Tuesday, 10 February 2015

Threat Bulletin

executive summary

In this world of digitalization, everything is online. We do business online, we make money online, we meet our friends and families online, and so we all understand and appreciate the importance of a website. Nowadays, no matter how small the business, everyone has a website. We even search for laundries or salons online before visiting them, and we decide where to dine by checking the restaurant’s website.
With these developments, the need for security on these websites is increasing. A common myth is: why would someone hack my site when I have nothing important or classified on it? But one important point to consider is that customers finalize their plans just by looking at a website, and if the site is compromised it directly impacts the business. That is why website security matters.
The same scenario applies to almost every sector: IT companies, MNCs, restaurants, hospitals, schools, colleges, everyone.
wordpress insecurity
WordPress is the most common and easiest way to develop a website. Anyone with basic knowledge of internet technology can build a site or online application and have it live and running within a few hours. WordPress is completely open source and its code is available for anyone to download, hackers included. Most users do not bother to configure it properly and harden its security, and that is the main reason WordPress sites are compromised and their servers used for spamming and mass mailing. In 2015, we believe that with the increase in WordPress sites there will be a huge increase in hacking of these sites. Here are the most common reasons WordPress sites will be hacked in 2015; use them as a checklist for securing your WordPress-based sites and applications –
Outdated WordPress version – We create a site and update its content but do not update the WordPress core, because updating often breaks the site when plugins and themes do not yet support the latest version of WordPress. Running an outdated version opens the door to a world of known vulnerabilities. The WordPress team keeps researching these vulnerabilities and releases security updates frequently, so change your priority from avoiding a broken site to updating the core. Subscribe to the WordPress mailing list so that you receive every update and bug fix.
WordPress version disclosure – The WordPress version can be revealed by default installation files such as readme.html and license.html and by the generator meta tag. If this information is exposed, an attacker can search exploit-db for exploits targeting that particular version.
WordPress database table prefix – The default table prefix created during the WordPress installation process is ‘wp_’. If an attacker finds a SQL injection in your application, the known prefix makes it very easy to reach your database tables. So next time you set up WordPress, make sure you are not using the default table prefix ‘wp_’.
WordPress admin (wp-admin) lockdown – Most developers leave the wp-admin folder unlocked, i.e. http://example.com/wp-admin. This URL is very easy to find, and an attacker can launch brute-force password-cracking techniques against it to obtain your login credentials. Consider changing your admin URL to something like http://example.com/red-plasma.
Database permissions – When a WordPress application is compromised, the first thing the hacker does is install a backdoor or tamper with the database. Instead of assigning FULL permissions to the database user WordPress connects with, give that user only five permissions: INSERT, CREATE, ALTER, UPDATE and SELECT.
Insecure WordPress theme – Your WordPress core installation may be secure against basic attacks like SQL injection, but your theme may not be. Most themes do not sanitize the input users supply through form fields and URLs, and that leads to SQL injection. So no matter how secure your WordPress installation is, if the theme is not secure then your site is not secure either.
Default WordPress login – The default WordPress login is vulnerable to brute-force password attacks. If you are using the username admin then you are vulnerable and your password may be stolen. Many themes reveal the name of the user who posted a particular post, so avoid such themes and make sure your username is not revealed anywhere.
These are the most common vulnerabilities attackers are exploiting on WordPress sites, so if you are a WordPress user, stay alert: these types of vulnerabilities will be the trend in 2015.
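As an added example, not part of the original bulletin, here is a small Python self-check that tests a site's own responses and wp-config.php against the checklist above (version files, generator tag, default admin path, exposed usernames, default table prefix). The probe responses and the config fragment are constructed sample data; a real audit would fetch the same paths from your own site.

```python
import re

# Constructed sample of what a site answers for a few probe paths, as
# (HTTP status, body) pairs. Embedded here so the check runs offline.
SAMPLE_SITE = {
    "/": (200, '<html><head><meta name="generator" content="WordPress 4.1" />'
               '</head><body><a href="/author/admin/">admin</a></body></html>'),
    "/readme.html": (200, "<h1>WordPress</h1> Version 4.1"),
    "/license.html": (404, "Not Found"),
    "/wp-admin/": (200, '<form id="loginform">'),
}
# Constructed wp-config.php fragment still carrying the installer's default prefix.
SAMPLE_WP_CONFIG = "$table_prefix = 'wp_';\ndefine('DB_NAME', 'site');"

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)
AUTHOR_RE = re.compile(r'href="[^"]*/author/([^/"]+)/?"', re.I)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]")


def audit_wordpress(site, wp_config):
    """Return (checklist item, finding) pairs for the exposures listed above."""
    findings = []
    home = site.get("/", (0, ""))[1]
    m = GENERATOR_RE.search(home)
    if m:
        findings.append(("version disclosure",
                         "generator meta tag reveals WordPress " + (m.group(1) or "(version hidden)")))
    for path in ("/readme.html", "/license.html"):
        if site.get(path, (404, ""))[0] == 200:
            findings.append(("version disclosure", path + " is reachable"))
    if site.get("/wp-admin/", (404, ""))[0] == 200:
        findings.append(("admin lockdown", "/wp-admin/ is reachable at the default path"))
    authors = sorted(set(AUTHOR_RE.findall(home)))
    if authors:
        findings.append(("username disclosure", "author links expose usernames: " + ", ".join(authors)))
    if "admin" in authors:
        findings.append(("default login", "the 'admin' account exists and is exposed"))
    p = PREFIX_RE.search(wp_config)
    if p and p.group(1) == "wp_":
        findings.append(("table prefix", "wp-config.php uses the default 'wp_' prefix"))
    return findings
```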
software piracy
Software piracy not only hurts the economic growth of companies but also directly hurts the users of pirated software. Hackers spread malicious files such as backdoors and Trojans to users in the name of free software. In internal research conducted at CCFIS labs we found that of the pirated software are bundled with some malicious code. Users who install this pirated software, watch pirated movies or listen to pirated songs become victims of cyber-attacks, and in most cases their systems are used to launch mass attacks as part of a botnet. In 2015, we predict that hackers will pirate more software and movies in order to grow their botnets.
Some of the major disadvantages of using pirated software are illegal use, no updates or bug fixes and no technical support, but the biggest disadvantage is becoming part of a cyber-attack. Typically such a cyber-attack is launched in phases –
1. Hacker buys the original software
2. Reverse engineers it and creates a crack or keygen
3. Binds malicious code (backdoor/rootkit/trojan) to it
4. Spreads the software or movie via torrent
5. Uses the systems of the users who install the software to launch mass cyber-attacks or spam.
Another, easier way that is very common and popular nowadays is movie piracy. It involves the steps below –
1. Hacker buys an original HD print of any latest movie.
2. Binds it with exploit code for a common media player, in most cases either VLC or MX Player.
3. Uploads it to a torrent site and starts spreading it.
4. Once the user downloads and plays it, the malicious code exploits the media player, and since the media player has system-level access, the malicious code gets all the access the media player has, i.e. system access.
5. Now the attacker uses the compromised system to perform malicious activity like brute-forcing, DDoS, spamming, etc.
To mitigate this, one must understand that ‘Nothing is Free’ except open source. If you use pirated software, watch pirated movies or listen to pirated songs, you are not only promoting piracy but harming yourself and acting as a pivot for cyber-attacks.
security practice failures
Most of us still believe that following standard security practices, policies, standards and protocols saves the network from attacks. This assumption is completely wrong: security policies are structured, made by experts, and follow a set of rules, or we might say protocols. But the hackers who try to bypass these policies are unstructured and have no policies or standard protocols to follow when compromising your network. This is the major reason security policies fail. Simply put: building has its rules, but breaking does not.

The truth is that most security appliances, products and techniques do not work the way they are advertised, and in a few cases we have even found that the devices meant to protect the network have vulnerabilities that let attackers gain access to it very easily. In 2015, we believe that no matter what policies we follow, hackers will find a way around them. Below are some of the standard policies we follow and how hackers bypass them –
Antivirus will safeguard my users – No, an antivirus cannot completely protect your users and it never will. Hackers release millions of malware samples every month, more even than the number of computer users worldwide. When developing malware, the first aim is to define its functionality and the second is antivirus evasion, where hackers write the malicious code so that it bypasses the most popular antivirus products. Just as we use sites like VirusTotal to scan a suspicious file for malicious code, hackers follow the same approach while developing malware: it is never released until it bypasses all antiviruses. In the time antivirus vendors take to notice, analyze and release an update for that particular malware, it has already infected millions of users, and the hacker is ready with another sample that is still undetected by most antivirus companies.
Firewall protects my network – Believing this is one of the biggest mistakes made by network administrators and security planners. In the past we saw malware use an unusual port to connect back to its command and control center. For example, a hacker developed malware coded to connect on port 8888 and then hosted it on his website or spread it in the wild. How would the hacker know how many PCs he had infected, or how many were part of his botnet? Simply by running a port scan: every system found with port 8888 open was infected with his malware. Today’s firewalls mitigate this scenario, as when configured properly they allow connections only on ports 80 and 443. But the malware being developed today establishes its connections over ports 80 and 443 and hence is not blocked by most firewalls. The previous generation of malware waited for the hacker to connect back; the malware in the wild today sends a reverse connection and information automatically once the user is infected or compromised.
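An added example, not from the original bulletin, showing the detection side of the two scenarios above: flagging traffic on a port the firewall should not allow (the old port-8888 case) and spotting call-backs that use 80/443 but arrive at suspiciously regular intervals (the reverse-connection case). The log format and all addresses are constructed sample data, and the jitter threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log: time, direction, host A, host B, port.
# 10.0.0.5 calls the same external host on 443 every five minutes;
# an outside host reaches 10.0.0.9 on 8888 (the old listening-backdoor pattern).
SAMPLE_LOG = """\
2015-02-10T09:00:00 out 10.0.0.5 203.0.113.9 443
2015-02-10T09:00:02 out 10.0.0.7 198.51.100.4 80
2015-02-10T09:05:00 out 10.0.0.5 203.0.113.9 443
2015-02-10T09:05:01 out 10.0.0.7 198.51.100.20 80
2015-02-10T09:10:01 out 10.0.0.5 203.0.113.9 443
2015-02-10T09:11:43 out 10.0.0.7 198.51.100.4 443
2015-02-10T09:15:00 out 10.0.0.5 203.0.113.9 443
2015-02-10T09:16:10 in 192.0.2.77 10.0.0.9 8888
2015-02-10T09:20:00 out 10.0.0.5 203.0.113.9 443
"""
ALLOWED_PORTS = {80, 443}


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, direction, a, b, port = line.split()
        rows.append((datetime.fromisoformat(ts), direction, a, b, int(port)))
    return rows


def odd_ports(rows):
    """Old-style malware: any connection on a port the firewall should not pass."""
    return [(d, a, b, p) for _, d, a, b, p in rows if p not in ALLOWED_PORTS]


def beacons(rows, min_hits=4, max_jitter=0.1):
    """Modern reverse connections: regular call-backs to one host, even on 80/443.
    Returns ((src, dst, port), interval_seconds) for each periodic flow."""
    seen = defaultdict(list)
    for ts, d, src, dst, port in rows:
        if d == "out":
            seen[(src, dst, port)].append(ts)
    found = []
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low spread of the inter-connection gaps means a timer, not a person.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append((key, round(mean(gaps))))
    return found
```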
Password policy will work – Policies say: create a strong password, one that is more than 8 characters and includes capitalization, numbers and special characters.
But think about why this policy was made: policy makers came to know that passwords can be broken, so the only way to safeguard against that is to make the password more complex and the hacker’s task more difficult. This only makes the hacker’s task of breaking the password more difficult, not impossible. Let’s take a standard 8-character password with upper case, lower case, a digit and a symbol (Tx9@eLsP) and see how much time it takes hackers to break it.

So a password of this complexity can be broken in 1.12 minutes. Obviously breaking it needs a lot of processing power, and hackers have already found a way to get it: by compromising systems across the globe, adding them to their botnet and using the resources of those systems to break the password. With this, almost every password can be broken.
Intrusion detection systems can find the intent of traffic – IDS are good and in some scenarios can be trusted. One can define malicious signatures, and if a signature is detected the IDS alerts you or performs the defined action of blocking, or whatever else the network admin configured. But like most technologies, it does not work the way we expect it to. The major flaw is that no vendor can put every malicious signature into it. For example, if a hacker writes a new script to launch an attack and then launches it, how will the IDS identify the signature of that malicious traffic? There is no way until the vendor’s technical team has analyzed the attack and released a signature for it. Another scenario: how will an IDS tell the difference between the traffic of a CEO retrieving documents from the internal network from outside, and an attacker using the CEO’s machine to enter the network and steal documents?
This does not mean that all security policies are redundant or worthless for securing your network. The most important way to secure your network is to think like a hacker: be innovative, take risks and think outside the box.
mobile devices
With the increase in mobile devices and their users, mobile applications are also increasing. But this rapid growth in the use of mobile technology has made hackers’ tasks quite easy. According to research conducted at our CCFIS labs, it is easier to compromise a server through its mobile application than through its web application.

Most developers focus only on securing their web application so that malicious or unauthorized requests are not sent to and processed by the server, but they do not notice that their mobile applications also send requests to the same server, and malicious requests can be sent through the mobile app just as well. Almost all functionality of the web application is present in the mobile app.
In 2015, we predict that three major issues will arise in mobile security. The first is secure connections: developers implement SSL to encrypt the communication between web applications and the server but use no strong mechanism for encrypting the communication between mobile applications and the server. The second is the database: to date hackers have used SQL injection in web applications to get access to all the database files, but now mobile applications also communicate with the database, so any unexpected query can cause a database error, and that may lead to SQL injection.

The third major issue in the coming future is reverse engineering. Most mobile operating systems are open source, except iOS, and hence their applications are also open source and vulnerable to reverse engineering. A hacker can steal the credentials stored in a mobile application to authenticate with the server and other databases.
These upcoming threats may bring any service or business down in minutes. We recommend that developers take care of these vulnerabilities while developing their applications. The first issue can be resolved simply by encrypting the connection using a combination of several algorithms. For the second issue we recommend input sanitization. There is no fail-proof technique for stopping reverse engineering, but secure coding best practices will help secure applications against it.
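An added example, not from the original bulletin, covering both the unsanitized theme input point in the WordPress section and the mobile-app request point above: the same search handler built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite posts table. It also shows the "unexpected query causes a database error" symptom the text mentions, which is the usual first sign that injection is possible.

```python
import sqlite3


def make_db():
    """Constructed posts table standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "Welcome", "publish"),
        (2, "Q1 financials (draft)", "private"),
        (3, "Team outing", "publish"),
    ])
    return db


def search_vulnerable(db, term):
    """Builds the SQL by concatenation, as an unsanitized theme search field
    or mobile API handler might. `term` becomes part of the query text."""
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE '%" + term + "%' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Same query with a bound parameter: `term` is data and can never
    change the SQL, so private rows stay hidden whatever it contains."""
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE ? ORDER BY id")
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def causes_error(db, term):
    """True if `term` breaks the concatenated query: the database error
    that tells a tester (or attacker) the input reaches the SQL parser."""
    try:
        search_vulnerable(db, term)
        return False
    except sqlite3.Error:
        return True
```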
hacking human healthcare equipment
With advances in smart technology, from smart phones to smart houses, healthcare is now also building smart equipment for better care. This saves many lives and provides medical support that was not possible a decade ago, but it also brings cyber threats that could allow a hacker to manipulate these devices and directly affect a patient’s health. In 2015, we predict that hackers will start developing exploits for these devices.

The drug infusion systems used for delivering morphine drips, chemotherapy and antibiotics are controlled remotely, since they are installed in every patient’s room and remote control is easier, more convenient and more efficient than manual dosing. Because they are controlled remotely, an attacker can also manipulate these systems to change the dosage. Many Bluetooth-operated devices used for defibrillation, delivering shocks to a patient’s heart, can be manipulated as well. Many other IP-based devices connected to the network can be compromised if an attacker digs into the hospital’s internal network.
Nowadays many hospitals provide WiFi internet to patients’ families, so anyone can connect to the hospital’s internal network. Once a hacker is connected, manipulating the settings and inputs of these devices may lead directly to loss of life.
This domain still needs a lot of research to identify the exact vulnerabilities and loopholes in this medical equipment and the systems needed to mitigate these attacks. In 2015, along with security researchers, hackers will also attack these devices to identify vulnerabilities.