Security analysts and architects are consumers just like everyone else. With all of us lusting after technology and trends, it’s hard to blame them for trying to turn consumer trends into security trends.
A lust for consumer products is not innate. When you live in a village 50km away from an Internet connection – it’s about running with a pair of decent sandals rather than running Android 4.4.2. We are programmed to lust for things.
Many of us live with multiple phones and tablets, TV sets, notebooks, email addresses, Facebook and monthly bills; we are under constant bombardment on TV, print, radio and Web coupled with coupons and special offers targeted specifically for us in our phones, browsers and mailboxes.
2013 was the year of cloud and big data. Since hot security trends are created by suffixing the word security to a hot consumer trends we had cloud security and big data security. By the way, I think social media security had a brief fling with our mindshare last year – although I may be mistaken.
It’s hard to say what will happen with cloud security and big data security, but the big tech trend of 2000 – eCommerce generated over $260BN in 2013. When technology mainstreams we just take it for granted and stop talking about it.
We’ve Stopped Talking about eCommerce – But We’ve Also Stopped Talking about eCommerce Security
eCommerce had a major influence on our security protocols, an influence focused almost exclusively on external threats: interception of login credentials and violation of privacy and/or integrity of transactions by malicious outsiders.
The mainstay of external security is the holy trinity of SSL, firewall and IPS as it has been for over 15 years ever since Gil Schwed invented the stateful-inspection firewall and Al Gore invented the Internet.
Inside the network, we assume that internal threats are mitigated by access control and data governance policies, even though access control itself is seriously flawed:
- It provides no guidance when the access methods fail.
- It’s possible to pervert an access control policy – satisfying the policy but not the intent.
- Access control does not prevent violations by trusted individuals regardless of how well access control policy is implemented.
In addition to access control, we often see network isolation in the military and defense industry and sometimes in hospitals. Network isolation is based on noninterference models. The idea of noninterference is simple: a security domain u is non-interfering with domain v if no action performed by u can influence subsequent outputs seen by v.
It’s noteworthy that about 6-7 years ago, noninterference models spawned 2 security trends; internal firewalls (intended to defend against internal network worms) and NAC. Neither technology mainstreamed like the Windows Active Directory and Group Policy access control, probably due to cost and complexity of implementation and management and the dominant incumbency of Microsoft Windows in the enterprise network.
So it seems we’re stuck with SSL/firewall/IPS and access control for better or for worse. At this point in the article, you’re probably wondering where I’m going… I’m going to talk about collusion between 2 or more external attackers.
Collusion attacks on eCommerce services are basically privilege escalation attacks at the application-layer. Collusion attacks are important for two reasons:
- The standard portfolio of SSL/firewall/IPS is not sufficient for transitive policy enforcement and allows privilege escalation attacks. Transitive policy enforcement means that if A cannot perform operation X and B cannot perform operation X then A +B should not be able to perform operation X.
- It is almost impossible to detect a collusion attack using your server/security logs.
We consider 2 types of collusion attacks –a “weakest link” attack where malicious attackers collude by exploiting vulnerable interfaces in the same Web or mobile application and a “joint forces” attack where malicious outsiders collude to combine their permissions, allowing them to perform actions beyond their individual privileges.
“Weakest Link” Attack:
Hawaii Five-0 Fan Club Online sells online subscriptions to get the latest backstage data on the popular TV series, now in its fourth season and still going strong. Jack has an online Web site where he aggregates TV news and he’s an affiliate site of Hawaii Five-0 Fan Club Online. Jill has an online Web site for surfer fashion and she’s also an affiliate site of Hawaii Five-0 Fan Club Online.
Jack is a heavy user and negotiated a really low price for his subscription. Jack met Jill in a bar in Santa Monica and over a white wine and a beer they saw a business opportunity where Jack could arbitrage his low prices for his new friend Jill and save her the cost of a subscription (and deprive the Web site of the revenue).
Their “weakest link” attack was made possible after Jack noticed that Jill could use the GUID (globally unique ID) of his subscription with the GUID of her customer account number – using URL hacking. They share their GUIDs and exploit the URL hacking vulnerability of the Web site.
Since they share payment credentials without sharing usernames and passwords, they can fly under the radar since the Hawaii Five-0 Fan Club Online doesn’t check for inconsistencies in the query strings in their Web server log.
The countermeasure of validating IP address against username (used by a few web sites like salesforce.com) is not effective since they are using unique usernames and IP addresses.
“Joint Forces” Attack:
The simplest form of a “joint forces” attack is collusion between two or more outsiders, one of whom has higher privileges. Healthy Diets is an online Web site that uses a pyramid of Healthy Diets sales consultants who are also users of the products. The lowest level user is a “Novice”.
Once a Novice recruits 10 other users, he becomes a “Consultant”, once his network recruits 100 other users, he becomes a “Regional Advisor” and at the top of the pyramid with over 10,000 users in his network he becomes an “Industry Leader”.
The different role levels have different commission levels as well as different application permissions. Using XSRF or URL hacking or timed token vulnerabilities, groups of users may collude in order to elevate their commission levels and application permissions.
Another more sophisticated “joint forces” attack is possible in mobile apps where colluding applications can communicate directly or exploit covert or overt channels in Android system components. Moreover, applications can launch privilege escalation attacks by exploiting kernel-controlled channels and completely bypass the middleware reference monitor (see Towards Taming Privilege-Escalation Attacks on Android Bugiel, et al – PDF).
Collusion attacks are a form of fraud and an important threat vector for an eCommerce operator since they can cause economic damage and are not easily detected in logs.
Fortunately, most collusion attacks exploit standard Web application vulnerabilities such as XSRF and URL hacking which are easy to test and remedy especially if you use a modern Web application framework like Rails.
We recommend pen-testing frequently and writing special reports to query your logs in order to detect collusion attack patterns.
New security trends such as cloud security and big data security are searching for security models that work. Developers are advised to take a clean sheet of paper and not blindly copy a conventional IT security model such as centralized access control that is known to be broken.
We recommend collecting threat scenarios from a zero baseline and using threat modeling to identify the best security countermeasures for cloud security, big data security or whatever trend security will be up to bat next year.
About the Author: Danny Lieberman (@security_expert) is the authority in applying business threat analysis to Governance, Risk, and Compliance (GRC). He is a sought-after speaker, prolific blogger, and advisor on data security and compliance issues to global technology companies. With over 30 years of experience, Danny’s objective is to assist organizations in implementing the best and most cost-effective measures that reduce their Value at Risk and protect their customers. A leader in understanding the relationship between software vulnerabilities, data security, ethical practices and leveraging compliance to improve security, Danny aims to help his clients reduce value at risk by creating a common language across functional organizational boundaries and recycling threat intelligence. Software Associates was founded by Danny Lieberman in 2002 and is based in Israel with a branch in Warsaw, the Control Policy Group. Danny is also the founder of Pathcare – Sharing and private messaging with physicians and patients. His latest startup, Clear Clinica is applying IPS risk rating and threat rating techniques to the world of big clinical data in order to provide early warnings of risk to patient safety.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
- Lessons Learned from the OpenSSL Hack
- Target Data Breach: How to Perform Early Detection of a Distributed Attack
- Proactively Hardening Systems: Defining the Attack Surface
- Stolen Target Credit Cards and the Black Market: How the Digital Underground Works
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
Title image courtesy of ShutterStock