if I plan to replace my door locks with ones that I can control with my phone, I can reasonably demand the vendor delivers a properly secure system.

The Internet of Things market is still young and growing. Until security becomes a priority, you should remain mindful of the impact a compromised IoT device might cause on your network. – Marc Laliberte

Pen-Tester Arrested – Daily Security Byte EP. 260

A security researcher was arrested in Florida for publicly disclosing a SQL injection (SQLi) vulnerability in an election web server. Should we be up in arms that they’re demonizing someone helping organizations patch flaws, or upset that the “hacker” is poking his nose where he shouldn’t? Normally, I side immediately with researchers, but this case is a little gray. Watch today’s video to learn why.

(Episode Runtime: 3:51)

Direct YouTube Link: https://www.youtube.com/watch?v=ekX6BYNdGw4

EPISODE REFERENCES:

• Video disclosure of the Lee County server vulnerability – YouTube
• Article about the researcher’s arrest – ZDNet

— Corey Nachreiner, CISSP (@SecAdept)