Opinion: Social Engineering Still Alive and Kicking
- By Russ Cooper
- May 17, 2005
A social engineering attack resulted in secure e-mail service provider
Hushmail having its Website redirected to a defaced site. According
to reports, Network Solutions, the Domain Name Service provider
behemoth, gave out information through a customer support line
sufficient to allow an attacker to alter DNS record information for
Visitors to the Hushmail site were instead sent to a
server co-opted by the attacker. Network Solutions said it's
implemented new security measures to ensure that such an "isolated
event" doesn't happen again.
There are so many things to go into here it's hard to decide where to
start. First, the existing security measures Network Solutions purports
to have in place weren't followed; what's the point in implementing
new measures if the old ones can't be followed?
Second, it demonstrates the frailty of the entire Internet. A single
site, with a single point to alter such significant information, can
lead to an entire company's online presence being altered or removed.
No amount of backup could have prevented this. It's solely in the hands
of Network Solutions to ensure this sort of thing can't happen. Multi-
billion dollar companies must be able to rely on Network Solutions to
prevent such an attack. Think about that the next time you're preparing
your sales forecasts for online business.
Although the redirection didn't last for very long, and despite the
fact that Hushmail has stated that no data was at risk or compromised
in the process, the action has had -- and will continue to have -- a
significant impact on Hushmail's reputation and credibility. This will
become an urban legend, something talked about for many years to come.
Social engineering targeting customer support personnel is one of the
oldest forms of attack. That a company the size and importance of
Network Solutions could be vulnerable to such an attack demonstrates a
shocking lack of sound security practices and judgment on its part.
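The practical defence against the registrar-level change described above is continuous comparison of a domain's resolved records against a known-good baseline. The following is an added example, not code from the column or from Hushmail or Network Solutions; the domain, nameservers and addresses are constructed placeholders.

```python
# Added example (not from the column): diff a domain's resolved records against a
# known-good baseline so a registrar-level change like the one described above is
# caught quickly. All record sets are constructed placeholders, not Hushmail data.
from dataclasses import dataclass

# An NS change means the delegation itself was altered at the registrar, the single
# point of failure the column describes, so it ranks above a changed A or MX record.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high", "TXT": "low"}
ORDER = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    rtype: str
    severity: str
    removed: frozenset
    added: frozenset


def normalize(values) -> set:
    """Case-fold and strip trailing dots so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return {v.lower().rstrip(".") for v in values}


def diff_records(baseline: dict, observed: dict) -> list:
    """Compare two {rtype: set_of_values} snapshots; return Findings, most severe first."""
    findings = []
    for rtype in set(baseline) | set(observed):
        want, got = normalize(baseline.get(rtype, ())), normalize(observed.get(rtype, ()))
        if want != got:
            findings.append(Finding(rtype, SEVERITY.get(rtype, "low"),
                                    frozenset(want - got), frozenset(got - want)))
    return sorted(findings, key=lambda f: (ORDER[f.severity], f.rtype))


def hijack_suspected(findings) -> bool:
    """Delegation moved to nameservers outside the baseline: treat as a registrar hijack."""
    return any(f.rtype == "NS" for f in findings)


# Constructed baseline for a placeholder domain.
BASELINE = {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
            "A": {"192.0.2.10"}, "MX": {"mail.example.com."}}
# Constructed snapshot after an unauthorised registrar change: new delegation, new web IP.
HIJACKED = {"NS": {"ns1.unknown-host.test.", "ns2.unknown-host.test."},
            "A": {"198.51.100.7"}, "MX": {"mail.example.com."}}
# Constructed snapshot for a routine web host move: only the A record differs.
HOST_MOVE = {**BASELINE, "A": {"192.0.2.11"}}

if __name__ == "__main__":
    for f in diff_records(BASELINE, HIJACKED):
        print(f"[{f.severity}] {f.rtype}: -{sorted(f.removed)} +{sorted(f.added)}")
```

In practice the observed snapshot would come from querying the parent zone's delegation and the domain's authoritative servers on a schedule; a critical finding should page a human, since no backup of the site can undo a change made at the registrar.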
According to a report by Zone-H, a site that monitors hacking activity,
Web server attacks and Website defacements rose by 36 percent in 2004.
Last year, there were nearly 400,000 attacks on network servers and
corporate websites worldwide. Currently, 2,500 Web servers are hacked
daily and Zone-H estimates that these numbers could rise to 80,000 per
day once third-generation VoIP phones become mainstream. Zone-H also
reported 186 attacks on U.S. government servers and 49 attacks on U.S.
It's important to note that Zone-H, www.zone-h.com, relies solely upon
reports from others for its data, leading to questions about its
overall accuracy. Previously, an outage of Zone-H's site would lead to
a reduction in reported defacements. Whether it was caused by an
inability to get hacker e-mail or a slowdown in reporting by hackers
who saw that the site was down is unclear.
That said, it's safe to assume that defacements continue to increase.
Website defacement is often seen as a "rite of passage" for hackers.
Generally, a would-be hacker starts by defacing some easily attacked
Websites (like default Apache installs or those using the scripting
language PHP) in an attempt to gain some credibility within the hacking
community. After a year or two, individuals move out of the defacement
attack space and into more sophisticated attack methods.
McAfee and Kaspersky Labs have recently published reports agreeing
with a Symantec study that found mass-mailing viruses on the decline as
virus writers switch to bots and Trojans. The Kaspersky report
describes botnets as "the greatest threat to the Internet as we know
it" and names their detection and prevention as a priority for the
technology industry. The McAfee report finds that the motivation for
botnets and Trojans is profit; the malware can steal private data or
create a platform for spam, malware and denial of service extortion.
Kaspersky estimates that 50,000 new bots are created each month, with a
current total of several million.
According to anti-virus vendor Panda, the number of new viruses has
almost tripled in the last six months. The spike is attributed to the
many variants of viruses being released, simply repackaged with
different encryption techniques.
Russ Cooper is a Senior Information Security Analyst with
Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of
NTBugtraq, www.ntbugtraq.com, one of the industry's most influential
mailing lists dedicated to Microsoft security. One of the world's most-
recognized security experts, he's often quoted by major media outlets
on security issues.
Russ Cooper's Security Watch column appears every Monday in the
Redmond magazine/ENT Security Watch e-mail newsletter.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.