When hackers recently defaced the homepage of OpenSSL.org, administrators initially claimed the attack came “via hypervisor through the hosting provider and not via any vulnerability in the OS configuration.” One day later, VMware defended its ESX Server against the OpenSSL claim and – one day after that – OpenSSL’s investigation “found that the attack was made through insecure passwords at the hosting provider.”
VMWare, which originally claimed “the defacement is a result of an operational security error,” released an updated statement when OpenSSL updated its advisory to “confirm that their understanding of the cause of this incident is the same as VMware’s.”
What’s the lesson here?
Primarily, says Online Tech Senior Product Architect Steven Aiello, that attackers aren’t interested in taking the hard road to their targets. “Human error, weak passwords and OS misconfigurations from inexperienced administrators are still the most vulnerable targets for hackers,” he said.
While the OpenSSL hack was harmless – the Turkish group responsible seemed interested only in bruising OpenSSL’s pride – that’s not typically the case. Complex criminal organizations are becoming quite effective at making money in cyberspace.
Take, for instance, researchers at Trustwave finding another Pony botnet controller in December that was overseeing nearly 2 million website logins, email account credentials and FTP, RDP and SSH accounts.
The account information was mainly for social media accounts like Facebook, Google, Twitter, Yahoo and LinkedIn. But it also included an estimated 8,000 passwords for ADP Payroll Services accounts.
“No industry is safe,” said Aiello, who spent nine years as a Systems Engineer at ADP. “Having worked at ADP, I know their security systems and that they spend a LOT of money on security. So what are smaller companies supposed to do for protection?”
One logical step may be to look for a trusted, secure hosting provider for help.
Another is to get the entire organization to understand the importance of – and comply with – security measures. Consider it a New Year’s resolution. And it can start with something as simple as improving password strength.
The Trustwave researchers who discovered the Pony controller took a deep look into the stolen passwords themselves. From an InformationWeek report: “Hundreds of thousands of credentials, the researchers said, use only one character type—either numerals or letters—as a password. Most of those are built off the 123456 construct; seven of the top 10 passwords found via the controller started with 123. Password, admin and 111111 round out the top 10.”
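As an added illustration (not code from the article, Trustwave or InformationWeek), here is a small Python audit that applies the same two cuts the researchers describe, the number of character types used and the 123 prefix, to a constructed password list, and a policy check a defender could enforce when a password is set or reset. The sample list and the policy thresholds are assumptions, not figures from the report.

```python
import re
from collections import Counter

# Constructed sample standing in for a recovered credential dump (not real data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "123456789", "admin",
    "111111", "12345678", "123123", "abcdef", "Tr0ub4dor&3", "letmein",
    "1234", "qwerty", "P@ssw0rd!", "123abc", "000000", "123456",
]

_CLASSES = {
    "digit": re.compile(r"\d"),
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "symbol": re.compile(r"[^0-9A-Za-z]"),
}

def char_classes(pw):
    """Return the set of character classes (digit/lower/upper/symbol) present in pw."""
    return {name for name, rx in _CLASSES.items() if rx.search(pw)}

def audit(passwords, top_n=10):
    """Summarize a list the way the Trustwave analysis was reported: how many
    passwords use a single character type, how many start with '123', and the
    top N values with how many of those start with '123'."""
    total = len(passwords)
    single_class = sum(1 for pw in passwords if len(char_classes(pw)) == 1)
    starts_123 = sum(1 for pw in passwords if pw.startswith("123"))
    top = Counter(passwords).most_common(top_n)
    return {
        "total": total,
        "single_class": single_class,
        "single_class_pct": round(100.0 * single_class / total, 1) if total else 0.0,
        "starts_123": starts_123,
        "top": top,
        "top_starting_123": sum(1 for pw, _ in top if pw.startswith("123")),
    }

def is_weak(pw, min_len=12, min_classes=3):
    """Assumed policy: reject short passwords, too few character classes, or a
    '123' prefix. Use alongside (not instead of) a breached-password blocklist."""
    return (len(pw) < min_len
            or len(char_classes(pw)) < min_classes
            or pw.startswith("123"))

if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    print(f"{report['single_class']}/{report['total']} single-class "
          f"({report['single_class_pct']}%), {report['starts_123']} start with 123")
    for pw, n in report["top"]:
        print(f"{n:3d}  {pw}  weak={is_weak(pw)}")
```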
“Users are still the weakest link in the chain,” Aiello said. “As much as it pains me to say, internal employees must be viewed as the weakest link. Those who work in IT security are passionate about it, but a human resources employee looking to make the next hire, or the person processing next week’s payroll, they most likely could care less.”
InformationWeek: OpenSSL Says Breach Did Not Involve Corrupted Hypervisor
VMWare Security & Compliance Blog: Recent OpenSSL Website Defacement