How To Block "Profile Attacks"?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

supermike
Forum Contributor
Posts: 193
Joined: Tue Feb 28, 2006 8:30 pm
Location: Somewhere in the Desert, USA

How To Block "Profile Attacks"?

Post by supermike »

Check this out....

http://www.theregister.co.uk/2009/01/24 ... ty_breach/

For lack of a better name, I'm going to call this sort of attack a "Profile Attack". (If you know a better one, then I'll retitle the thread.)

I'm building a similar system to monster.com. So, what do you recommend I do to prevent this kind of profile attack? Basically, as you can see in the hyperlink above, a virus was specifically written to seek out a monster.com employer account username and password. Once obtained, it logged in under those credentials and started scraping email addresses and other identity information from candidate profiles. Once it received these, it started sending these people phishing requests, worm virus-laced spam (most likely to turn their PC into a zombie spam PC), and illegal money mule requests.

Now, one of the things my system will do is provide privacy controls for job candidates to specify. We specifically have fields that can be set as Employer-Only, Interviewer-Only, or Everyone. So, for instance, by default an email address is set to Interviewer-Only. And to enable that feature, one has to receive an interview request for a position and actually click "Accept Interview". Once they do that, the employer is then granted access to that email address. We also warn end users of the consequences.

So, again, any advice you have on preventing this kind of attack would be greatly appreciated.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How To Block "Profile Attacks"?

Post by kaisellgren »

supermike wrote: [opening post quoted in full]
Use a Unix operating system - there are fewer worms, viruses and trojans.

Don't let anyone upload malicious content on your site.

Protect from web attacks e.g. SQL injections.
supermike
Forum Contributor
Posts: 193
Joined: Tue Feb 28, 2006 8:30 pm
Location: Somewhere in the Desert, USA

Re: How To Block "Profile Attacks"?

Post by supermike »

Well, not exactly. This kind of attack does not work like you think, kaisellgren.

Imagine a guy named John. John's a great guy and a legitimate recruiter with an employer account at monster.com, let's say. Now John didn't know this, but he opened up an Outlook message that had a buffer overrun exploit inside it that worked on Windows. It launches a very tiny program that pulls down content from an FTP server in Belgium, then activates it. And what does it download? A keystroke logger. So then the keystroke logger goes to work, and the hackers in Belgium have it set to watch when John gets on monster.com. It then grabs John's username and password and sends a background HTTP request back to their hacker server.

Okay, step 2 engages at that point. The Belgian hackers then take John's credentials, feed them into a script, and it starts downloading candidate profiles. Now job candidate profiles often come with 3 states -- fields available to everyone, fields available to employers only, and fields available only to employers who issue an interview request. The hackers know this, so the script then starts sending out bogus interview requests. And, in large volume, the candidates accept the bogus interview request and *poof* they just exposed their full profile to a hacker script. From this, the hackers get their full name, home address, phone numbers, and email addresses.

Okay, step 3 engages. The hackers already have other means to get identity data from people from other hacker attempts they do on other systems. So, when they merge that data with this new data from monster.com, it may complete a full identity on people where they can then start performing identity theft. In the USA, if you have one's correct birth date, social security number, home phone, full name, and home address -- you can go get a car loan. How do I know this? Because someone did it to my wife -- that's why. (We worked with police and caught the bad woman, by the way. Took us 6 months to find her, but we found her.)

And then there's step 4. In step 4, they take that same data and start doing phishing attacks, zombie PC worm viruses sent by "Greeting Card" emails during the holidays (or perhaps as a bogus "Joke" or "Resume" email), and sending out money-mule requests. (BTW, I've seen some pretty legitimate-looking money-mule requests come in my inbox that say they like my resume, want to talk some more on the phone, then cancel the phone call because they say they're busy, and then send me an email asking me to do an illegal money-mule scam for them to help them start an office in the USA. A lot of dumb idiots would probably take the bait, unfortunately. And that's when the Sheriff shows up at their door to talk to them about illegal money mule scams and bad checks.)

So, anyway, I'm collecting your ideas on this. I think it's a tough one to crack. Here are some things I've come up with:

1. If a user (employer or job candidate) hasn't logged into their account in 60 days -- reset it and force them to have to reset their password to move forward.
2. Force users to change their passwords every 90 days, and to something different than the last one, if not the last 2-3 passwords.
3. Store shadows of passwords in the database, not encrypted passwords, and not plain-text passwords.
4. Avoid cookies or at least encrypt them pretty solidly.
5. Store their email address and birth date information in encrypted form in the database.
6. Use a captcha step if an employer wants to see a candidate's full profile once they have accepted an interview.
7. Throw hidden, random garbage data around, and inside, one's very critical personal information. It shows up in the XHTML and thwarts automated hacker scripts, but in plain view with your own eyes in the browser -- you can't see the obfuscation. For instance:

```html
<label for="fldEmail">Email</label>
<div id="fldEmail">john@company.com</div>
```
...would become...

```html
<label for="fldEmail">Email</label>
<div id="fldEmail">j<dt>40023230003328800</dt>ohn<tt>@company.</tt>co<dt>232300230</dt>m</div>
```
...and CSS could be used on some of this to hide certain tags like DT. If used with 25-50 different ways to obfuscate this, each with random numbers inside, it's one more level of frustration against a hacker.

8. Introduce a view counter. Let an employer only view like 60 candidate profiles an hour, or, if the candidate has accepted their interview request, 20 candidate profiles an hour.
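Items 1 to 3 of the list above (dormant-account reset, forced rotation with a no-reuse history, and storing only a one-way hash) fit naturally in one login/change-password routine. The following is an added example written for this thread, not code from the original post or from any job-board product; the `accounts` and `password_history` tables, their column names and the time constants are assumptions for the demonstration. It uses PHP 8 with `pdo_sqlite`. Two caveats a practitioner would add: none of this helps once a keylogger has the password (the hash only protects the database if it leaks, which is the point of item 3), and NIST SP 800-63B has since recommended against mandatory periodic rotation in favour of screening new passwords against breach lists, so treat the 90-day rule as the thread's suggestion rather than current best practice.

```php
<?php
// Added example (not from the original thread): credential storage and ageing
// policy covering items 1-3 of the list above. Schema, column names and the
// constants are assumptions. Requires PHP 8 with the pdo_sqlite extension.
declare(strict_types=1);

const DORMANT_DAYS  = 60; // item 1: force a reset after 60 days without a login
const ROTATE_DAYS   = 90; // item 2: force a change after 90 days
const HISTORY_DEPTH = 3;  // item 2: reject reuse of the last 3 passwords

final class CredentialPolicy
{
    public function __construct(private PDO $db) {}

    // Item 3: store a salted one-way hash, never the password or a reversible
    // ciphertext. password_hash() picks a random per-user salt and embeds it.
    public static function hash(string $password): string
    {
        return password_hash($password, PASSWORD_DEFAULT);
    }

    /** Returns 'ok', 'bad_password', 'dormant' or 'expired'. */
    public function login(string $username, string $password, int $now): string
    {
        $st = $this->db->prepare('SELECT id, pw_hash, pw_changed_at, last_login_at FROM accounts WHERE username = ?');
        $st->execute([$username]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        // Verify against a throwaway hash for unknown users so the response time
        // does not reveal which usernames exist.
        $hash = $row ? $row['pw_hash'] : self::hash(bin2hex(random_bytes(8)));
        if (!password_verify($password, $hash) || !$row) {
            return 'bad_password';
        }
        if ($now - (int)$row['last_login_at'] > DORMANT_DAYS * 86400) {
            return 'dormant';
        }
        if ($now - (int)$row['pw_changed_at'] > ROTATE_DAYS * 86400) {
            return 'expired';
        }
        // Upgrade old hashes transparently when the default algorithm or cost changes.
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            $this->db->prepare('UPDATE accounts SET pw_hash = ? WHERE id = ?')->execute([self::hash($password), $row['id']]);
        }
        $this->db->prepare('UPDATE accounts SET last_login_at = ? WHERE id = ?')->execute([$now, $row['id']]);
        return 'ok';
    }

    /** Item 2: refuse a new password equal to any of the last HISTORY_DEPTH ones. */
    public function changePassword(int $accountId, string $newPassword, int $now): bool
    {
        $st = $this->db->prepare('SELECT pw_hash FROM password_history WHERE account_id = ? ORDER BY changed_at DESC LIMIT ' . HISTORY_DEPTH);
        $st->execute([$accountId]);
        foreach ($st->fetchAll(PDO::FETCH_COLUMN) as $old) {
            if (password_verify($newPassword, $old)) {
                return false; // reused
            }
        }
        $hash = self::hash($newPassword);
        $this->db->prepare('INSERT INTO password_history (account_id, pw_hash, changed_at) VALUES (?, ?, ?)')->execute([$accountId, $hash, $now]);
        $this->db->prepare('UPDATE accounts SET pw_hash = ?, pw_changed_at = ? WHERE id = ?')->execute([$hash, $now, $accountId]);
        return true;
    }
}

// Demo on an in-memory database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT, pw_changed_at INTEGER, last_login_at INTEGER)');
$db->exec('CREATE TABLE password_history (account_id INTEGER, pw_hash TEXT, changed_at INTEGER)');
$policy = new CredentialPolicy($db);
$t0 = 1_000_000;
$day = 86400;
$db->prepare('INSERT INTO accounts (username, pw_hash, pw_changed_at, last_login_at) VALUES (?, ?, ?, ?)')
   ->execute(['john', CredentialPolicy::hash('correct horse'), $t0, $t0]);
$policy->changePassword(1, 'correct horse', $t0); // seed the history with the current password

echo $policy->login('john', 'wrong', $t0 + 1 * $day), "\n";
echo $policy->login('john', 'correct horse', $t0 + 50 * $day), "\n";
echo $policy->login('john', 'correct horse', $t0 + 100 * $day), "\n";
var_dump($policy->changePassword(1, 'correct horse', $t0 + 100 * $day));
var_dump($policy->changePassword(1, 'battery staple', $t0 + 100 * $day));
echo $policy->login('john', 'battery staple', $t0 + 100 * $day), "\n";
```

Run as `php policy.php`: the wrong password is rejected, the login on day 50 succeeds, the login on day 100 is refused as `expired` (the password is older than 90 days while the account is not dormant), changing back to the same password returns `false`, a fresh one returns `true`, and the final login succeeds. Moving the day-100 login out to day 111 without the day-50 login would instead return `dormant`, since that check runs first.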
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: How To Block "Profile Attacks"?

Post by Eran »

Very simple - use unique passwords for your site and an anti-virus that protects against key-logging (kaspersky for example). If someone gets a hold of your credentials, there isn't much you can do.
supermike
Forum Contributor
Posts: 193
Joined: Tue Feb 28, 2006 8:30 pm
Location: Somewhere in the Desert, USA

Re: How To Block "Profile Attacks"?

Post by supermike »

pytrin wrote:Very simple - use unique passwords for your site and an anti-virus that protects against key-logging (kaspersky for example). If someone gets a hold of your credentials, there isn't much you can do.
Again, remember, I'm not talking about getting access to *my* credentials, or anyone on the dev team, or the project manager of this project, or the sysops. Don't know if you were implying that, Pytrin. What I'm talking about is someone getting access to anyone's PC in the world through a worm or trojan virus or a yet-undetected buffer overrun exploit in IE or Outlook, finding out they have a monster.com account, and then through their keystroke logger (from the worm or trojan) they capture that end user's monster.com username and password.

At that point, monster.com is screwed. But when monster.com does some of the numbered steps (see my message before yours) I suggested, or perhaps other counter measures, they can protect themselves from "profile attacks".
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: How To Block "Profile Attacks"?

Post by Eran »

If a user on your site has had his credentials compromised, there's not much you can do about that. You can use request throttling - monitor incoming requests from the same IP and if they exceed a certain number per second, block him temporarily. The same throttling can be applied to specific actions - i.e., sending many interview requests in a very small time frame. Those actions may not automatically block - but rather raise "flags", a certain combination of which will automatically block and otherwise inform an administrator of a possible attack.
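The throttling-plus-flags scheme in the reply above, and the per-hour profile view counter from item 8 of the earlier list, are the controls that actually bite on this attack, because a stolen credential is valid and the only thing that distinguishes the script from the recruiter is how it behaves. The block below is an added example written for this thread, not code from the original posts: per-IP burst limiting blocks outright, per-account action limits inside a one-hour window raise weighted flags, and the summed score escalates from allow to alert to block. The thresholds, weights, action names and the "same account from two addresses" flag are assumptions chosen for the demonstration, as is the replayed event log at the bottom. A real deployment would keep the counters in a shared store (e.g. memcached or the database) rather than in process memory.

```php
<?php
// Added example, not from the original thread: per-IP and per-account
// throttling that raises weighted flags and escalates allow -> alert -> block.
// Thresholds, action names and the event log are assumptions. PHP 8.
declare(strict_types=1);

final class AbuseMonitor
{
    private const WINDOW = 3600;        // per-account sliding window, seconds
    private const IP_BURST_LIMIT = 20;  // requests from one IP within one second

    // action => [allowed count per WINDOW, flag weight]; 60 views/hour as in item 8.
    private const RULES = [
        'view_profile'      => [60, 1],
        'view_full_profile' => [20, 2],  // contact details of candidates who accepted
        'interview_request' => [30, 2],
    ];
    private const ALERT_SCORE = 2;      // notify an administrator
    private const BLOCK_SCORE = 4;      // automatic temporary block

    private array $byAccount = [];      // account => action => [timestamps]
    private array $byIp = [];           // ip => [timestamps]
    private array $ipsPerAccount = [];  // account => ip => last seen

    /** @return array{decision:string, score:int, flags:string[]} */
    public function record(string $account, string $ip, string $action, int $ts): array
    {
        // Per-IP burst: block outright, whichever account is being used.
        $this->byIp[$ip] = self::prune([...($this->byIp[$ip] ?? []), $ts], $ts);
        if (count($this->byIp[$ip]) > self::IP_BURST_LIMIT) {
            return ['decision' => 'block', 'score' => self::BLOCK_SCORE, 'flags' => ['ip_burst']];
        }

        $flags = [];
        $score = 0;
        $this->byAccount[$account][$action][] = $ts;
        foreach (self::RULES as $rule => [$limit, $weight]) {
            $seen = self::prune($this->byAccount[$account][$rule] ?? [], $ts - self::WINDOW);
            $this->byAccount[$account][$rule] = $seen;
            if (count($seen) > $limit) {
                $flags[] = "rate:$rule";
                $score += $weight;
            }
        }
        // Same account active from more than one address inside the window: a stolen
        // credential replayed while the owner is also logged in looks like this.
        $this->ipsPerAccount[$account][$ip] = $ts;
        $this->ipsPerAccount[$account] = array_filter(
            $this->ipsPerAccount[$account], fn(int $t) => $t >= $ts - self::WINDOW);
        if (count($this->ipsPerAccount[$account]) > 1) {
            $flags[] = 'multi_ip';
            $score += 1;
        }
        $decision = $score >= self::BLOCK_SCORE ? 'block'
                  : ($score >= self::ALERT_SCORE ? 'alert' : 'allow');
        return ['decision' => $decision, 'score' => $score, 'flags' => $flags];
    }

    private static function prune(array $stamps, int $cutoff): array
    {
        return array_values(array_filter($stamps, fn(int $t) => $t >= $cutoff));
    }
}

// Constructed replay: the legitimate recruiter, then a script using his stolen login.
$m = new AbuseMonitor();
$last = [];
for ($i = 0; $i < 5; $i++) {                 // John browses a few profiles
    $last = $m->record('john', '203.0.113.5', 'view_profile', $i);
}
printf("john: %s [%s]\n", $last['decision'], implode(',', $last['flags']));
for ($i = 0; $i < 61; $i++) {                // script scrapes 61 profiles in a minute
    $last = $m->record('john', '198.51.100.7', 'view_profile', 1000 + $i);
}
printf("after 61 views: %s [%s]\n", $last['decision'], implode(',', $last['flags']));
for ($i = 0; $i < 31; $i++) {                // then blasts bogus interview requests
    $last = $m->record('john', '198.51.100.7', 'interview_request', 1100 + $i);
}
printf("after 31 interview requests: %s [%s]\n", $last['decision'], implode(',', $last['flags']));
for ($i = 0; $i < 25; $i++) {                // 25 hits in one second from one address
    $last = $m->record('john', '198.51.100.7', 'view_profile', 2000);
}
printf("burst: %s [%s]\n", $last['decision'], implode(',', $last['flags']));
```

Walking through it: John's own views score nothing. The 61st view from the second address trips `rate:view_profile` (weight 1) and `multi_ip` (weight 1), reaching the alert threshold, so an administrator is told but the session is not yet cut. The 31st interview request adds `rate:interview_request` (weight 2) on top of the still-open view flag, the score reaches 4 and the account is blocked. The final loop shows the per-IP path: the 21st request in the same second is blocked regardless of account state. Tuning the weights decides how much a single noisy-but-legitimate recruiter is tolerated before a human looks.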
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How To Block "Profile Attacks"?

Post by kaisellgren »

supermike wrote:Imagine a guy named John. John's a great guy and a legitimate recruiter with an employer account at monster.com, let's say. Now John didn't know this, but he opened up an Outlook message that had a buffer overrun exploit inside it that worked on Windows. It launches a very tiny program that pulls down content from an FTP server in Belgium, then activates it. And what does it download? A keystroke logger.
Impossible to protect from with PHP.

There are forums that deal with such situations. Vulnerabilities in applications, operating systems, etc. Antiviruses usually block keyloggers too.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How To Block "Profile Attacks"?

Post by kaisellgren »

pytrin wrote:If a user on your site has had his credentials compromised, there's not much you can do about that. You can use request throttling - monitor incoming requests from the same IP and if they exceed a certain number per second, block him temporarily. The same throttling can be applied to specific actions - i.e., sending many interview requests in a very small time frame. Those actions may not automatically block - but rather raise "flags", a certain combination of which will automatically block and otherwise inform an administrator of a possible attack.
Exactly.

If a user on your site uses an insecure wireless network, or has outdated Windows (crazy), or if a user uses IE or other MS applications - there's not much you can do. It's the same thing as if this user writes his account details on a piece of paper and the paper accidentally gets lost.

You could force users to not use IE or Windows - check the HTTP request, not 100% certain though.