Last week there was a lot of news around the hacking of several major companies and organizations: Symantec, ImageShack and ZPanel. Mathew Schwartz of InformationWeek wrote an article that clears up some misconceptions about which companies were hacked and by which hacking groups. Originally, there were rumors that the hacking group Anonymous was behind the attacks and that PayPal had been breached.
However, Hack the Planet later claimed to be behind the attacks on November 5th and here are their claims:
- Hacked Symantec’s database
- Infected ZPanel and released a Zero Day Bug
- Took control of every server and router at ImageShack
ZPanel said that the reported flaw was patched up months ago, and Symantec is investigating the reported attacks.
As of the publication of this blog post, there has been no statement from ImageShack. For this reason, we’ll take a look at ImageShack as a use case for how to avoid and clean up a major hack.
Avoiding a Breach
Hack The Planet provided a pithy comment on the ease of hacking into ImageShack, stating in a tongue-in-cheek way that the company’s security was sub-par. Whether or not this is true, it is a good reminder of why it is important to do everything you can to keep your network and data center secure. Some hackers routinely scan sections of the Internet looking for vulnerable systems to attack. Eventually someone will find your web server and anything else you’ve got online.
To keep yourself from being an easy target, it is essential to do your security due diligence. Make sure that:
- You keep your systems and security updated and patched.
- You establish a baseline of your network’s normal traffic and watch for deviations from it – this can help you figure out if someone is trying to perform a DDoS attack or an APT.
- You check the security of your application – today most attacks leverage flaws in your applications.
- You automate as much of this as possible, for continuous coverage.
The most popular attack today is SQL injection: submitting web forms with embedded SQL commands to pull data directly from the back-end database. This could have been how Symantec was hacked. Ask two people what the best line of defense is and you will usually get two answers. A DBA will say the answer is to use stored procedures in the database, and a web developer will say the answer is to pre-parse the content before it reaches the database.
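To make the web developer’s side of that answer concrete, here is an added example (not code from the original post or from any of the companies mentioned) that puts a query built by string concatenation next to the same query with bound parameters, against a constructed in-memory SQLite table. The hostile input is the classic tautology that the page describes as “embedded SQL commands”; the parameterized version treats it as a plain string.

```python
import sqlite3

# Constructed sample data standing in for a back-end user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The weak form: form input is pasted straight into the SQL text,
    so any quote characters in it change the statement's meaning."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: the value is bound as a parameter and sent to the
    engine separately from the statement, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a hostile string."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed hostile form input
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_parameterized(conn, "alice"),
        # Concatenation turns the WHERE clause into a tautology: every row comes back.
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),
        # Binding looks for a user literally named x' OR '1'='1: no rows.
        "hostile_safe": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same contrast holds for any database driver that supports placeholders; the stored-procedure approach the DBA prefers achieves the same separation of code and data on the server side.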
Also we suggest that you regularly hack yourself to help determine where a vulnerability in your system might be. We go into more depth on this topic in our blog post, “Why White Hat Hacking is Your Network’s Friend.”
How to Clean Up a Security Breach
Although the procedures above will help you become less vulnerable, they will not ensure that you will be completely safe. Governments and corporations alike need to have contingency plans in place to perform network forensics once a breach occurs. Here are ways that you can help clean up your network after a security breach.
- Follow the pivot chain. Sophisticated attacks don’t stop at one system: they use that system to attack further into the network. Even if you’ve cleaned up the “hacked” system, there may still be other back doors lying dormant in your network.
- Perform network forensics. This can help you determine where you got attacked and if worms or viruses might still be lingering in your system.
- Understand your responsibilities, and live up to them. If regulations say you have to report the breach, don’t bury the report: admit your fault, or someone else will gleefully make it public for you.
Be Prepared Before a Breach
A lot of companies think that they’ll never get attacked, but hacker groups seem to have an infinite amount of time, and a strong desire to break things. There are a few simple things you can do to prepare in case you’re ever attacked.
- Start recording all of your traffic before you get hacked. Any data that slips through the cracks might be the key to characterizing the breach and assessing the damage. Since you can’t predict when this will be, start now.
- Limit the useful lifetime of any data that gets out. Hackers don’t always release their results immediately: when the LinkedIn password hashes were leaked, analysis showed that they were at least 3 months old. ZPanel got ahead of the hackers by fixing a potential Zero Day bug three months ago. Try to find ways to make sure that whatever gets stolen today is useless by the time it’s leaked.
Need more details on how you can manage the lifecycle of a breach? Check out this slideshow from eWeek.