A new report analyzing a recent attack on a military dating site underscores the need for stronger safeguards on social networks.
As part of its Hacker Intelligence Initiative, database and application security provider Imperva deconstructed a March attack by the hacker collective LulzSec on MilitarySingles.com. By bypassing simple checks and filters, the group was able to steal sensitive data, including passwords on more than 170,000 members of the dating site. The “reborn” group posted of the attack on Pastebin March 26.
The attackers took advantage of a soft spot in developing today’s social applications: consumer-created content.
“The fundamental tenet of Web 2.0, user-generated content, is also the Achilles Heel from a security standpoint. Why? Allowing the upload of user-generated content to the Web site can be extremely dangerous as the server which is usually considered by other users and the application itself as ‘trusted’ now hosts content that can be generated by a malicious source,” company officials said in a just-released trend report.
“However, in Web 2.0 applications, the upload of user-generated content cannot be avoided. For example, imagine social networks without pictures and webmail without attachments. Very dull user, indeed.”
Among the most common ways intruders upload malicious content: file execution in which an uploaded file runs on the server; local file inclusion where the file contains PHP; malware hosting where the user trusts the file and downloads the content; cross-site scripting; and phishing.
In the case of MilitarySingles.com, attackers gamed the picture upload functionality. The application designer tried to guard against an attack by restricting uploads to photo file extensions only. But a text file with .jpg extension got through. The filter trusted content type specified by a browser – which is a client-side control – instead of properly checking files on the server side. “So an attacker, using a proxy to fiddle with traffic after it had passed client-side security implemented on the browser, was able to change the filename without changing the ‘image’ content-type,” the report said.
Attackers presumably changed the uploaded file extension to be PHP – and therefore executable on the compromised site’s server. This is particularly problematic, according to the report, because 77 percent of all Web applications currently use PHP.
Imperva recommends the following to prevent untrusted content from being uploaded:
- Assigning minimal permissions to the uploaded content – especially not giving the file executable permissions.
- Hosting user-generated content on a different domain. That way, even if the code is malicious it’s not evaluated in the context of your site.
- Hosting user-generated content on a different machine – that way, even if the code gets executed, it’s not executing on the machine that stores sensitive data and resources. That machine needs to be considered as untrusted and have minimal permissions.
- Filtering the uploaded content through whitelisting, blacklisting and implementing security checks on the server side, rather than client.
Hackers also took advantage of the dating site’d password management. Members’ secret codes were hashed but no additional salting was done to thwart a dictionary attack. It took LulzSec about nine hours to crack open more than 90 percent of the passwords, the most popular of which were the highly predictable 123456, password, iloveyou, princess, military, marines and sunshine.
Impreva recommends using hashes from the SHA-2 family, such as SHA-256, and adding salt to the hash function to render rainbow tables useless. Additionally, set a policy to help prevent a user from choosing a predictable password.
The password disclosures were particularly troublesome, according to the report, because many members were active duty military, and users in general tend to select the same password to access multiple sites and networks.
“In addition to the Web application security concerns, the fact that hackers targeted MilitarySingles should not be overlooked. Consideration should be paid to the fact that hacktivists are increasingly using social engineering techniques to infiltrate targets. Imperva calls into question if military and government employees should be held to a higher standard when it comes to social networking.”