I obviously browse the web and sometimes when I do that, I just randomly check for odd behavior. It’s just a simple fact that if we are given some random website, there are issues. In general, it takes me literally about 3 minutes to “find something”.
First things first. I’m actually not a great hacker. I’m probably not even good. I just know what to look for and have my experience of ~10 years as a programmer in my backpack.
The second part is when I find “something”, it can be something simple. In most cases it is just misconfigurations and/or information disclosures. Just stuff that makes it easier to actually really, really mess something up. I mean that’s the whole thing; I don’t want to break anything.
The truth is that someone who isn’t as cool as me, or is actually targeting you, is going to ruin your day. A bad day can be annoying and for some, it might scare them. Yet this is just the best option. Worst case someone actually ruins your entire company. A more logical option is that you have issues for a week and backlash for days if not weeks. Either by your customers, employees, stakeholders, social media or whatever has a link with you.
Real cases of this month
To give you some more insight, a summary of my recent month. I just keep it short without any juicy details. It’s more about awareness.
I was asked to help recover some data. This was just a small company, a few employees. Everything they did was locally stored. There was some recent data “in the cloud” but that was just some new data. The most important stuff was on incremental backups.
I can be very blunt and short about this. They were royally fucked. Everything was encrypted and the type of worm was never cracked.
They just lost the data of 2019. Somewhat luckily, 2018 was still safe. Please think for yourself: what if you lost all your data in general, or just 2019? Are you still a healthy company then?
“Backups” is just a term. If you have no affiliation with IT, your backups can still be useless. Especially if your security is bad or non-existent.
A pentest on a website
I also did a pentest, which is a good start. Know your strengths and weaknesses.
Again, it is just about the message so I’m going to be short about this: It took me 1 hour and I had full access to their online presence.
Access to the backends, user-data, CMS, etc. Ok fine, you can restore backups (perhaps?) but what if someone pushed you out of your own systems for a few hours. Defacing your website(s)? Do you still have the trust of your customers?
I guess this was a wake-up call, which is good. But I know for a fact that there are millions of cases that are in the same boat... waiting to sink.
Testing my custom scanner
I’ve created a scanner to... scan. The web.
Actually, it was just a test but I found a fairly big company in The Netherlands. I cannot go much into details but let’s just say I could execute a stored XSS and there was a CVE scored 10 (the max) that was exploitable.
This was just a “funny mistake” – I did not even want to target them. I was developing something and I could have gained access within minutes. It’s like the equivalent of finding a car running with the keys in it on an open field with nobody around.
Proving someone wrong
Ye, self promotion here, but I’ve created isitthough.com to prove people a point. A security company made a statement on LinkedIn. This triggered me: are you secure yourself?
It took me 2 minutes in which I could PM that person their admin users, the outdated Apache version and the fact they had open dirs.
Does this make them insecure? Not really, but if I wanted, I could use those backend users to brute-force a login (there was no protection on that).
Just a small thank you to them if they read this (hi). They were fair sports, thanking me, and they were already working on a new website.
So what is the problem?
I really should write a full blog about this, but for the sake of awareness, I will write an opening for it. At its core, it is just about money. Security costs money straight away. It’s that simple.
Every aspect of a company gets hit by security. Security is not only about some developer making a fuck up in their code. It’s about everyone and everything involved. Hence it can be costly.
The difference is that “healthy” companies look further than their fiscal quarter. They have a long term vision and therefore know that a major breach will cost them millions. This makes it easier to invest half of that into security.
- The average cost of a malware attack on a company is $2.4 million – https://www.accenture.com/us-en/event-cybertech-europe-2017?src=SOMS#block-insights-and-innovation
My main issue is that “money” should not be the main reason. I’m really aware that companies need to make money, but the drive for security should really not be about money. I wanted to create awareness for something else. Not about money, hence why I do most of my work for free:
The )!(*@#!@ users.
You might store thousands, if not a lot more, of user-data records. For the sake of them: keep it secure. Can that please be worth something?
By simply ignoring money as the biggest factor for once, what is wrong with giving people more knowledge and power regarding data in general? I strongly believe that a company that is aware of security delivers better products. People are more involved and actually care more about their work. Let’s be fair, in a “big” company only a few feel something about the costs. Motivating them by saying “if we have a breach, we lose money” is not going to help. How about “if we have a breach, we failed our customers”.
It should feel good, knowing you serve your customers well. It should be your standard, to deliver the best experience. Give people the time to make good products and think about the right processes involved.
How to be more secure
This is a hard one, but I wanted to close this part with some general tips. I’ll be happy to go more in depth in a follow-up blog post!
- Think about your data.
  - How often do you even use it? Do you really need to store it? “You can’t have a data breach if you don’t have any data” 😉
  - In my case, I wanted to have a way people could contact me. It simply gets pushed as a message to me and it will get deleted within a month. I have no reason to store that for years on my server/database. Do you?
- Be open for security.
  - Implement a security disclosure policy. Allow people to give you insights on potential issues without suing them for doing the right thing. Also, act on any feedback. P.s. if you need help with a policy, give me a shout.
- Demand security.
  - In many cases, you use 3rd party assets, for example a website. Demand security. When it is delivered, enforce a pentest. In fact, don’t you want a good product when you buy it? Why not make it official with an actual test by professionals?
- Spread information, educate yourself and your employees/colleagues. We are all professionals, why not be professional when dealing with data?
- Care about it.
  - When you meet a person in real life and he/she shows you a photo of their family: take a photo of that, print it and stick it to every lantern post in the street. Would that be socially accepted, or would you still be friends if you did that?
  - How is that different from gathering “useless” data you do not need, storing it unsecured and allowing it to go public over the entire web?
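The “delete within a month” practice for contact messages above, written out as an added example (not code from the original post or from the author’s site). It assumes 30 days for “a month”, a message record with an ID and a UTC timestamp, and that the caller deletes by ID; it refuses naive timestamps so a wrong-offset comparison can never silently keep data past its window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention window: the post deletes contact messages "within a month".
# 30 days is an assumption for "a month".
RETENTION = timedelta(days=30)


@dataclass(frozen=True)
class Message:
    msg_id: str
    received_at: datetime  # must be timezone-aware (UTC)
    body: str


def is_expired(msg: Message, now: datetime) -> bool:
    """True when the message is older than the retention window.

    Both timestamps must be timezone-aware; a naive timestamp is rejected
    rather than compared, because an offset mistake could keep data past
    its window (or delete it early) without anyone noticing.
    """
    if msg.received_at.tzinfo is None or now.tzinfo is None:
        raise ValueError(f"{msg.msg_id}: timestamps must be timezone-aware")
    return now - msg.received_at > RETENTION


def apply_retention(messages, now=None):
    """Split messages into (keep, purge_ids).

    Only IDs are returned for the purge set so the caller deletes by key
    and never has to re-read or copy the message bodies."""
    now = now or datetime.now(timezone.utc)
    keep, purge = [], []
    for m in messages:
        (purge if is_expired(m, now) else keep).append(m)
    return keep, [m.msg_id for m in purge]


# Constructed sample data, not real messages from the author's inbox.
SAMPLE_NOW = datetime(2019, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Message("m1", SAMPLE_NOW - timedelta(days=3), "question about a pentest"),
    Message("m2", SAMPLE_NOW - timedelta(days=30, seconds=1), "old lead"),
    Message("m3", SAMPLE_NOW - timedelta(days=45), "stale"),
]
# Constructed record with a naive timestamp, used to show the rejection path.
NAIVE_SAMPLE = Message("n1", datetime(2019, 1, 1), "no timezone")

if __name__ == "__main__":
    kept, purged = apply_retention(SAMPLE, SAMPLE_NOW)
    print("keep:", [m.msg_id for m in kept], "purge:", purged)
```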
As a person, I really felt sad, with some sort of disbelief. That we live in a more “online” world should not mean we should think “data” is just anonymous in big batches. I truly believe the state of security worldwide is really, really bad. We read a lot about bigger companies having breaches but this is also happening to small businesses. Yet it never gets into the news.
I do love many new initiatives, such as bounty programs. Yet this is still very limited to only a few companies that already have their things done right.
Honestly I think that big events such as ransomware, Meltdown and Spectre are actually helping the cause for security. Some companies are getting really hurt, some even went bankrupt. It’s just unfortunate that we require “diseases” to make things better.