BLACK HAT - Security issues lurk behind corporate intranets

Experts claim that many companies are unknowingly leaving the door open for outsiders to infiltrate and attack their corporate intranets using new hacking techniques such as

Companies looking to improve their overall security posture may want to look for vulnerabilities in a place where they never might have expected to be attacked -- their corporate intranets.

According to two leading security researchers presenting at the ongoing Black Hat 2007 security conference in Las Vegas on Wednesday, many companies are unintentionally leaving the door to their IT operations unlocked by failing to adequately protect their internal Web sites.

Based on advancements in security research that will allow hackers to use Web browsers and the flaws the programs carry to infiltrate and attack intranets with greater ease, including the use of newer hacking techniques such as CSRF (cross-site request forgery), businesses should begin actively reviewing and re-architecting the internal URLs to prevent major issues down the line, said researchers Jeremiah Grossman and Robert "RSnake" Hansen.

"This is a problem that is essentially as widespread as anything out there. Over the next eighteen months I believe that we'll see black hats catching up with the research community and beginning to adopt these tactics," said Grossman, who is the founder and CTO of vulnerability testing firm WhiteHat Security. "Basically with these types of attacks it's as if firewalls don't even exist."

Companies typically don't consider the fact that hackers could find a way to get into their intranets, the Web application testing expert said, but savvy attackers can find links to the sites by carrying out emerging attacks such as CRSF threats, which allow them to break into seemingly secure Internet sessions to secretly lift password and browser history data.

Hackers typically attempt to fool end-users into loading a Web page that contains a malicious request in common CSRF threats, much like traditional phishing attacks or cross-site scripting (XSS) techniques.

The attackers then try to misappropriate victims' identities and privileges to carry out activities such as changing their applications passwords to gain entrance to intranets or banking sites, or to log into e-commerce sites to make fraudulent purchases in their names. In some cases, the attacks are hidden on the vulnerable sites themselves.

Grossman said that CRSF threats and XSS attacks are most commonly being used together to swipe money from online bank accounts today. But based on his observations of corporate intranets, he maintains that the technique could spell trouble for internal company URLs in the near future.

Utilizing the approach, hackers can essentially access prior Web browser sessions and remain logged in to any sites that have been accessed by an end-user to carry out illicit activities, including sites that offer access to sensitive information or company data.

Another easy way to break into intranets is to use cross-site scripting attacks that mirror traffic from trusted Web sites, such as online banking applications, that won't likely get blocked from company networks, according to the experts.

In developing their intranets, it seems, many firms don't apply the same level of security testing that they use for their publicly available URLs, the researchers said.

"Companies think that only certain IP addresses may be able to access their sites. Bbut using these techniques the browser can go anywhere, which throws the defense of filtering IP addresses out the window," said Hansen, who operates the security consulting firm SecTheory. "Hackers can use the browser as a proxy to get access to intranet applications -- vulnerabilities in VPN systems for remote workers offer another attractive point-of-entry."

The experts said that to protect themselves, companies should begin defending their internal Web sites in the same manner they safeguard their external sites. Public-facing Web sites shouldn't be allowed to access the intranets on any level, which is another common means for hackers to find their way into the systems, they said.

"There will be tools made available that allow black hats to carry out this sort of threat easily within the next two years, which should inspire a lot more people to try them out," Grossman said.

"These types of browser vulnerabilities have always been there, and these attacks were always feasible. It's just that no one really knew about it; what the bad guys are doing with them today compared to several years from now is just the tip of the iceberg," he said.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

InfoWorld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?