How Cyber Attackers Have Learned to Weaponize the Web Itself
Security wasn’t built into the Internet from the start, meaning that most protocols that the Internet uses weren’t initially designed to be secure. Data is sent unencrypted, responses to queries are accepted without question or verification, etc. The internet definitely “works”, but there are some pretty big security holes in the system.
Thing is that cyber attackers know how the Internet works as well. They know about these issues and take advantage of them to make their attacks more effective.
Data is “the new oil”. It’s valuable and everyone wants it. Companies collect your data and sell it to other companies. Hackers try to break into the companies’ networks and steal a copy of the data for themselves and to share with their friends on the Dark Web (for a small profit of course).
One of the big challenges for an enterprising data thief is getting the data out of the organization. Companies have worked tirelessly to collect that data and don’t want to get in trouble for leaking it. As a result, they set up cyber defenses that try to keep their data in and the attackers out.
When communicating with their malware inside an organization or performing data exfiltration, hackers often abuse common protocols to hide their communications. Most organizations allow certain protocols through their firewalls (like HTTP and DNS) because failing to do so means that they can’t access the Internet either. Many of these protocols have places where you can slip in a little bit of extra data that isn’t necessary for the protocol to operate. For example, HTTP can carry parameters in its URLs (all the craziness that appears after the web address that you typed). Hackers will embed their commands and stolen data in these places and use legitimate-looking traffic to slip it past an organization’s network defenses.
Turn Up the Noise
Distributed Denial of Service (DDoS) attacks are growing increasingly common due to the availability of cloud computing and poorly secured Internet of Things (IoT) devices. In these attacks, the hacker uses a set of computers to overwhelm the target, making it unable to do its job (like providing a web page).
There are many ways to perform a DDoS attack, but one option is to take advantage of amplifiers. These amplifiers are protocols in the Internet where you send in a small request and get a larger response. Attackers will send a request that looks like it came from the target, and the recipients will send a response that is much larger, giving the target more data than it can handle.
One way to use an amplifier is in a Smurf attack. Every network has a broadcast address where copies of a packet sent to that address are sent to every machine in the network. In a Smurf attack, the attacker sends a packet to the broadcast address that looks like it comes from the target. Everyone in the network gets a copy and responds, flooding the target with unsolicited connections and successfully performing the DDoS attack.
One of the big challenges in the Internet is figuring out how to get traffic from point A to point B. There’s no master map of the Internet, so computers need to have a way to figure out a path to the destination when sending a message. There are several different ways of doing it, but two common (and insecure) methods are ARP and BGP.
- ARP Poisoning
The Address Resolution Protocol is designed to help with routing packets within a subnet. The idea is that a computer sends out a request for the owner of a certain IP address and whoever owns that IP address responds saying “here I am”. The issue with this protocol is that the sending computer doesn’t bother keeping track of the requests that it sent. If a computer receives an ARP response, it assumes that it asked for it and makes a note of the information contained in it.
This is a problem because an attacker can just make a fake ARP response claiming that they own a specific IP address within the subnet. The next time that the sending computer sends data to that IP address, it’ll go through the attacker’s computer first, potentially allowing them to see, modify, or delete the message.
- BGP Hijacking
The Border Gateway Protocol (BGP) is designed to help route traffic throughout the Internet. How it works is a set of entities on the Internet, called Autonomous Systems (ASs) maintain lists of IP addresses that they can deliver to and how far the route would be. These lists are updated based upon announcements, which each AS trusts by default. If a shorter or more specific route is announced by an AS, then other ASs will send any traffic to that destination via the AS.
An attacker can generate fake updates claiming short routes that don’t really exist. As a result, all traffic to those destinations will flow through the attacker, giving them the ability to potentially read, change, or drop the message before it reaches its true destination.
Securing the Web
There are numerous ways in which the design of the Internet violates its security, but organizations like the Internet Engineering Task Force (IETF) are taking steps to fix the problem. Some fixes (like pushing the use of HTTPS over HTTP) already are being adopted, while others are still in development. The best way that individuals and organizations can help is by configuring their systems to use the more secure protocols as they become available.