Software Testing News Journalist, Leah Alger, attends SEC-1’s Penetration Seminar to hear how Holly Grace Williams, Head of MMS & Penetration Testing Team Lead, SEC-1, explores real-world techniques for breaking into computers.
At the seminar, it was important for Williams to explore “Why hackers hack”. According to her, “financial gain” is the main reason. Banks and large companies are common targets for hackers. However, smaller companies and individuals are also targeted, especially through ransomware. For example, between 2013 and 2015, “Anunak” targeted US department stores and Eastern European banks, stealing at least US$300 million.
Testers should understand the techniques used by real attackers in order to build more secure systems. There are different types of hacking techniques everyone should be aware of:
- direct attacks, against published services
- direct attacks, against staff members
- indirect attacks, against staff members.
- account compromise
- privilege escalation
- Windows domain compromise.
Infrastructure & application vulnerabilities
Williams then touched upon how most companies have a significant external-facing attack surface. Typically, the vulnerabilities can be broadly grouped into two categories:
- operating system vulnerabilities
- off-the-shelf application software vulnerabilities
- configuration issues – weak admin passwords
- network device vulnerabilities.
- web applications
- CMS systems/plugins
- extranet applications.
Images can’t be malicious – can they?
Another worrying factor in cyber attacks is the way applications treat uploaded files.
“Applications naively presume that many file types are safe – especially, for example, images,” says Williams.
“It can become an issue when applications allow files to be under a whitelist, such as blindly allowing ‘images only’ – PNG/JPG/GIF.”
According to Williams, whitelists can be bypassed and blacklists can be ineffective if certain extensions are missed off the list. This is why you should ensure upload systems check that the uploaded file name ends with a trusted file extension such as .jpg.
For extra defence, Williams advises the following:
- whitelist file extensions, ensuring the file is validated after canonicalisation
- normalise the file path and validate it before writing to disk (i.e. resolve any traversals before validating that the file path is the intended one)
- store files in a non-web-accessible directory if possible
- validate the file MIME type.
She also notes that the comment metadata field within a PNG image allows PHP code to be embedded and kept as plaintext in the file.
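The upload checks Williams lists above can be combined into one routine, shown here in Python as an added example that is not from the seminar or from SEC-1. The names `store_upload`, `sniff_mime`, `UploadRejected` and the `ALLOWED` policy table are assumptions made for illustration, and the upload directory is assumed to sit outside the web root.

```python
import uuid
from pathlib import Path

# Assumed policy: whitelisted extension -> (MIME type, leading signature bytes).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def sniff_mime(data: bytes):
    """Derive the MIME type from the content, not from a client-sent header."""
    for mime, signature in ALLOWED.values():
        if data.startswith(signature):
            return mime
    return None


def store_upload(upload_dir, client_name: str, data: bytes) -> Path:
    """Validate an upload and write it under upload_dir (assumed non-web)."""
    if "\x00" in client_name:
        raise UploadRejected("NUL byte in file name")
    root = Path(upload_dir).resolve()
    # 1. Canonicalise first: resolve "..", "." and mixed separators.
    candidate = (root / client_name.replace("\\", "/")).resolve()
    # 2. Validate the canonical path: it must still be inside the upload root.
    if root not in candidate.parents:
        raise UploadRejected("path escapes the upload directory")
    # 3. Whitelist the extension of the canonical name, not the raw input.
    ext = candidate.suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not whitelisted")
    # 4. The content-derived MIME type must match the extension.
    if sniff_mime(data) != ALLOWED[ext][0]:
        raise UploadRejected("content does not match the extension")
    # 5. A valid image can still carry text in its metadata, so store it under
    #    a server-chosen name with the checked extension, outside the web root.
    dest = root / f"{uuid.uuid4().hex}{ext}"
    dest.write_bytes(data)
    return dest
```

The signature check in step 4 only confirms the file starts like an image, so steps 3 and 5 are what keep a file with embedded text from being served as a script.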
Written by Leah Alger