Page hijacking for dummies

In order to hijack a web page and make it distribute malicious content, an attacker usually has to find a vulnerability in the web server or in the scripts it runs. As Twitter user @Random_Robbie and Kevin Beaumont [1,4] noticed, sparking an online discussion, this cumbersome process is not always necessary!

It has become common practice for web pages to load content from remote locations in order to incorporate external content, both information and scripts such as JavaScript or PHP. Most people are not aware that a web page they visit is actually composed from dozens of sources outside of the visited domain. If one of those links to an external resource is broken, as might easily happen when copy-pasting code segments or misconfiguring yet another WordPress plug-in, the intended external content will not be loaded.

This is not necessarily a security issue. But in this specific case the link was not simply broken: it referenced a file in an Amazon S3 bucket that had not been registered... yet. All an attacker needs to do is register that bucket and deploy a script file that caters to his or her needs. This is an imminent threat and is not limited to those who use Amazon S3. Likewise, the link might have referenced a yet unregistered domain, posing the exact same risk. Still, relying on S3 makes this a little more delicate. Even if the bucket already existed, chances are you might still be able to exchange its content, as buckets are commonly misconfigured and writable to the public, as has been revealed within the last two weeks [2,3].

Although any kind of web space can be misconfigured, this case of publicly writable buckets is S3-specific. On the other hand, loading content from non-existing sources is obviously a risk in any scenario and not limited to Amazon. What is not obvious, though, is how and why such a scenario arises.

Possible explanations are manifold, ranging from human error to malicious intent. Either way, loading content from locations that one is not in control of is, in my humble opinion, a bad habit that unfortunately evolved to be common practice.
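A site owner can check for this condition on their own pages. The following is an added example, not code from the original post: it lists the third-party resources a page references and flags those whose host does not resolve or whose S3 bucket does not exist. The names `audit` and `probe` and all sample hostnames are assumptions made for illustration, and the probe is stubbed with constructed results.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Virtual-hosted-style (bucket.s3[.region].amazonaws.com) or path-style S3 host.
S3_HOST = re.compile(r"^(?:(?P<bucket>.+)\.)?s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")

class ExternalRefs(HTMLParser):  # collects URLs from script/iframe/img/link tags
    ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k == self.ATTRS.get(tag) and v]

def split(url):  # handles absolute, protocol-relative and relative URLs
    return urlparse(url if "://" in url else "https:" + url)

def s3_bucket(url):
    """Return the bucket name if the URL points at S3, else None."""
    parts = split(url)
    m = S3_HOST.match((parts.hostname or "").lower())
    if not m:
        return None
    return m.group("bucket") or parts.path.lstrip("/").split("/")[0] or None

def audit(html, own_host, probe):
    """probe(url) -> (status, body); status None means the host did not resolve."""
    parser = ExternalRefs()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        if split(url).hostname in (None, own_host):
            continue  # relative or same-host reference
        status, body = probe(url)
        if status is None:
            findings.append((url, "host does not resolve"))
        elif (bucket := s3_bucket(url)) and status == 404 and "NoSuchBucket" in body:
            findings.append((url, f"S3 bucket {bucket!r} does not exist"))
    return findings

# Constructed sample page and stubbed probe results, so this runs offline.
SAMPLE = """<script src="/js/app.js"></script>
<script src="https://example-widgets.s3.amazonaws.com/widget.js"></script>
<script src="//cdn.unregistered-example.test/lib.js"></script>
<link rel="stylesheet" href="https://s3.amazonaws.com/example-styles/site.css">"""
STUB = {"example-widgets.s3.amazonaws.com": (404, "<Code>NoSuchBucket</Code>"),
        "cdn.unregistered-example.test": (None, "")}
stub_probe = lambda url: STUB.get(split(url).hostname, (200, ""))
```

In real use, `probe` would perform a DNS lookup and an HTTP GET for each reference found on your own pages. S3 answers requests for a missing bucket with a 404 whose XML body carries the error code `NoSuchBucket`.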

[1] https://twitter.com/Random_Robbie/status/968386467058929664
[2] https://www.techrepublic.com/article/unsecured-amazon-s3-buckets-are-prime-cloud-target-for-ransomware-attacks/
[3] http://www.bbc.com/news/technology-42839462
[4] https://twitter.com/GossiTheDog/status/968391071049945088

Malvertising: The role of dynamic content and ad networks in the propagation of malicious code

Malvertising – that is, the spreading of malware or fraudulent content through malicious ads on otherwise trustworthy homepages – is not only persistent but also growing, as recent articles from Motherboard [1] and Ars Technica [2] suggest, both referring to a report from Cyphort as their primary source. This increase in the delivery of malicious ads poses an imminent threat to users on the Internet. Ars Technica emphasises that a single consortium, consisting of 28 fake ad agencies, was able to reach 62% of ad-monetized websites on a weekly basis.

Screwed up VLAN implementations – On the Importance of Basic Technologies

Hardly a week passes that is not dominated by some more or less serious IT security incident. Though a considerable number of these incidents are caused by the exploitation of specific vulnerabilities, be they zero-days or not, their impact frequently depends on the prevalent infrastructure of the systems in question. The spreading of WannaCry, for example, could have been – and in many cases probably was* – contained by the proper employment and configuration of firewalls to separate networks or at least filter potentially illegitimate traffic.

On the Usefulness of Anti Virus Software

Anti virus software is probably one of the first things to be installed on a fresh system before any other software hits the hard disk. There seems to be consensus that a virus scanner is a must-have nowadays; the only thing that is not clear is which one is supposedly the best when it comes to malware, ransomware, spyware, scareware, root-kit, spam, phishing, botnet, trojan or <place random word here> detection. No one has ever been blamed for using AV; the opposite might be the case though. But in fact, there is an ongoing discussion about the usefulness of such software, and it is as old as virus scanners themselves.

Security Implications of Radio Equipment Directive 2014/53/EU

Operating radio equipment in compliant modes is a reasonable thing to do. WiFi and GSM jammers are excellent examples of what might happen if radio equipment is not operated in compliant modes, rendering communication (based on GSM or WiFi in this case) impossible in a certain radius. Things can get even more delicate if GSM baseband firmware is modified so that it violates the GSM protocol in ways that allow for Denial of Service attacks on cell phone towers. Back in 2009, this was one of Apple’s claims on why it would need to take actions against jailbreaking iPhones (1), with a jailbreak being mandatory if users wanted to remove the built-in provider-lock. This unlock, in fact, tinkered with the baseband.