Monthly Archives: May 2014

29 05, 2014

eBay Security and the “Punching Bag of the Internet”

[Figure: Percentage of Breaches by Attack Vector, from the 2014 Verizon Data Breach Report]

Not only has eBay security been undone by their tolerance for what The Register referred to as “Rubbish Passwords” — now there are reports of multiple Cross Site Scripting (XSS) vulnerabilities on eBay subdomains.

As the 2014 Verizon Data Breach Investigations Report chronicled, web applications were the top attack vector for successful data breaches in 2013. The report went so far as to dub web applications “the proverbial punching bag of the Internet.”

At 6Scan we block millions of attempts to exploit vulnerable applications every month. Currently XSS is the 4th most prevalent attack we see. While XSS does not pose an immediate threat like an SQL injection does, the security implications are highlighted in the OWASP.org XSS attack definition:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”

The significance of the attack is not only in access to the vulnerable application, but malicious access to the trusted relationship between user and a given site (like eBay). We recently wrote about an NFL team with an active XSS vulnerability; it’s in these situations with powerful brands that XSS vulnerabilities can do the most damage. So while eBay chose to downplay the vulnerability with the comment that it’s “not a new type of web application vulnerability on sites such as eBay,” the reality is that the severity of the threat is directly related to the trust of the brand.

Stay safe.

7 05, 2014

NFL Draft and the Cyber Kill Chain

Tomorrow, the unofficial start of the pro football season kicks off with ESPN’s broadcast of the 2014 NFL Draft. As in the past, hundreds of thousands of people will follow the drama via the Internet. Unfortunately, a vulnerability contained on the website of one NFL franchise may leave that team’s fans blindsided by hackers.

This team’s website includes a Cross Site Scripting (XSS) vulnerability, one that’s used as part of a nearly fool-proof cyber scam.

In these scams, attackers use emails about upcoming events as bait, e.g. “Find out who ‘Team X’ will take #1 in the draft…” These emails contain links directly to the team’s website. Each link is formatted correctly and looks 100% legitimate. Clicking the link executes a browser injection that lets the hacker display a pop-up window on top of the legitimate destination page. Pop-ups can display offers such as discount ticket promotions, new merchandise, etc. All information entered in a pop-up ends up in attackers’ hands.
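The mechanism behind both the eBay and NFL-team cases above (the OWASP definition quoted in the first post, and the crafted-link scenario described here) is a page that reflects a URL parameter into its own HTML without encoding it. The following is an added example, not code from 6Scan or from either site: a constructed link, a minimal handler that reflects the parameter unescaped, and the same handler fixed with HTML escaping, so the difference is visible on real input.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample link of the kind described above: the `q` value is whatever
# the author of the link chose, URL-encoded so the link still looks ordinary.
SAMPLE_LINK = (
    "https://team.example/search"
    "?q=%3Cscript%3Edocument.title%3D%27x%27%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first value of `name` from the URL's query string, or ''.
    parse_qs percent-decodes the value, exactly as a web framework would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects the search term straight into the page. Any markup carried by
    the link becomes part of the DOM and runs in the site's own origin, with
    access to whatever that origin's scripts can reach."""
    return f'<h1>Results for {q}</h1><input name="q" value="{q}">'


def render_fixed(q: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before it is placed
    into markup. quote=True also escapes quotes, which matters inside the
    attribute context of the <input> element."""
    safe = html.escape(q, quote=True)
    return f'<h1>Results for {safe}</h1><input name="q" value="{safe}">'


def reflects_tag(rendered: str, tag: str) -> bool:
    """Defender-side check: does the rendered page contain an opening tag of
    the given name? Used here to compare the two renderers on the same input."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    term = query_param(SAMPLE_LINK, "q")
    print("reflected unescaped:", reflects_tag(render_vulnerable(term), "script"))
    print("reflected escaped:  ", reflects_tag(render_fixed(term), "script"))
```

Escaping at the point of output is the fix for this class of bug; HttpOnly on the session cookie limits what a script that does slip through can read, but it does not remove the vulnerability.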

While significant, the damage in such an attack — to the team’s on-line reputation and the victim’s credit profile — is still manageable. However, as 6Scan Co-founder Nitzan Miron points out, bigger issues are at stake.

“This is not a catastrophic vulnerability in terms of network or database access, but it is a critical link in the cyber kill chain,” Nitzan said. XSS can also be used to phish employees’ credentials, giving attackers direct access to a company’s network. Once inside a network, attackers can leverage advanced threats that are difficult to detect.

“Hacked websites have evolved into the number one attack platform. They are involved in 85% of attacks and have become a critical early link in the cyber kill chain,” Nitzan explained.

XSS – which can only be found by a website or application scan – is one of the top 5 vulnerabilities 6Scan detects. Because such attacks take place at the browser level, website administrators never know they’re happening. This is just one of the threats that drive us to deliver automated scanning and remediation services that any business can deploy regardless of size or security expertise.

Stay Safe.