Saturday, September 16, 2017



Here's an article I wrote that originally aired on Dark Reading

Top 5 Reasons Your Small Business Website is Under Attack

There is no such thing as "too small to hack." If a business has a website, hackers can exploit it.

I was recently looking for a place to board our cat this summer, and one business had on its home page, underneath the name of the company, the words “Viagra discounts” in small but legible type. Assuming the company isn’t branching out from felines to pharmaceuticals, why would this appear on its website? The answer, of course, is that the company didn’t put it there, and was probably unaware of it altogether.

When small business owners think about website security at all, their attitude is usually something along the lines of, “Why would anyone attack us? We’re not a bank and we don’t store credit card data.” Once the company sets up its website, it “sets it and forgets it.” It may check its search ranking once in a while to be sure it hasn’t been blacklisted by Google, but that’s as far as it is likely to go. However, hackers are attacking small business websites with increasing frequency and sophistication: In the cyber-attack ecosystem small business websites are both an attack platform and an attack target.

Unfortunately, the current upward trend of small businesses managing their own websites will only amplify this problem. The National Small Business Association 2013 Technology Survey found that nearly two-thirds of small businesses maintain their own websites, up 15% from the 2010 report. Meanwhile the report indicates that 64% of companies consider the time required to simply maintain the site “a major challenge.”

If you work in, or provide security services to, a small business, below are five points that you need to understand in order to effectively defend your website from attack.

5. New vulnerabilities threaten your business every day: Small business owners need to understand that vulnerability discovery and disclosure is dynamic. Just because a website hasn’t been updated lately doesn’t mean that new vulnerabilities aren’t a threat. In fact vulnerabilities in existing code are more likely to appear on websites that haven’t been updated. According to anonymized aggregated customer data we analyzed at 6Scan, for companies using Web content management systems this issue is even more critical. At any given time between 70% and 80% of WordPress users are running an outdated version which can contain critical, and well documented, vulnerabilities.

4. Your site is under attack 24/7: Many small business owners check their traffic figures daily, pleased to see any increase. They might not be so happy to learn, as we did from our analysis, that, on average, 7% of the traffic to their site is actively attacking it, attempting to detect and exploit vulnerabilities. A site that gets 100 unique visitors per day (placing it approximately at Alexa’s 100,000th most trafficked site) is a target of two breach attempts every hour of every day -- almost 20,000 attacks per year. With these numbers it’s not a matter of if a vulnerability will be exploited but when.
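The claim above (a steady share of a small site's traffic is probing for vulnerabilities) is easiest to see in your own access log. The following is an added example, not code from the original post or from 6Scan: a small classifier that runs over a constructed sample of combined-format web server log lines and reports how much of the traffic is automated probing and from which addresses. The probe patterns are assumptions chosen for illustration, not a complete rule set.

```python
import re
from collections import Counter

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Sep/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Sep/2017:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2017:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.18"
198.51.100.7 - - [16/Sep/2017:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "python-requests/2.18"
198.51.100.9 - - [16/Sep/2017:10:00:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 700 "-" "curl/7.55"
203.0.113.8 - - [16/Sep/2017:10:00:11 +0000] "GET /contact?name=<script>alert(1)</script> HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.6 - - [16/Sep/2017:10:00:12 +0000] "GET /services HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed probe signatures: WordPress login/XML-RPC hammering, path traversal, XSS probes.
PROBE_RULES = [
    ("wp-probe", re.compile(r"/(wp-login\.php|xmlrpc\.php|wp-admin)", re.I)),
    ("path-traversal", re.compile(r"\.\./|%2e%2e", re.I)),
    ("xss-probe", re.compile(r"<script|%3cscript|javascript:", re.I)),
]

def classify(line):
    """Return (ip, label) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for label, rx in PROBE_RULES:
        if rx.search(m["path"]):
            return m["ip"], label
    return m["ip"], "benign"

def summarize(log_text):
    """Count benign vs. probing requests and collect the probing source addresses."""
    counts, attackers = Counter(), set()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue  # unparseable line: skip rather than guess
        ip, label = parsed
        counts[label] += 1
        if label != "benign":
            attackers.add(ip)
    total = sum(counts.values())
    hostile = total - counts["benign"]
    return {"total": total, "hostile": hostile,
            "hostile_pct": round(100.0 * hostile / total, 1) if total else 0.0,
            "by_label": dict(counts), "attacker_ips": sorted(attackers)}
```

The sample is deliberately dense with probes; on real logs the share is what matters, and the attacker list is a natural input for rate limiting or blocking.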

3. Hackers are more efficient than ever: Cisco’s 2014 Annual Security Report referred to hacking legitimate websites as a “high-efficiency infection strategy.” Once a site is compromised, it turns into an attack platform, giving hackers the freedom to choose what devices to attack, what viruses to distribute, even what date and time to launch the attacks for maximum effect.
Back in my days at Zone Labs (one of the early desktop firewall vendors) malware email attachments were all the rage. Now bad guys don’t need to go through all the effort of pushing malicious attacks with a single payload -- they just hack legitimate websites and let the victims come to them. If they want to beta test a new iOS exploit, they can run that for a few days. If they want to build a botnet with proven malicious code, they just pop that up. The victims will just keep showing up, not knowing the site has been compromised. This ruthless strategy puts the “viral” back in viral marketing.

2. Your site -- no matter how small -- is valuable to hackers: There is no such thing as “too small to hack.” If a business has a website, hackers can exploit it. Stealing personally identifiable information from users and visitors is one way they derive value. But even without credit card data, user/password credentials can be valuable when used as part of a bigger scam.
Hackers also breach legitimate websites to post phishing pages -- this is essential to get around anti-spam software that will flag a link to a blacklisted IP. According to the Websense 2014 Threat Report, 85% of all malicious Web links are hosted on hacked legitimate sites. A third way attackers can use a hacked site is to host malicious content used in phishing scams.

1. Your reputation gets hacked as well: Being blacklisted by Google damages a small business’s brand, but it pales in comparison to being used as a platform to attack its business partners -- and this is not a spy-movie, spear-phishing scenario. Last year the networks of Facebook, Twitter, Microsoft, and Apple were compromised in “watering hole” attacks. In these attacks, cyber criminals hacked into small business Web sites that are known to be frequented by employees of the targeted companies. These specific attacks focused on small mobile application developers, but the model works for any industry.

The days of small businesses putting up a few web pages and relying on “security through obscurity” to protect them are gone forever. Hackers have great incentive to unleash sophisticated -- and often highly automated -- attacks on even the smallest sites. Small business stakeholders must begin to regard website security as a necessary part of operating in an online world, or their customers and partners will pay the price.

Monday, January 11, 2016

Where's the Free?

Here's a brief excerpt from my presentation at the Freemium Meetup in SF earlier this summer. It's a feel-good story about getting called out by WSJ's Walt Mossberg for making it too hard for anyone to find free ZoneAlarm on the Zone Labs Web site. Please...it was only three clicks, two cross-sells and a pop-up. He should have seen what we wanted to test.




Tuesday, September 29, 2015

CICC Fireside Chat

I participated in the California Chamber of Commerce International Summit and had the good fortune of being interviewed by Jacques Benkoski of USVP.



Friday, January 30, 2015



--this episode previously aired on 6scan.com/blog

The Reports are in: Hacked Websites are a Big Problem


The big boys have weighed in, and both Cisco’s 2014 Security Report and the Websense 2014 Threat Report have identified a major contributor to cyber-crime: hacked legitimate websites. The Cisco report accurately refers to these attacks as High Efficiency Infection Strategies because, as the image below illustrates, a single website can attack a variety of devices. Websense re-affirms the popularity of this attack method by pointing out that 85% of malicious links are hosted on hacked legitimate websites.
Websites can launch attacks upon multiple device types (image from Cisco’s 2014 Security Report)
At 6Scan we see the magnitude of the effort behind these attacks and the damage they can inflict. There is a constant barrage of malicious traffic against the sites we secure. Why? Because using hacked websites to disseminate malware is a high-efficiency infection strategy. A compromised web site, or web server, is the bad guys’ honeypot — it’s out there just waiting for victims to show up. Many new customers come to us after they have been targeted. Once breached, these sites become platforms for serving malware until inevitably they are blacklisted by browsers or desktop anti-virus.
In many cases these small businesses have much more to lose than bigger companies. Large firms have insurance, recovery strategies and adequate resources to survive a breach, even one that is large scale and highly visible. Smaller firms, The Fortune 15 Million, don’t always have this cushion. In many cases they stand to lose everything. This is why 6Scan offers a free service to assess website security. It’s also why we focus on fixing vulnerabilities before they become breaches.
Stay safe.

Saturday, July 12, 2014

The Prosumer Myth


SCENE:
Four employees in conference room.
Three sit staring at the projected image of the "Target Market" slide while the fourth stands at the white board, marker in hand ready to chronicle the impending onslaught of insight...

"The price point is high.. we need a market with less resistance."

"Small business would be perfect, but it doesn't really meet their needs."

"Don't forget it's also really complicated, so we need enthusiasts and early adopters."

[sound of light bulb pop as everyone shouts in unison]
"PROSUMERS!"

[high fives all around while everyone rushes from the room without cleaning up or erasing the white board]

There is a problem here. The Prosumer (Professional Consumer) doesn't exist anymore, if, in fact, he/she ever did. Sure, there are sightings from time to time -- I thought I saw a Prosumer loitering at the edge of the Best Buy parking lot in Serramonte reading old video camera manuals, but whatever it was ran off into the adjacent graveyard before I could take a picture.

In 2008 Cisco published Prosumers: A New Growth Opportunity (http://bit.ly/Lvj9E0) which pegged the US prosumer market at 14.5 million people. However, what they were counting was the number of "technical hobbyists" that shared two things: they enjoyed talking to sales people and they owned a pair of pants. These folks hung out in big box stores where they could check out gadgets, pick up some Monster cables and buy retail anti-virus product instead of renewing online. By 2009 this segment was in sharp decline, reeling from a series of setbacks starting with the cancellation of COMDEX and culminating when Circuit City filed for Chapter 11 bankruptcy protection. They haven't been heard from since.

So the take away is, when you are introducing a product, pick a market -- preferably one that will derive a benefit from your offering. If you can't find product/market fit, don't look at changing the market, look at changing your product.

C

Thursday, May 22, 2014

this episode previously aired on 6scan.com/blog

NFL Draft and the Cyber Kill Chain

Tomorrow, the unofficial start of the pro football season kicks off with ESPN's broadcast of the 2014 NFL Draft. As in the past, hundreds of thousands of people will follow the drama via the Internet. Unfortunately, a vulnerability contained on the website of one NFL franchise may leave that team's fans blindsided by hackers.
This team's website includes a Cross Site Scripting (XSS) vulnerability, one that's used as part of a nearly fool-proof cyber scam.

In these scams, attackers use emails about upcoming events as bait, e.g. “Find out who 'Team X' will take #1 in the draft…” These emails contain links directly to the team’s website. Each link is formatted correctly and looks 100% legitimate. Clicking the link executes a browser injection that lets the hacker display a pop-up window on top of the legitimate destination page. Pop-ups can display offers such as discount ticket promotions, new merchandise, etc. All information entered in a pop-up ends up in attackers' hands.

While significant, the damage in such an attack -- to the team’s on-line reputation and the victim’s credit profile -- is still manageable. However, as 6Scan Co-founder Nitzan Miron points out, bigger issues are at stake.
“This is not a catastrophic vulnerability in terms of network or database access, but it is a critical link in the cyber kill chain,” Nitzan said. XSS can also be used to phish employees’ credentials, giving attackers direct access to a company’s network. Once inside a network, attackers can leverage advanced threats that are difficult to detect.
“Hacked websites have evolved into the number one attack platform. They are involved in 85% of attacks and have become a critical early link in the cyber kill chain,” Nitzan explained.

XSS - which can only be found by a website or application scan - is one of the top 5 vulnerabilities 6Scan detects. Because such attacks take place at the browser level, website administrators never know they're happening. This is just one of the threats that drive us to deliver automated scanning and remediation services that any business can deploy regardless of size or security expertise.
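The crafted-link scam described in this post works only because the page echoes part of the URL back into its HTML without encoding it. The following is an added example, not code from the original post, from 6Scan or from any NFL site: a constructed page handler shown in its vulnerable form beside the hardened form, with a small check that distinguishes them. The URL, template and parameter name are assumptions for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed page template; the "msg" query parameter is echoed into the body.
TEMPLATE = "<html><body><h1>Draft Central</h1><p>{msg}</p></body></html>"

def _msg_param(url):
    """Extract the (percent-decoded) msg parameter from a URL, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]

def render_vulnerable(url):
    """Reflects the parameter verbatim: the classic reflected-XSS sink."""
    return TEMPLATE.format(msg=_msg_param(url))

def render_hardened(url):
    """HTML-encodes the parameter so any markup in it is shown as text, not run.
    html.escape is correct for an HTML body context; a value placed inside an
    attribute, a URL or a script block needs that context's own encoding instead."""
    return TEMPLATE.format(msg=html.escape(_msg_param(url), quote=True))

def contains_active_markup(rendered):
    """Crude check used here to compare the two renderings: does the reflected
    body still contain a raw tag or a javascript: URL?"""
    body = rendered.split("<p>", 1)[1].split("</p>", 1)[0]
    return "<" in body or "javascript:" in body.lower()

# Constructed example of a crafted link of the kind the post describes:
# the msg parameter carries an encoded <script> element.
CRAFTED = "https://example-team.invalid/news?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
```

Output encoding on every reflected value is the fix; a Content-Security-Policy that disallows inline script is a worthwhile second layer because it limits the damage when one sink is missed.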
Stay Safe.

Monday, March 3, 2014

Data (In) Security

(this episode originally aired on 6Scan.com/blog)

In the world of website content management systems, WordPress is king. As far back as 2012 Fortune magazine anointed WP ruler of the Web, and its number of installed platforms now exceeds 70 million. So a logical question is “What does it mean to be one of 70 million in terms of website security?”
Well, in cyber-security as in many industries, Shakespeare’s line “Uneasy lies the head that wears a crown” is often applicable.  So it’s important to recognize that dominant market share makes an inviting target for criminals.  Exploit writers follow the money which, for them, lies in hacking vulnerable website code.  The more vulnerable applications in distribution, the more profit they see.
Hackers use WP sites – revenue-generating and fan-based alike – to carry out criminal activity ranging from malware distribution to data theft and more. At 6Scan, we see an inordinate number of sites unwittingly inviting attacks with virtual “Hack Me” signs. Of the WP sites on our scanning platform (as of January 17, 2014) fewer than 20% were using the current version (3.8) and approximately 25% run versions that are more than one year out of date (see chart for full breakout). Hackers love out-of-date applications, which they regard as low-hanging fruit, because their vulnerabilities are well known and exploit packages are available for purchase. So before doing anything else, 6Scan urges WP site owners and administrators to install the latest version of WP. Strengthening sites across the board – all types – is good for the individual as well as the WP community in general.