Companies looking to improve their overall security posture may want to look for vulnerabilities in a place where they never might have expected to be attacked -- their corporate intranets.
According to two leading security researchers presenting at the ongoing Black Hat 2007 security conference in Las Vegas on Wednesday, many companies are unintentionally leaving the door to their IT operations unlocked by failing to adequately protect their internal Web sites.
Based on advancements in security research that will allow hackers to use Web browsers and the flaws the programs carry to infiltrate and attack intranets with greater ease, including the use of newer hacking techniques such as CSRF (cross-site request forgery), businesses should begin actively reviewing and re-architecting the internal URLs to prevent major issues down the line, said researchers Jeremiah Grossman and Robert "RSnake" Hansen.
"This is a problem that is essentially as widespread as anything out there. Over the next eighteen months I believe that we'll see black hats catching up with the research community and beginning to adopt these tactics," said Grossman, who is the founder and CTO of vulnerability testing firm WhiteHat Security. "Basically with these types of attacks it's as if firewalls don't even exist."
Companies typically don't consider the fact that hackers could find a way to get into their intranets, the Web application testing expert said, but savvy attackers can find links to the sites by carrying out emerging attacks such as CRSF threats, which allow them to break into seemingly secure Internet sessions to secretly lift password and browser history data.
Hackers typically attempt to fool end-users into loading a Web page that contains a malicious request in common CSRF threats, much like traditional phishing attacks or cross-site scripting (XSS) techniques.
The attackers then try to misappropriate victims' identities and privileges to carry out activities such as changing their applications passwords to gain entrance to intranets or banking sites, or to log into e-commerce sites to make fraudulent purchases in their names. In some cases, the attacks are hidden on the vulnerable sites themselves.
Grossman said that CRSF threats and XSS attacks are most commonly being used together to swipe money from online bank accounts today. But based on his observations of corporate intranets, he maintains that the technique could spell trouble for internal company URLs in the near future.
Utilizing the approach, hackers can essentially access prior Web browser sessions and remain logged in to any sites that have been accessed by an end-user to carry out illicit activities, including sites that offer access to sensitive information or company data.
Another easy way to break into intranets is to use cross-site scripting attacks that mirror traffic from trusted Web sites, such as online banking applications, that won't likely get blocked from company networks, according to the experts.
In developing their intranets, it seems, many firms don't apply the same level of security testing that they use for their publicly available URLs, the researchers said.
"Companies think that only certain IP addresses may be able to access their sites. Bbut using these techniques the browser can go anywhere, which throws the defense of filtering IP addresses out the window," said Hansen, who operates the security consulting firm SecTheory. "Hackers can use the browser as a proxy to get access to intranet applications -- vulnerabilities in VPN systems for remote workers offer another attractive point-of-entry."
The experts said that to protect themselves, companies should begin defending their internal Web sites in the same manner they safeguard their external sites. Public-facing Web sites shouldn't be allowed to access the intranets on any level, which is another common means for hackers to find their way into the systems, they said.
"There will be tools made available that allow black hats to carry out this sort of threat easily within the next two years, which should inspire a lot more people to try them out," Grossman said.
"These types of browser vulnerabilities have always been there, and these attacks were always feasible. It's just that no one really knew about it; what the bad guys are doing with them today compared to several years from now is just the tip of the iceberg," he said.