As you probably know, Grossman has been listing the Top Ten Hacks since 2006, focusing on new and creative web attacks. The number and complexity of attacks increase every year. WhiteHat Security posted the newest list of the most dangerous hacking techniques at the end of last year, but today, during a WhiteHat Security webinar about the Top 10 Web Hacks of 2012, Jeremiah Grossman, Founder and CTO of WhiteHat Security, and Matt Johansen discussed "the latest and most insidious Web-based attacks."
While listening to the webinar, what struck me the most was how often an old attack method is honed into something even more "deadly." In other cases, the new twist in a vulnerability is meant to abuse some new "functionality." For example, cross-site scripting vulnerabilities have been exploited since the 1990s, yet "new" XSS attack methods were among the most dangerous web attacks in 2012.
Sometimes an attack is based off previous research and then turned into a killer attack tool. Other times, there is new research stemming from an old vulnerability, which is then aimed at a next-generation technology like HTML5.
Chrome add-on hacking was interesting and really snagged my attention when slide 60 featured "Feedly," since Google is killing Reader and I'm playing around with Feedly and a few others. Grossman and Johansen warned you to beware of any app that has "access to your data on all websites." We know that, yet the desperate hunt for a decent RSS reader could allow someone to overlook it.
WhiteHat Security also pointed out that Juliano Rizzo and Thai Duong were listed as the #1 Top Web Hacking Technique for the third year in a row, making them three-peaters. In 2012, they "won" with CRIME. In 2011, they created and won the top spot with the BEAST attack, to which 75% of websites were still vulnerable as of April 2012. Even sadder, almost a year later in 2013, 65.7% of sites are still vulnerable, according to SSL Pulse. In 2010, the dynamic duo won with their "Padding Oracle Crypto Attack." Ironically, the more things change, the more they stay the same, since that attack was first published in 2002. In 2013, there is a "new" variant via the "Lucky Thirteen attack."
Is this a security awareness, or lack thereof, issue? Bruce Schneier recently wrote about how security awareness training isn't the answer, which in turn sparked another article that stated, "arguments against security awareness are short-sighted."
If you didn't previously check out White Hat Security's top 10 hacks, I encourage you to take the time to look at the presentation slides that suggest some ways in which you can protect yourself. The web hacks cost organizations millions upon millions every year, yet sometimes it's simply a matter of taking the time to patch an old hole or change a default password. The audio version should be available tomorrow.
You should also read the Top 10 Web Hacking Techniques for 2012 on White Hat Security with all the links so you can study them in-depth. However, the following were the best of the worst and most dangerous new web-based attacks.
- CRIME by Juliano Rizzo and Thai Duong
- Pwning via SSRF (memcached, php-fastcgi, etc.)
- Chrome addon hacking
- Bruteforce of PHPSESSID
- Cross-Site Port Attacks
- Permanent backdooring of HTML5 client-side application
- CAPTCHA Re-Riding Attack
- XSS: Gaining access to HttpOnly Cookie in 2012
- Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
Lastly, with the 300 Gbps DDoS attacks that are causing congestion and a general slowness in the Intertubes, if you have no idea what to do if your site is attacked, White Hat Security's Robert Hansen created a DDoS Runbook to help you prepare and have a game plan for if and when you get hit.
Follow me on Twitter @PrivacyFanatic