Recently, a friend of mine, owner of a small online web store, had his website compromised. He asked me lots of questions about why this had happened (he didn’t really have much sensitive information on his website), and how to avoid such security incidents in the future.
Many website owners don’t even realize that they have been compromised. The majority of attacks remain undetected and unnoticed today because of the sophistication of the attacks and the low level of security awareness among the victims. This is why I decided to write a short and simple piece about web application security to help small online merchants secure their websites and avoid security breaches and data leakage.
Why do web security incidents happen? Targeted, semi-targeted and untargeted web attacks
I’d highlight three main types of attack: targeted, semi-targeted and untargeted. The concept of a targeted attack is very simple: the final target of the hackers is your website (or some other part of your technical infrastructure) and nothing else. In the SMB e-commerce sector, targeted attacks are fortunately quite rare, as they are time-consuming, complex and expensive to conduct, while the proceeds of a targeted attack against a small e-commerce website can hardly cover its cost. Hackers are good economists and will rarely spend more on an attack than the benefit they can get from it.
However, don’t get excited too fast. Many website owners have a false sense of safety, convinced that, because of the small size of their business or website, or because they have no known enemies, nobody will ever try to hack them. Let’s have a look at semi-targeted attacks to demonstrate that this presumption is wrong.
A semi-targeted attack is when hackers target you (quite often among a dozen other resources), but you are not their final target. To become the victim of a semi-targeted attack it’s enough that your web server is hosted in the same subnet of a large datacenter as the server of the company that is the final target. I am not even speaking about shared web hosting, where one web server hosts hundreds of different websites, and quite often it’s enough to compromise just one of them to get access to the others. Hackers always follow the most efficient route: compromising the weakest link in the security perimeter, and in many cases your website or web server falls squarely into the weakest-link category. It is sufficient that a person hunted by the hackers has an account on your website, shop, forum or blog: for the hackers it’s much easier to compromise your website and try to reuse his or her password elsewhere than to attack the front end of Gmail or PayPal to get access to his or her account there (the final target).
Don’t think that storing your users’ passwords in hashed (“encrypted”) form will demotivate hackers: the majority of hashing algorithms used in web applications are not strong enough against brute-force or dictionary attacks, and a good hacker may simply backdoor your login form and collect all user credentials in plaintext. In the most unlucky case, you may simply become an accidental victim of hacktivists, even if you are far away from politics, big corporations and banking institutions.
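To make the point about weak hashing concrete, here is an added example (mine, not part of the original article or of any product it mentions) that contrasts the typical weak scheme, an unsalted fast hash, with a salted, slow password hash built from Python’s standard library. With the weak scheme two users who chose the same password get the same stored value, so a single precomputed table serves the whole user table; with a per-user salt and a tunable work factor that is no longer true. The sample user names and passwords are constructed, and the iteration count is an assumed work factor that should be tuned for your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for the demonstration (not real user data).
SAMPLE_USERS = {"alice": "summer2024", "bob": "summer2024"}


def weak_store(password: str) -> str:
    """The weak scheme: unsalted MD5.

    Fast and deterministic, so identical passwords collide across users and
    a precomputed table or a fast dictionary run covers the whole database.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed work factor: raise it until one verification costs ~100 ms on your server.
PBKDF2_ITERATIONS = 200_000


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 from the standard library.

    The record is stored as iterations$salt$hash so the parameters travel with
    it and can be raised later without a migration of the format.
    """
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(store) -> bool:
    """True if two users with the same password end up with the same stored value."""
    return store(SAMPLE_USERS["alice"]) == store(SAMPLE_USERS["bob"])


if __name__ == "__main__":
    print("unsalted MD5 collides across users:", same_password_same_hash(weak_store))
    print("salted PBKDF2 collides across users:", same_password_same_hash(strong_store))
    record = strong_store(SAMPLE_USERS["alice"])
    print("stored record:", record)
    print("correct password verifies:", verify_strong("summer2024", record))
    print("wrong password verifies:", verify_strong("winter2024", record))
```

In a real application you would normally use a dedicated password-hashing library (bcrypt, scrypt or Argon2) rather than hand-rolling PBKDF2, but the two properties shown here, a unique salt per user and a cost that makes each guess expensive, are what any acceptable scheme must provide.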
It’s enough that your web resource belongs to a specific country or merely mentions the products of a company targeted by the hacktivists, and they may come to vandalize your website, expose your customers or delete your database and backups. Why? Simply because your website was one of the least protected on their “to-attack” list. Unfortunately, it’s much easier to compromise a hundred small websites to protest and create a media buzz than to deface the main websites of Gazprom or the NSA. The above-mentioned examples are semi-targeted attacks: you and your website are selected by the hackers on purpose, but only to facilitate their further targeted attack on bigger resources.
Now, let’s speak about untargeted attacks, which are the most common today in the SMB sector. Cybercrime is a very big and fast-growing industry. Each byte of information has its price on the black and grey markets. Of course, one customer record from an online shop will hardly fetch more than a penny, but a hundred records are already worth £1 (or even more), while a thousand records easily bring at least £10 (or much more, depending on the records’ “quality” and “completeness”).
How much will it cost to compromise Amazon? Several million GBP; moreover, you will need time, excellent technical skills and a bit of luck. Not many Black Hats have the necessary skills, time and resources to launch attacks against the biggest players in the e-commerce industry, so they prefer to compromise a dozen small and medium online shops per day and make their money on the “every little helps” principle.
How will they find your website on the Internet? Easily: Google is the hackers’ best friend. Robots, hidden behind millions of proxies, crawl the World Wide Web around the clock looking for outdated versions of web application software and brute-forcing default and weak passwords.
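The automated crawling and password guessing described above leaves a recognisable trace in an ordinary web server access log, which is where a small merchant can first notice it. The following is an added example, not from the original article, of a minimal detector over combined-format log lines: it flags a client that accumulates several failed logins inside a short window, and a client that requests many distinct non-existent paths, the typical footprint of a scanner hunting for known software. The log lines, IP addresses (documentation ranges) and probe paths are constructed; the login path, the status codes that mean “login failed” and the thresholds are assumptions to adapt to your own application.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access-log lines for the demonstration.
# 203.0.113.7 hammers the login form, 198.51.100.23 probes for paths that do
# not exist, and 192.0.2.10 is an ordinary visitor who mistyped a password once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "GET /probe-1 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "GET /probe-2 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:02 +0000] "GET /probe-3 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:02 +0000] "GET /probe-4 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:03 +0000] "GET /probe-5 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:03 +0000] "GET /probe-6 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:04 +0000] "GET /probe-7 HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:14:02:04 +0000] "GET /probe-8 HTTP/1.1" 404 153 "-" "curl/7.88"
192.0.2.10 - - [10/Oct/2023:14:10:11 +0000] "GET / HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:10:45 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:10:58 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields we need as a dict, or None for a line we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_suspicious(log_text: str, login_path: str = "/login",
                    failure_statuses=(401, 403), fail_threshold: int = 5,
                    window: timedelta = timedelta(minutes=5),
                    notfound_threshold: int = 8) -> dict:
    """Map each suspicious client IP to the list of behaviours observed."""
    failures = defaultdict(list)    # ip -> timestamps of failed login POSTs
    notfound = defaultdict(set)     # ip -> distinct paths that returned 404
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == login_path and e["status"] in failure_statuses:
            failures[e["ip"]].append(e["ts"])
        if e["status"] == 404:
            notfound[e["ip"]].add(e["path"])

    findings = {}
    for ip, times in failures.items():
        times.sort()
        j = 0  # sliding window: does any span of `window` hold >= fail_threshold failures?
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= fail_threshold:
                findings.setdefault(ip, []).append("login_bruteforce")
                break
    for ip, paths in notfound.items():
        if len(paths) >= notfound_threshold:
            findings.setdefault(ip, []).append("path_scanning")
    return findings


if __name__ == "__main__":
    for ip, behaviours in find_suspicious(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(behaviours))
```

Run against a real log, the output is a list of client addresses worth rate-limiting or blocking at the web server or firewall, and a signal that the login form needs a lockout or CAPTCHA. Many applications answer a failed login with a 200 page rather than 401, so check what your own software does before trusting the `failure_statuses` default.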
In untargeted attacks, hackers make their money on quantity, not quality. I will not even list all the goals hackers may have in hacking your website: besides the banal theft of your databases, they infect your website with malware to conduct drive-by attacks against your visitors, turn those visitors’ machines into zombies for DDoS attacks, and go as far as creating hidden sections with illicit content, for which you may be held responsible.
Web applications are one of the easiest and most popular attack vectors used by hackers today. During the last three years High-Tech Bridge Security Research Lab has identified almost one thousand vulnerabilities in commercial and open-source web applications installed on tens of millions of active websites.
Unfortunately, hackers have far bigger resources and a predictable ROI (Return On Investment), which lets them achieve much more impressive results. The number of web security incidents grows constantly, while the quality of web application coding and user awareness about security do not keep pace. Remember that Black Hats may select your website as a target at any moment; in fact one day they will, so it’s only a question of time. After this brief overview of attackers’ motivation in the first part, we will have a look at the most common web hacking techniques, countermeasures and the investigation process in the second part.