Posted by Jason Remillard on Fri, Apr 16, 2010 @ 02:21 PM
As attacks on infrastructure become more complicated, the true nature of deep penetration attacks gives every developer and operator food for thought. Consider this case, where the Apache open source infrastructure itself became significantly exposed through a simple XSS attack combined with some social engineering (getting folks to click on things) to harvest credentials. After that, it's off to the races!
In this case, a simple redirect hosted on a URL-shortening site sent those who clicked it through an XSS payload that captured their credentials; the clickers were administrators of some of the Apache Foundation's infrastructure. From there, the path takes a meandering journey through key infrastructure, up to and including source code repositories and support systems.
Note as well that the initially captured credentials exposed other systems through cached credentials, cookies and the like. Much like pulling on a thread, the intruders just had to keep pulling and following. And these people knew what they were doing: turning off notifications for source code changes, knowing which servers to go after, where to look, and so on.
Consider that they had several hours to roam the infrastructure before the teams noticed the breach. I recall an exposure several years ago where intruders had access for several months to key components of the SSH key infrastructure. As far as is documented, no major damage (modified file payloads and the like) has been identified. But this is a good example of why regular monitoring and scanning is important, especially in a distributed architecture with many components.
As a side note, kudos to the Apache team for full, quick and detailed documentation of their exposure. We all learn from this, and we're all richer for it.
Posted by Jason Remillard on Tue, Jan 26, 2010 @ 12:05 PM
Malware... Yes, it's been around for many years. However, the attack vector has changed. Long ago the primary distribution method was sharing dirty data (yes, exchanging floppy disks... remember those days?!).
Then it moved on to distributing viruses and malware via email (the early days of Outlook Express!). Then came the solutions to block this: antivirus on your email, desktop products that block installs on your PC, and so on.
Now, however, it is much more sophisticated. As some of you have unfortunately experienced, attackers now break into PCs and websites to inject malware, hence the term 'drive-by malware'. By infecting your website the attackers gain a free distribution channel for their wares: your website. Target a website of any size, inject your bad code, and watch the infections grow by the minute!
Consider this scenario. A customer came to us (name not mentioned, of course) whose site had been injected with malware. Google's scanners flagged it, and his site was dropped from the search rankings immediately. So, boom: there went all of his Google traffic (in this case about 2,000 unique visitors a day).
Worse yet, once Google was aware of his site's problems, the browser vendors picked up on it and started warning ALL visitors to his site with this nice little alert:
Malware Reported Attack Site

So now he has zero traffic from Google, and ALL of his users are being told this is an 'attack site'. Every bookmark and every link from another site now reflects that this site is worse than the worst of the worst. You are evil! You are spreading the scourge of the earth! How could you!
Now this guy is in a panic. He'd just started a major campaign (offline and online) and had paid for a lot of non-refundable advertising. He was losing thousands of dollars a day, and his business was evaporating before his eyes.
Personally, I don't like to scaremonger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true-to-life stories and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized the infections he was spreading (because, in reality, he was). After stripping out the injected code, we scanned his whole site (hundreds of pages) and plugged the holes the web vulnerability scanner found (there was more than one, in his shopping cart and forum systems). It turned out that some of the lovely little hit counters and subscriber forms on his site were wide open as well.
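Stripping out injected code starts with finding it. The script below is an added example, not the scanner the post describes and not the customer's site: it walks a document root and flags the three things a cleanup usually starts with, hidden or 1x1 iframes, inline scripts that decode-and-execute (eval(unescape(...)) and friends), and script or iframe sources on hosts outside an allow-list you supply. The allow-list, the heuristics and the two sample pages are constructed for the example.

```python
"""Scan a site's HTML for the kinds of injected content found in drive-by
malware cleanups: hidden iframes, obfuscated inline scripts, and script or
iframe sources on hosts that are not part of the site.

Added illustrative code, not the scanner the post describes. The allow-list,
the heuristics and the sample pages are assumptions for this example."""
import os
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect iframe attributes, external script URLs and inline script text."""

    def __init__(self):
        super().__init__()
        self.iframes, self.script_srcs, self.inline_scripts = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):  # script bodies arrive here verbatim (CDATA mode)
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False


# width/height of 0 or 1 (optionally "px"): the classic 1x1 injected iframe
_TINY = re.compile(r"^\s*(0+|0*1)\s*(px)?\s*$", re.I)
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)
# decode-then-execute patterns common in injected scripts
_OBFUSCATED = [
    re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode\s*\((\s*\d+\s*,){20,}", re.I),
    re.compile(r"(%[0-9a-f]{2}){30,}", re.I),
]


def _host(url):
    name = urlparse(url).hostname
    return name.lower() if name else None


def scan_html(html, allowed_hosts=frozenset()):
    """Return (kind, detail) findings for one document; [] means nothing suspicious."""
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.iframes:
        hidden = (_TINY.match(a.get("width", "")) or _TINY.match(a.get("height", ""))
                  or _HIDDEN_STYLE.search(a.get("style", "")))
        if hidden:
            findings.append(("hidden_iframe", a.get("src", "")))
        elif _host(a.get("src", "")) not in (None, *allowed_hosts):
            findings.append(("external_iframe", a["src"]))
    for src in c.script_srcs:
        if _host(src) not in (None, *allowed_hosts):
            findings.append(("external_script", src))
    for body in c.inline_scripts:
        if any(p.search(body) for p in _OBFUSCATED):
            findings.append(("obfuscated_script", body.strip()[:60]))
    return findings


# Constructed sample pages for the example (not taken from any real site)
SAMPLE_CLEAN = """<html><head>
<script src="https://www.example-shop.test/js/cart.js"></script></head>
<body><h1>Shop</h1>
<iframe src="https://www.example-shop.test/news" width="600" height="200"></iframe>
</body></html>"""
SAMPLE_INFECTED = SAMPLE_CLEAN.replace("</body>", """
<iframe src="http://evil.example.test/in.cgi?3" width="1" height="1"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'));</script>
</body>""")


def scan_tree(root, allowed_hosts=frozenset(), exts=(".html", ".htm", ".php")):
    """Walk a document root; return {path: findings} for files that trip a rule."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(exts):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as f:
                    found = scan_html(f.read(), allowed_hosts)
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":  # usage: scan_injected.py DOCROOT host1 host2 ...
    for path, found in scan_tree(sys.argv[1], frozenset(sys.argv[2:])).items():
        for kind, detail in found:
            print(f"{path}: {kind}: {detail}")
```

Treat hits as leads rather than verdicts: a legitimate tracking pixel can be a 1x1 iframe, and minified scripts sometimes trip the decoder patterns, so review each hit against a known-good copy of the file. Run it against the document root with every host the site legitimately loads from on the command line.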
Anyway, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked, please, please, please, Google, allow his site back into your good graces...
After about 36 hours, Google's scanners had verified that he was indeed clean and re-included him in the index. Luckily, since we caught it quickly enough, this did not affect his PageRank, and the SEO work he'd invested so much in was saved.
The browser alerts were another problem. Firefox cleared its warning within a few hours of Google; Microsoft IE shortly thereafter; Safari and a few other smaller-footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses from his PPC campaign and offline media buys. On top of that he now had a perception problem with his customers (yes, you are safe; no, I'm not a hacker), and one very long weekend on the phone with them.
How do you protect yourself from this? Since nothing is 100%, regular scanning is your best defense: you find out about a problem with your site before the attackers do. Even more important, since we now test each and every URL on your site against over 120,000 attack patterns (yes, that many!), you get broad coverage and risk mitigation, because you know, on a daily basis, what the outside world can see of your site.
This, all told, allows him to sleep better at night.
Posted by Jason Remillard on Thu, Jan 21, 2010 @ 11:32 AM
I came across a great question on LinkedIn a few weeks back, and took the opportunity to document, in a simple version, basically what it is (and it was voted the best answer! :)
Question:
What is an ‘SEO poisoning attack’?
SEO poisoning attacks are primarily attacks on popular websites using XSS or cross server scripting. IFrame viruses also act like this. Iframes are the most dangerous viruses that attack websites online through low server or FTP password leakage. These viruses then target different websites which contain some exploit matters, images and content.
Answer:
This is a sophisticated attack that is being perpetrated on a daily basis. (We just had one of these this week.)
Basically, the attacker plants a conditional redirect (in the Apache config, in .htaccess, or inside your WordPress install) that checks the incoming User-Agent: if it looks like Googlebot, send the request to the attacker's content; otherwise serve the normal site.
So in my customer's example, all of his search listings were showing porn, Viagra and the like, but to end users the site worked just fine. When Google crawled his site, Google was redirected to the other content, indexed it, and moved on. So now ALL of the search results for your site show data indexed from the porn site. Keep in mind as well that the Google malware alert was NOT displayed to end users. So they tricked Google twice here: once on the search rankings, and a second time on the Google malware detection system. It seems Google did not also fetch the site with a non-Googlebot User-Agent and compare; a second fetch would have revealed the discrepancy.
Even worse, the one we dealt with last week was operating a 'web ring' of sorts: the compromised sites linked to each other, so each one raised the SEO value of the porn links, and the effect compounded as more infected sites were added to the ring. It was growing at approximately 30 sites a day.
The main 'benefit' to the attacker is that Google indexes his content under your site, so your backlinks and reputation grow his SEO value.
Seems like everyone wants a good ranking from Google :-/
Unfortunately, this is a sophisticated attack and usually has many layers (in this case the redirects were planted in 4 different places, and took us hours to find).
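The mechanism and both checks, as an added example that is neither the customer's site nor the attacker's code: a localhost stand-in that redirects requests whose User-Agent looks like a crawler and serves the normal page to everyone else, a fetch-and-compare that catches the divergence (the check the post suggests Google did not perform), and a line filter for User-Agent-conditioned rules in .htaccess or PHP to speed up the hunt through the "many layers". The sample .htaccess and PHP fragments, the spam host name and the regexes are assumptions for the example.

```python
"""User-Agent cloaking and the two checks that expose it: fetch a page as
Googlebot and as a browser and compare, and search server-side files for
behaviour conditioned on the crawler's User-Agent.

Added illustrative code, not the customer's site or the attacker's kit. The
cloaking server is a localhost stand-in; the sample .htaccess and PHP fragments
and the detection regexes are assumptions for this example."""
import re
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"

# What a planted rule typically looks like (assumed examples, not text taken
# from any real incident): one in .htaccess, one in a PHP theme file.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|msnbot|slurp) [NC]
RewriteRule ^(.*)$ http://spam.example.test/pharmacy/$1 [R=302,L]
"""
SAMPLE_PHP = """<?php
if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    header('Location: http://spam.example.test/pharmacy/'); exit;
}
?>"""


class _CloakingHandler(BaseHTTPRequestHandler):
    """Stand-in for a compromised server: crawlers get a redirect, people get the site."""

    def do_GET(self):
        if re.search(r"googlebot|msnbot|slurp", self.headers.get("User-Agent", ""), re.I):
            self.send_response(302)
            self.send_header("Location", "http://spam.example.test/pharmacy/")
            self.end_headers()
            return
        body = b"<html><body><h1>Welcome to the shop</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cloaking_server():
    """Serve the stand-in on a free localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the redirect itself is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent):
    """Return (status, Location header or None, body bytes) for one GET."""
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx surface here
        return err.code, err.headers.get("Location"), err.read()


def detect_cloaking(url):
    """Fetch as a crawler and as a browser; the server is cloaking if they differ."""
    crawler, browser = fetch(url, GOOGLEBOT_UA), fetch(url, BROWSER_UA)
    return {"cloaked": crawler != browser, "crawler": crawler[:2], "browser": browser[:2]}


_UA_COND = re.compile(r"HTTP_USER_AGENT|googlebot|msnbot|slurp", re.I)


def find_ua_conditionals(text):
    """Return the lines of a config or script that key behaviour on the User-Agent."""
    return [ln.strip() for ln in text.splitlines() if _UA_COND.search(ln)]


if __name__ == "__main__":  # usage: cloak_check.py [URL]; no URL runs the local demo
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        _srv, base = start_cloaking_server()
        target = base + "/index.html"
    print(detect_cloaking(target))
    print(find_ua_conditionals(SAMPLE_HTACCESS), find_ua_conditionals(SAMPLE_PHP))
```

The comparison is byte-for-byte, so a site that varies content per request (timestamps, CSRF tokens) needs normalising before comparing; the status code and Location header alone are usually enough to show cloaking. Run the line filter over every .htaccess, the Apache config and the theme and plugin PHP, since the rule can sit in any of them.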
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:22 AM
One big thing missing from this industry is empirical trend data that supports the TRUE risks and costs associated with hacking and malware infections. To date, we've written quite a lot about the customer-specific impacts of infections. The 'results' run the gamut: thousands of dollars of losses over time, loss of SEO rank, customer reputation, and so on. However, one part that has been missing is the true impact on the supporting actors in these incidents.
For example, take a site infected with a simple malware redirect. Instead of looking only at the impacts on the website owner (onerous enough!), we're starting to look at the impacts on that customer's service providers.
It's not just the web host. It's the affiliates of that site, who may lose sales. It's the ad network whose ads appear on the site and which receives negative feedback for being present on an infected site. It's the readers who also receive the infection, or are affected by the drop in traffic. It's the direct advertisers affiliated with the website, who are now also negatively impacted in image, reputation or traffic.
So we here at SSM are undertaking a small series of end-user surveys (specifically of those who were impacted) about their total 'experience' with the incident and its resolution. Questions like: Who did you call first? How were you told? Did your SEO rankings take a hit? Was your web host helpful? Did you switch hosts, designers or products because of the infection? What other steps have you taken?
Thus far (early in our survey), some interesting facets have already arisen.
Primarily:
1) Clients learned of their defacement primarily through customers or colleagues. Because they don't monitor their site regularly, they had no idea they were infected.
2) Their web host was NOT helpful during the resolution process. Surprisingly, only a small percentage switched providers because of this.
3) Google was their main source of information on the issue, but the information was confusing, not really relevant, and generally unhelpful.
We will publish more results as the data firms up. We are still running the survey, so if you (or someone you know) went through this very personal hell, please forward this survey link: http://surveys.verticalresponse.com/a/show/527087/2a7f185d4a/0
(securely hosted by vertical response – anonymous is ok too!)
-Jason
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:37 AM
This is a sales pitch; I am not going to deny that. A lot of websites out there have an array of vulnerabilities, and your site could easily be one of them. A recent study based on the first six months of the year found that a new website is infected every 3.6 seconds (http://www.itbusiness.ca/it/client/en/home/news.asp?id=54476). That is ridiculous and, more importantly, it's faster than it was last year. This epidemic is getting worse.
Now of course we want you to try our service, that's what I'm writing about here, but we want to make you aware of the facts first. We help make sure your website is secure so that you don't become one of those statistics. We're not trying to sell this service to people who won't be helped by it; if your site is flawless, good for you! Unfortunately, most sites are not perfect. We come across a lot of infected sites, some much, much worse than the owner could ever have anticipated.
Again, don't do business with us if you feel your website has nothing to gain from our services. But before you worry, get a free scan from us and make sure that, at least for now, you are still safe; and hopefully your site will still be safe 3.6 seconds from now...
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:30 AM
Well folks, it's been a crazy week online. Is it the holidays, or simply that more vulnerabilities are going unfixed and the attackers are finding more? You be the judge. We definitely think there is a 'retribution' slant to most of the major issues this week, specifically with RockYou!
RockYou.com falls victim to a simple hack, major exposure!
One of the more interesting facets of the story is RockYou's failure to appropriately protect users' login credentials. The hacker showed us an image containing the last few lines of a 32,603,388-line, seven-column dataset weighing in at 276 MB. All the data we saw was in plain text; any grade schooler could have used this information to log in to users' accounts.
Link to Original Story
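What "appropriately protect" means in practice is that the stored record should be useless to whoever walks off with the table. The following is an added example, not RockYou's code: each password is hashed with a per-record random salt using PBKDF2-HMAC-SHA256 from Python's standard library, and verification recomputes the hash and compares it in constant time. The iteration count is an assumed work factor.

```python
"""Store passwords as a salted, deliberately slow hash rather than in plaintext,
so a leaked table does not hand out working credentials. Added illustrative
code, not RockYou's system; the iteration count is an assumed work factor."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed; tune so one hash costs ~100 ms on your hardware


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt per record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        iters = int(iters)
    except ValueError:  # malformed record: wrong field count or bad base64/int
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(dk, expected)


def same_password_different_records(password):
    """Two users with the same password must not share a stored value (per-record salt)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)  # nothing in here reveals the password
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))  # False
```

With this scheme a leaked dataset contains salts and hashes rather than passwords, and each guess costs the attacker one PBKDF2 run per account instead of a table lookup; memory-hard functions such as scrypt or bcrypt are better still where available.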
If you are interested, the most easterly point of North America
Long a fan of the 'virtual Google traveler', I have found an interesting article that uses Google Maps to 'visit' locales. In this case, it's the most easterly point of North America!
Link to Story
SEO Poisoning – 54f3.com responds
I came across an interesting question on LinkedIn asking what SEO poisoning is. We recently had a customer come to us with this nasty, nasty infection. It's ugly, and it hurts. Read all about it here.
US and Russia begin cyber-SALT talks
This reminds me of the good old days of the SALT talks. Remember those? When we had nukes pointed at each other in the name of MAD (Mutually Assured Destruction)? Well, now we're in the Web 2.0 world, and the conversation has changed.
Full Story here
SiteSecurityMonitor.com Malware Survey Continues
Our survey on the true impacts of malware on the consumer, the host, and the other parties associated with a hacked site continues. To date, we've received an incredible response with some interesting results. Be a part of the feedback and please take a few seconds to respond to our survey HERE
All in all, a very busy week! I hope your preparations for the holidays are not too crazy for you, and wish you and yours a safe and joyous holiday (however you may celebrate it!)