Security and Complacency
Nobody likes to talk about a security breach. At some level it's just embarrassing. At another level it feels like you are saying to your partners, customers, readers - hey, we are sloppy, we live in a pigpen, we don't take care of ourselves... But if no one talks about the security breaches that they suffer from, then the next person down the line won't learn from the mistakes and improve their own procedures... and then they will have to learn the hard way.
On Wednesday of last week we were attacked by a criminal gang that seeks to use legitimate websites as proxy servers for "phishing." In this case it was a PayPal phishing site that we were encumbered with. I came away from this experience with two lessons about how complacent we have become about security -- the big "we" meaning all of us...
THIS EXPLOIT WAS OUR FAULT
First of all, the exploit was our own fault. We were having an HTML problem that we couldn't solve ourselves. We have been using an outside design firm. That firm uses overseas talent. We provided a username and password to our server to that outside design firm and then they, in turn, sent it to the offshore developer. Within an hour of providing that legitimate login to our server, we had been attacked.
A number of mistakes were made here.
First of all, we should never have provided a logon to our own server. We could have set up some separate sandbox that would have provided a demonstration of our problem. But we were lazy. Don't be lazy.
Even without having provided the keys to the kingdom to an outsider, we could have been vulnerable to this kind of attack if we had not been careful about the username / password combinations that we put on our machines. Here is something that I hadn't thought about until after we were compromised -- while most people do a good job of protecting their systems from external attacks, it is VERY hard to protect from attacks when the outsider has a legitimate user account on your system.
Secondly, our outside design firm sent the username and password IN THE CLEAR. The Internet is a dangerous place. Don't EVER send usernames and passwords in the clear.
Thirdly, we don't know this third party offshore developer, so we don't know whether that individual has a motivation to provide our information to a criminal element.
These kinds of attacks are called "privilege escalation" attacks. A legitimate, low-privilege user account is used to run a variety of programs on the system which allow that user to gain root permission. Once the user has root access, they can do anything they want with your computer.
In our case we were used as a PayPal phishing server. Emails are sent out to unsuspecting users telling them that they need to log on to their PayPal account. When a user does log on, their user ID and password are then emailed to the attackers.
THE LARGER COMPLACENCY PROBLEM
And this brings up the second area of complacency that we (the big we) need to address. We have sent numerous emails to eBay letting them know that we have shut down this rogue server and letting them know that we have log files showing the IP addresses for the 29 people who were foolish enough to fall for this phishing scheme via our servers. Admittedly, a lot of cooperation between eBay and various ISPs would have to occur to track down these 29 people -- but why aren't we doing it? eBay isn't responding to us, and most people I've spoken with say that they won't -- that this happens so many times a day that eBay can't follow up with them all. This is ridiculous.
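The victim list the author mentions (the IP addresses of people who submitted credentials to the fake login page) is exactly the kind of thing an incident responder pulls from the web server's access log before reporting to the brand owner and the ISPs. The following is an added example, not code from the original post: it parses a few constructed Apache "combined"-format log lines, treats any POST to the phishing page as a credential submission, and groups the submissions by client IP. The phishing page path `/images/.pp/login.php` and the log lines are invented for the example; the real path from the incident is not given in the post.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx "combined" format).
# The phishing page path (/images/.pp/login.php) is a hypothetical
# placeholder, not the actual path from the incident in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [17/May/2006:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2006:09:14:33 -0500] "GET /images/.pp/login.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [17/May/2006:09:15:02 -0500] "POST /images/.pp/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [17/May/2006:09:15:09 -0500] "POST /images/.pp/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [17/May/2006:09:20:47 -0500] "POST /images/.pp/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [17/May/2006:09:22:10 -0500] "GET /about.html HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
192.0.2.91 - - [17/May/2006:09:31:55 -0500] "POST /images/.pp/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def phishing_victims(log_text, phish_path):
    """Map each client IP that POSTed to the phishing page to its submission timestamps.

    Only POSTs count: a GET just means the page was viewed (including the
    attacker's own test visits); a POST means a form was actually submitted.
    """
    victims = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(phish_path):
            victims[rec["ip"]].append(rec["ts"])
    return dict(victims)


def victim_summary(log_text, phish_path):
    """Counts suitable for an abuse report: distinct victims and total submissions."""
    victims = phishing_victims(log_text, phish_path)
    return {
        "distinct_victims": len(victims),
        "total_submissions": sum(len(ts) for ts in victims.values()),
    }


if __name__ == "__main__":
    for ip, times in phishing_victims(SAMPLE_LOG, "/images/.pp/").items():
        print(ip, times)
    print(victim_summary(SAMPLE_LOG, "/images/.pp/"))
```

The distinct-IP count is what goes into the report; note that a single person may submit more than once (the second entry above), so submissions and victims are counted separately. An IP only identifies the connecting host at that moment, which is why, as the post says, turning this list into actual people requires the ISPs' cooperation.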
Spam-blocking company Blue Security recently shut down, with CEO Reshef saying that "...large ISPs and governments need to recognize that spammers are connected to criminal syndicates and that they, not a small startup, are the only ones who can shut down these networks."
These criminal syndicates are the same ones that are setting up phishing scams. This is the new underworld, and it is only going to get worse, especially when companies like eBay do nothing to mount an effective defense. If the phishers were deprived of gaining value from their theft of user IDs and passwords, would they continue to use that method of attack? If the FBI (and other police organizations) had effective programs in place to track these people down, would it be the scourge that it is today? I'd like to think we as a society could become bolder and smarter in our defense against these criminals.
Of course the first defense begins in addressing our own complacency. I've changed all of my passwords over the weekend. Maybe this post will cause you to ask the question of your own company, and help make the whole Internet more secure as a result.