As a provider of web security services to thousands of customers worldwide, Incapsula benefits from a broad view of the threat landscape. From our unique vantage point, we’d like to offer some insights into the top three mega vulnerabilities of 2014 – namely, Heartbleed, Shellshock and Poodle.
What makes these mega vulnerabilities special is that unlike most vulnerabilities that are specific to a particular OS, browser or software application, these three relate to the core Internet infrastructure (e.g., SSL and Linux devices) and, in essence, affect just about every connected device owner and every Internet user on the globe.
We believe it’s very important to raise awareness regarding these types of mega vulnerabilities. With a huge number of systems affected worldwide, their appeal to hackers is almost irresistible and even with multiple patches and solutions out there, plenty of under-maintained systems are still vulnerable, even as we speak.
View the infographic below for a recap of this year’s three mega vulnerabilities.
April 2014: Heartbleed Exposes OpenSSL Private Keys
Dubbed Heartbleed, this dangerous OpenSSL bug allows an attacker to access information from a client or server’s memory. The information exposed includes private encryption keys (i.e., the linchpin of SSL security), usernames and passwords, and sensitive data and content. What makes this even more problematic is that OpenSSL is used everywhere – from Apache and nginx web servers to email servers, VPNs and network appliances.
Clearly, this is a nightmare scenario that poses a huge risk to end users’ private information, organizations’ sensitive data, and even their intellectual property. As soon as their private encryption keys are exposed, organizations are thrown into a “code red” situation and must act immediately to stem potential damage. The cost in terms of time and resources to implement such a fix is substantial, not to mention the disruption it causes to business operations.
September 2014: Shellshock – Much More than a Zero-Day
Six months later, the Shellshock vulnerability was discovered in Bash, which is the most common command-line shell used in Linux/Unix/OS X systems. Once exploited, this vulnerability allows attackers to completely take over the server, enabling them to steal files, delete information, download malware and execute DDoS attacks.
If this wasn’t bad enough, Shellshock is also frighteningly easy to exploit – all an attacker needs to do is send an HTTP request to the server. There is no need to log in (i.e., provide username/password) and no need for physical access.
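As an added example (not code from the original post, and not an Incapsula tool), the Python snippet below shows the kind of server-side detection a defender can run over web access logs to spot Shellshock probing of the sort described above: it flags request header values that begin with the Bash function-definition sequence the vulnerability keyed on, and counts distinct offending IPs, the same metric the post tracks over time. The access-log format and the sample lines are constructed for the example.

```python
import re

# Shellshock payloads ride in HTTP header values that a CGI-enabled web server
# exports into Bash's environment. A vulnerable Bash treated any value that
# begins with "() {" as a function definition and kept parsing past it, so
# that opening sequence is the signature to match (whitespace may vary).
SHELLSHOCK_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Constructed access-log lines for this example (not real traffic). Assumed
# format: client_ip "METHOD path" status "User-Agent" "Referer"
SAMPLE_LOG = """\
203.0.113.7 "GET /index.html" 200 "Mozilla/5.0 (X11; Linux x86_64)" "-"
198.51.100.23 "GET /cgi-bin/status.cgi" 200 "() { :;}; /bin/true" "-"
192.0.2.45 "GET /cgi-bin/env.cgi" 404 "curl/7.38.0" "() { x; }; echo probe"
203.0.113.7 "POST /login" 302 "Mozilla/5.0 (Windows NT 6.1)" "-"
"""

LOG_LINE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)" "([^"]*)"$')


def is_shellshock_value(value):
    """True if a header value carries the Bash function-definition prefix."""
    return SHELLSHOCK_PREFIX.search(value) is not None


def scan_log(text):
    """Return (client_ip, header_name, value) for every flagged header value."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that do not follow the assumed format
        client_ip, _request, _status, user_agent, referer = match.groups()
        for header_name, value in (("User-Agent", user_agent), ("Referer", referer)):
            if is_shellshock_value(value):
                hits.append((client_ip, header_name, value))
    return hits


def offending_ips(hits):
    """Distinct source addresses seen probing (the count the post reports)."""
    return sorted({client_ip for client_ip, _, _ in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client_ip, header_name, value in found:
        print(f"{client_ip} {header_name}: {value!r}")
    print(f"{len(offending_ips(found))} offending IP(s)")
```

Two caveats for anyone adapting this: access logs normally record only the User-Agent and Referer headers, while a CGI server exported Cookie, Host and arbitrary custom headers into the environment as well, so real inspection belongs at the WAF or request-handling layer where every header is visible; and percent-encoded or otherwise obfuscated variants need to be decoded before the pattern is applied.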
While two months have passed since the vulnerability’s discovery and the release of a patch, Shellshock is still going strong. Incapsula saw Shellshock exploit attempts increase from around 400 offending IPs at zero day to over 15,000 four weeks after discovery. Over the same period, however, the average attack rate has remained about the same.
This is a very enlightening development, which shows that Shellshock has evolved from a high-profile, buzz-generating attack to one that mainstream hackers are using on a routine basis. In other words, a large number of perpetrators are systematically probing for vulnerable Linux and Unix devices.
While the media storm has passed, Shellshock is now actually entering its second most dangerous phase, as those who haven’t already patched their machines are unlikely to do so.
October 2014: Poodle – The Death Knell of SSL V3
SSL 3.0 is notorious for its security holes. In use for over 15 years, it has been superseded by TLS versions 1.0, 1.1 and 1.2. Unfortunately (from a security standpoint), many TLS implementations remain backwards compatible with SSL 3.0 as a fallback option to ensure smooth interoperability with legacy systems.
To exploit the design flaw in SSL 3.0, attackers convince the browser to downgrade to SSL 3.0 (i.e., the fallback option). They then exploit SSL 3.0 weaknesses to decrypt and extract sensitive data from the stream (e.g., email addresses, passwords, credit card data from an e-commerce site).
Since this version of SSL is practically obsolete, the only way to fix this vulnerability is to totally disable/remove SSL 3.0 from your systems. Since it’s mainly used in legacy systems, it’s not easy to find where it’s being used and what the implications are if you remove it. And since no patch exists, if you do decide to replace SSL 3.0 with a more up-to-date TLS version, you’ve got a major coding and integration project on your hands.
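To make the “disable SSL 3.0” remediation concrete, here is an added Python example (not from the original post, and not an Incapsula tool) that audits an nginx TLS configuration for the protocol versions it offers and rewrites the directive to a TLS-only list, so the weak setting and the corrected one can be seen side by side. The server block is constructed for the example; the nginx `ssl_protocols` directive is real, and the hardened list assumes a build recent enough to know TLSv1.3.

```python
import re

# Constructed nginx server block for this example (not a real deployment).
# The ssl_protocols line still offers SSLv3, the version POODLE exploits.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Versions that must never be offered: SSL 2.0 and the SSL 3.0 that POODLE
# targets. If the server offers neither, a downgrade has nothing to fall
# back to.
FORBIDDEN = {"SSLv2", "SSLv3"}

# Replacement list. TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
# drop it for older builds (assumption made for this example).
HARDENED = ["TLSv1.2", "TLSv1.3"]

# One ssl_protocols directive: leading indent, space-separated versions, ';'.
DIRECTIVE = re.compile(r"^(\s*)ssl_protocols\s+([^;]+);", re.MULTILINE)


def find_ssl_protocols(config):
    """Return the version tokens of every ssl_protocols directive in config."""
    return [m.group(2).split() for m in DIRECTIVE.finditer(config)]


def audit(config):
    """List the forbidden versions offered; an empty list means no SSLv2/SSLv3.

    A config with no ssl_protocols directive inherits the nginx build's
    default, which still included SSLv3 before nginx 1.9.1, so that case is
    reported explicitly instead of being treated as clean.
    """
    directives = find_ssl_protocols(config)
    if not directives:
        return ["(no ssl_protocols directive: build default applies)"]
    return [v for versions in directives for v in versions if v in FORBIDDEN]


def harden(config):
    """Rewrite every ssl_protocols directive to HARDENED, keeping indentation."""
    replacement = "ssl_protocols " + " ".join(HARDENED) + ";"
    return DIRECTIVE.sub(lambda m: m.group(1) + replacement, config)


if __name__ == "__main__":
    print("before:", audit(WEAK_CONFIG))
    fixed = harden(WEAK_CONFIG)
    print("after: ", audit(fixed))
    print(fixed)
```

The same idea applies to other servers with their own syntax (Apache mod_ssl, for instance, expresses it as `SSLProtocol all -SSLv3`). Run the audit across every virtual host and every TLS-terminating appliance, not just the main web tier, since the legacy systems the post mentions are exactly where an overlooked SSLv3 listener tends to survive.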
Nevertheless, in terms of severity, Poodle is the least dangerous of the three. SSL 3.0 is only present on about 2% of today’s client devices. Since both the client and the server have to support SSL 3.0 to enable the fallback option, the above scenario is less likely to take place.
Furthermore, Poodle requires a high level of technical expertise to exploit. The attacker needs network access to the client or server environment to carry out a man-in-the-middle attack, where the attacker is making the connections with both sides and has complete access to all information being transmitted.
Looking Ahead: Mega Vulnerabilities Are Expected to Increase
Looking forward, we believe that the number of mega vulnerabilities is likely to increase for several reasons.
First of all, savvy attackers realize the huge ROI from searching for and exploiting vulnerabilities that affect the majority of the Internet. Secondly, from the security researcher’s perspective, discovering a mega vulnerability – like any of those above – creates the kind of fame that professional and academic careers are made of.
Similar to mega vulnerabilities, other popular open website platforms (e.g., Drupal, WordPress, etc.) are also prime targets for hackers. These widely used platforms can be exploited to steal data or to launch DDoS attacks as part of a botnet.
Attackers and cyber criminals regularly scan for known vulnerabilities. They know that even when a patch has been released, it takes most organizations several days, or even weeks, to roll them out to their systems and endpoints. If your system, website or other connected equipment contains vulnerabilities, they will eventually be found.
In light of these facts, we are now seeing growing interest in security services that offer rapid response solutions to zero-day threats. On sales calls and in support tickets, more and more clients express interest in Incapsula’s capability to handle zero-day threats, as well as to detect and block attacks that target known vulnerabilities.
To protect against zero-day threats, Incapsula employs a crowd-sourced security model that aggregates attack data from over one hundred thousand active domains worldwide. In addition, Incapsula leverages a massive (and constantly updated) IP reputation database to monitor traffic from all major botnets and many other less-known hubs of hacker activity. Finally, Incapsula’s dedicated security research team is its third, and perhaps most important, tier of defense, leveraging years of professional experience to augment the platform’s threat detection capabilities.
In 2014 Incapsula has already proven its effectiveness against zero-day threats, as it leveraged its cloud architecture to instantly introduce network-wide security updates in record time.
In 2015 we will push the envelope even further, with new detection mechanisms and even more effective deployment solutions, to combat a new wave of mega vulnerabilities as they emerge from the shadows.