Protecting your business: 6 cybersecurity mistakes you can avoid

Unprotected servers of information systems

Attackers hunt for unprotected Elasticsearch and MongoDB servers in order to gain unauthorized access to other people's data. If authentication on such servers is disabled by default and they are reachable from the public Internet, that alone is a vulnerability. The same problem exists in the Redis and Memcached cache systems and in the RabbitMQ message broker. In just the last few months, data from a popular ordering service, information about restaurant visitors, and records of clients who submitted loan applications to a well-known credit broker have all become publicly available.

RabbitMQ is a software message broker based on the AMQP standard: replicable middleware focused on message processing. It was built on the Open Telecom Platform, is written in Erlang, and uses Mnesia as the database engine for storing messages.

In early April, information security experts discovered on the network an Elasticsearch server through which unauthorized access to the YouDo user database could be obtained. And in January, data on clients of the credit broker Alfa-Credit, which collects loan applications and helps select and obtain a loan from a bank, leaked online. The records were held in the open-source database management system MongoDB, which some companies use for internal purposes.

Recommendations

  • For stable operation of Elasticsearch, it is usual to create a cluster of several servers so that the Elastic instances can communicate with each other, which requires opening network ports. If those servers are reachable from the Internet, an attacker can connect directly to the database. In older versions of Elasticsearch, below 7.3.2, the database can be accessed with no authentication at all.
  • Unauthorized access to your data can be avoided by reviewing the settings of information systems that still run in their default configurations, and by protecting servers and virtual machines with firewalls.
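The settings review recommended above, as an added example in Python (not the article's code): it parses a constructed elasticsearch.yml in its weak default shape and a hardened counterpart and reports the settings that expose the node. The file contents and the treatment of an unset xpack.security.enabled as "off" (the 7.x default) are assumptions.

```python
import ipaddress

# Constructed elasticsearch.yml as a node is often left: bound to every
# interface with the security features switched off.
WEAK_CONFIG = """\
network.host: 0.0.0.0
xpack.security.enabled: false
"""

# Constructed hardened counterpart: internal address only, authentication
# on, and encrypted transport between the cluster's nodes.
HARDENED_CONFIG = """\
network.host: 10.0.1.15
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
discovery.seed_hosts: ["10.0.1.15", "10.0.1.16"]
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines of elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip('"').lower()
    return settings

def is_public_bind(host):
    """True for a wildcard bind or a globally routable address."""
    if host in ("0.0.0.0", "::", "_global_"):
        return True
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostnames and special values such as _local_ are not flagged

def audit_elasticsearch(text):
    """Return findings for one elasticsearch.yml; an empty list means nothing found."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "127.0.0.1")  # unset means loopback only
    if is_public_bind(host):
        findings.append(f"network.host={host} exposes the node beyond localhost")
    if s.get("xpack.security.enabled", "false") != "true":  # unset treated as off (7.x default)
        findings.append("xpack.security.enabled is off: the REST API needs no authentication")
    if "discovery.seed_hosts" in s and s.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("multi-node cluster without TLS on the transport port")
    return findings
```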

Insecure direct object references

IDOR (Insecure Direct Object Reference) is a vulnerability that allows unauthorized access to web pages or files. Exploiting IDOR is often referred to by the term "brute force" (from the English phrase, literally "crude force").

The most common way to exploit IDOR is for an attacker to enumerate a predictable identifier and gain access to someone else's data. Many servers generate access IDs with home-grown algorithms, which may simply increment the identifier for each user request; another common option is to derive it from the current time or other machine-specific data. Using this type of vulnerability, an attacker can take over other people's accounts and correspondence and obtain their data. The complexity of such an attack is minimal, yet it is quite dangerous. A simple example: you are writing a web application or creating a REST API with a method like /api/orders/?orderId=17505638.

REST (REpresentational State Transfer, "transfer of representational state") is an architectural style for interaction between the components of a distributed application on a network. REST is a consistent set of constraints taken into account when designing a distributed hypermedia system. The term was coined by Roy Fielding, one of the authors of the HTTP protocol. The strength of REST services is that they make the best use of HTTP.

This is a perfect opportunity for intruders to iterate over the data. Even if you restrict access to the method with a rate limiter (limiting attempts per time window, per IP address or per user agent), this does not guarantee security: attackers can spoof headers, use proxy server farms and employ other means to circumvent the restrictions.

One of the latest high-profile examples of exploiting such a vulnerability is the leak of user data from a portal providing information about fines. The passport details of people fined for violating self-isolation in Moscow were available on fine-payment websites by accrual number, which can be found by brute force with simple software. Using the unique accrual identifier (UIN) of a fine for violating self-isolation in Moscow, payment services would reveal the personal data of the person fined, including last name, first name, patronymic and passport details.

Recommendations

  • Attacks via IDOR can be avoided by generating long keys from letters, digits and special characters, and by combining rate limiters whose threshold violations are reported to the monitoring system.
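The recommendation above applied to the /api/orders/?orderId=17505638 case, as an added Python example (not code from the article): orders are stored under an unguessable token, every lookup is checked against the caller's ownership, and a per-client rate limiter reports threshold violations to monitoring. The client identity, the in-memory store and the alert sink are assumptions; as the text notes, limiting by IP or user agent alone can be evaded, so the limiter is one layer next to the token and the ownership check.

```python
import secrets
import time
from collections import defaultdict

# Constructed in-memory order store keyed by an opaque random token rather
# than a sequential OrderId such as 17505638, 17505639, ...
ORDERS = {}
ALERTS = []  # stands in for the monitoring system's alert queue

def create_order(owner, amount):
    """Store an order under a 128-bit random token and return the token."""
    token = secrets.token_urlsafe(16)  # unpredictable, so it cannot be enumerated
    ORDERS[token] = {"owner": owner, "amount": amount}
    return token

class RateLimiter:
    """Sliding-window counter per client; exceeding the limit is reported to monitoring."""
    def __init__(self, limit, window_seconds, alert):
        self.limit, self.window, self.alert = limit, window_seconds, alert
        self.hits = defaultdict(list)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[client] if now - t < self.window]
        recent.append(now)
        self.hits[client] = recent
        if len(recent) > self.limit:
            self.alert(f"client {client}: {len(recent)} order lookups within {self.window}s")
            return False
        return True

limiter = RateLimiter(limit=5, window_seconds=60, alert=ALERTS.append)

def get_order(client, token, now=None):
    """Hardened lookup: rate limit first, then require a valid token AND ownership."""
    if not limiter.allow(client, now):
        return {"status": 429}
    order = ORDERS.get(token)
    # Answer 404 for both unknown and foreign orders, so the response never
    # confirms that a guessed identifier exists.
    if order is None or order["owner"] != client:
        return {"status": 404}
    return {"status": 200, "order": order}
```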

Database theft

With the development of information technology, cases of database theft have become more frequent, and the criminals can be either external hackers or a company's own employees. The motive may be an employee's resentment towards management, a low salary, or a desire to monetize their position. The database can be stolen as a whole and sold on the darknet (theft), or used online to look up specific records (the so-called "probiv", a paid lookup of individuals' data).

Here the decisive role is played by the human factor, so this type of leak is difficult to combat. It is the most common and painful problem faced by companies and their information security teams.

For example, databases of motorist data are regularly sold on the darknet. Such leaks most often originate from the traffic police and insurance companies. Data on citizens who applied for loans from microfinance organizations has also appeared online: that customer data was put up for sale at the end of March on a specialized website. The problem of client data leaks is especially acute in banking, where the cost of such breaches is directly tied to people's money.

While working remotely, employees of financial institutions not only sell personal data on the darknet but also misuse it themselves. At the beginning of 2020, the number of court cases involving theft of money through abuse of official position exceeded the total for the entire previous year. Unscrupulous bank employees are moving from selling client data to using it for their own criminal purposes: increasingly they take out loans in clients' names and withdraw money from their accounts.

Recommendations

  • Comply with the basic rules of information security. For example, limit access to data (production and test databases, backups). It seems like obvious advice, but for some reason many people forget it.
  • Keep passwords in a secure vault, such as HashiCorp Vault.
  • Audit user actions in the system; this makes it possible to notice unauthorized activity in time and prevent dangerous actions by system users.
  • Spell out liability for the theft of user databases in employment contracts.
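An added illustration of the audit recommendation above (not the article's code): a Python detector run over constructed audit-log lines from a hypothetical CRM that flags an account opening unusually many distinct client cards within a short window, the pattern of a lookup service, or running a bulk export, the pattern of wholesale theft. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines from a hypothetical CRM: one record per
# client card opened (or export run) by an employee account.
AUDIT_LOG = """\
2020-04-02T10:15:01 user=petrov action=view_client client_id=1001
2020-04-02T10:15:09 user=petrov action=view_client client_id=1001
2020-04-02T10:16:40 user=petrov action=view_client client_id=1002
2020-04-02T10:17:03 user=sidorov action=view_client client_id=2001
2020-04-02T10:17:05 user=sidorov action=view_client client_id=2002
2020-04-02T10:17:06 user=sidorov action=view_client client_id=2003
2020-04-02T10:17:08 user=sidorov action=view_client client_id=2004
2020-04-02T10:17:09 user=sidorov action=view_client client_id=2005
2020-04-02T10:17:11 user=sidorov action=view_client client_id=2006
2020-04-02T11:30:00 user=sidorov action=export_clients rows=50000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: client_id=(?P<cid>\d+))?")

def parse_log(text):
    """Yield (timestamp, user, action, client_id) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["action"], m["cid"])

def find_bulk_lookups(text, max_distinct=5, window=timedelta(minutes=10)):
    """Return {user: reason} for accounts that open more than max_distinct
    different client cards inside any sliding window, or run a bulk export."""
    flagged = {}
    views = defaultdict(list)  # user -> [(timestamp, client_id)] inside the window
    for ts, user, action, cid in sorted(parse_log(text), key=lambda e: e[0]):
        if action == "export_clients":
            flagged.setdefault(user, f"bulk export at {ts.isoformat()}")
            continue
        if action != "view_client":
            continue
        recent = [(t, c) for t, c in views[user] if ts - t <= window]
        recent.append((ts, cid))
        views[user] = recent
        distinct = {c for _, c in recent}
        if len(distinct) > max_distinct:
            flagged.setdefault(user, f"{len(distinct)} distinct clients within {window}")
    return flagged
```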

Storing code in open repositories

Developers often place private information related to their employer in public code repositories: links to the company's internal infrastructure, cryptographic keys, API tokens, and pieces of code whose rights belong to the employing company. There is no 100% guarantee of protecting the company's interests. If developers want to make your code public, you can only make their life more difficult, not stop them. No document will solve this problem completely.

North Carolina State University did a tremendous amount of work and scanned billions of files: for about half a year (from October 31, 2017 to April 20, 2018), researchers monitored about 13% of all public repositories on GitHub, examining every commit. The results indicate that about 100,000 repositories contain cryptographic keys and API tokens accidentally left in the code, and every day many new leaks of this kind appear on GitHub.

Since the experts observed the state of the repositories for about six months, they were able to study how such leaks get removed from the code. Over the entire observation period, only 6% of repository owners noticed the leak almost immediately and removed their tokens and keys from public access. Another 12% of developers took more than a day to do so, and 19% fixed the leak within 16 days. 81% of developers did not notice the leak at all and, evidently, do not even know what it could lead to.

You can follow a minimum set of reasonable rules that reduce the likelihood of code leaking outside. A trade-secret regime solves a third of the problems, careful handling of the rights to new code solves another third, and attentiveness and competent personnel selection solve the rest. Here the work of the HR department and the atmosphere in the company directly affect its level of information security.

Recommendations

  • You should regularly scan public repositories for sensitive information relevant to your company.
  • Employment contracts must contain language on the full assignment of rights to newly written code, as well as permission to use program code as part of composite works without naming the authors (anonymously).
  • Don't transfer any rights to old code to new developers; simply do not sign assignment agreements with them.
  • The task of an HR manager or internal communications specialist is to create an atmosphere of trust and a sense of value among the company's personnel.
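The scan from the first recommendation, as an added Python example (not from the study or any project): it runs known token shapes and an entropy check over a constructed commit diff. The token values are made up and follow the public formats in shape only, and the internal hostname suffixes and the entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed commit diff from a hypothetical repository; every value below
# is made up and only mimics the shape of the real token formats.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+DB_HOST = "db01.corp.example.internal"
+VERSION = "1.4.2"
+-----BEGIN RSA PRIVATE KEY-----
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+SLACK_WEBHOOK_SECRET = "x9Qp2LmR7vTk4WnZ8bYc3HdF"
+PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Internal hostnames leak infrastructure details too (suffixes are assumed).
    "internal_hostname": re.compile(r"\b[a-z0-9.-]+\.(?:internal|corp|local)\b"),
}

def shannon_entropy(s):
    """Bits per character: random keys score high, placeholders like 'xxxx' score 0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(text, min_entropy=3.5):
    """Return (kind, match) pairs for everything in the text that looks like a secret.
    Known token shapes are matched by regex; any other quoted string of 20+
    characters is flagged when its entropy suggests random key material."""
    findings = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((kind, m.group(0)))
        # Generic fallback for keys whose format is not in PATTERNS.
        for quoted in re.findall(r'"([A-Za-z0-9+/=_-]{20,})"', line):
            already = any(q == quoted for _, q in findings)
            if shannon_entropy(quoted) >= min_entropy and not already:
                findings.append(("high_entropy_string", quoted))
    return findings
```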

DDoS attacks

A DDoS attack, or Distributed Denial of Service attack, is the simultaneous, massive sending of requests to a target server. The attacker generates these requests from a large number of systems, a botnet that is either their own or rented on the darknet. Unfortunately, this popular and inexpensive tool can permanently paralyze the operation of almost any resource or cause the collapse of the service it provides.

Thus, in mid-March, attackers tried to take down the website of the US Department of Health. Presumably, the goal was to deprive citizens of access to official data about the epidemic and the measures being taken against it: at the same time as the DDoS, unknown persons spread disinformation on social networks, via SMS and by e-mail that the US would introduce a nationwide quarantine. The attempt failed: the department's website kept working despite the increased load.

Another DDoS attack hit the major Parisian hospital network Assistance Publique - Hopitaux de Paris. The attackers tried to take down the infrastructure of its medical institutions. As a result, hospital staff working remotely were unable to use work applications and corporate e-mail for some time; however, the cybercriminals failed to paralyze the entire organization.

The food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands) found themselves in a more awkward situation. As a result of DDoS attacks, both companies accepted orders but could not process them and had to refund customers. The attackers who hit Lieferando also demanded 2 BTC to stop the DDoS (just over $13 thousand at the time of writing).

Recommendations

  • You should not skimp on protection and be caught off guard by incoming attacks. Use one of the anti-DDoS systems, which work by masking the real IP address of your system and dynamically filtering the network activity generated by intruders.

Holes in information security monitoring

To avoid data leaks, we work with the best penetration testers in Russia, who make up our so-called Red Team. Pentesting (penetration testing) is a method of assessing the security of computer systems or networks by simulating an attacker's actions. The Red Team lets us simulate, as realistically as possible, an attack by a group of professional external attackers in order to identify vulnerabilities in our code and infrastructure.

Both small online stores and US federal agencies such as the Pentagon regularly use bug bounty programs to identify security flaws in their systems. A bug bounty is a program offered by many websites and software developers through which people can be recognized and rewarded for finding bugs. Such programs let developers detect and fix bugs before the general public learns about them, preventing widespread abuse. All the Internet giants run bug bounties: Apple, Microsoft, Facebook, Google and Intel.

Recommendations

You need to constantly check your information system for unauthorized access. You can use automated tools for this, have your own employees conduct penetration tests, or announce a bug bounty and pay for the vulnerabilities found.
