eBay Security and the “Punching Bag of the Internet”

Not only has eBay security been undone by its tolerance for what The Register referred to as “Rubbish Passwords” — now there are reports of multiple Cross-Site Scripting (XSS) vulnerabilities on eBay subdomains.

As the 2014 Verizon Data Breach Investigations Report chronicled, web applications were the top attack vector for successful data breaches in 2013. The report went so far as to dub web applications “the proverbial punching bag of the Internet.”

At 6Scan we block millions of attempts to exploit vulnerable applications every month. Currently XSS is the 4th most prevalent attack we see. While XSS does not pose an immediate threat like an SQL injection does, the security implications are highlighted in the OWASP.org XSS attack definition:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”

The significance of the attack is not only in access to the vulnerable application, but in malicious access to the trusted relationship between a user and a given site (like eBay). We recently wrote about an NFL team with an active XSS vulnerability; it’s in these situations, with powerful brands, that XSS vulnerabilities can do the most damage. So while eBay chose to downplay the vulnerability with the comment that it’s “not a new type of web application vulnerability on sites such as eBay,” the reality is that the severity of the threat is directly related to the trust placed in the brand.
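The OWASP definition quoted above describes the outcome; the cause is a page that copies user-controlled input into HTML without encoding it for the context it lands in. The following is an added example (not code from the original post or from eBay) that puts a reflected “search results” template in its vulnerable and hardened forms side by side, for both body-text and attribute context, and uses Python’s own HTML parser as the oracle for whether the input came back as active markup. The probe strings and the template fragments are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed probe values of the kind a reflected parameter might carry;
# they are not taken from the original post.
PROBE = "<script>alert(document.cookie)</script>"
ATTR_PROBE = '" onmouseover="alert(1)'


def render_vulnerable(query: str) -> str:
    """'Before': the query string is copied straight into the HTML body."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """'After': the value is HTML-encoded for text context before output."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def render_attribute_vulnerable(query: str) -> str:
    """'Before' for attribute context: a stray quote closes the value early."""
    return f'<input type="text" name="q" value="{query}">'


def render_attribute_hardened(query: str) -> str:
    """'After' for attribute context: quotes are encoded and the attribute stays quoted."""
    return f'<input type="text" name="q" value="{escape(query, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records each start tag and its attribute names, as a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(fragment: str):
    """Return [(tag, [attribute names]), ...] for a rendered HTML fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def has_injected_markup(fragment: str, expected_tags) -> bool:
    """True if the fragment contains a tag the template did not emit, or any
    on* event-handler attribute: the sign that input became active content."""
    for tag, attr_names in parse_tags(fragment):
        if tag not in expected_tags:
            return True
        if any(name.lower().startswith("on") for name in attr_names):
            return True
    return False


if __name__ == "__main__":
    cases = [
        ("body, vulnerable", render_vulnerable(PROBE), {"p"}),
        ("body, hardened", render_hardened(PROBE), {"p"}),
        ("attribute, vulnerable", render_attribute_vulnerable(ATTR_PROBE), {"input"}),
        ("attribute, hardened", render_attribute_hardened(ATTR_PROBE), {"input"}),
    ]
    for label, fragment, expected in cases:
        print(f"{label}: injected={has_injected_markup(fragment, expected)}  {fragment}")
```

The two hardened renderers use the same encoding call, but the attribute case only holds because the attribute is also quoted in the template; `escape()` on an unquoted attribute value still lets a space start a new attribute, which is why context, not just encoding, decides whether the output is safe.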

Stay safe.


Value of a Hacked Website

After our recent Data (In)Security post, we fielded many questions from owners of small sites and blogs that basically boiled down to one common theme: I’m not Target, so why would anyone hack my site?

Thanks to news coverage, there’s a common misconception that attackers are only after banks, large companies, or critical infrastructure. No doubt we live in a world where big names get big headlines. However, a more accurate account of the assault on small business websites comes from industry reports. Case in point: the Verizon 2013 Security Report cited that 71% of data breaches affected companies of 100 employees or fewer.

The attacks are driven, in large part, by an ever-growing number of websites. In the past 3.5 years alone, the number of active websites has doubled from 90 to 180 million (according to Netcraft). This rapid increase in the creation of individual and small business websites has produced a threat landscape that mimics that of the late 1990s and early 2000s. It was during this period that broadband access boomed, creating millions of new targets (PC owners) with limited time to understand the risks they faced.

In a snapshot, the above image illustrates time-tested reasons why criminals target small websites. The image is based on the infographic Value of a Hacked PC, created by Brian Krebs. If you’re not familiar with his work, check out his website, Krebs on Security. Krebs’ security coverage unwinds cyber-criminal activity in near real time and often reads like a Tom Clancy story.

Unfortunately, the number of ways criminals can monetize your company’s website is too vast to cover in one blog post. Over the coming weeks we will drill down on specific threats. For now, suffice it to say, no site is too small to be victimized.

I’ll sign off with this friendly piece of advice: to everyone using a CMS, do yourself a favor and update to the latest version!


Automatically Blocks Shellshock Attack Vectors

Shellshock is out, and it’s exactly the type of threat that reinforces the importance of real-time, proactive, automated security.

6Scan has developed solutions to protect our customers’ websites against Shellshock attack vectors and we will continue to automatically update our active subscribers as new vectors emerge.

Through our patent-pending automated website security we are able to define common attack vectors and filter out malicious traffic designed to exploit websites that are exposed to this vulnerability. As new attack vectors emerge we will continue to update our security in real-time.

Shellshock details

The vulnerability comes from a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests. The vulnerability is summarized here.
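Because the flaw is triggered by text that Bash receives through environment variables, the web-request vector described above leaves a recognizable trace: the Bash exported-function prefix “() {” sitting in an HTTP header such as User-Agent or Referer, where it has no legitimate reason to appear. The following is an added example (not 6Scan’s code or rule set) that scans Apache combined-format access log lines for that prefix, so a site owner can check after the fact whether their server was probed. The log lines are constructed for the demonstration and use documentation IP ranges; the same match applied inline, at a web application firewall, is what blocks such requests in real time.

```python
import re
from typing import Optional

# Constructed Apache combined-format log lines (documentation IP ranges), not
# from the original post. The second and third carry the Bash function-definition
# prefix followed by the harmless self-test command from the public advisories.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.5 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 '
    '"(){ :; }; echo vulnerable" "curl/7.37.0"',
]

# Combined log format: host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Bash exported-function definition begins with "() {", with optional
# whitespace between the tokens. That prefix never belongs in an HTTP header.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# The client-controlled fields a CGI handler exports into Bash's environment.
HEADER_FIELDS = ("request", "referer", "agent")


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_fields(entry: dict) -> list:
    """Names of the fields in one parsed entry that carry the function prefix."""
    return [f for f in HEADER_FIELDS if SHELLSHOCK_RE.search(entry[f])]


def scan_log(lines) -> list:
    """(client host, field) for every line that looks like a Shellshock probe.
    Unparseable lines are skipped rather than silently treated as clean."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        for field in shellshock_fields(entry):
            hits.append((entry["host"], field))
    return hits


if __name__ == "__main__":
    for host, field in scan_log(SAMPLE_LOG):
        print(f"Shellshock prefix in {field} from {host}")
```

A match in the access log only proves a probe was attempted; whether it succeeded depends on the server having exposed an unpatched Bash to that header, which is why a scan like this belongs next to, not instead of, updating the package.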

The Guardian website has a good non-jargon write up and, as usual, Krebs on Security has good coverage including this warning:

“The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.”

Stay safe.


Heartbleed’s Long Dangerous Tail

It’s been two weeks since the Heartbleed bug was disclosed, and, here at 6Scan, we’re encouraged that 99% of the sites we scan, and 100% of the sites we protect, are unaffected by this critical vulnerability.

Unfortunately, the 1% of sites we scan that are affected represents thousands of destinations with millions of monthly page views. We’ve researched these sites and grouped them by Alexa rank (see image below). The vast majority are part of the internet’s “long tail” of small sites – ranking outside the Alexa top 1,000,000 – that serve niche communities and special interests.

It’s tempting to marginalize these vulnerable sites because of their size, but don’t. Left unchecked, these small sites put everyone at risk.

Why? Breaching small sites is an essential part of the black-hat economy. They provide the resources for hosting phishing pages, infecting consumers, evading malicious-IP blacklisting, launching DDoS attacks and many other nefarious activities. Protecting these sites, and their visitors, is critical to the ongoing viability of the internet.

While Heartbleed had many of us primarily concerned with larger properties and institutions running vulnerable OpenSSL versions, it’s important to remember that small sites pose a threat as well. If you’re concerned about the smaller sites that you visit, there are a variety of tools available that claim to provide information on a website’s OpenSSL status, including this one.

The chart below shows the breakdown of Heartbleed-affected websites by Alexa rank. 1.3% of the vulnerable sites are within the top 100,000 most trafficked sites on the internet. As a reference point, the site ranked 100,000 would average about 25,000 unique page views per month. What makes the long tail so dangerous is that over 90% of the sites still affected are outside the top 1 million.