Black Hat: Security researchers show how corporate intranets are ripe for emerging attacks

Companies looking to improve their overall security posture may want to look for vulnerabilities in a place where they never might have expected to be attacked -- their corporate intranets.

According to two leading security researchers presenting at the ongoing Black Hat 2007 security conference in Las Vegas on Wednesday, many companies are unintentionally leaving the door to their IT operations unlocked by failing to adequately protect their internal Web sites.

Based on advancements in security research that will allow hackers to use Web browsers and the flaws the programs carry to infiltrate and attack intranets with greater ease, including the use of newer hacking techniques such as CSRF (cross-site request forgery), businesses should begin actively reviewing and re-architecting the internal URLs to prevent major issues down the line, said researchers Jeremiah Grossman and Robert "RSnake" Hansen.

"This is a problem that is essentially as widespread as anything out there. Over the next eighteen months I believe that we'll see black hats catching up with the research community and beginning to adopt these tactics," said Grossman, who is the founder and CTO of vulnerability testing firm WhiteHat Security. "Basically with these types of attacks it's as if firewalls don't even exist."

Companies typically don't consider the fact that hackers could find a way to get into their intranets, the Web application testing expert said, but savvy attackers can find links to the sites by carrying out emerging attacks such as CRSF threats, which allow them to break into seemingly secure Internet sessions to secretly lift password and browser history data.

Hackers typically attempt to fool end-users into loading a Web page that contains a malicious request in common CSRF threats, much like traditional phishing attacks or cross-site scripting (XSS) techniques.

The attackers then try to misappropriate victims' identities and privileges to carry out activities such as changing their applications passwords to gain entrance to intranets or banking sites, or to log into e-commerce sites to make fraudulent purchases in their names. In some cases, the attacks are hidden on the vulnerable sites themselves.

Grossman said that CRSF threats and XSS attacks are most commonly being used together to swipe money from online bank accounts today. But based on his observations of corporate intranets, he maintains that the technique could spell trouble for internal company URLs in the near future.

Utilizing the approach, hackers can essentially access prior Web browser sessions and remain logged in to any sites that have been accessed by an end-user to carry out illicit activities, including sites that offer access to sensitive information or company data.

Another easy way to break into intranets is to use cross-site scripting attacks that mirror traffic from trusted Web sites, such as online banking applications, that won't likely get blocked from company networks, according to the experts.

In developing their intranets, it seems, many firms don't apply the same level of security testing that they use for their publicly available URLs, the researchers said.