Advertisement
  1. SEJ
  2.  ⋅ 
  3. SEJ Show

Robert ‘RSnake’ Hansen Talks Website Security on #MarketingNerds Podcast

Robert "RSnake" Hansen talks about a number of really important topics, such as what webmasters need to focus on when it comes to web security.

Robert ‘RSnake’ Hansen Talks Website Security on #MarketingNerds Podcast

Visit our Marketing Nerds archive to listen to other Marketing Nerds podcasts!

In this week’s episode of the Marketing Nerds podcast, we are joined by Robert ‘RSnake’ Hansen, who is VP of WhiteHat Security Labs, well-respected DefCon speaker, world renown hacker, writer of Slowloris, and creator of Ha.ckers.org.

In our discussion, we talk about a number of really important topics, such as what webmasters need to focus on when it comes to website security, hiring a forensic team to evaluate your site, HTTPs and whether it helps, whether WordPress is a secure platform, should we really be worried about NSA, Facebook, and other companies tracking our data, finding Hillary Clinton’s email servers, and China’s new social engineer hack that is pretty damn scary.

This is definitely a Marketing Nerds Podcast you don’t want to miss.

#MarketingNerds: Robert Hansen Talks Web Security | SEJ

Here are a few of transcribed excerpts from our discussion, but make sure to listen to the Podcast to hear everything:

What Companies Should be Considering to Stay Secure Online Today

Let’s take a retailer as an example as opposed to a bank or something. I think retailers have an interesting problem because they generally like to have user-generated content on their site. Things like feedback, or somebody asking questions, or send a friend functionality, or shopping lists, or whatever, all that stuff is user-generated content. Maybe not in a way most people think of it, but it doesn’t matter. If I’m storing something in a database that’s being reflected back at some point, that is definitely user-generated content.

I think if you’re going to say there’s one massive problem, it’s people just generally don’t do good sanitation of inputs and they don’t do good sanitation of output. The problem with that is they intermingle it with things that are actually sensitive. It’s not particularly sensitive what my shopping list or my wedding list, that kind of stuff. That’s not particularly interesting.

What is interesting is if I somehow find a way to escape out of a query and make a call to your database and pull out your user name and password, that, on the other hand, is very interesting.

Because all this stuff is intermingled and it’s all in one big database, different table but one big database, and using one database user with all the same permissions as if it was an admin, that simple design choice makes it incredibly easy to attack.

Similarly, if I’m allowed to write content and it gets saved to the actual HMTL of a page or gets reflected out as HTML, or as an admin, if from the internet I can log into my site and physically change the layout of the page or whatever, which is a common feature in content management systems, that is a pretty dangerous design choice because if there’s ever any vulnerability in the CMS, or if there’s ever any vulnerability in the user of the CMS, suddenly the attacker can modify the entire source of the website. That leads to malware, stolen usernames and passwords, and whatever.

You have to decide how bad is it if something bad happens. If this happens on some brochure where there’s nothing there, it doesn’t matter. If it happens on your main corporate website where people actually do purchase things, on the other hand, that might be the end of your company. It just depends on what we’re talking about.

Once you’ve decided that it’s something you actually want to deal with and it’s a vulnerability that’s real or whatever, generally speaking, if you know the vulnerability is there it’s very easy to fix. Super easy. There are only a couple of vulnerability classes out there that actually are tricky to solve. For the most part, it’s usually one or two lines in your code and you’re done.

If you don’t know that it’s there, there are several things you can do. One is you can hire a penetration testing firm, a company like ours that does manage security testing. Two, you can hire a bug bounty team. You basically say, “Any takers, anybody who wants to break into us we’ll pay you if you find a vulnerability.”

There are some issues with that. You have to be fairly mature to even go down that model, but the nice part is you get a robust group of random people who are all trying to hack you all at once. The third way, even if both of those fails, what you can do is you can get cyber insurance. Cyber insurance is wonderful, assuming that you’re covered, which means usually they ask you some questions like, “Do you do security auditing?” So you must have one of the first two things nailed down before you can go down that path.

I think one of the scarier things I’m seeing right now is a move to rapid redeployment where you have a website that they think it’s compromised, you just immediately replace all the code back to its known good state. It doesn’t matter that much if you get compromised then. As long as you have pretty good monitoring, you can quickly get the site back up and running.

That stops infections from taking hold in some cases where they’re not cloaking it, as a good black hat SEO would know. What it doesn’t solve is the data theft part. If you’re dealing with digital goods where it doesn’t really matter if they steal the digital good and you don’t really have any valuable information in their database, that rapid redeployment model works really well.

Does HTTPS really secure your website or just an SEO thing?

It is both. I think before you make a decision, one way or another, you should understand what the economics of it are and also understand that Google is doing this, in my opinion, primarily to prevent ad injection companies, ISPs or whatever, from injecting their own adds. Looking at the economics of it, I know that’s horrible but I’m a cynical bastard.

There is a security benefit to using it, not a huge one, but I would say the less active adversary who’s just passively listening on the wire, who happens to be a man on the middle, like at a coffee shop or something, is not going to be able to drive a whole lot of data out of a stream that uses HTTPS. They’ll be able to drive a few things, maybe they can figure out what pages you’re hitting, but they’re not really going to be able to see the content itself in most cases. That’s not the truth of all cases, but most cases.

The lazy adversary will have no idea what they’re doing. Once you get to the much more sophisticated adversaries like if, unfortunately, I were the man on the middle, I’d probably be able to see everything you’re doing, and that’s because of side channel attacks and various problems in the browser and so on. It’s not like it’s hopeless and it’s not terrible, but it’s definitely not a great security. Let’s put it that way.

The real reason that I think to do it is not just the immediate ranking boost, which I think it’s probably more like if you have a competitor who’s exactly the same rank as you, it’ll put you above them. It’s not much of a ranking factor beyond that. I think the actual value is any links you get between now and the point at which you switch over to HTTPS will have a 15% link penalty, approximately, until you get to change their link over to HTTPS because of the 301 redirect from the HTTP to the HTTPS.

Let’s say you have 200 links and 50% of them you can get them to change over to HTTPS, the other 100 you can’t, you’d have a 15% penalty. It’s like showing up to work and missing 7 and a half percent of your work week or whatever.

In my opinion, it is worth doing sooner than later for that reason alone. You don’t want to have to sacrifice any links unnecessarily.

How secure is WordPress overall?

I found a lot of vulnerabilities in WordPress over the years. I’ve also used WordPress as a core platform for a bunch of my websites and I would say gradually they’ve gotten quite a bit better. I really like the fact that they are doing more automated updates. I think that’s very clever. I think with something as simple as that plus WordFence and you’ve got a pretty decent defense, I will not go on a limb and say that the plug-ins are very good, though. The plug-ins, in general, are a gigantic crap shoot and tend to be full of vulnerabilities.

I’ve never liked the fact that their admin page is accessible in a known location. That’s just a big problem point. I don’t like how trackbacks work. I think those are very dangerous. I don’t like how the web user owns all the files. That’s very dangerous.

I don’t like how their database is set up, especially everything having the same level of access, usernames and passwords combined with text, all that stuff. There are some very strange design decisions that came from antiquity, back when WordPress was tiny that I think we’re stuck with, which modern-day, I would say, don’t do it that way. Don’t have your usernames and passwords in a PHP file and the root directory. Little things like that.

Should people turn off Trackbacks in WordPress?

Absolutely. Immediately, as a matter of fact.

Should we be wary about things like NSA spying on us or the rights we give to Facebook in their app?

I think people are right in being concerned in so much that the architecture itself allows for it. Let me give you an example. Right now, even without all of those crazy permissions, if I sent you an account, or a little light app, or something, there’s a million of those on the Android platform, I don’t actually need all those permissions to snoop on you.

I’d say for instance, the accelerometer in the phone is so sensitive that it can actually pick up voices without access to the microphone. If I wanted to, as an adversary, I could probably build a very tiny app that was able to discern most voices in the room, not as sensitive, not as well as your microphone, the microphone is designed for that purpose, but well enough that it would get me what I want.

I think it’s important for people to be aware that this is possible more than it’s necessarily being worried about the implications of any existing app or whatever in so much that if I download a bunch of apps and I have 50 on my phone, I should assume that at least one of them either has a vulnerability or is maliciously developed to do something bad to me.

That way, having that mindset just means maybe I shouldn’t bring that phone into the meeting, or maybe I should pull out the battery if my phone is capable of that, or maybe I shouldn’t have this conversation. You know what I mean?

Your Adversaries are Much More Capable Than They Used to be

Once upon a time if I wanted to find an exploit, every single web server, let’s say, that was vulnerable to some exploit, it would take me effectively the end of my life to scan the entire internet because by the time I finished scanning the internet, it would have changed so much because it took so long that I’d have to start the scan all over again. We’re talking, in some cases, months to scan even a very small chunk of the internet.

Nowadays there’s a change at Linux kernel that happened a couple of years back that makes it so I can scan much, much, much, much faster than I used to be able to. I’m no longer bound by a number of sockets that a computer can open and now I’m bound by bandwidth. Bandwidth is cheap. It’s easy to get a lot of bandwidth. Now I could scan, let’s say, the entire internet on a single port in a few minutes, handful of minutes.

What that really means is I know that sounds bad, I can basically find every vulnerable machine in a few minutes, but it’s actually worse than that because what I can do is take that data and shove it in your database, and the internet doesn’t change that much that rapidly. I can run that scan, let’s say, once a day, or once a week, or whatever.

Then let’s say a new vulnerability comes out for WordPress or whatever. I can go to my database, look for all the vulnerable things that are in that database, and then start attacking them.

I can literally compromise every single machine that’s vulnerable on the entire internet in a few minutes. Long are the days of patch managements in terms of effectiveness once that really become weaponized. We won’t have the opportunity to get in front of it. You won’t even have the time to download the patch and start installing it by the time you will be compromised.

What that really means is you need to look for other things. I think DevOps is a really interesting movement in our industry towards rapid patch management, rapid fixing, detection. There are some interesting tricks out there for doing detection of somebody who’s compromising you, that kind of thing.

Basically, the point of the presentation is that whole method of keeping something in separate directory no one will ever find me, or trying to protect myself by removing the word PHP out of my Apache HTTP response or whatever. That just doesn’t work anymore, or, at least, it doesn’t work well enough to stop an adversary like what I’m talking about.

China’s New Social Engineering Hack: The Human Credit Score

China has a new credit score the country is considering, I think it actually originated from Alibaba or something so it’s not a guarantee that this will happen. Effectively, if you and I are friends, and I’m a political dissident and China knows about that, you and your credit score would get dinged because you and I are friends on some social network. If you buy things like dishwashers and baby food, your credit score would go up. If you buy video games, your credit score would go down.

Anything that the states want you to do, you’d get a higher credit score, and that credit score actually means something. It helps you get a better passport, they actually give you money, you get better jobs. If you get a lower credit score you get ostracized by your friends, you cannot have certain types of jobs, again, you can’t travel internationally, and so on.

I think that is one of the most interesting hacks I’ve ever heard of because it’s very similar the way the Stasi used to work. You never know who’s part of the Stasi, your best friend could be, so you never really want to say anything negative because you can always be ostracized or outed by the very person who you have dinner with. This is at a mass scale and it basically shows how incredibly dangerous social networking is because now they really do have a very powerful platform for identifying this.

It would be a public score that anyone can check on anyone else’s score, which is interesting. The government hasn’t come out and said they were definitely doing this, but the idea is on the next couple of years. It’s already there, it already exists, but in the next couple of years the theory is this might become law, in which case you better start working on your credit score right now because down the road it will impact your ability to get loans, have friends, and all kinds of stuff.

#MarketingNerds: Robert Hansen Talks Web Security | SEJ

To listen to this Marketing Nerds podcast with Robert ‘RSnake’ Hansen and Brent Csutoras:

Think you have what it takes to be a Marketing Nerd? If so, message Kelsey Jones on Twitter, or email her at kelsey [at] searchenginejournal.com.

Visit our Marketing Nerds archive to listen to other Marketing Nerds podcasts!

 

Image Credits

Featured Image: Image by Paulo Bobita
In-post Photo #1: Image by Aki Libo-on
In-post Photo #2: Image by Robert Hansen. Used with permission.

Category SEJ Show
ADVERTISEMENT
SEJ STAFF Brent Csutoras Managing Partner / Owner at Search Engine Journal

Managing Partner / Owner at Search Engine Journal with over 18 years experience in Digital Marketing, specializing in Reddit, Search ...