Heartbleed and Shellshock are proving to be particularly heinous security threats. Heartbleed is a vulnerability in the OpenSSL cryptography library used by websites around the world, and it is difficult to find and difficult to patch. According to a report AVG published last month, at least 12,000 sites in a list of the top 800,000 in the world are still open to attack.
Shellshock is a more recent attack that uses a vulnerability in the UNIX Bash shell, one that has been exposed since the early 90s. Bash is part of the Linux operating system, and the flaw has IT security experts worried because of how widely Bash is used on devices other than regularly patched computers.
Worse to come?
But what if Heartbleed and Shellshock are just the start? Security experts have started pondering what similar vulnerabilities could be open to attack, perhaps one that is even more widespread, just as difficult to patch, and just as costly for the IT industry to eradicate.
What might seem like a tiny window in a security infrastructure – a simple protocol used for e-commerce, or the smartphone business users carry around all day – could actually be the next gaping hole that leads to a formal investigation, criminal charges, headlines on the BBC, and a major embarrassment when an attack is successful.
TechRadar Pro talked to well-known security experts to find out what they would pick as the most likely attack vector to occur.
1. In-Transit Encryption
The main issue with this attack vector is that it takes advantage of incredibly popular services like Dropbox and Google Drive, which are often used for business purposes. According to Istvan Lam, the CEO and Founder of Tresorit, data sent to these services is only encrypted once it is stored on the service, not in transit to the service.
"Data is not encrypted and ultimately not protected before it reaches the cloud, leaving it extremely vulnerable to attacks," says Lam. "If the provider itself is ever compromised, so is all data stored." The only security approach that will help enterprises in the short term, at least until they become more protected, is to create policies for using these cloud services and make sure employees avoid them.
2. ICMP protocol
Heartbleed attacks a vulnerability in the OpenSSL library used by many websites. But according to Mark Gazit, the CEO of ThetaRay, there's an even more common protocol that could be vulnerable, known as the Internet Control Message Protocol (or ICMP).
"The ICMP is used by network devices like routers to send error messages indicating, for instance, that a requested service is not available or that a host or router could not be reached," says Gazit. "Since ICMP is an internal part of IP, and must be implemented in every IP module, flaws in this protocol would enable attackers to easily infiltrate organisations, fly under the radar and exploit the protocol for their own communications (especially to exfiltrate data)."
3. Open source application server
Another ripe area for exploitation: an open source application server. According to Bryan Alexander, a senior security consultant for Coalfire Labs, the application servers used for enterprise tools like SugarCRM could be mismanaged, leaving gaping attack vectors wide open.
According to his research using a penetration testing toolkit, in about 60% of the testing scenarios where an application server is involved, the toolkit was able to find a vulnerability. What could help? Those who are operating the servers need to conduct code reviews and look for potential security flaws, then work to close them as soon as possible.
4. Point-of-sale systems
One of the most deadly attacks imaginable to security experts has to do with the POS systems used in retail operations. We've already seen individual attacks on companies like Target and TJ Maxx in the US, but Eric Cowperthwaite, a vice president for strategy at Core Security, argues that there could be more widespread attacks.
All it takes is a vulnerability in a vendor's POS system code (say, for a startup like Square) to cause a massive hack that penetrates multiple retail operations all at once. Cowperthwaite says there is a trend, with about six or seven major retailers compromised in recent years. The POS hole is not getting plugged, and it could mean more widespread attacks are coming.
5. Mobile device ransoms
One of the most unusual security threats has nothing to do with open source cryptography or cloud encryption. According to Troy Hunt, a security expert for the tech training portal Pluralsight, a new problem could arise for large companies that is even more serious than Heartbleed or Shellshock: hackers stealing a client device like an iPhone or an Android tablet, then holding the device (and the data) ransom for a large sum.
He says the issue has already become a major threat for consumers in countries like Australia, where a thief demands a $100 (around £55) payment. Depending on the importance of the data on the stolen device, he says the ransom amounts could be more astronomical – and there's little recourse to resolve the problem.
6. Android attacks
One of the most likely attacks in the enterprise arena pertains to the Android operating system – carried by millions and millions of smartphones and tablets (and even a desktop all-in-one from HP called the Slate) in use all over the world. Many of these gadgets make it into corporate settings, and that makes them more attractive to hackers who want to steal data and spy on large companies.
"Due to the high segmentation of the Android market, over 95% of all mobile malware is on Android," says Benjamin Caudill, a Principal Consultant at Rhino Security Labs. "While attacks on your phone don't seem any different than those on your PC (which we've seen for years), infecting a mobile device allows it to be activated remotely, tracking your location and listening to your conversations."
from www.techradar.com