Over the next year, we will see increased threat activity in the following areas: Phishing Phase II: a continued assault on personally identifiable information through web and application server manipulations; Attacks on the network infrastructure itself; Web services attacks; Mobile services exploits. As always, these threats will exploit human weakness: the failure to patch vulnerable systems, whether servers, routers or switches, quickly enough.
Phishing Phase II: Spyking takes over
When you drink a very powerful tropical cocktail it usually tastes like harmless fruit juice – though admittedly very good. However, you soon discover that the alcohol inside could knock out an elephant. This is called “spiking a drink”, and it’s the same with the latest phishing attacks. You think you are responding to a web query on a known server (the innocent fruit juice) when actually you have been redirected to a phishing site (the alcohol) by the good site. As we all know by now, phishing attacks require the absolute believability of an official-looking request. The first generation of phishing attacks used spoofed email to create the aura of believability. However, we have been warned so many times not to trust email that we now apply much greater scepticism to it.
As a result, phishers are now applying established hacker techniques such as HTTP request smuggling (HRS) or DNS cache poisoning to cause site redirection by the trusted sites themselves. In HRS, an attacker exploits inconsistent HTTP parsing between certain web servers and web caches to make them accept a request that appears valid but actually causes site redirection. In DNS cache poisoning, a legitimate DNS server is made to resolve requests for a real web server’s name to a rogue site.
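One defensive check implied by the HRS description above, as an added example that is not part of the original article: a front-end proxy or WAF can refuse any request whose body framing is ambiguous, since that ambiguity is what smuggling depends on. Python 3 is assumed, and the sample requests are constructed.

```python
# Added example, not code from the original article: the framing check a
# front-end proxy or WAF can apply to refuse the ambiguous requests that HTTP
# request smuggling relies on. The sample requests below are constructed.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value)]).
    Header names are kept exactly as sent so obfuscations stay visible."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers


def framing_problems(raw: bytes) -> list:
    """Return why a request's body framing is ambiguous ([] if it is not).
    RFC 7230 s3.3.3 allows exactly one way to locate the end of the body;
    anything else should get a 400 rather than be forwarded, because two
    parsers in the chain may disagree on where the next request starts."""
    _line, headers = parse_request(raw)
    problems = []
    by_name = {}
    for name, value in headers:
        if name != name.strip():
            problems.append("whitespace around header name %r" % name)
        by_name.setdefault(name.strip().lower(), []).append(value)
    cl = by_name.get(b"content-length", [])
    te = by_name.get(b"transfer-encoding", [])
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for value in cl:
        if not value.isdigit():
            problems.append("non-numeric Content-Length %r" % value)
    for value in te:
        # Accept only the canonical spelling; "chunked " or "xchunked" are
        # exactly the variants that desynchronise two parsers.
        if value != b"chunked":
            problems.append("non-canonical Transfer-Encoding %r" % value)
    return problems


# Constructed sample requests: one unambiguous, one with both framing headers.
CLEAN = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
         b"Content-Length: 10\r\n\r\nuser=alice")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

A front-end that rejects anything `framing_problems` reports cannot be desynchronised from the origin by these header tricks, whatever the origin's own parser does.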
Previously, when we received a phishing email, we could check its validity either by phoning the company being spoofed or by doing some simple inspection of the email headers or source. When we are on a compromised web server (i.e. the trusted site itself), we have no easy way of verifying that it has been compromised. This will be the major new form of phishing, and I think we need a new term for it: I propose spyking.
This problem of authenticity will become increasingly serious, and the early email techniques will seem almost childish in comparison to the newer ones. The danger, as always, lies in the silent capture and exploitation of the consumer’s personally identifiable information and the resulting loss of confidence in our e-commerce systems.
Hijacking of the network infrastructure
This is a more dangerous threat in terms of the scale of destruction, and we will continue to see it expand. Probably the biggest news in network security in 2005 was the disclosure of the flaw in the embedded web server inside Cisco IOS. Every Cisco router running IOS 11.0 to 12.x was vulnerable. This also underlines two facts: 1) the embedded model of security in the network device is more dangerous than an overlay model, and 2) a monoculture (the Cisco networking monopoly) is bad from a security standpoint. The scale of the IOS flaw in terms of the number of devices affected is not to be underestimated, and it can indeed be viewed as a threat to national security, since so many government sites use Cisco gear too. Thus, while not a new threat by definition, the existence of unpatched systems well into next year will make it a vulnerability to watch.
Will SOAP get dirty?
With the advent of the web services revolution, many vendors came out with security devices to safeguard the basic protocols of service-oriented architectures (SOA). Most of these vendors have either been acquired or died, because they were too early and XML-based interactions were limited almost entirely to intranets. Now we are starting to see enterprises expose their XML infrastructures to the outside world, and there is a “hacker arbitrage” opportunity: like financial takeover artists who exploit market pricing differences caused by imperfect knowledge in the market, hackers are adept at exploiting gaps in knowledge between security and application people.
For example, security administrators are in the very early stages of understanding web services protocols while web services administrators have very little knowledge of protocol-level security. This creates a window of vulnerability into which hackers eagerly jump. We expect a significant rise in more sophisticated attacks on web services architectures as hackers exploit the easy holes in the same way they exploited easy holes in early implementations of previous protocol interactions.
Mobile service threats
As web site developers roll out WAP-enabled or 3G-enabled sites, there is a strong likelihood that new vulnerabilities will be created, because the technology is in its early stages of development. Unfortunately, companies face tremendous pressure to make their web sites cell-phone friendly, which also means many developers working with less well-known, and hence more vulnerable, systems. Spyking (don’t you love the term already?) will work exceptionally well in this case, since it is even harder to validate a site from a mobile device.