InfoSec Awareness: CSRF

CSRF stands for Cross-Site Request Forgery and is also known as a one-click attack or session riding. In a CSRF attack the victim's browser is made to "do" things on a website without the user knowing. It is the proverbial Trojan horse: the site trusts that any request arriving with the user's session cookie comes from the user, so a forged request riding on that trust is granted the same privileges the user has. An attacker may also forge a request that logs the victim in to a target website with the attacker's credentials; this is known as login CSRF.

A simple (hypothetical) example: an authenticated WordPress user with admin privileges is tricked into clicking a link, the request that the link triggers is made as that user, and admin privileges are handed to the attacker. We have seen this kind of attack on Facebook and Twitter before, where messages are spread across Facebook walls or sent as Twitter DMs in the victim's name.

Prevention

Individual web users running unmodified versions of the most popular browsers can do relatively little to prevent cross-site request forgery; the effective defences are on the server side.

Logging out of sites and avoiding their "remember me" features can reduce CSRF risk, since a forged request is only useful while the victim has a live session; not displaying external images and not clicking links in spam or untrusted e-mails may also help.

Challenge-response is the defence option on the server side. Examples of challenge-response mechanisms are a CAPTCHA, re-authentication (asking for the password again) and a one-time token tied to the user's session that must accompany every state-changing request; an attacker's page cannot read that token, so a forged request fails the check. CAPTCHA and re-authentication are usually reserved for high-value actions because of the friction they add.
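To make the token defence concrete, here is an added example in Python (it is not code from the original post) that puts the unprotected handler from the attack described above beside the same handler hardened with a per-session one-time token (the synchronizer token pattern). The in-memory session store, the dict-shaped request model, the hosts bank.example and evil.example, the attacker's auto-submitting page and the user names are all constructed for this illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
# Stands in for whatever a real application uses (database, cache, ...).
SESSIONS = {}


def login(user, email):
    """Create a session and mint a random per-session anti-CSRF token
    (synchronizer token pattern). It lives server-side and is only ever
    sent to pages on our own origin."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": email,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_change_email_form(sid):
    """Our own page embeds the session's token in a hidden field; the
    same-origin policy stops an attacker's page from reading it."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/account/email">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def change_email_vulnerable(req):
    """Trusts the session cookie alone: any page that can make the victim's
    browser POST here acts with the victim's privileges. req is a dict of
    the cookies the browser attached and the submitted form fields."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401
    sess["email"] = req["form"]["email"]
    return 200


def change_email_hardened(req):
    """Same handler, but the submitted token must equal the one bound to
    this session. compare_digest runs in constant time, so the check
    leaks nothing about the token through timing."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401
    submitted = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403
    sess["email"] = req["form"]["email"]
    return 200


# Constructed attacker page hosted on evil.example. When the victim loads it,
# the browser submits the form to bank.example and attaches the victim's
# session cookie (classic pre-SameSite behaviour), which is all CSRF needs.
ATTACKER_PAGE = """
<form id="f" method="POST" action="https://bank.example/account/email">
  <input type="hidden" name="email" value="attacker@evil.example">
</form>
<script>document.getElementById("f").submit();</script>
"""


def forged_request(victim_sid, extra_form=None):
    """What the server receives from ATTACKER_PAGE: the victim's cookie is
    attached automatically, but the body is attacker-chosen and cannot
    contain the victim's token."""
    form = {"email": "attacker@evil.example"}
    form.update(extra_form or {})
    return {"cookies": {"session": victim_sid}, "form": form}


def demo():
    victim = login("alice", "alice@example.org")
    attacker = login("mallory", "mallory@evil.example")
    r = {}
    # Hardened handler rejects the forged POST with no token, and also one
    # carrying the attacker's own token (it is bound to a different session).
    r["forged_no_token"] = change_email_hardened(forged_request(victim))
    r["forged_foreign_token"] = change_email_hardened(forged_request(
        victim, {"csrf_token": SESSIONS[attacker]["csrf_token"]}))
    r["email_after_hardened"] = SESSIONS[victim]["email"]
    # The genuine form, which carries the victim's own token, still works.
    r["genuine"] = change_email_hardened({
        "cookies": {"session": victim},
        "form": {"csrf_token": SESSIONS[victim]["csrf_token"],
                 "email": "alice.new@example.org"}})
    r["email_after_genuine"] = SESSIONS[victim]["email"]
    # The unprotected handler accepts the very same forged POST.
    r["vulnerable"] = change_email_vulnerable(forged_request(victim))
    r["email_after_vulnerable"] = SESSIONS[victim]["email"]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details matter in practice: the token is compared against the one stored for the victim's session, not merely checked for being "a valid token", which is why the attacker's own token from a separate account is rejected; and the check must run on every request that changes state, including ones reached by GET links like the WordPress case above, which is why state changes should only be accepted on POST. Browsers that default cookies to SameSite=Lax blunt the simplest form of this attack, but that is a client-side default you do not control, so the server-side token stays the primary defence.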

No Organization is Immune!

No Organization is Immune: Fraud Can Have a Lasting Effect on Any Company. Despite the growth of fraud across organizations of all industries and sizes, many still do not see themselves as a potential target. Though fraud may be dismissed as something that affects a certain type of company, the reality is that there is no "typical" fraud victim. In recognition of Fraud Prevention Month, Shred-it, an information security company, wants to help organizations of all types recognize their susceptibility to fraud and identify safeguarding methods.

Hacked? Blame China and forget!!

Thanks to the headlines and discussions in the global media and IT security forums in recent weeks, you can hardly have missed the news that the digital forensics firm Mandiant has accused People's Liberation Army (PLA) Unit 61398, a Chinese military cyber operations group, of running advanced persistent threat attacks against many businesses and government organizations since 2006.

The panic button has been pressed, and fingers point at Chinese hackers. Well, what next?

“If you know that the People’s Liberation Army is spying on you, do you change your defenses? How? Do you look for Chinese language intrusion prevention tools?” said Alan Paller, director of research for SANS, in a recent newsletter.

Thanks also to the South Carolina Department of Revenue, which stored 3.3 million bank account numbers and 3.8 million tax returns containing Social Security numbers, including those of 1.9 million children and other dependents, in unencrypted form. When the infamous breach was detected, the blame was put on unnamed Russian hackers. The state has since urged anyone who has filed a tax return in South Carolina since 1998 to contact law enforcement officials. Why did the South Carolina authorities learn nothing from the Utah and Texas breaches?

Very recently, we were all flooded with reports that the tech giants Apple, Facebook, Twitter and Microsoft had been compromised by attackers who gained access to a third-party iOS development website and used it to infect visitors' Mac OS X systems with drive-by malware through a zero-day vulnerability in Java. The companies responded cautiously to the attacks and still claim to maintain the best standards of security.

Seriously speaking, does it matter who attacked them?

Across the globe, IT has become critical to the survival of businesses. The important question is whether you have an effective and up-to-date information security policy and practices document. Do you have, and follow, robust information security practices? Can your network be owned by anyone: a hacker, an ex-employee, an insider working for a competitor, a foreign agency? Is your data safe, with strict need-to-know access practices and logs that are reviewed meaningfully?

In essence, the question is simple and straightforward: are you able to protect your business in a cost-effective way? Or even simpler: do you have an IT governance framework?