Exploits and defences


Martin McBride, 2017-02-19
Tags none
Categories none

Passwords

Passwords are an important element of online security. There are various ways an attacker might attempt to obtain a user's password, including:

Guessing - if users choose obvious or default passwords like "password" or their date of birth, it is possible for an attacker to find the password by trying all the usual cases. Many websites insist that your password is strong - for example, it has at least 8 characters, and includes upper and lower case letters, numbers and punctuation symbols.

As a user, it is also important to avoid using the same password for different sites, because if one site gets hacked criminals could use your password to access your account on other sites.

Brute force - this is where someone tries to guess your password by trying every possibility. If you use a sensible password, the number of possibilities is very large, so this type of attack won't work. Many websites limit the number of times you can try to log on, for example after 3 failed attempts the account might be locked for 5 minutes. It might take billions of years to crack a strong password!

Social engineering - this simply means trying to trick users into revealing their password. This is often done via a fake phone call or email asking for your password - no reputable organisation would ever ask for your password in this way, so any request of this type would clearly be a scam. Sometimes a fake email might link to a fake website, which can be more difficult to spot.

{{% orange-note %}} Always use a strong password, use a different password for every site, and don't write it down anywhere. Never give your password out by phone or email, and check the URL of the web site you are logging on to.

Open source password managers, such as KeePass, make it easier to create strong passwords and store them securely. {{% /orange-note %}}

SQL Injection and database protection

SQL injection is covered in its own separate topic.

SQL injection attacks are often used to try access a website's database, including user data. Another approach to protecting the database is to encrypt the data. That way, even if an attack does manage to access the database, the content will be unusable.

Of course, a website should take steps to avoid SQL injection as well.

Spam

Spam typically takes the form of bogus users signing up to we forums, and posting messages containing adverts or links to sites containing malware or phishing attempts. This can harm the reputation of your website by exposing users to harmful sites, and can make your forum unusable.

Moderating a website means checking messages regularly and removing anything which shouldn't be there. It is effective but time consuming.

A lot of spam is added automatically by online spam bots (programs which automatically find forums, sign up, and post spam). A Robot check can be useful. This typically asks you to carry out a simple task before you can sign up. For example, it might show you 4 images and ask you to click on the kitten. This is easy for a human but difficult for an automated spam bot.

Denial of service (DoS) attacks

A denial of service (DoS) attack is where an attacker deliberately floods a website with lots of page requests. Since a web server can only deal with a certain number of requests within a given time, this can lead to the website becoming slow or inaccessible to genuine visitors.

Launching an attack would normally require the attacker to have access to a lot of computing power and a huge amount of network bandwidth.

However, many attackers use other peoples' computers to launch attacks. As a first stage they will release a virus which silently infects as many computers as possible. The virus has no obvious effect on the computer, but it will listen for instructions on the internet. When instructed it will make repeated page requests to the victims website.

The infected computers will belong to millions of different people around the world. The collection of infected computers is called a botnet (network of robot machines). The owners of the computers will have no idea that their computer is infected, and even while the attack is happening they will not notice any problem. But the combined effect of millions of computers all accessing a website at the same instant will most likely prevent the website working for the duration of the attack.

Cross site scripting

Many website use JavaScript, which allows the web page to run programs within your browser. This is used for things such as dynamic content - everything from a simple drop down menu to an in browser game will probably use JavaScript running in your browser.

Of course, if the bad guys can manage to get their own JavaScript program to run is your browser, they could do a lot of harm!

With cross site scripting, the attacker will typically post a message to an online forum. Hidden in the message will be some instructions which tell browsers to load and run a JavaScript program from a completely different website, controlled by the attacker.

If you happen to read the page which includes the bad post, your browser will fetch the attackers JavaScript and run it on your computer.

In fact, the JavaScript running in your browser is quite limited in what it can do. It can't access your files, for example, so it can't steal or delete your data. But it can still do some bad stuff - for example it could read cookies from other websites, which might contain login details or other sensitive information.

The main defence against this type of attack is to sanitize all messages posted to forums, so that instructions to download scripts are not allowed through. In addition, modern browsers are designed so that they don't trust a script which comes from a different website, so they will not attempt to execute it.

The security arms race

Internet security is a constant battleground. The bad guys are just as clever and dedicated as the good guys, so as soon as one threat is eliminated, another one pops up out of nowhere.

But guarding against the known threats, and remembering that you should never trust anything a user has typed in, is the best way to keep safe.

Copyright (c) Axlesoft Ltd 2020