There are so many news items about how this company got hacked or how someone hacked some government department. How do these attackers know what to do to break into a site or bring it down? Most hacks happen follow one or more of the following steps, not necessarily in that order.
The hacker tries to find out basic information about the target system. What OS it runs, is there a firewall? What ports are available? What Content Management System (CMS) does the system run? There are new sources of information such as Facebook, Twitter and Google that can be used to gather information about organization or persons that are being targeted.
There are several online resources that publish information about vulnerabilities that have been discovered in different systems. In a lot of cases, proof of concept attack code will be provided with the vulnerability disclosure. Each platform has its own strengths and weaknesses. Once the system is identified, it is a matter of trying out the different attacks for the system to see if any of them work.
These attacks are usually successful against misconfigured servers/applications, systems that have not had patches applied, networks that have not been properly closed off using firewalls, etc.
Attacks of this type will usually not work against systems that are maintained properly by the application of the latest security patches. That is why it is critical to keep track of all know vulnerabilities by subscribing to online sources such as SecurityFocus.
This type of attack works by manipulating the database queries that the web application sends. An application can be vulnerable if it does not sanitize user input properly or uses untrusted parameter values in database queries without validation. In 2010, approximately 14% of all breaches involved SQL Injection, including some of the attacks launched by LulzSec and Anonymous on Sony and other organizations.
Some of the ways of protecting against SQL injection are:
- Using parameterized SQL
- Sanitizing/validating all untrusted parameters before using them in database operations
- Using tested and code reviewed libraries for database operations
- Using least privilege for database access (never let application use administrator user for database access)
This type of attack has been around for ages. The usual technique is to send out spam email to thousands of recipients. The email will contain a link to a malicious site that has been set up to look like, say, a regular bank’s site. When the user enters thier credentials in the login form, it actually is captured by the malicious site and then used to impersonate that user on the real site.
The best way to protect against this type of attack is to never click on links in an email. If an email says that you need to reset your password or else and provides a link, you type in the link to the bank directly in the web browser and then verify the information on the bank website.
Another thing to remember is to never trust emails even from people you know. Their email account could have been hacked and an unauthorized person could be send that email.
This is a variation of the phishing attack and usually targets specific persons. The emails, instead of being sent to thousands of random people, will be sent to specific people about whom the attacker has obtained some information or at least the email-id. This kind of attack is usually launched by someone looking to target a specific organization in search of information. The RSA attack of 2011 started with a spear phishing attack.
This type of attack can originate from phishing attacks in which emails containing malicious files are sent out or a victim downloads and opens a file containing malware from some website. There have been several instances where perfectly legitimate websites have been broken into and download files replaced with files containing malware.
Once the malware is installed on the user’s computer, they can be controlled by the attacker and used to capture key strokes and look for documents on the computer. These compromised computers can also be used to attack other computers/networks individually or as part of a botnet network. Approximately 50% of attacks in 2011 involved malware. The RSA attack used a spear phishing email with an MSExcel file that contained malware.
This type of attack exploits poorly designed/implement authentication mechanisms. Weak authentication usually means one or more of the following:
- Weak, guessable passwords are allowed
- There is no lockout enforced after a certain number of invalid login attempts
- Password reset methods are not secure
There have been many examples of websites not forcing users to have strong passwords. Weak passwords can be easily guessed or are words in regular usage that appear in a dictionary. When the account is not locked out after a certain number of invalid login attempts, an attacker can keep on trying a huge number of passwords until the correct one is provided.
Password reset methods are also an important attack vector. Usually, if a user has forgotten his/her password, he/she can click on a “Forgot Password” link, answer some pre-defined security questions and get to reset the password. If the answers to the security questions are guessable or easily found online, the account itself can be taken over. For instance, a birthday, favorite color or the brand of someone’s first car can easily guessed or obtained.
This type of attack can be prevented by requiring strong passwords (minimum 8 characters, combinations of upper case, lower case characters, number and punctuation), account lockout after 6 consecutive invalid login attempts and strong security questions.
The above mentioned methods are just a few common ways in which hackers can break into websites or computers. There are so many other ways such as cross-site scripting, cross-site request forgery, HTTP header manipulation etc. that have not been included here. Even the ones described above have so many variations and levels of sophistication. Everyone needs to understand that they have to take responsibility for their and their organization’s security and keep up to date on the latest methods of attack. Web applications also need to use secure software development methodologies and deployment practices.