To err is human; to hack is, well, human too…

Posted by Tom Bain on July 12, 2011 at 2:35 PM

If you think about all the bad stuff that happens that most IT Security vendors claim to either prevent, identify or analyze, you don’t typically think of a person. It’s a thing, maybe abstract in nature, some type of virus (what does a virus look like?). Or, a criminal gang, huddled in a basement somewhere, launching attacks, botting machines and taking personal and corporate information and selling it for monetary gain.

However, there’s a fundamental issue at the heart of the exploits and data breaches we’re familiar with – human acts. A number of interesting articles surfacing lately have pointed out (and I tend to agree) that Security is not exactly a technology challenge – rather, human error is largely responsible for the loss of data and all that follows.

Human error, or when people aren’t doing their jobs to the extent that they should be, often comes into play around access to data, or more to the point, a lack of appropriate access controls on sensitive information. I’d argue that it’s not just that people keep making mistakes, but rather human nature – it’s in the nature of vindictive individuals to destroy property (whether physical or intellectual) and to steal. It doesn’t matter if that individual is capable of developing an advanced software program; if that program is designed to take down a business, well, it’s human nature for those who wish to cause harm.

That said, while the shift in attacks in recent years has focused on stealing as much personal and corporate data as possible to make a pile of money on the black market, LulzSec and Anonymous have shown us that launching attacks to wreak havoc is still alive and well. It’s an example of human nature at work, people using their skills to do bad stuff just for the heck of it.

A fascinating example of this (one that went largely under the radar) is the recent case of the former YouSendIt CEO who pleaded guilty to launching a web attack on the company. Khalid Shaikh was a co-founder at YouSendIt who also served as CTO at one point, so he likely knew his way around the application pretty well.

By all accounts, he ran the ApacheBench program over and over against the servers that YouSendIt’s platform sits on, and it caused a DDoS attack. As a result, the YouSendIt servers were left unable to manage the traffic they were receiving on top of the normal amount of traffic the servers see.
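A defender-side check that pairs with the incident described above, added here as an illustration and not code from the original post or from YouSendIt: it scans Apache combined-format access log lines for a single source that bursts far above a normal request rate within a short window, or that announces itself with the ApacheBench user agent. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Load-testing tools that should never be pointed at production by an unknown source.
LOAD_TOOL_AGENTS = {"ApacheBench"}


def find_floods(lines, threshold=20, window_seconds=10):
    """Return {ip: info} for sources exceeding `threshold` requests inside any
    `window_seconds` span, or identifying as a known load-testing tool."""
    times, agents = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip = m.group("ip")
        times[ip].append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
        agents[ip].add(m.group("ua"))
    findings = {}
    for ip, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        tool = any(ua.split("/")[0] in LOAD_TOOL_AGENTS for ua in agents[ip])
        if peak > threshold or tool:
            findings[ip] = {"peak_requests": peak, "load_tool_agent": tool}
    return findings


def build_sample_log():
    """Constructed sample: 30 hits in 3 seconds from one source running ab, plus normal traffic."""
    lines = [f'203.0.113.7 - - [12/Jul/2011:14:00:0{i % 3} +0000] "GET / HTTP/1.0" 200 512 "-" "ApacheBench/2.3"'
             for i in range(30)]
    for i, path in enumerate(["/", "/upload", "/download/abc"]):
        lines.append(f'198.51.100.{i + 1} - - [12/Jul/2011:14:00:0{i} +0000] "GET {path} HTTP/1.1" '
                     f'200 2048 "https://example.com/" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(find_floods(build_sample_log()))
```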

I’m not a technical guy so I usually deal with implications instead – since YouSendIt’s site boasts more than 18 million users and 20 million file transfers per month, I have to believe there’s a compromise somewhere around user information that might not have been reported yet. Furthermore, I know over a dozen people who use YSI regularly, to ship video or other large files, and have said they would now consider an alternative, now that I informed them of the hack. It certainly illustrates that the attack surface has widened in terms of attacking web apps, and drives home how something as simple as a DDoS can potentially disrupt business in a big way.

As a huge fan of YouSendIt (especially their desktop app) it stinks to see something like this happen. Having transmitted hundreds of files on YSI, I'm a little nervous using it again, but I'm anticipating they’ll take the appropriate steps to ensure it doesn’t happen again based on some of the recent moves the company has made.

My post would not be complete if I didn’t take a stab at offering a few ideas on how one might go about countering bad actors and all they are capable of by taking a different approach to thinking about security, especially web applications, considering they are the most exposed and most hacked layer of any enterprise IT stack.

--Organizations should consider a full assessment and analysis of applications to determine where the vulnerabilities lie – most likely, there will be coding errors.

--Look at security from a development vs. production standpoint – if you are addressing code issues ahead of time while applications are still in the development phase and not rolled out to production systems, you are thinking about security the right way.

--Train your developers on the principles, both fundamental and advanced, of secure software application development – this will go a long way to refresh the veterans and provide new insight for the newbies.

--Accept the fact that you can protect but you can’t change the DNA in people who want to do bad things – they are wired differently, and will attempt to execute their acts regardless of the processes or technologies in place to counter their acts.

Topics: developer guidance, application security
