Thursday, August 9, 2007

The Game Is Not Over -- Security for your web site

  1. Man-in-the-middle (MITM) attack against SSL plus Sitekey/Passmark – The Stop-Phishing Research Group at Indiana University demonstrates that if you are not very careful about the URL and the SSL certificate, and most people are not, the attacker will succeed
  2. Sniffing a connection to steal session cookies to bypass user authentication – Robert Graham of ErrataSec has demonstrated why you need a security barrier for your laptop at Starbucks (if his name for this attack, "side-jacking", sticks, then we might as well all give up and start referring to SSL as a condom for your browser)
  3. If you think you don't have to worry about these exploit techniques, then you had better have the Security Excuse bingo card (found on Schneier on Security)

It looks pretty bad. SSL can be bypassed, authentication cookies can be stolen. If you follow the blogosphere's impression of the recent Blackhat/Defcon events, it's all useless and there is nothing we can do to stop the crooks. To top it all off, there isn't just one Hackistan (great Yak snacks by the way), there are many Hackistans, and no web site is too small or broadband-connected PC too innocent for them to exploit.

Truth is, if a malicious hacker with the capabilities of a Grossman, Skoudis or Moore is after your site, then you will get hacked. Lucky for you these guys are busy™.

Solutions? Focus on your business needs and take some precautionary steps:

  • Run traditional vulnerability scans (because Skoudis and Moore teach us that the old problems are new again)

  • Run a web application scanner and use a secure coding inspection tool; Grossman and Zorkul are better, but it's foolish not to automate everything you can

  • Use SSL from start to finish on your web site; you have an obligation to protect the integrity and security of all the data exchanged between your site and your customer's browser – otherwise you're giving it away to any crook with a copycat access point or a promiscuous wireless card

  • Don't ignore MITM because you think it is hard; it gets easier to do every day – lucky for all of us, it's also getting easier to protect against and detect MITM, Pharming, Hijacking and Malware Injection, and I know someone who can help

  • Last but not least, plan on getting hacked: have an incident response plan and be prepared, because playing security excuse bingo is a losing strategy
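The "side-jacking" item above and the "SSL from start to finish" precaution are two sides of one defect: a session cookie that the browser is willing to send over plain HTTP can be sniffed no matter how good the login page's SSL is. The following audit script is an example added to this post, not the author's code or any tool mentioned here. It parses Set-Cookie headers, flags cookies missing the Secure and HttpOnly attributes, and checks that a plain-HTTP response bounces the client to an https:// URL. The response headers it inspects are constructed samples; the attribute names are the standard ones.

```python
"""Audit HTTP response headers for the cookie flags that blunt session sniffing.

Added example for this post (not the author's code). The headers in
SAMPLE_HEADERS are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Header = Tuple[str, str]


@dataclass
class CookieFinding:
    """Result of auditing one Set-Cookie header."""
    name: str
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split a Set-Cookie value into its name/value and an attribute map.

    Attribute keys are lower-cased so 'Secure', 'secure' and 'SECURE' all match.
    Flag attributes without a value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookie(header_value: str) -> CookieFinding:
    """Flag a cookie that a browser would send in the clear or expose to script."""
    attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    finding = CookieFinding(attrs["__name__"], secure, httponly)
    if not secure:
        # Without Secure the browser sends the cookie on http:// requests too,
        # which is exactly what a sniffer on an open wireless network collects.
        finding.problems.append("missing Secure: sent over plain HTTP, can be sniffed")
    if not httponly:
        # Without HttpOnly any injected script can read the cookie.
        finding.problems.append("missing HttpOnly: readable by injected script")
    return finding


def audit_response(headers: List[Header]) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a response, in order."""
    return [audit_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def redirects_to_https(status: int, headers: List[Header]) -> bool:
    """True when a plain-HTTP response sends the client to an https:// URL.

    This is the 'SSL from start to finish' check: an http:// entry point
    should not serve content, only redirect.
    """
    location = next((v for k, v in headers if k.lower() == "location"), "")
    return status in (301, 302, 303, 307, 308) and location.lower().startswith("https://")


# Constructed sample response: one cookie lacks Secure, one lacks both flags,
# one is set correctly.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly"),
]


if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        status = "ok" if not f.problems else "; ".join(f.problems)
        print(f"{f.name}: {status}")
    print("http entry point redirects to https:",
          redirects_to_https(301, [("Location", "https://www.example.com/")]))
```

Run it against a real site by capturing the response headers from a plain-HTTP request to the login or home page and feeding them to audit_response; a session cookie without Secure on a site that otherwise uses SSL is the side-jacking case the post describes.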

Get started today!
