Wednesday 29 May 2013

Why Hosters Should Care About Web Security


Earlier this week, the “Moroccan Ghosts” published a list of 52 defaced Israeli sites, replacing site content with political propaganda pages (and some cool Moroccan music).
Looking into the hacked domain list, we noticed that most of the domains in the disclosed list are hosted on the same server, in this case at a large hosting company in Israel. It was relatively easy to see that the server itself runs PHP v5.3.

Although this is merely educated speculation, it seems that the hackers were able to exploit a configuration mistake in the server rather than individual vulnerabilities in the hosted applications, or to take over the entire server through a vulnerability in a single application. In a shared hosting environment “one rotten apple spoils the barrel” – a single vulnerability may result in owning the entire server and the database that holds data for all applications.
In other words, when an application is hosted on a shared hosting server, even if one application owned by company A is secured, if a second application owned by company B is not so secure and is hacked, the end result may be a breach of both. This is also true for a secured application on an insecure platform.
What can hosters do to prevent incidents like this?
  • Proper server administration should enable creating silos in terms of database servers, virtual directories and permissions per customer. This reduces the risk in some ways but does not remove it.
  • Hosters should offer the same compartmentalization services they offer to physical customers to their digital and hosted customers, by adding web application controls that reduce the risk of such hacks.
  • Make sure that the management platform is secure, since many hoster breaches come through an insecure management console that allows file changes and DNS changes per user provisioning, or globally.
  • Offer web vulnerability scans to your customers, because most companies do not have the experience that hosters have in dealing with web applications and the security required around them. It makes sense that customers who outsource hosting their applications will appreciate outsourcing the security around them. However, to complete the cycle, scanning is not enough! Once vulnerabilities are found it is critical to use controls such as Web Application Firewalls to remediate the findings.
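The first recommendation above, per-customer silos, is only as good as the file permissions that back it: on a shared PHP host the usual cross-tenant path is one tenant's process reading another tenant's world-readable `wp-config.php` (and its database password) or writing into a world-writable upload directory. The script below is an added example written for this post, not something from the original article or from any hoster; it assumes a hypothetical layout of `ROOT/<tenant>/...` where each tenant's PHP runs as a distinct Unix user named after its directory, and it reports files that break that isolation.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shared-hosting web root
# for files one tenant could read or modify in another tenant's tree.
# Assumed (hypothetical) layout: ROOT/<tenant>/... with each tenant's PHP
# running as a Unix user named like its directory. Needs POSIX find/awk.

# audit_tenant_root ROOT
# Prints one finding per line: "<KIND> <path>"
#   WORLD_READ      any local user (i.e. another tenant's PHP) can read the file
#   WORLD_WRITE     any local user can modify the file (code-planting risk)
#   OWNER_MISMATCH  file not owned by the tenant's own user; only checked
#                   when a user with the tenant's name exists on this host
audit_tenant_root() {
    root=$1
    for tdir in "$root"/*/; do
        [ -d "$tdir" ] || continue
        tdir=${tdir%/}
        tenant=$(basename "$tdir")
        # World-readable files: config files holding DB credentials are the
        # usual victims when a neighbouring site is compromised.
        find "$tdir" -type f -perm -o=r -exec printf 'WORLD_READ %s\n' {} \;
        # World-writable files: a neighbour can plant code the web server runs.
        find "$tdir" -type f -perm -o=w -exec printf 'WORLD_WRITE %s\n' {} \;
        # Ownership drift defeats per-user PHP pools; skip if no such user.
        if id "$tenant" >/dev/null 2>&1; then
            find "$tdir" ! -user "$tenant" -exec printf 'OWNER_MISMATCH %s\n' {} \;
        fi
    done
}

# count_findings ROOT KIND -> number of findings of that kind, for use in
# cron jobs or provisioning checks (non-zero WORLD_WRITE should page someone).
count_findings() {
    audit_tenant_root "$1" | awk -v kind="$2" '$1 == kind { n++ } END { print n + 0 }'
}
```

Run it as `audit_tenant_root /var/www` from a root shell after provisioning and on a schedule; a clean host prints nothing. The world-readable check is the one that matters most on PHP 5.x hosts that run every site as the same web-server user, because there the kernel offers no isolation at all and only per-user pools plus `0640`-style permissions on configuration files keep tenant A's database out of tenant B's reach.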

Skype with care – Microsoft is reading everything you write


Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.
A reader informed heise Security that he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an IP address which traced back to Microsoft had accessed the HTTPS URLs previously transmitted over Skype. Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:
65.52.100.214 - - [30/Apr/2013:19:28:32 +0200]
"HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
[Utrace map: the access is coming from systems which clearly belong to Microsoft. Source: Utrace]
They too had received visits to each of the HTTPS URLs transmitted over Skype from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.
In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:
"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."
A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends HEAD requests, which merely fetch administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.
Back in January, civil rights groups sent an open letter to Microsoft questioning the security of Skype communication since the takeover. The groups behind the letter, which included the Electronic Frontier Foundation and Reporters without Borders, expressed concern that the restructuring resulting from the takeover meant that Skype would have to comply with US laws on eavesdropping and would therefore have to permit government agencies and secret services to access Skype communications.
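The log line heise Security captured is instructive beyond Skype: the URL itself carried a username and password, so anything that scans or fetches links, be it a messaging service, a link-preview feature or a proxy, walks away with the credential. A site owner can find out whether their own application leaks secrets in URLs by scanning the web server access log for query parameters with credential-like names. The following is an added example written for this post, not code from The H or heise Security; it parses common/combined-format log lines like the one above, and the parameter-name list is an assumption to be tuned per application.

```shell
#!/bin/sh
# Added example (not from the original article): scan a web server access log
# (common/combined format) for requests whose query string carries
# credential-like parameters, i.e. URLs that leak secrets to anyone who sees
# or fetches them. The parameter-name list is an assumption; extend it to
# match the application's own names.

# flag_sensitive_urls LOGFILE
# Prints one line per sensitive parameter seen: "<client-ip> <method> <param> <url>"
flag_sensitive_urls() {
    awk '
    # The request is the quoted "METHOD URL HTTP/x.y" field.
    match($0, /"[A-Z]+ [^ ]+ HTTP\/[0-9.]+"/) {
        req = substr($0, RSTART + 1, RLENGTH - 2)
        split(req, parts, " ")
        method = parts[1]; url = parts[2]
        qpos = index(url, "?")
        if (qpos == 0) next                      # no query string, nothing to leak
        query = substr(url, qpos + 1)
        n = split(query, kv, "&")
        for (i = 1; i <= n; i++) {
            split(kv[i], p, "=")
            key = tolower(p[1])
            # Names that almost always denote a credential or bearer token.
            if (key ~ /^(pass|passwd|password|pwd|token|access_token|session|sessionid|sid|auth|secret|api_key|apikey)$/)
                print $1, method, key, url
        }
    }' "$1"
}

# count_sensitive_requests LOGFILE -> number of flagged parameter occurrences
count_sensitive_requests() {
    flag_sensitive_urls "$1" | awk 'END { print NR }'
}
```

Run as `flag_sensitive_urls /var/log/apache2/access.log`. Every hit is a place where the application should move the secret out of the URL and into a POST body, a header or a cookie, since URLs end up in browser history, referrer headers, proxy logs and, as this story shows, in the hands of whoever scans the chat messages they are pasted into. The client IP in the first column also shows who actually fetched each leaked URL.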
In summary, The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data.

Hack the hacker: US Congress urged to legalize cyber-attacks to fight cybercrimes


US Congress should legalize attacking hackers’ computers with malware, physically destroying networks and taking photos of data thieves and copyright violators with their own cameras in order to punish IP thieves, the IP Commission recommends.
The commissioners - former US government officials and military men - say that the “scale of international theft of American intellectual property (IP) is unprecedented”. However, the US government response has been “utterly inadequate to deal with the problem.”

"Almost all the advantages are on the side of the hacker; the current situation is not sustainable," the commission's report says.

“New options need to be considered,” the authors call, then adding that current laws are limited and “have not kept pace with the technology of hacking.”

Thus, the commission suggests allowing active network defense: retrieving stolen information, “altering it within the intruder’s networks, or even destroying the information within an unauthorized network."

For example, locking down the computer of unauthorized users and forcing them to contact the police could be one of the options.

“The file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account,” the commission recommended.

In other words, the authors suggest legalizing ransomware - an extortion tool used by organized criminals: malware that blocks access to the computer system it infects and demands a ransom paid to its creator to remove the restriction.

Such measures, the commissioners stressed, do not violate existing laws, but still might help to prevent attacks and even provide both time and evidence for law enforcement to investigate the cyber-crime.

As additional measures, the report recommends “physically disabling or destroying the hacker’s own computer or network,” implanting malware in the hacker’s network or photographing the hacker using his own system’s camera.

“The legal underpinnings of such actions taken at network speed within the networks of hackers, even when undertaken by governments, have not yet been developed,” the authors say.

So, if counterattacks against hackers were legal, companies could use a variety of techniques and cause severe damage to the capability of IP pirates.

"These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking these activities in the first place," the report concludes.

However, if counterattacks were legalized, this would not be just about companies and hackers. Some pirated movies or songs on private computers could be deemed IP theft and allow rights holders to do horrible things to suspected systems.