February 26, 2013
Some Sneaky Ways Hackers Use To Try And Steal Information (and how to counteract them)
This article was kicked off and inspired by Madyson Grant. She asked us to say that if you have an interest in protecting others while they’re on the Internet, searching for IT jobs in that area is a good place to start!
In anything you do and everything you code or test, it is important to understand the potential risks of having hackers and thieves look for personal information and sensitive data. You should always think of how you can build security into a product, regardless of what it is. Always think of how you can test for security threats and how you should think about security when designing any system.
Understanding how hackers typically try to steal information is a good first step to take. Below you can find a few of the more common security pitfalls.
Online Checkouts That are Not Secure
Shopping online is great, convenient and all that, however, some websites are not secure and leave loopholes that can be directly accessed by hackers, leaking personal and sensitive information including user’s names, address and even banking or credit card info. Verifying a website is secure is possible by looking for a virtual “lock” in the URL address bar of your browser. All SSL-capable browsers use this symbol to indicate the secure mode so look out for it and make sure you don’t transmit data over an unsecure connection.
When testing, make sure the “lock” appears, since it shows that the security works as intended.
Online stores can either ask you for your credit card information or redirect you to a trusted third party. If a third party handles the transaction, the selling company never has access to your information. Hopefully the credit card company has better information security, so it might be wise to consider not buying from sites that store your information.
Needless to say, if you’re a vendor (or coding for a vendor) and you still store clients’ credit card info on your site, stop it right away. Besides making your site a low hanging fruit with huge rewards for criminals, you’re also losing business every time a user realizes you do this and closes the tab in disgust.
Signing in using your Facebook-account
Various websites ask you to virtually “connect” using your LinkedIn or Facebook-account or other social media accounts directly on the site itself. While this is a quick and easy way of logging on without having to create a user account, be aware of two things. Many of these ‘bridge’ apps will still get their hands on your email address, because they request it from the social network site. Secondly, do ensure the website is safe and look into it prior to entering your social login information.
If you’re testing one of these third party applications, do ensure that data is securely transmitted as any leak here would mean user details for social network accounts being compromised, which could ultimately result in very bad press for your company. Also, make sure an additional set of cells where users enter details can’t be injected or overlaid as that would be very bad indeed.
Account Phishing Scams
Account phishing scams are created by hackers to trick web users into believing they are entering in personal information on a valid and official website, when in fact it is a website that is similar in domain name but (?) owned by another person. Once the information is entered, it is submitted to the hacker, not the actual website.
If you’re testing, make sure that unique and highly identifiable markers are put in place when people are logged in to your site. This will make it that much harder for others to make off with users’ details.
You should also ensure that you are always very clear about when your service will send e-mails to customers and that you will never, ever ask them for passwords or log in details in an email. Warn customers that they never should give away their account information to anyone. You’ve seen this kind of thing before for sure, for example your online banking platform will certainly have something like “We (the company providing the service) will never ask you to state your login details to anyone”, or something to that effect.
And if you are writing requirements – make sure to define a routine to execute if the worst happens. It is too late to start wondering what to do when you find out you just have encountered a phishing scam; your contingency plan for that should have been made before!
Start hashing passwords
Never ever store passwords in plain text. Seriously, you should hash passwords, and do it well. Hashing is one of the most basic security considerations to be used when using passwords. It means that passwords are one-way encrypted and not possible to decrypt. Without hashing, passwords are stored in plain text in your application’s database and can very easily be stolen if the database is compromised. By hashing passwords you make it harder for anyone to use brute force and storm into your secure areas.
Remember the huge PlayStation debacle in which millions of user accounts were compromised? Remember the rage and sense of being let down people have? And this was the PlayStation network, not their money or more sensitive data. Hashing passwords protects you from ill-intended people, at least that much more.
Some typical hacker threats to be aware of
SQL injection essentially comes about when the fields available for user input allow SQL statements to pass through and query the database directly. If these queries come at a huge rate, the system may buckle under pressure. Patching your servers, databases, programming languages and operating systems is critical to minimising the risk of SQL injection, however, your application or website is public, as that is the aim of it, so you can never truly minimise the risk of SQL injection completely.
XSS attacks are very similar to SQL injections, but instead of requests and queries, this time the remote server is flooded with code, essentially client side scripting.
DDOS, (distributed denial-of-service) attacks attempt to ‘make a machine or network resource unavailable to its intended users.’ Defending against DDOS is a tricky business and depends on the scale of the attack, however, a good system of defences will normally involve a combination of firewalls, switches, ISP based prevention and application front end hardware, among others.
Tools for security testing
There are several tools available to check for security vulnerabilities, both from the open source world as well as from the commercial realm. Each have their advantages and drawbacks, and where they’re best to be used depends on the particular set of circumstances. One extremely comprehensive list of tools can be found here: https://www.owasp.org/index.php/Appendix_A:_Testing_Tools
To plan, execute and follow up of the security testing and security requirements, you need a good test management tool such as ReQtest. ReQtest is a flexible platform for all your testing and requirements needs offered at an affordable price. Using the ReQtest Connect API you can let the security test tool automatically create bug reports in ReQtest.