Advertisement

Hack-proof website, why not?

Started by October 23, 2015 06:08 PM
93 comments, last by ronan.thibaudau 8 years, 11 months ago
Even if you did have perfect, "unhackable" software, there's always social engineering, a.k.a. Meat hacking.
Or physical intrusion, or corruption, bribery...
Many big "hacks" have only been possible thanks to human error, some other famous ones relied on trespassing.
e.g. the Valve hack only occurred because an email scam was successful in tricking a senior employee into installing spyware. The early phreaking scene (that's phone network hacking, to you youngins) unlocked the secret of free phone calls by trawling through the garbage of phone companies to steal documentation and manuals. Some even went as f as as impersonating maintenance workers to get into their offices and steal files from their archives (a ladder and high-visibility work clothing will get you anywhere).

Even if you did have perfect, "unhackable" software, there's always social engineering, a.k.a. Meat hacking.
Or physical intrusion, or corruption, bribery...
Many big "hacks" have only been possible thanks to human error, some other famous ones relied on trespassing.
e.g. the Valve hack only occurred because an email scam was successful in tricking a senior employee into installing spyware. The early phreaking scene (that's phone network hacking, to you youngins) unlocked the secret of free phone calls by trawling through the garbage of phone companies to steal documentation and manuals. Some even went as f as as impersonating maintenance workers to get into their offices and steal files from their archives (a ladder and high-visibility work clothing will get you anywhere).

But most social engineering exploits are IT department issues, why do those people who got tricked have any rights on the network to begin with? Proper security doesn't trust it's own network anymore than the internet

Advertisement

But most social engineering exploits are IT department issues, why do those people who got tricked have any rights on the network to begin with? Proper security doesn't trust it's own network anymore than the internet

Gain access to a programmer and you can steal their code. That in itself may be a prize, or it may be a tool to search for exploits in their servers.
Gain access to a manager and you can steal all sorts of sensitive information, plus you can now use their credentials to do further meat hacking. If you work in IT and the CEO demands the root password to allow for a security audit, there's a chance you'll hand it over.
Gain access to IT and you can steal lots of information on operations, plus you can now perform social engineering company wide - if you're the CEO and IT tells to to urgently install a bit of "security software", you probably will.
If you get the IT person who has credentials to the email server, you can steal the internal communcations history and mine that for more credentials. Maybe you just need to find out where the off-site backups are stored and then burgle a storage locker :lol:

Then there's the more nefarious -- blackmailing, bribing or extorting the head of IT is a whole other ballgame.

Then there's physical attacks. If you can physically get to the servers, all your software security is moot.

e.g. the Snowden leaks revealed the NSA has a lot of physical taps across worldwide internet infrastructure, for the purpose of performing MITM attakcs. When your PC requests a SW update, the MITM can observe your request and engage in a race against the legit server. If they reply first, they can deliver their own infected update, which your PC will accept just fine.
Encryption/SSL helps, if you assume the attackers haven't already stolen the private keys (in this case, they usually have). If you can get spyware onto every PC in the company, eventually you'll be able to steal something of use.

The heavy handed solution is to air-gap your entire network (some game companies do this!), but even that doesn't provide 100% protection from human stupidity or malevolence.

If anyone in your company can access your data, it's hackable. Hackproof means nobody can access it, including yourself and your own customers.

Every security measure, including TLS, is meant to deter potential hackers. Just a lock on your door doesn't fully guarantee your house is safe. It prevents curious people from getting in, but someone with the right tool, the right skill, and the intent, can still get in.

But most social engineering exploits are IT department issues, why do those people who got tricked have any rights on the network to begin with? Proper security doesn't trust it's own network anymore than the internet

Gain access to a programmer and you can steal their code. That in itself may be a prize, or it may be a tool to search for exploits in their servers.
Gain access to a manager and you can steal all sorts of sensitive information, plus you can now use their credentials to do further meat hacking. If you work in IT and the CEO demands the root password to allow for a security audit, there's a chance you'll hand it over.
Gain access to IT and you can steal lots of information on operations, plus you can now perform social engineering company wide - if you're the CEO and IT tells to to urgently install a bit of "security software", you probably will.
If you get the IT person who has credentials to the email server, you can steal the internal communcations history and mine that for more credentials. Maybe you just need to find out where the off-site backups are stored and then burgle a storage locker laugh.png

Then there's the more nefarious -- blackmailing, bribing or extorting the head of IT is a whole other ballgame.

Then there's physical attacks. If you can physically get to the servers, all your software security is moot.

e.g. the Snowden leaks revealed the NSA has a lot of physical taps across worldwide internet infrastructure, for the purpose of performing MITM attakcs. When your PC requests a SW update, the MITM can observe your request and engage in a race against the legit server. If they reply first, they can deliver their own infected update, which your PC will accept just fine.
Encryption/SSL helps, if you assume the attackers haven't already stolen the private keys (in this case, they usually have). If you can get spyware onto every PC in the company, eventually you'll be able to steal something of use.

The heavy handed solution is to air-gap your entire network (some game companies do this!), but even that doesn't provide 100% protection from human stupidity or malevolence.

You air gap your network, then they infect a worker's phone/memory card and gain access that way.

The concept represents nearly the maximum protection one network can have from another (save turning the device off). It is not possible for packets or datagrams to "leap" across the air gap from one network to another, but computer viruses such as Stuxnet[4]and agent.btz have been known to bridge the gap by exploiting security holes related to the handling of removable media.

https://en.wikipedia.org/wiki/Air_gap_(networking)

But most social engineering exploits are IT department issues, why do those people who got tricked have any rights on the network to begin with? Proper security doesn't trust it's own network anymore than the internet

Gain access to a programmer and you can steal their code. That in itself may be a prize, or it may be a tool to search for exploits in their servers.
Gain access to a manager and you can steal all sorts of sensitive information, plus you can now use their credentials to do further meat hacking. If you work in IT and the CEO demands the root password to allow for a security audit, there's a chance you'll hand it over.
Gain access to IT and you can steal lots of information on operations, plus you can now perform social engineering company wide - if you're the CEO and IT tells to to urgently install a bit of "security software", you probably will.
If you get the IT person who has credentials to the email server, you can steal the internal communcations history and mine that for more credentials. Maybe you just need to find out where the off-site backups are stored and then burgle a storage locker laugh.png

Then there's the more nefarious -- blackmailing, bribing or extorting the head of IT is a whole other ballgame.

Then there's physical attacks. If you can physically get to the servers, all your software security is moot.

e.g. the Snowden leaks revealed the NSA has a lot of physical taps across worldwide internet infrastructure, for the purpose of performing MITM attakcs. When your PC requests a SW update, the MITM can observe your request and engage in a race against the legit server. If they reply first, they can deliver their own infected update, which your PC will accept just fine.
Encryption/SSL helps, if you assume the attackers haven't already stolen the private keys (in this case, they usually have). If you can get spyware onto every PC in the company, eventually you'll be able to steal something of use.

The heavy handed solution is to air-gap your entire network (some game companies do this!), but even that doesn't provide 100% protection from human stupidity or malevolence.

You air gap your network, then they infect a worker's phone/memory card and gain access that way.

The concept represents nearly the maximum protection one network can have from another (save turning the device off). It is not possible for packets or datagrams to "leap" across the air gap from one network to another, but computer viruses such as Stuxnet[4]and agent.btz have been known to bridge the gap by exploiting security holes related to the handling of removable media.

https://en.wikipedia.org/wiki/Air_gap_(networking)

I'm not talking about air gaping (spliting networks) but not trusting even your own network, there's no reason why infecting 1 node through physical access would give you ANY access on ANY other node.

On a properly secured network, getting access to the CEO's laptop through a usb hack and having him plug into the local network should give you ZERO access to the rest of the network aside from files the user has access to. So it is an issue of giving way too many rights to people who may be unwillingly corrupted.

CIOs often give way too many network rights to high profile people in the company, while they should do the reverse, the higher someone is placed, the more important a target he becomes, the more you should make sure you restrict his rights to the minimum he needs to do his work without being annoyed, and that minimum never includes silly things you see everyday like having his account being an enterprise administrator.

Advertisement

If anyone in your company can access your data, it's hackable. Hackproof means nobody can access it, including yourself and your own customers.

Every security measure, including TLS, is meant to deter potential hackers. Just a lock on your door doesn't fully guarantee your house is safe. It prevents curious people from getting in, but someone with the right tool, the right skill, and the intent, can still get in.

Well no, that's a gross simplification and is simply not true, things aren't just hackable magically, there are only so many categories of entry points, off the top of my head:

- Just flat out bad security (making sure the way you access it isn't secure, like guessable or stored passwords)

- OS / software Security exploits (which aside from the rare 0 day exploit you should have no issue preventing)

- Your own software security exploits (and this is on your side)

- Physical access to the hardware

- Social engineering

All of those can be mitigated or flat out prevented given appropriate effort in such a way that hacking a website (both gaining access to it to change it or simply getting access to it's private data) is virtually infeasible, it's simply a matter of effort and as someone nicely said in this thread security is a cost center not a profit one and all of that costs quite a bit.

If anyone in your company can access your data, it's hackable. Hackproof means nobody can access it, including yourself and your own customers.

Every security measure, including TLS, is meant to deter potential hackers. Just a lock on your door doesn't fully guarantee your house is safe. It prevents curious people from getting in, but someone with the right tool, the right skill, and the intent, can still get in.

Well no, that's a gross simplification and is simply not true, things aren't just hackable magically, there are only so many categories of entry points, off the top of my head:

- Just flat out bad security (making sure the way you access it isn't secure, like guessable or stored passwords)

- OS / software Security exploits (which aside from the rare 0 day exploit you should have no issue preventing)

- Your own software security exploits (and this is on your side)

- Physical access to the hardware

- Social engineering

All of those can be mitigated or flat out prevented given appropriate effort in such a way that hacking a website (both gaining access to it to change it or simply getting access to it's private data) is virtually infeasible, it's simply a matter of effort and as someone nicely said in this thread security is a cost center not a profit one and all of that costs quite a bit.

You could do basically everything perfect, and then get screwed over in an instant because of an NSA exploit to your hardware being exposed.

http://www.theregister.co.uk/2015/06/09/nsa_firmware_sighted_ctb_ransomware/

The only way to guarantee security, unfortunately, is keep the servers off in a faraday cage. And even then I'm not certain.

The early phreaking scene (that's phone network hacking, to you youngins) unlocked the secret of free phone calls by trawling through the garbage of phone companies to steal documentation and manuals. Some even went as f as as impersonating maintenance workers to get into their offices and steal files from their archives (a ladder and high-visibility work clothing will get you anywhere).

My fav: an AT&T office got socially hacked by the perpetrator calling the technicians and telling them that their old manuals were out of date, and that new ones were being mailed to them, so would they please leave their "old" manuals on the street curb to be collected? Kthnxbai.

My fav: an AT&T office got socially hacked by the perpetrator calling the technicians and telling them that their old manuals were out of date, and that new ones were being mailed to them, so would they please leave their "old" manuals on the street curb to be collected? Kthnxbai.

Have you read the art of deception? This book is full of these social engineering hacks and is a great read...

This topic is closed to new replies.

Advertisement