Big businesses ignoring critical website flaws

Some of the world's biggest household name retail and IT websites were riddled with holes that remained unfixed despite that affected organisations were informed of where the flaws were and how to fix them.

Retail websites, for instance, would deploy new web apps for new sales campaigns and fail to adequately check the code for security bugs. Up to 20 percent of businesses in that sector pushed out new code every day, making it the most prolific of all verticals. The holes existed in custom web applications and were generated often when new code was deployed.

US research firm Whitehat Security made the discoveries during weekly reviews of 20,000 websites belonging to its big ticket customers including eBay, Salesforce and SuccessFactors.

The six-year research found that 85 percent of its retail sector customers had highly critical security vulnerabilities in their websites. The average retail site had a whopping 106 flaws that could lead to "newspaper headline" data breaches, according to company founder Jeremiah Grossman (@jeremiahg).

More than half of retailers and customers in the education and non-profit sectors had at least one publicly-exposed flaw on their site every day of the year.

But despite that the security company informed its customers of the flaws, how it could be exploited and how to fix the bugs, retailers took on average a whopping 224 days to apply the fixes and only half bothered to do so -- the rest opting to remain vulnerable.

IT companies fared the same but were quicker to fix flaws.

"Life is unfair for these [retail] guys because they have to change their code a lot," Grossman said at a presentation given earlier this year at Ruhr University and to be repeated at AISA 2013 in Sydney today.

"That's because they have to release new code for each holiday or sale [and] everytime they change the code the run the risk of introducing new vulnerabilities."

Government customers were the most secure, yet on average each site contained eight flaws. Only 65 percent fixed the bugs, taking 48 days to do so after being informed.

Yet anyone of these vulnerabilities -- and all of the 20,000 sites contained at least one -- would be enough to lead to a significant compromise, Grossman said.
 
A third of all the tested websites had at least one critical vulnerability publicly exposed on their sites every day of the year. Some 29 percent had the flaws accessible for nine months and 18 percent had bugs exposed for a month or less.

Further research found most companies chose to ignore vulnerabilities if doing so did not break compliance requirements. The second most common reason given by WhiteHat's customers to its questions was that a patch or fix could conflict with a business case. Coming in third spot was that the risk of exploitation was accepted.

"Compliance represents the ceiling of their security, not the floor. So as long as an attacker is better than PCI compliance, they're gunna get hacked."

The spate of hacking incidents affecting gaming and media companies in 2012 had served in the long-term to lessen the time to fix flaws affecting those companies, the statistics showed.

Top 15

Of those affected websites, more than half (54 percent) gave up "high severity" information like internal IP addresses and user login credentials, and slightly fewer (52 percent) were vulnerable to cross site scripting attacks.

"[Attackers] aren't hitting the main homepages, they are hitting secondary websites and extracting data," Grossman said.

About a quarter of tested websites would validate whether a username was accurate meaning attackers who tried to brute-force logins would be helped in their bid to discover the credentials to target.

But the majority of known breaches were performed through simple attacks including denial of service, cross site scripting and SQL injection. The latter vulnerability had persisted even though it remained "unchanged since Christmas 1999".

"[Attackers] exploit the application, run SQL injection, install custom malware to beat antivirus and exfiltrate data - that's how it's happening out there - the rest (other attack vectors) is academic."

An ageing problem

Grossman said the "number one" problem with fixing flaws was that there was an "insane shortage of developers"  meaning businesses had to direct coders to focus on making revenue-generating features rather than patching vulnerabilities that may or may not be exploited.

"It's a problem for economics, not technology," Grossman said.

He said much of the problems behind website insecurities came down to legacy web code, budgets and priority errors.

"Most websites prior to 2005 weren't written with security in mind," he said. "Any website older than 2006 probably has SQLi (SQL injection vulnerabilities)."

Companies had also mis-allocated budgets. Most organisations he said would deliver IT investments into applications and labour costs first, followed by the host and networks.

Information security, however, would invest the lion's share of resources into protecting the networks with technology like firewalls, then invest in patch management and anti-virus and only tip very little on application security.

"It is 180 degrees -opposite to where the business invests," Grossman said. "Security is out of phase with the business and as long as that continues, data breaches will continue."

He also took a shot at so-called best practise security guidelines saying that most were untested in terms of its ability to reduce breaches, adding that noone had yet tied software input security controls to outcomes. "Everything becomes best practice but nothing is required to produce results."

Lessons

The research found that accountability was one of the most important facets to avoiding breaches.

Most of those organisations in which security professionals or executives were accountable for breaches reported they had not been hacked, significantly more than those where there was misplaced or non-existent accountability.

Grossman said accountability empowered security professionals to act and noted that best practice guidelines did not influence security postures.

The industry veteran who in 2000 served as Yahoo!'s then lone security tech gave examples of where security problems may arise for various businesses.

For those who had pushed out highly vulnerability code but patched bugs fast, there was likely a problem in development or quality assurance, but not in staff education.

Organisations which had few vulnerabilities but failed to fix them promptly likely had problems with education and security skill sets, or the business priorities were not well-aligned.

Copyright © SC Magazine, Australia