January 26, 2015

Gartner Identifies Shape Security as New Deflection Technique

Gartner Research VP and Distinguished Analyst, Avivah Litan, mentioned Shape Security on her blog discussing the growing threat of automated attacks on websites. Shape Security has been mentioned in multiple other reports. The difference here is this blog that is publicly available for everyone (including those without a Gartner subscription).

According to Avivah:

[Shape Security is a] new web application security technique that scrambles website code using a process called polymorphism. This precludes the hackers’ ability to decipher how a web site can be attacked since the logic of the web application is no longer transparent (e.g. no more ‘in the clear’ HTML code). 

In her blog, Avivah features Shape Security as a solution to these automated attacks. Specifically, she states that Shape's polymorphic technology deflects malicious automation, preventing the attacks from executing at the point of entry. Deflection is better than detection – preventing attack is better that finding the attacker ex post facto.

Interested to learn more? Learn more here.

January 21, 2015

Attack Tool on the Rise: Account Checkers

Today we introduce and explain an attack tool that is becoming more prevalent among our customers: the Account Checker.

This credential stuffing tool isn't new, but usage is rising sharply for reasons we'll discuss below. Although very conceptually simple and easy-to-use, account checkers are extremely powerful.

Description of Account Checkers

An account checker is an attack tool that takes lists of spilled username/password pairs (i.e. “credentials”) and tests them against a target website.

Powerful account checker packages cost as little as $100, and adversaries can also create their own account checkers from off-the-shelf web automation toolkits like Mechanize, PhantomJS, IEC.py, Sikuli, Selenium or iMacros. These toolkits reduce the technical burden to write account checkers and conduct credential stuffing attacks.

Anatomy of Account Checker Usage

  1. Attacker acquires spilled passwords from a website breach or from password dump site
  2. Attacker uses account checker to test stolen credentials at many websites
  3. Successful logins (usually 0.1-2% of total) result in account takeover
  4. Attacker drains stolen accounts of stored value, credit card numbers, and other PII
  5. Attacker may also use this account for other nefarious purposes (spam, further transactions, etc)

Example of Benign Account Checker 

Below is a ‘benign’ account checker called namechk.com that illustrates how account checkers work. This tool checks if a given username is available on various social networks. In the image below, we checked the username “shapesecurity” and this tool correctly identified all the sites on which that username was taken.

This service uses a script that automatically tests a given username against all the websites visible in the image (e.g. Blogger, Facebook, Youtube, Twitter, etc.).

A criminal account checker functions in the same fashion as the above tool, and adds additional capabilities like checking whether various passwords (based on guessing algorithms, or one of the top 25 passwords) work on that site. The full process of checking usernames and passwords, along with malicious intent, leads to the widespread attack of credential stuffing.

A Microsoft study found that the average user has just over six passwords, that each password is shared across four different sites, and that each user has about 25 accounts that require passwords. Meaning breach anywhere results in passwords on 3.9 top sites becoming public.

Example of an Attack-Ready Account Checker

Brian Krebs wrote about the off-the-shelf account checker below. This is the same type of tool used to hack Hilton.

In the above screenshot, row seven shows an account checker for expedia.com. This checker is able to ascertain whether credentials are valid, and scrape the point balance, last four digits of the credit card number, and billing address of the card.

Below is a sample of the underlying code of an account checker. This account checker tests large numbers of credentials. When it finds a valid pair of credentials, it scrapes PII and steals stored value and credit card details from the account.

Where do attackers get lists of credentials?

The fuel for any account checker is a list of credentials. Fortunately for attackers, there are a huge number of credentials that are public.
  • 38,000,000 Adobe accounts 
  • 318,000 Facebook accounts 
  • 70,000 Google accounts 
  • 60,000 Yahoo accounts 
  • 22,000 Twitter accounts 
  • 8,000 ADP accounts 
  • 8,000 LinkedIn accounts 
Hundreds more credentials are leaked each day on this twitter handle: twitter.com/dumpmon. Many security professionals use this list to identify which user accounts on their respective sites have been compromised, and to lock out compromised accounts. Obviously, attackers also use this list, in conjunction with account checkers, to find vulnerable accounts which they then use for various fraudulent activities. 

What can security professionals do to curb account checkers and prevent attackers from hijacking user accounts? 

The answer requires an understanding of the mechanism by which account checkers work.

Account checkers work by using the static form elements of the login page as an implicit API. In the code sample above, the attacker references various form element names in order to interact with the target webpage. Most websites cannot distinguish such interactions from normal human interactions
and thus gladly accept the attacking traffic. This allows the attacker to automate the website using account checkers and easily run through millions of tests over the course of a few days or weeks (often using a large distributed botnet and a huge number of IP addresses in order to avoid rate and volume limits). Thus, even very unsophisticated attackers can trivially launch potent attacks against many of the largest websites in the world.

To defend websites against such activity, which we call “unwanted automation”, we use an approach that is familiar to attackers - we change the underlying code of the site on every pageview. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, so Shape’s solution creates a moving target which frustrates scripts that seek to automate a website. This allows sysadmins to increase the effort an attacker must invest to successfully script or automate a given website.

Of course, savvy readers will point out numerous ways in which to conduct attacks in different ways. It is beyond the scope of this article (but perhaps the subject of future pieces) to consider such attacks (DOM, GUI, and other). Shape of course is keenly focused on comprehensively defeating all such attacks and has solutions at each of those levels.

Click here to see the quantitative results of Shape Security in action.

April 8, 2014

Windows XP End-of-Support Will Result In More Powerful Botnets

Today marks the official end-of-support for Windows XP, which means no more security updates for Windows XP installations. Non-supported Windows XP installations will not get updates and will overtime become less secure and easier to hijack.

As millions of XP machine become less secure, we will see more Windows XP machines usurped and zombified for malicious web attacks.  Now that Windows XP machines will be easier to hijack, more nodes will be available to botnets to make attacks on web servers. This will impact the day-to-day of CISOs and security professionals who's job it is to protect web infrastructure from attacks.

While many organizations are focused on upgrading to more modern operating systems, it's the devices that they have no control over that may end up doing the most damage. It boils down to this: while an enterprise may do everything right to upgrade and protect its own computers, they don't control the millions of devices still running XP in the wild.

Vulnerable devices get compromised, and compromised devices become parts of a botnet. Botnets provide cybercriminals with a platform for everything from DDoS against websites to sophisticated account takeover and fraud. As official support for XP runs out, attackers will naturally rush in to take advantage of those left behind.

Here is a quick breakdown of the numbers to help quantify the significance.

Windows XP Usage Remains High

Industry statistics of operating system usage can vary wildly, and current estimates of XP usage range from 10% to 28% of the total operating systems used worldwide. With an estimated 2 billion PCs in world, that means that somewhere between 200 million to 580 million devices will be vulnerable by definition.

Source: NetMarketShare 2014

Windows XP Vulnerabilities Remain High 

2013 was a busy year for new Windows XP vulnerabilities, with a total of 88 new vulnerabilities reported. For comparison, this is twice as many vulnerabilities as were observed in 2012. The comparative view of Microsoft CVEs shows that while XP is not the leading source of vulnerabilities, it remains a very significant source of new vulnerabilities.

 Source: CVEDetails.com

 Windows XP Infection Rates Remain High 

Microsoft’s latest Security Intelligence Report shows that while the popularity of XP is on par with other Windows operating systems, the infection rate is almost double that of more modern operating systems.

Source: Microsoft Security intelligence Report Volume 15

These statistics certainly favor the attackers. Even if enterprises manage the Windows XP end-of-life perfectly, all of the unprotected XP devices in the wild remain. This is why deflecting bots and automated threats has become so important for virtually any organization with an Internet-facing site or application.

Clarification: Wade Williamson wrote this article.

How Heartbleed Bug Affects Web Security

HTTPS is layered on top of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to enable a user to securely communicate with a website without tampering or monitoring from intermediate parties.

However, on April 7, 2014 a serious vulnerability (CVE-2014-0160 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160) was uncovered within the TLS heartbeat extension in versions of OpenSSL that places the encrypted communication at risk. Attackers can leverage this bug to obtain the private keys from the webserver and use this information to decrypt and monitor communications that are taking place over SSL/TLS, exposing any sensitive data communicated by the user.

Scope of the vulnerability

1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Apache, which uses OpenSSL for HTTPS, is used by 66% of all websites according to netcraft.com (http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html). A study of the TLS heartbeat extension by Netcraft also identified that 17.5% of SSL sites may be vulnerable to the Heartbleed bug (http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html).

Is a patch available?

Yes - OpenSSL 1.0.1g was released on April 7, 2014 (https://www.openssl.org/source/). Impact of the vulnerability This vulnerability allows an attacker to extract memory contents from the webserver through the vulnerability in the heartbeat. As a result an attacker may be able to access sensitive information such as the private keys used for SSL/TLS.

  • Active Attack - Equipped with the private key, an attacker can silently monitor and decrypt communications between the user and the web server. As a result, an attacker could view private data such as passwords, credit card data, medical records and any other sensitive data the user exchanges with the website. In addition, the attacker could impersonate the target website to deliver fake, inaccurate or malicious data to the user. 
  • Offline Attack - Some well funded attackers gather large amounts of encrypted data and store this data in the event they can later decrypt the information. Using the Heartbleed vulnerability the attackers could decrypt this information if it was obtained when passed between a user and a vulnerable website. This means that sensitive data exchanged up to two years ago could also now be at risk for exposure to attackers. Note: sites implementing Perfect Forward Secrecy are protected against this particular attack.

Who might exploit this vulnerability?

In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path. This attack could most easily be launched by state actors or criminal enterprises operating in collusion with network operators. In addition, individual attackers could leverage this vulnerability to attack individuals using a shared wifi hotspot.

Can attacks be detected?

Unfortunately, no. An attacker exploiting this vulnerability will leave no trace within the webserver logs. As a result it is not possible to determine if vulnerable web sites have been exploited.

What should website owners do? 

  1. Verify if you are using a vulnerable version of OpenSSL. 
  2. Upgrade OpenSSL as soon as possible. 
  3. Reissue your security certificates for SSL/TLS. The vulnerability has been present for two years and there is no way to verify if your private key has been compromised as a result of this vulnerability. In addition, a compromised key would be used to silently monitor communications from your users and the attack would be undetectable. It is prudent to assume a breach and proactively reissue security certificates. 
  4. Implement Perfect Forward Secrecy. This additional layer of security protects encrypted data from several potential attacks by using a per session random keys. 

What should users do?

Unfortunately there’s not much a user can do. If you have an account at one of the many large websites that may have been affected, you can proactively change your password just to be safe.

Which large websites were impacted?

A partial lists of large websites that are impacted can be found here. This list includes websites such as yahoo.com, stackexchange.com, eventbrite.com, okcupid.com, suning.com, and squidoo.com. 

What other concerns are there with this vulnerability?

The Heartbleed vulnerability allows an attacker to extract information within the webserver’s memory. As a result, a wide variety of information could be at risk including sensitive user or system data. In addition to placing webservers at risk, OpenSSL is also used by a variety of network appliances. These devices could be subjected to attack to extract sensitive information within memory.

Additional information


Clarification: Michael Coates wrote this article.

January 21, 2014

Introducing the Shape Shifter

We founded Shape Security two years ago to tackle one of the hardest problems in web security: how to protect the front door of modern websites. The pervasive rise of malware-infected desktops, botnets and automated attacks threaten the foundation of the new Internet economy. We realized this called for a new approach to security—one that dealt with the reality that we can never truly eliminate malware from the desktop. 

The security industry has focused largely on preventing malware infections, yet has failed to protect websites against attacks from hundreds of millions of infected consumer computers. Our core strategy is to provide technology to protect websites even when they are serving infected desktops. In military terms, this is called “continuing to operate in a denied and degraded environment.” The ubiquity of malware-compromised desktops creates a degraded environment within which we must still find ways to enable everyday online activities like banking, shopping, socializing, and checking health records. 

To accomplish these goals, today we unveil the ShapeShifter, a web security product that protects websites from malware, botnets and scripts. 

The ShapeShifter physical appliance.

Botnets: A Massive Criminal Infrastructure of Infected Computers

Today’s cybercriminals assemble massive networks of infected computers (botnets) to attack websites. Most security products fail to block such attacks because criminals are able to make their botnet-based attacks look like legitimate usage. 

These botnets are the backbone for a wide variety of high-volume, automated attacks against websites. Some of these attacks are well-known, such as when banking botnets steal millions of dollars across many online banking sessions, or when bots abuse basic website functionality, crippling websites with traffic that is almost impossible to block. Other attacks are much more subtle but just as damaging. For example, a botnet can slowly test stolen usernames and passwords against an e-commerce site in order to take over millions of accounts and defraud end-users. In fact, the same underlying mechanism is likely how miscreants will turn the the vast trove of over 100 million credit cards stolen from Target into money: they will use automated scripts running on botnets to purchase things like gift cards and other easy-to-sell goods from e-commerce websites. 

There are many examples of attacks that use botnets and automated scripts to exploit websites, but they all target the same inherent vulnerability: the fact that most websites are created from publicly viewable common building blocks (HTML, Javascript, and CSS). This allows criminals to treat websites as implicit APIs, meaning the website can be operated by bots and scripts that can perform any action the website supports. Older security technologies do very little to deal with this problem. Traditional threat signatures and reputation scoring don’t work very well, because most attacks look and feel like normal usage from computers belonging to legitimate human users. Rate limits are easy to avoid by distributing an attack across thousands of IP addresses in a botnet. The ineffectiveness of these and other traditional techniques led us to seek a solution that could disable attacks from malware, botnets and scripts. So we built the ShapeShifter. 

Introducing the ShapeShifter

The ShapeShifter uses real-time polymorphism as a defense—it dynamically changes website code to break automated attacks. Cybercriminals have long used polymorphism to hide malware by making the malware appear to be different upon every new infection. We harness polymorphism to make the source code of websites appear differently on every page view, which has the effect of defeating malware, botnets and scripts. All of this happens without creating any user-visible changes. The website looks and feels exactly the same to legitimate users, but the underlying site code (HTML, JavaScript, and CSS) is different on every pageview. Because bots must reference the content is some manner, this never-ending modulation of the site code breaks scripts and deflects attacks. Ultimately, the ShapeShifter aims to stop non-human visitors from executing large-scale automated attacks. This may help break the economics of breaches like the one Target experienced in late 2013, by eliminating the monetization path. 

Many web attacks are only profitable if automated. Criminal enterprises pursue profit: without automated scripts, many of today’s attacks cease to be economically viable. Instead of constantly detecting and reacting to threats, the ShapeShifter targets the economics of web hacking, and makes the preferred approach of criminals—automation, too expensive. This provides broad protection from automated attacks against websites and represents a completely new approach to security.