While sitting at a coffee shop across the street from a large bank, a person pulls out their laptop, hacks the (secure) Wi-Fi network of the bank, and by their 3rd cup of coffee has access to a desktop computer in the bank with full local access. Sounds far-fetched? Think again. That person is now writing this article. Thankfully the entity in question had requested this test to occur, but it does highlight a very important topic for discussion: African countries are growing in ICT, fast. Are they ready for the attention they will attract from hacking syndicates and cyber criminals?
The recent hacking of the Zimbabwe Stock Exchange is a case in point. By now we all are well aware that a Joomla vulnerability was exploited and their site was compromised. The result? Apart from any financial loss, it has resulted in reputational losses – Google “Zimbabwe stock exchange” and you will see what I mean. The first results you get are any company’s worst nightmare. In this case the hacking attempt was not for financial gain, it was to deface, to cause reputational impact and to make a point – “Africa we know you’re out there.”
It is of no surprise then that many companies in Africa, as well as governments, are beginning to take their security very seriously, and that’s a good move. As Africa puts itself on the map to become a major world player from a business perspective, we are going to light up like a neon light for people looking to exploit and hack. Is your company ready? Had anyone asked Sony Corporation that same question 1 year ago how do you think they would have answered? How do you think they will answer now?
Having a security policy is the first step towards a secure business network. But it is by no means the final step at all. Do you have management buy-in? Does management know the potential threats and the impact they could have? As a CIO the onus falls on you to ensure your company is safe. You need to know your threat landscape, what are the attack vectors and how will you protect them.
I have seen many companies in Africa (and beyond) pull out a template security policy, risk matrix and a security product datasheet and say that will suffice. Penetration tests, vulnerability assessments, staff awareness, proper fit of security products – these are not even mentioned. To these people the question remains to be answered – When that neon light called Africa shines brightly, will you be ready?
This guest article was authored by Dimitri Fousekis, a Security Architect and Penetration Tester. Fousekis has worked for many large corporates to assist in securing their systems, and providing input to global vulnerability management companies. He is affiliated to Bitcrack Cyber Security and may be contacted at dimitri@bitcrack.net
Share
Home
28 comments
As someone who is working in trying to do Security checks for companies, I am amazed at how many look the other way. If they haven’t had a breach then they think it will never happen to them. Nice article and I hope some people see it and decide to shore up their defences a bit.
Most of these companies do not want to pay for proper security implimentation. Some of them just pay the wrong people, by that i mean pple who do not know about how these hacks are made and how they can be blocked. To be a proper security resource means a thorough understanding of how the business system works, in detail, and how to compromise them. This means your solutions are based on facts, not impressions. I know of 2 banks which hired a security consultant who basically uses an application that scans the buss applications and generates a pdf report with the ‘found’ vulnerabilities. What made me doubt his credentials was the fact that some of the vulnerabilities found where inapplicable, such as saying the server is IIS (windows) when in fact we were running LAMP architecture. There is need for proper vetting of some of these so called security experts esp from abroad since we do not know about them.
Honestly, i have dealt with banking IT staff in Zim during the last few years, and i can tell you that some of them really and truly do not have a clue about IT and security, let alone even basic IT.
There was a time, when we had to assist a bank in getting their website secured “as per their security requirements”, (which in-fact was just a test that was outsourced to a 3rd party foreigner who had used IBM Rational Appscan).
In the end, we were stuck in a long winded meeting with the head IT person, the head IT security analyst and a few of their self proclaimed “IT Gurus” of this particular bank, explaining why an IIS exploit is not necessarily valid on a Linux server!
sad… but a very very true story indeed!
Hahaha. I am sure I know which institution you are talking about. I think it’s easy to dismiss other people as self proclaimed gurus and end up ignoring other factors that account for the current state of IT /IT Security in Zim.
I get the feeling that sometimes we do not fully appreciate the fact that best practices can not just be adopted overnight. That just doesn’t happen. Even the bodies that come up with standards acknowledge this – most probably you know about the COBIT Maturity Models or the Capability Maturity Model.
These models should not just be used to assess an organization’s current state. They should also be used to come to terms with the reality that improvements will happen gradually, not in quantum leaps.
Disclosure note: I once worked in IT at one of this banking group’s subsidiaries.
“I get the feeling that sometimes we do not fully appreciate the fact that best practices can not just be adopted overnight.”
Not overnight no, but not more than 6 months, with the correct drive and backing from both Technical and Business. The problem is the sheer arrogance of ICT Professionals in the banking industry (but not limited to) at the moment (I use the term professional simply because some of these individuals are paid), Simply refusing third party analysis and/or assistance because it may make them look less competent in the eyes of their superiors, however it’s completely the opposite, Acknowledging that you can make a sound technical and business decision to outsource (not even completely, perhaps just for the project planning stages), drives home the fact that you are committed to providing the best possible solution for your organization.
Unfortunately this arrogance causes IT guys to lock down, and not accept outside ideas / information, Simply because you work at a FI / ISP / NGO / Government Department doesn’t instantly mean your good at what you do, on the contrary it simply means you got the job, years of training, notes, concepts and practical application and finally empirical evidence that your practical applications are well designed, scalable, and secure as vetted by a third party, prove you are competent.
ICT Networking / Systems Engineering is not for the faint of heart, however it isn’t impossible, simple best practices (no don’t use secondary addresses on your interfaces, etc,), forward thinking (not just in terms of hardware i.e. how big does my raid array need to be?, but in terms of managebility i.e., when I have 200 server’s and 4000 workstations, how will I manage them?, starting out with “going big” in mind doesn’t necessarily have to cost much more, especially these days with virtualization becoming the norm) and an open mind go a long way in the IT world.
Taking the extra five minutes to change the defaults in any application also goes a very long way…
@google-913a532e93959e8d5a32b0d81115dc27:disqus
The bit about big overnight changes is just exaggeration for effect.
You raise important issues but you undermine yourself by indiscriminately labeling Zim IT professionals ignorant.
There is an easy way out of this: you could claim, like I did, that you are also exaggerating for effect!
@google-913a532e93959e8d5a32b0d81115dc27:disqus
I withdraw my first response to your contribution.
I mixed up ignorance with arrogance; perhaps, confirming my ignorance!
These guys should engage local personel to help them validate solutions provided by foreigners, instead of just assuming anyone foreign knows better than all of us here
I agree with you. That must be very frustrating but we can’t just wish this away.I am not sure how this can be resolved though. Any suggestions?
All very true – was recently asked to source some Hardware for a couple of foreingers from the land of 411 – it was what seemed to be A beast of a gaming Machine – but on further investigation and inquiry it turns out that these guys want to brute force attack some networks in the city centre, by using the Graphics cards 1,600 stream processors in GPGPU mode (http://en.wikipedia.org/wiki/GPGPU).
Wifi networks are the worst, when you realising how many people have done quick setup wifi networks as a quick, dirty, cheap, simple solution to networking, i decided not to get them this hardware –
Zimbabwe . . . the tech future could be hacked
i wonder if there are actually any anti-hacking laws in this country………..?
there are non. there are proposals in a pending bill/policy toward ICT. If blackhat activities lead to breaking other laws such as those against fraud, theft and other legally defined forms of crime…then the perpetrator can be charged by proxy of those laws.
Go on pple, lm taking notes ………
The article on the ZSE compromise did not state that it was hacked by way of “a Joomla vulnerability (that) was exploited”. Unless you have inside info, there is nothing that suggests that it was a vulnerability in Joomla that was exploited. It ambiguously states the use of “administrator privileges”. Which could be CMS-based or based on the hosting OS. Lets be accurate. Moreso if you are in security
took the words right out of my mouth, we are tired of people who do not know much about joomla, let alone hacking, doing the reporting. They should consult and get thorough information and not be biased towards demonising joomla, or any other cms. The company that hosted the ZSE has more detailed information on how it happened yet noone interviewd them. Makes you wonder then where the information is coming from.
Most likely it was through Joomla – FOSS is great but always to remember to UPDATE and PATCH you ish
That remains a possibility. I doubt @99cc7ce3550f7e6b3e22161a5bcdb561:disqus and @infinisys:disqus would deny it.
It seems they are just uncomfortable with people making sweeping generations.
Security is a concept still yet to be grasped and appriciated by many organisations in zim either by the IT or Business experts. There is a a massive desire to learn amongst the morden IT generation but the old dogs who guard the gates(Executives) are unwilling to invest in security because they sit on some false sense of security. The threat landscape is growing every second and sooner or latter some of the big companies in zim will fall prey unless they act now.
I am a zimba working out of zim in a security role for a very big organisation, and we don’t just hire security consultants without proper checks and accreditation……we need guys who can do real security and in this part of the world there a bodies who certify all companies that perform security testing and consulting……Zim is still backward and may take the next couple of years to get there. However, Certain bodies should push for changes in laws especially cybersecurity laws…Computer society of ZIm hey do something,.
Finally, I really know that more that 95% of the Blue chips in zim can be easily hacked. 100% of all companies using Joomla are the easiest to crack. So Joomla guys acceptance and humility will lead you into acepting reality and then from there you can learn how to build better and secure infrastructures.
“100% of all companies using Joomla are the easiest to crack. So Joomla guys acceptance and humility will lead you into acepting reality and then from there you can learn how to build better and secure infrastructures.”
not true at all……….
OMG there goes another ignorant joomla hater. For a moment there i thought you knew what you were saying. Please tell us how joomla can be compromised ‘100%’, and what the alternatives are.
what an assertion. how did you come by such a figure. 95% you say! Blue chip??! you make me laugh!
“WORKING OUT” for a “VERY BIG ORGANISATION”, means absolutely diddly squat. if anything, it has shown us that you are absolutely clueless that there are companies that excercise due diligence in security. and you said Blue Chip!
and how did we get to secure infrastructures[sic] all the way from Joomla.
@tinm@n and @infinisys:disqus , there is no reason to be haters here. remember this is an open forum , for sharing views and opinions which we can use to better the IT field in zim. Your views and mentality seem to be the problem hampering the development of IT , it takes an overal change in mindset, perception inorder to develop and improve.
I respect your love and passion for Joomla, its a great CMS, hence the widespread use in Zim, but you need to know that it has its own weeknesses that can be easily exploited if the correct design and implementation procedures are not followed.The lack of such security processes and drive to invest in other security layers in zim at the moment makes the situation worse. This is not only the developers problem but its at an organisational level.
Coming baack to the blue chip companies, yes they are easily hackable, its just that at the moment there is no good return on investment on wasting time breaking them but as soon the economic surface in zim changes these companies will be targets . So as IT pros we should act upon it now than waiting kuzoyeuka bako mvura yanaya, thats a poor strategy.
Well, said but your sweeping statements mean nothing without factual backing. 95% of blue chip companies? By what study? Conducted by whom? Over what sample space?
We cannot just fold our arms and accept everything that everyone says, especially without backing. If anything, your assertion is absolutely wrong and any such declarations cannot be left unchallenged. Being “tech” people, we tend to desire facts over opinions and unfounded perceptions.
It isnt just about Joomla, its clarifying a lack of understanding on where the problem is. The problem is not in the CMS but in the implementer, as you correctly said. This is typically so for ANY and EVERY free and open source software. Vulnerabilities are introduced by THIRD PARTY plugins/modules/extensions/components that would be installed without performing due dilligence. AND by lazy web admins that do not take a few minutes to check for updates/patches and implement them.
I actually have no love for Joomla. Just had to customise it for a client that swore by it. It is good enough for a quick installation, but the API is one of the most cumbersome to code for (from scratch). If you code extensions using its instrinsic (recommended) MVC, you stand to use alot of man hours. Though maintaining it after that would be a breeze, even when migrating 1.5 to 1.6/1.7, the path is less cumbersome…I digress
The attack Vectors that makes Joomla hacking so easy
With so many attack vectors available to hack joomla, a spirited attacker will break in and gather the trophies.Here is a sample(This is not an exhaustive list its just a snap shot)
· Server design and configuration
· Lack of Patching, Logging and Monitoring(IPS,WAFs etc)
· Lack of established Secure Software development principles
· The Joomla core
· Joomla extensions
· SEO implementation weaknesses(our strongest enemy)
· Lots of default setting and left lying around
· Joomla local file inclusions
Local file inclusions are also a common problem in Joomla extensions.
Many of them are vulnerable for this type of attack and some of them
never get fixed. This may lead to a server hack, which is not
funny any more – at least for the system administrator.
· Joomla remote file inclusions
· Joomla SQL injections
– cat, category, kat, categories, kats, cats
– id, userid, katid, catid
– sometimes also Item, entry, page
· Joomla XSSs/CSRFs
XSS/CSRF vulnerabilities can mostly be found in input fields,
such as forms, guestbooks, shoutboxes and search boxes. They
allow to execute HTML/JS/VBS code within the context of the
visitor’s browser.
Protect your own Joomla Implementation
1. Always keep Joomla up2date
2. Secure the backend servers and infrastructure
3. Always make sure you run the latest patched versions of the extensions you used
4. Make sure you choose strong passwords for all logins
5. Check your own website for vulnerabilities, you now know how to do this
6. Always check the webserver’s log files for potential hack attempts
7. Secure your server if you host your Joomla website on a VPS or even a dedicated server
8. Create a list of all extensions you use and try to monitor them. For example you can use
9. Research on security websites for staying informed about the latest vulnerabilities.
10. Only use secure extensions.
11. Test your own environment using free tools and the OSSTM or OWASP methods
Try these Tools
·
CMS Explorer
·
OWASP Joomla Vulnerability Scanner ; joomscan
·
Nmap(precisely http-joomla-brute NSE script)
·
Backtrack Evolution
·
MD5 Hash Cracker
·
Metasploit
All those exploits you listed can be applicable to any website. Its not inherent to Joomla only e.g sql injection, are you saying if you went onto a joomla site and login with a sql injection 101 like username = Lon AND ‘1=1’# you will gain access, or you would have to use an advanced one like using mysql LOAD DATA function to include system files and output them on the screen. Any website can be hacked with sql injection, but it at least has to be new and very intelligent which at least with joomla you know is the case, if you always update it. Security is not a state, its a process, where one has to keep abreast of recent developments and exploits to ensure they do not get compromised. I am not saying Joomla is unhackable but im saying to point fingures on it as a very weak CMS is a fallacy. You just have to do research and plugin the holes and also as you have highlighted its not entirely up to the application but also on the server level to plugin the holes, infact your primary point of security should be the server.
You will also find out many developers do not give Joomla API enough time which is the first step towards exposing yourself e.g some will use $_REQUEST[] insteat of calling JRequest::getVar() or ::getInt to get request data. But agaiin these are simple common procedures one should follow no matter what CMS (Drupal, WordPress, BDG…) or framework , Zend , CI, YII, CAKE Php, .NET MVC, ….. that they are using.
Clean all input, clean all output, install plugins that filter funny requests and report, ‘jail’ users to their home directory, turn off php(or server) system functions that are not ususally used (like exec), turnoff mysql uncommo functions ‘e.g load file, UNION…’ and consider using an application firewall/proxy with alert reports. You should also be very thorough when choosing 3rd party extensions. The reason why Joomla looks to be so vulnerable is because its the most popular tool on the internet. This also means most developers, esp entry level ones, also use it because of its ease to adopt, but they do not follow some of the procedures you and i highlighted above.
If you buy any gadget and do not follow the manual and it hurts you or breaks then who’s fault is it. But if you get hurt having followed the manual then you have a case.
good info though
EY, LLP carries out the global security survey annually and the stats from the previous 3-years showed that at most 90-95 percent of the big orgs in Zim lack defined security principles and defences. The survey targets senior executives or CIOs and the results are agregated. Remeber survey results are based on a small sample which then act as a representation of the total number of the zim blue chips. The outcome from the zim’s survey was then benchmarked or compared against other countries around the world and the level of security amongst our own blue chips was found wanting resulting in the surveyors coming to a conclusion that 95% of the companies can be easily attacked and breached especially with the rise of Advanced and more effective persistent attacks. Note that the conclusion is drawn from different aggregated areas such as governance, risk management, border security, encryption, application, database security, patching, logging and monitopring, network security, security architecture, security awareness training, Secure coding practices, security management, etc. All these aggregates are then score and based on the score the surveyors are able to deduce how hard or easy it is to attack the organisation,.
@tinm@n and @infinisys:disqus hope this gives you some insight on the background of the 95% of the big companies being easy to attack.
People should learn to update their software systems on a regular basis. Joomla is one of the best CMS in the world. There are sites who would stand to loose much more both financial and in reputation which use it. Obviously they are not fools to use it.
With the ZSE site obviously the only updates that occured on the site where in relation to the share prices. Otherwise i doubt if anyone was making updates to the Joomla code. So it was easy for for a hacker to find vulnerabilities on the site. Another factor is that there is a chance that the passwords to the site have not been changed in a long. If you look at recommended password policy, you will see it has drasticaly changed in the past few years. Because most times companies have outsourced web designing, set up and hosting there is a high chance that that companies do not change the passwords and setting set by the contractor. It can be to the extant that the company totally forgets the passwords to the website backend, and the hosting especially due to the fact the website is rarely accessed and the IT department has had personnel turnover. Which is a bad recipe.
For an organisation like ZSE, it makes sense to
1. Have their own dedicated web server. whether its located at their premises or is co-located at an ISP(who has a secure server room and necessary security) is not much concern, what is important is that they control it.
2. They should have individuals in IT who are responsible for maintaining the server. They make updates not only to the CMS, but also to the server’s System Software especially for the webserver programs such as Apache, MySQL and PHP.
3. Please make sure the dudes can do backups, even if it means bringing a machine to the interview room to test whether a candidates really can do, what he has put on his CV.
4. Their own software developers. These guys will only be there to make adjustments to the CMS, system responsibility is not their concern. Obviously ZSE would have benefited in having a PHP Developer. He will be useful for making adjustments to the software so as to take into account ZSE’s special needs. They can help add extra custom add-ons and are in a better position to liase with external contractors when it comes to adding new functionalities and upgrading systems.
5. Documentation of this IT function is very important especially when there is high levels of personnel turnover in the IT department.
Everyone knows its human to fall, but it becomes failure when you fail to get back up again. ZSE has surely failed. An organisation which has a well planned IT system and procedures would have been able to bring the site back in less than a day.
As for the wi-fi cracking issue, I believe the bank deserves to give the IT manager a warning letter. Given access and time someone could have entered their system and could have stolen a lot of money without being dictated. Banks should have a dedicated Information Security Officer.