Most of us think of website hacks as illicit activities aimed at siphoning critical information or disrupting the business of website owners. But what happens when your site is hacked, not for the purpose of harming you but rather to further the ends of other parties? Most likely, the attackers would manage to feed off your resources and reputation for months or years without being discovered, because it’s hard to take note of something that isn’t directly affecting you.
This is the scenario described in a recent report from cybersecurity firm Imperva, which proves that you should harden your website not only to protect yourself, but also to protect others and prevent your online assets from being taken advantage of for illicit activities.
Piggybacking vulnerable websites for malicious purposes
Compiled by researchers at Imperva Defense Center, the report unveils a long-running blackhat SEO campaign in which hackers are exploiting vulnerabilities in thousands of legitimate websites in order to promote the search engine ranking of their clients’ websites.
The hackers are using botnets (networks of remotely hijacked computers) in order to amplify their campaigns and are using known hacking techniques such as SQL injection and comment spam in order to inconspicuously insert backlinks to their clients in the targeted websites. The attackers use CSS and HTML tricks to hide the inserted snippets from the eyes of visitors and site administrators while keeping them visible to web crawlers.
The fact that the targeted websites are not directly affected by the attacks (aside from SEO penalties) makes the attacks much harder to detect and notice. In fact, according to Imperva, the campaign is still ongoing and the hackers continue to seek out and target vulnerable sites.
Although the Imperva report is the most recent and expansive case of websites being piggybacked for malicious purposes, it is far from being the only instance. There’s a long precedent of websites being hacked and used as a beachhead for activities that in most cases are far more damaging than blackhat SEO.
In February, hackers broke into the official Linux Mint website and surreptitiously distributed their own backdoored version of the operating system to thousands of oblivious users. In October last year, hackers breached thousands of websites powered by eBay’s Magento e-commerce platform through a zero-day exploit and abused them to deliver malware to visitors.
Joint research led by experts from Katholieke Universiteit Leuven in Belgium and Stony Brook University in the U.S. showed how hackers were compromising advertisements on illegal livestreaming websites to infect visitors with malware.
But websites of questionable nature aren’t the only targets that hackers exploit to deal their damage. According to Cisco’s 2015 Annual Security Report, the aviation, agriculture, mining and insurance industries top the list of websites that pose the risk of harming visitors.
And a rash of malicious ads turning up on sites such as The New York Times, BBC and MSN earlier this year showed that even the big-name sites can unwittingly become complicit in the crimes of cyber-evildoers.
Source code flaws are at the heart of website hacks
Not all website-related hacks are carried out by compromising the server. Many of them use malvertising, a hacking technique that takes advantage of ad delivery networks and leverages vulnerabilities on client machines such as bugs in Adobe Flash and Microsoft Silverlight.
But where web servers are concerned, source code flaws are the main reason websites are compromised. “Today we see that a major number of attacks against websites are based on vulnerabilities which have not been properly addressed at the code level of the web application,” says Amit Ashbel, director of product marketing of cybersecurity firm Checkmarx.
While developers usually do test the code of their websites, security flaws aren’t necessarily what they look for. “Unfortunately it is not always common practice to have developers identify and address the vulnerabilities just like they would address functionality bugs triggered by their code,” Ashbel elaborates.
Organizations are starting to understand the importance of rooting out security flaws from their applications, but there’s only so much you can do when dealing with hundreds of thousands of lines of code.
This is a challenge that, according to Ashbel, can be overcome with the use of static application security testing (SAST) tools, solutions that help spot security bugs in software as you code. “Source code analysis can be implemented in a very efficient and effective manner if organizations adopt the idea of introducing security,” he says.
The advantage of SASTs, Ashbel says, is that they become integrated into the development lifecycle of web applications and reduce the cost and time required to fix bugs.
“While this may not provide 100% protection, it is a key step which should become part of every organization’s SDLC (Software Development Lifecycle),” he stresses. “Making sure that code is analyzed for vulnerabilities as part of the SDLC is just like analyzing code for functionality bugs.”
Checkmarx has designed its tools with a focus on helping developers quickly mitigate vulnerabilities in their code while improving their secure coding skills through a set of features that deliver education as part of the mitigation.
Other viable initiatives in this regard include efforts led by several security startups to leverage artificial intelligence in hunting software bugs. The innovations have been set forth in a Cyber Grand Challenge competition hosted by DARPA. Among the tasks given to participants is designing tools that can disassemble software, analyze it and plug any potential security holes.
DARPA’s vision is to have AI that complements the work humans do in finding bugs — and, of course, exploiting them.
A small team from the University of Idaho’s Center for Secure and Dependable Systems is among the competition’s finalists. Their goal is to make tools and methodologies available to developers that will make it easier and cheaper to build secure code. Jim Alves-Foss, who leads the two-person team, says they have opted for a combination of algorithms and heuristics to root out bugs that have been known to researchers for decades but pop up in newly written code, which he describes as “low-hanging fruit for attackers.”
Another team, from software security firm GrammaTech and the University of Virginia, is developing an AI-powered task master that can determine which parts of software are more likely to have security bugs and optimize computation resources to analyze those sections.
The efforts are still far from being deliverable to consumers, but the challenge environment is showing promise and will produce some interesting results.
What if you can’t fix your web application’s source code?
Not every organization has the know-how and resources to fix security bugs in the source code of their web applications and make sure they don’t expose their visitors to harm. In fact, for the most part, organizations rely on popular CMS and blog engines such as WordPress, which let you power up your website with little or no coding skills.
This in itself can become a security hole: in many cases, site administrators remain oblivious to hacks because of their lack of knowledge.
As it happens, a huge number of website hacks are made possible through zero-day flaws in these engines, or known flaws in unpatched instances installed on web servers. And as most of these engines are open to third-party extension development, many data breaches take place through badly coded plug-ins installed by careless site administrators who only wish to access the added functionality.
But this problem isn’t without a solution. Firms with little or no security staffing and web application experience can invest in the use of cloud-based security services, which are easy to integrate with different forms of IT infrastructure.
For instance, cloud-based Web Application Firewalls (WAF) add a layer of security to web applications, and their installation is often as simple as a redirection of a website’s traffic through the WAF provider. WAFs function by monitoring website traffic at the application layer, which basically means they are much more effective than traditional security tools in discovering and blocking known attacks and zero-day exploits on web applications.
According to Gartner’s Magic Quadrant 2015, WAFs are one of the most popular tools for securing websites and can act as an alternative to vulnerability scanning tools and processes for organizations that don’t have the necessary resources.
Most major cybersecurity vendors and hosting services such as Amazon and Microsoft Azure offer some kind of WAF protection to their clients, but there are also many startups and mid-sized companies that are carving out a position for themselves in the cloud-based WAF industry, including Imperva, DenyAll and Positive Technologies (ranked as Leaders and Visionaries in Gartner’s MQ).
WAFs do come with their own caveats and require in-house cybersecurity talent. They also have their shortcomings when it comes to dealing with the complexities and diversities that characterize web applications. However, cloud-based security solutions often remedy the situation somewhat by requiring the least involvement from the client and deferring the bulk of the work to the WAF provider and its teams of experts.
Recent hacks serve as a reminder that more than our own data and security is at stake when we’re operating websites. It’s hard to call any single tool a panacea that will plug all the holes and prevent your website from becoming a vehicle for cybercrimes. That’s why we’re still seeing websites getting hacked on a large scale. However, it doesn’t mean that you shouldn’t try your best to protect your website (and, of course, its visitors) with as many tools as you can lay your hands on. After all, as the saying goes, you only need a stronger lock than your neighbor.