Unprotected servers of information systems
Attackers look for unsecured Elasticsearch, MongoDB and RabbitMQ servers. RabbitMQ is a message broker based on AMQP: a replicated message-oriented middleware created on the basis of the Open Telecom Platform, written in Erlang, which uses Mnesia as its database engine for storing messages.
In early April, information security experts found an Elasticsearch server on the network through which unauthorized access to the YouDo user database could be obtained. In January, client data of the credit broker "Alfa-Credit", which collects loan applications and helps people choose and obtain a bank loan, ended up on the network. The data was stored in MongoDB, an open-source database management system that some companies use for internal purposes.
Recommendations
- For stable operation, Elasticsearch is usually run as a cluster of several servers, so the Elasticsearch instances must be able to communicate with each other; to allow this, network ports are opened. If those servers are reachable from the Internet, an attacker can connect to the database. In Elasticsearch versions earlier than 7.3.2, the database could be accessed without any authentication at all.
- Unauthorized access to your data can be avoided by reviewing the settings of information systems deployed in their default configurations and protecting servers and virtual machines with firewalls.
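As an added illustration of the two recommendations above (this is example code written for this page, not a tool from the article), the following script audits a flat elasticsearch.yml for the settings that turn a cluster node into an Internet-reachable, unauthenticated database. The two configurations inside it are constructed; the setting names (network.host, http.port, transport.port, xpack.security.enabled, xpack.security.transport.ssl.enabled) are real Elasticsearch settings, and the script assumes the 7.x behaviour where an absent xpack.security.enabled means security is off.

```python
"""Audit a flat elasticsearch.yml for settings that expose a node to the network.

Added example for this section, not code from the article. The two configs
below are constructed. Absence of xpack.security.enabled is treated as "off",
which matches Elasticsearch 7.x defaults (assumption for this audit).
"""
import ipaddress
from typing import Dict, List, Tuple


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read the flat `key: value` lines that elasticsearch.yml uses.

    Comments and blank lines are skipped. The audited keys are never nested,
    so a full YAML parser is not needed (list-valued keys are kept as raw text).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_exposed(host: str) -> bool:
    """True when network.host makes the node accept connections beyond loopback."""
    if host in ("localhost", "_local_"):
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        # "_site_", "_global_", interface names like "_eth0_" and hostnames
        # all bind a network-reachable address.
        return True


def audit_elasticsearch(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one elasticsearch.yml."""
    s = parse_flat_yaml(text)
    findings: List[Tuple[str, str]] = []
    host = s.get("network.host", "_local_")  # Elasticsearch binds loopback by default
    security = s.get("xpack.security.enabled", "false").lower()
    transport_tls = s.get("xpack.security.transport.ssl.enabled", "false").lower()
    http_port = s.get("http.port", "9200")
    transport_port = s.get("transport.port", "9300")

    if not is_exposed(host):
        return findings  # loopback only: nothing reachable from the network
    if security != "true":
        findings.append(("CRITICAL",
            f"network.host={host} listens beyond loopback while xpack.security.enabled "
            f"is not true: anyone reaching port {http_port} can read and modify every index"))
    elif transport_tls != "true":
        findings.append(("WARN",
            "security is on but xpack.security.transport.ssl.enabled is not true: "
            f"node-to-node traffic on port {transport_port} is unencrypted"))
    findings.append(("INFO",
        f"node reachable on ports {http_port}/{transport_port}: confirm the firewall "
        "limits them to the cluster subnet and the nodes' own addresses"))
    return findings


# Constructed configs: the exposed default-style setup and a hardened one.
WEAK_CONFIG = """\
cluster.name: orders-search
node.name: es-node-1
network.host: 0.0.0.0            # every interface, including the public one
discovery.seed_hosts: ["10.0.1.5", "10.0.1.6"]
# no xpack.security.* settings at all
"""

HARDENED_CONFIG = """\
cluster.name: orders-search
node.name: es-node-1
network.host: 10.0.1.5           # cluster-only interface; firewall still required
discovery.seed_hosts: ["10.0.1.5", "10.0.1.6"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_elasticsearch(cfg):
            print(f"{severity}: {message}")
```

The INFO finding is deliberate: binding a private address is necessary for the cluster to talk, but it does not replace the firewall rule, which is the only thing that keeps ports 9200 and 9300 off the Internet.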
Insecure direct object references
IDOR (Insecure Direct Object Reference) is a vulnerability that allows unauthorized access to web pages or files. Exploiting it is often referred to as "brute force", that is, exhaustive enumeration.
The most common way to exploit IDOR is for an attacker to enumerate a predictable identifier and gain access to someone else's data. Many servers generate access identifiers with home-grown algorithms: some simply increment the identifier for each user request, and another common option derives it from the current time or other machine-specific data. Through this type of vulnerability an attacker can take over other people's accounts and correspondence and obtain other people's data. The complexity of such an attack is minimal, and at the same time it is quite dangerous. A simple example: you are writing a web application or a REST API with a method like /api/orders/?orderId=17505638.
REST (REpresentational State Transfer) is an architectural style for the interaction of components of a distributed application over a network. REST is a consistent set of constraints to consider when designing a distributed hypermedia system. The term was coined by Roy Fielding, one of the authors of the HTTP protocol. The hallmark of REST services is that they make the most of the HTTP protocol.
This is a perfect opportunity for intruders to iterate over the data. Even if you restrict access to the method with a rate limiter (limiting attempts per time period, per IP address or per user agent), this does not guarantee security: attackers can spoof headers, use proxy server farms and other means to circumvent the restrictions.
One of the most high-profile recent examples of exploiting such a vulnerability is the leak of user data from a portal providing information on fines. The passport data of people fined for violating self-isolation in Moscow was available on fine-payment sites by accrual number, which can be guessed by brute force with simple software. Given the unique accrual identifier (UIN) of a fine for violating self-isolation in Moscow, the payment services disclosed the personal data of the fined person, including last name, first name, patronymic and passport data.
Recommendations
- Attacks via IDOR can be avoided by generating long keys composed of letters, digits and special characters, and by combining this with rate limiters whose threshold violations are forwarded to the monitoring system.
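The /api/orders/?orderId=17505638 case and the recommendation above, as an added example that is not code from the article: an in-memory table stands in for the database, the two handlers are plain functions in place of web-framework views, and the users, order rows and limiter thresholds are constructed. It shows the missing authorization check, the fixed handler, unguessable public identifiers, and a rate limiter that reports threshold violations to an alert callback.

```python
"""IDOR on /api/orders/?orderId=N: the vulnerable lookup, the fixed one,
unguessable identifiers, and a rate limiter that reports threshold violations.

Added example for the IDOR section and its recommendation; not code from the
article. The in-memory ORDERS table and the users are constructed, and the
handlers are plain functions standing in for web-framework views.
"""
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional

# Constructed data: sequential ids, as many back ends generate them.
ORDERS: Dict[int, dict] = {
    17505638: {"owner": "alice", "item": "laptop", "address": "1 Example St"},
    17505639: {"owner": "bob", "item": "phone", "address": "2 Sample Rd"},
    17505640: {"owner": "bob", "item": "headset", "address": "2 Sample Rd"},
}


def get_order_vulnerable(current_user: str, order_id: int) -> Optional[dict]:
    """The IDOR: the caller is authenticated, but the row is returned to anyone
    who supplies its id. current_user is never consulted."""
    return ORDERS.get(order_id)


def get_order_fixed(current_user: str, order_id: int) -> Optional[dict]:
    """Authorization check: a row belonging to someone else is answered exactly
    like a missing one, so the endpoint does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return None
    return order


def new_public_id() -> str:
    """Unguessable public identifier: 16 bytes from the OS CSPRNG, URL-safe.
    This stops enumeration but is defence in depth; the ownership check above
    remains mandatory because ids still leak through logs, referers and e-mail."""
    return secrets.token_urlsafe(16)


def foreign_rows_returned(handler: Callable[[str, int], Optional[dict]],
                          user: str, id_range: range) -> int:
    """Count rows of other users a handler hands back over a walk of ids.
    Used to compare the two handlers in a test; 0 is the desired result."""
    return sum(1 for i in id_range
               if (row := handler(user, i)) is not None and row["owner"] != user)


class RateLimiter:
    """Sliding-window limiter keyed by user or source IP. Exceeding the limit
    is reported through `alert`, which would feed the monitoring system."""

    def __init__(self, limit: int, window_s: float, alert: Callable[[str], None]):
        self.limit, self.window_s, self.alert = limit, window_s, alert
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            self.alert(f"rate limit exceeded for {key}: {len(q)} requests in {self.window_s}s")
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    ids = range(17505638, 17505641)
    print("vulnerable handler leaks", foreign_rows_returned(get_order_vulnerable, "alice", ids), "rows")
    print("fixed handler leaks", foreign_rows_returned(get_order_fixed, "alice", ids), "rows")
    print("opaque id example:", new_public_id())
    limiter = RateLimiter(limit=3, window_s=60, alert=print)
    print([limiter.allow("10.0.0.7") for _ in range(5)])
```

Note the order of the two defences: the opaque identifier only raises the cost of guessing, while get_order_fixed removes the vulnerability itself, which is why the limiter and the key format are complements to the check rather than substitutes for it.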
Database theft
With the development of information technology, database theft has become more common, and the perpetrators can be either external hackers or a company's own employees. The motive may be an employee's resentment of management, a low salary or the wish to monetize their position. Moreover, a database can be stolen as a whole and sold on the darknet (theft), or used online to look up specific records to order (so-called "probiv", lookup-for-hire).
The human factor is at work here, which makes this type of leak hard to counter. It is the most common and painful problem faced by companies and their information security teams.
For example, databases of motorists are regularly sold on the darknet. Such leaks most often originate in the traffic police and insurance companies. Data of citizens who applied to microfinance organizations for loans has also appeared on the network: the customer data was put up for sale at the end of March on a dedicated website. The problem of customer data leaks is especially acute in banking, where the cost of such holes is directly tied to people's money.
Working remotely, employees of financial organizations not only sell personal data on the darknet but also misuse it themselves. At the beginning of 2020, the number of court cases involving theft of money by abuse of official position already exceeded the total for the whole previous year. Unscrupulous bank employees are moving from selling customer data to using it for their own criminal purposes: they increasingly take out loans in customers' names and withdraw money from their accounts.
Recommendations
- Follow the basic rules of information security, for example, segregate access to data (production and test databases, backups). This seems obvious advice, yet many forget it for some reason.
- Keep passwords in a secure vault such as HashiCorp Vault.
- Audit user actions in the system: this lets you notice unauthorized activity in time and prevent potentially dangerous actions by system users.
- Spell out liability for the theft of user databases in employees' employment contracts.
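The first and third recommendations above (segregated access to production and test data, and auditing of user actions), worked through as an added example that is not code from the article: a small detector run over database audit log lines. The log format, the accounts, the access policy table, the thresholds and every log line are constructed for the illustration; a real deployment would feed it from the database's own audit log.

```python
"""Detection over database audit logs: cross-environment access, bulk reads,
off-hours activity and daily read volume per user.

Added example for the recommendations above (segregated access, auditing of
user actions); not code from the article. The log format, the users, the
policy table and every log line are constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)"
)

# Access separation: which environments each account may touch (constructed).
ALLOWED_DBS = {
    "ivanov": {"clients_test"},                   # developer: test data only
    "petrova": {"clients_prod", "clients_test"},  # support lead
    "backup_svc": {"clients_prod"},               # nightly backup job
}
SERVICE_ACCOUNTS = {"backup_svc"}   # expected to read whole tables at night
BULK_ROWS = 10_000        # one statement returning this many rows looks like an export
DAILY_ROWS = 50_000       # cumulative rows read per user per day
OFF_HOURS = set(range(0, 7)) | set(range(20, 24))   # outside 07:00-20:00 UTC (assumed)

Finding = Tuple[str, str, str]  # (kind, user, detail)


def parse(line: str) -> Optional[dict]:
    """Parse one audit line into a dict, or None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["rows"] = int(e["rows"])
    return e


def analyse(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    daily: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        user, ts = e["user"], e["ts"]
        # 1. Policy: an account touching an environment it was never granted.
        if e["db"] not in ALLOWED_DBS.get(user, set()):
            findings.append(("policy", user, f"{e['action']} on {e['db']} outside granted environments"))
        if user in SERVICE_ACCOUNTS:
            continue  # volume and timing checks do not apply to batch jobs
        # 2. Bulk read in a single statement.
        if e["action"] in ("SELECT", "COPY") and e["rows"] >= BULK_ROWS:
            findings.append(("bulk", user, f"{e['rows']} rows from {e['db']}.{e['table']} in one statement"))
        # 3. Activity outside business hours.
        if ts.hour in OFF_HOURS:
            findings.append(("off-hours", user, f"{e['action']} on {e['db']} at {ts:%H:%M} UTC"))
        # 4. Cumulative volume per day; fire once when the threshold is crossed.
        key = (user, ts.date())
        before = daily[key]
        daily[key] += e["rows"]
        if before < DAILY_ROWS <= daily[key]:
            findings.append(("daily-volume", user, f"{daily[key]} rows read on {key[1]}"))
    return findings


# Constructed audit log: a support lead doing normal work, the backup job,
# and a developer pulling whole production tables late in the evening.
SAMPLE_LOG = """\
2020-04-02T10:15:07Z user=petrova db=clients_prod action=SELECT table=clients rows=1
2020-04-02T10:16:40Z user=petrova db=clients_prod action=UPDATE table=clients rows=1
2020-04-02T03:02:11Z user=backup_svc db=clients_prod action=COPY table=clients rows=48210
2020-04-02T11:05:00Z user=ivanov db=clients_test action=SELECT table=clients rows=200
2020-04-02T22:41:55Z user=ivanov db=clients_prod action=SELECT table=clients rows=48210
2020-04-02T22:43:10Z user=ivanov db=clients_prod action=SELECT table=loans rows=12050
""".splitlines()

if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE_LOG):
        print(f"[{kind}] {user}: {detail}")
```

The policy check is the one that needs no tuning: it only works if the environments are genuinely separated, which is exactly the first recommendation. The volume and timing thresholds are the noisy part and are where the monitoring team spends its effort.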
Storing code in open repositories
Developers often put private information related to their workplace in public code repositories: links to the company's internal infrastructure, cryptographic keys, API tokens and fragments of code whose rights belong to the employer. There is no 100% guarantee of protecting the company's interests: if developers want to make your code public, you can only make it harder for them, not stop them. No document will solve this problem completely.
North Carolina State University did a tremendous job and scanned billions of files: for about half a year (from October 31, 2017 to April 20, 2018) researchers monitored about 13% of all public repositories on GitHub, examining every commit. The results show that about 100,000 repositories contain cryptographic keys and API tokens accidentally left in the code, and many new leaks of this kind appear on GitHub every day.
Because the experts observed the state of the repositories for about six months, they were able to study how the removal of such leaks from code goes. Over the whole observation period only 6% of repository owners noticed the leak almost immediately and removed their tokens and keys from public access. Another 12% took more than a day to do so, and 19% fixed the leak within 16 days. 81% of developers did not notice the leak at all and evidently do not even know what it may threaten.
A minimum set of reasonable rules reduces the likelihood of code leaking outside. A trade secret regime solves a third of the problems, careful handling of the rights to new code another third, and attentiveness and competent selection of personnel the rest. Here the work of the HR department and the atmosphere in the company directly affect its level of information security.
Recommendations
- Regularly scan public repositories for sensitive information relevant to your company.
- Employment contracts must include wording on full assignment of rights to new code, as well as permission to use the program code as part of composite works without naming the authors (anonymously).
- Do not transfer any rights to old code to new developers; simply do not enter into assignment agreements with them.
- The task of an HR manager or internal communications specialist is to create an atmosphere of trust and a sense of value among the company's staff.
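The first recommendation above (scanning repositories for keys, tokens and references to internal infrastructure), as an added example that is not code from the article or from the NCSU study: a scanner that runs over file contents and reports named secret formats, internal hostnames and high-entropy values assigned to key-like variables. The internal domain, the sample files and every key body are constructed; the AKIA... and ghp_... prefixes follow the publicly documented AWS access key id and GitHub token formats.

```python
"""Scan file contents for secrets and internal hostnames before (or after)
they reach a public repository.

Added example for the recommendation to scan repositories; not code from the
article or the NCSU study. The pattern list, the internal domain and the
sample files are constructed; the AWS key id and GitHub token formats follow
the publicly documented prefixes (AKIA..., ghp_...).
"""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Named secret formats (public prefix conventions; the bodies below are made up).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Internal infrastructure that must not be referenced in public code (constructed).
INTERNAL_DOMAINS = ("corp.example.internal",)
# Generic check: a long key-like value assigned to a secret-sounding name.
ASSIGNED_TOKEN = re.compile(
    r"""(?:secret|token|key|password|passwd)\w*\s*[=:]\s*["']?([A-Za-z0-9+/=_\-]{20,})""", re.I)
ENTROPY_BITS = 4.5   # random 32-char alphanumerics score about 5 bits/char

Finding = Tuple[str, int, str, str]  # (file, line number, kind, redacted evidence)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the ends so the report itself does not re-leak the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((path, lineno, kind, redact(m.group(0))))
                hit = True
        for domain in INTERNAL_DOMAINS:
            if domain in line:
                findings.append((path, lineno, "internal-host", domain))
                hit = True
        if hit:
            continue  # a named format already explains this line
        m = ASSIGNED_TOKEN.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_BITS:
            findings.append((path, lineno, "high-entropy-secret", redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents. Every credential here is fake.
FAKE_AWS_KEY = "AKIA" + "EXAMPLEKEY000001"
FAKE_GITHUB_TOKEN = "ghp_" + "0" * 36
FAKE_API_KEY = "Q7vPz2LmX9kRtC4bYw8HsJ3nDg6FeU1a"   # 32 distinct characters
SAMPLE_FILES = {
    "settings.py": (
        "DEBUG = False\n"
        f'AWS_ACCESS_KEY_ID = "{FAKE_AWS_KEY}"\n'
        f'PAYMENT_API_KEY = "{FAKE_API_KEY}"\n'
        "ORDER_TIMEOUT_SECONDS = 30\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "scp build.tgz deploy@ci.corp.example.internal:/srv/\n"
        f"export GITHUB_TOKEN={FAKE_GITHUB_TOKEN}\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, lineno, kind, evidence in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} ({evidence})")
```

Run as a pre-commit hook it catches the leak before the first push; run over the history of an already public repository it finds the tokens that the study shows most owners never notice, and each hit should be treated as a credential to rotate, not merely a line to delete.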
DDoS attacks
A DDoS (Distributed Denial of Service) attack is the simultaneous, massive sending of requests to a central server. The attacker generates these requests from a large number of systems, a botnet, either their own or rented on the darknet. Unfortunately, this popular and inexpensive tool can paralyze almost any resource for a long time or cause the collapse of the service it provides.
In mid-March, for instance, attackers tried to take down the website of the US Department of Health. Presumably the aim was to deny citizens access to official information about the epidemic and the measures taken against it: at the same time as the DDoS, unknown persons spread disinformation on social networks, by SMS and by e-mail that the US was about to introduce a nationwide quarantine. The attempt failed: the department's website kept working despite the increased load.
Another DDoS attack hit the major Paris hospital network Assistance Publique - Hopitaux de Paris. The attackers tried to take down the infrastructure of the medical institutions; as a result, hospital staff working remotely were unable to use their work applications and corporate e-mail for some time. However, the cybercriminals failed to paralyze the whole organization.
The food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands) found themselves in a more delicate situation. Under DDoS attack both companies accepted orders but could not process them and had to refund customers. The attackers who hit Lieferando also demanded 2 BTC to stop the DDoS (just over $13 thousand at the time of writing).
Recommendations
- Do not skimp on protection and do not wait to be caught by an unexpected attack. Use one of the anti-DDoS systems, which work by hiding the real IP address of your system and dynamically filtering the network activity generated by the intruders.
Gaps in information security monitoring
To avoid data leaks, we cooperate with the best Russian pentesters, who form the so-called Red Team. A penetration test (in jargon, a pentest) is a method of assessing the security of computer systems or networks by simulating an attack by an intruder. The Red Team's actions let us simulate, as realistically as possible, an attack by a group of professional external intruders in order to identify vulnerabilities in our code and infrastructure.
Both small online stores and US federal agencies such as the Pentagon regularly use bug bounty programs to find security flaws in their systems. A bug bounty is a program offered by many websites and software vendors through which people are recognized and rewarded for finding bugs. Such programs let developers discover and fix bugs before the general public learns of them, preventing widespread abuse. All the Internet giants run bug bounties: Apple, Microsoft, Facebook, Google and Intel.
Recommendations
You need to constantly check your information system for unauthorized access. You can use automated tools for this, have your own employees conduct penetration tests, or announce a bug bounty and pay for the vulnerabilities found.