Guy Fawkes Day is a day originally meant to celebrate the failed assassination attempt by a group of 13 conspirators looking to supplant King James I by blowing up the House of Lords. Today the most prominent incarnation of the Fawkes ideology (or at least the Fawkes likeness) is associated with the loosely-knit hacker collective known as Anonymous.
Earlier this week, Anonymous announced that on November 5th (Guy Fawkes Day) it would “march on The Houses of Parliament peacefully and unarmed”. Then came a series of attacks against high-profile Internet sites, all of which were immediately attributed to Anonymous by media outlets. The list of victims included PayPal, Symantec, a Lady Gaga fan site, NBC, Saturday Night Live, and NBC Sports.
Tens of thousands of records containing personally identifiable information (PII) were released, en masse, with the attackers communicating that the data was indeed sensitive information from their target. Anonymous, or at least some individuals who claim association with the group, did claim responsibility for some of the attacks. After the media spun their initial knee-jerk reactions, the truth began to unfold.
According to the New York Times, “although Anonymous’ claims went viral on Twitter and were picked up by several media outlets, it appears the attack on PayPal never happened. The 28,000 passwords actually belonged to ZPanel, a free open source hosting site.”
Anuj Nayar, a PayPal spokesman, said “the payments company had been investigating the attack since Sunday night and concluded that there was no evidence any of its data had been breached.” As for the other breaches, the main Twitter accounts associated with the Anonymous collective did not claim credit for the attacks on Twitter – something the group readily admits when they are behind a breach or public defacement.
Ideology aside, these events serve to remind us that securing web applications and servers is truly critical. No organization wants to be the easy target for those looking to spread their ideological message by disrupting your information systems and impacting your business.
We’ve blogged before that securing your server and application stack is a foundational exercise in security. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users (source: http://en.wikipedia.org/wiki/Attack_surface).
Another way to think about it: why do football players wear a helmet, shoulder pads, gloves, shoes, thigh pads, knee pads, neck rolls, elbow pads, mouth guards, hip pads, tailbone pads, rib pads, and other equipment? That’s right… to reduce their vulnerable surface area. A football player knows that if he or she doesn’t wear at least the basic padding, they leave parts of themselves vulnerable to other players, including deliberate exploitation of sensitive areas (e.g. targeting a weak knee, exposed hand or unprotected thigh muscle).
One example of commonly exposed but sensitive functionality is administrative access to information systems. Most servers provide methods of facilitating remote access for administrative functions. Unfortunately, most server owners neglect to restrict access to these facilities in the name of convenience or a mobile workforce, leaving administrative ports open to the world.
One side effect of unfettered access to administrative ports is the potential for exploitation. One solution is to employ dynamic firewalling and two-factor authentication to facilitate on-demand access per administrative user, while obfuscating the administrative ports from the rest of the world.
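A first check for the exposure described above is to audit a server's own listener table for administrative ports that are not confined to loopback. The script below is an added example, not code from the original post; the `ADMIN_PORTS` list, the function names and the sample `ss -Htln` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: ports treated as remote-administration services for this check.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC",
               5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

# Constructed sample in the layout of `ss -Htln` (no header row).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:3389 [::]:*
LISTEN 0 128 10.0.0.5:5985 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*
"""

def split_local(field):
    """Split the Local Address:Port column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    return host, int(port)

def bind_scope(host):
    """Classify how widely a listening address can be reached."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"

def exposed_admin_listeners(ss_output):
    """Return (port, service, scope) for admin ports not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank lines, headers and non-listening sockets
        host, port = split_local(cols[3])
        scope = bind_scope(host)
        if port in ADMIN_PORTS and scope != "loopback":
            findings.append((port, ADMIN_PORTS[port], scope))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, scope in exposed_admin_listeners(SAMPLE_SS_OUTPUT):
        print(f"{service} on port {port} is bound to {scope}")
```

A listener bound to all interfaces is only reachable from the Internet if the host or network firewall allows it, so each finding should be compared against the firewall rules before it is treated as open to the world.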
It’s also important to remember that securing your servers is not a one-time thing. Server owners must employ a continuous security monitoring and orchestration model to ensure constant security. If you ever need help understanding the challenges of deploying servers or applications in cloud architectures, please do not hesitate to send us an email.