Concern about web security at financial institutions
Russ McRee’s post on The need for financial web application security rang true for me. While the bad actors are finding ways to make money through e-commerce and even social network websites, the finance sector will always be a target since that’s where the money is.
It can be super tough to harden a website against online attacks. Russ does a great job calling out some of the things that are especially troublesome, but this dovetails nicely into the presentation Jeremiah Grossman gave yesterday (link to follow). Jeremiah’s presentation said that cross-site scripting and cross-site request forgery are major problems, but business logic flaws are becoming more and more prevalent.
Unfortunately, websites of all types are going to need to start defending themselves against all of these types of attacks – both the technical kind and the business logic kind.
Business logic flaws on the rise, according to new report by WhiteHat
WhiteHat Systems released its seventh installment of the WhiteHat Website Security Statistics Report today, with a webinar tomorrow by Jeremiah Grossman going through the top ten most prevalent website security issues.
According to WhiteHat, the top ten vulnerabilities remain largely unchanged, with Cross-Site Scripting continuing to top the list. However, “business logic flaws, an often-overlooked issue that enables hackers to take advantage of the functionality of a site, occupied more than half of the top spots.”
This should be great awareness for business logic flaws and the impact they can have on websites. At Silver Tail, we are always looking to raise the mind share on business logic abuse and business logic flaws because these rising threats are causing companies a tremendous amount of pain today. Bad guys now target the legitimate business logic of websites to perpetrate their fraud, and it’s extremely difficult to detect and disrupt.
The webinar should be very interesting – check it out: Tuesday, May 19, 2009 at 11:00 a.m. PT / 2:00 p.m. ET.
Precision hacking – a new term for business logic abuse?
We’ve been having a lot of discussions lately about one term that describes when people use the legitimate function of websites to perpetrate bad behavior. Sometimes the bad behavior can be fraud and sometimes it is just a nuisance.
An example of the nuisance type of bad behavior is the Time “Most Influential People” poll being hacked. Paul Lamere called this exploit “precision hacking”. But I’m worried that using the word “hack” is too technical for the business folks to take seriously. It also puts these types of flaws squarely in the security space when often these are more risk management issues.
Jeremiah Grossman has called this business logic abuse - the abuse of the legitimate business logic of a website. I like the term since it makes sense logically, but I worry that you have to think about it for a while before you understand what it is implying. This can also be called business logic flaws.
What would be really great is to come up with a term like “Phishing” – something that has no real meaning, but that everyone will come to associate with these types of attacks.
Here are some suggestions for possible terms to represent when someone uses the legitimate pages of a website to perpetrate bad behavior. Let me know if you have opinions or if you have other suggestions.
- business logic abuse
- business logic flaws
- business logic exploits
- precision hacking
- swizzling
- e-cheating
- cheeting
- others?
Blogging Highlights from RSA
The RSA conference 2009 picked up with some great keynotes on Wednesday and stellar sessions on Thursday. It is done, at least for me.
I thought Melissa Hathaway delivered a solid keynote, but everyone wanted more details and especially the 60-day cyber-security assessment due from the White House next week. That let some folks down, but she still delivered with examples, priorities and even some humor. Good to hear the Obama administration considers cyber-security a top priority.
Dave DeWalt from McAfee started off suspect – I thought the weather analogy would get cheeky, but he held true to it and it played well, inserting some gruesome stats and trends. My favorite (or scariest): “…more malware attacks in 2008 than in the previous 5 years combined”. And by the way, what is this malware doing? Abusing business logic, hijacking sessions, and in general driving malicious behavior on web sites – good timing for Silver Tail, in my opinion. The more complex the malware and the attacks, the more important behavior analysis, anomaly detection and real-time disruption will become.
The last keynote, James Bamford, was an eye-opener. One would think the NSA could do anything, but it’s amazing what it missed – both in terms of trends and specific attacks. Another favorite (or scariest again): After 9/11, President Bush ordered the NSA to eavesdrop domestically, violating the FISA act. Attorney General Ashcroft had to sign an “it’s ok to eavesdrop” form every 90 days. Eventually Ashcroft was convinced it was a bad idea to keep signing this and the entire leadership of the Justice Department nearly resigned over the issue.
I must highlight the Fighting Russian Cybercrime Mobsters session with Dmitri Alperovitch, from McAfee and Keith Mularski from the FBI. They did a fantastic job outlining the history and current threat of Russian organized crime in online fraud, including a summary of the DarkMarket campaign the FBI and 8 other countries ran to arrest many cyber-criminals. Very informative and entertaining. Favorite quote (not so scary): “Q: Are the bad guys far ahead?” Mularski’s Answer, “No, I really don’t think so.” So you’re saying there’s a chance…!
Another highlight – Pat Peterson from Cisco diving into the details of bots and botnets. Fascinating research and data. Essentially, “there is no online criminal activity without bots involved.” The money is pretty staggering.
Trey Ford put together an entertaining session on business logic flaws – always a favorite for me since highlighting the abuse of the business process (i.e. business logic abuse) demonstrates the ROI Silver Tail can bring if you could detect new threats and disrupt them in real time. “The code is not broken, it’s the business process!”
Good news is I’m done with the RSA conference – it’s been great, good seeing old friends, fellow bloggers & tweeters and meeting new contacts. We are back in SF next week for FinovateStartup09.
Continue to follow Silver Tail through our blog and now Laura Mather @STSgirl and I @smurdoff are on Twitter.
“Equal Opportunity” Business Logic Exploits
There was a phishing attack against iStockPhoto a few weeks ago. A phishing attack against a new brand isn’t interesting in and of itself. What is interesting about this particular attack is that it wasn’t clear why the phishers were specifically targeting iStockPhoto.
Before we get into the various speculations and the actual reason, let’s talk a bit about what happened. The phishers used the same type of attack that they use on social network sites. They posted messages with links to the forums and through iStockPhoto’s internal messaging system. These messages had links in them that took you to fake iStockPhoto sign-in pages. iStockPhoto took the entire website down for several hours while they cleaned up the mess on their forums and in their internal email systems. Add that to the bad press they are getting, and their brand is probably suffering a bit right now.
This type of attack is perpetrated daily on the social network sites, but the results on iStockPhoto were a bit different.
There were several hypotheses about why the phishers would try to steal iStockPhoto passwords. Most of the theories I saw thought the phishers were using the credits in the iStockPhoto accounts to buy photos. Hmmm. Not sure why they would do that. To make their phishing emails look better? Phishing is all about marketing, but I’m not sure the phishers would go to those lengths when they can just copy a very well crafted email from a well known brand.
I had a different, and equally incorrect, hypothesis. My hypothesis was that the userID for an iStockPhoto account is an email address. Once you have someone’s email address and password to one account, there are lots of opportunities for badness. Since many online services use an email address as the userID and many people use the same password for all of their online accounts, you could do damage on a lot of websites with someone’s email address and password. And imagine tricking someone to give up their email address and password on iStockPhoto. It would probably be a lot easier than tricking them into giving up their password to their bank account. Their suspicion level would likely be fairly low when it comes to an iStockPhoto signin page. And then you could go try that email address/password combination all over the internet! But, alas, I was wrong.
I read a post today from one of the victims that said their credit card was charged for more than $1500 following the incident. Is it possible iStockPhoto showed a user’s credit card details in the clear if you went to that user’s account page? If they used to do so, they probably don’t show that information anymore.
If the phishers were going to the page that showed credit card information for users, this is a clear cut example of business logic abuse. There are lots of reasons to want to show the user which credit card they have on file (though you don’t need to show them the entire number). iStockPhoto needs that functionality as part of their business model. And yet, the phishers were able to exploit it for their evil ways.
I see two takeaways from this incident. First, the phishers are continuing to abuse legitimate business logic to perpetrate their crimes. Second, the phishers are truly becoming “equal opportunity” bad guys. No longer are they targeting only the well known brands when they can make their money off of the smaller, less popular brands. The small and medium sized brands out there better get ready – the internet bad guys are coming after you too!
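The fix the post points at, showing a customer which card is on file without ever putting the whole number on the page, as an added example that is not iStockPhoto’s or Silver Tail’s code. The StoredCard layout, the view fields, and the test card number are assumptions; the point is that the view layer is built from a masked value, and a regression check confirms the full number cannot reach the page.

```python
# Added example (not iStockPhoto's or Silver Tail's code): build the
# "card on file" view so the account page never carries the full number.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class StoredCard:
    # What the billing system holds (assumed layout; constructed sample data).
    brand: str
    pan: str          # full primary account number: sensitive, never rendered
    exp_month: int
    exp_year: int


def mask_pan(pan: str, visible: int = 4) -> str:
    """Return the PAN with every digit but the last `visible` replaced by '*'.
    Separators are stripped first, so '4111 1111 1111 1111' and
    '4111111111111111' mask identically."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 12 or len(digits) > 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - visible) + digits[-visible:]


def card_on_file_view(card: StoredCard) -> dict:
    """Build the data the account page is allowed to show: enough for the
    customer to recognise the card, nothing a phisher could reuse."""
    return {
        "brand": card.brand,
        "masked": mask_pan(card.pan),
        "expires": f"{card.exp_month:02d}/{card.exp_year % 100:02d}",
    }


def leaks_pan(view: dict, card: StoredCard) -> bool:
    """Regression check for the view layer: does any rendered value contain
    the full PAN, with or without separators?"""
    digits = re.sub(r"\D", "", card.pan)
    return any(digits in re.sub(r"\D", "", str(v)) for v in view.values())


if __name__ == "__main__":
    # Constructed sample using a well-known test card number, not a real card.
    sample = StoredCard("Visa", "4111 1111 1111 1111", 9, 2011)
    view = card_on_file_view(sample)
    print(view)
    print("leaks full PAN:", leaks_pan(view, sample))
```

The `leaks_pan` check is the part worth keeping around: run it against every view the application builds from a stored card, so that a later “helpful” change to the account page cannot quietly reintroduce the exposure.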
Blogging from the Merchant Risk Council (MRC)
We are at the Merchant Risk Council (MRC) this week in Las Vegas.
Great welcome reception last night – attendance was sold out this year, which is a statement about the quality and importance of this conference. Pick your survey out there, online fraud is on the rise and people are concerned. Kudos to MRC for putting on such a strong showing in such economic times.
This morning Tom Ridge gave the keynote – a great mix of politics, e-commerce and generational commentary. He’s recently learned how to text his kids, by which they were shocked (good laugh for the crowd).
Tom outlined his concern that recent data breaches, phishing attacks, and even the fraud prevention attempts that web sites employ for all users (how many times do I have to tell you, “it’s me!”) provoke a feeling that the internet is not safe. This is bad for everyone. And when his view is, “the Internet is the most important piece of critical infrastructure we have in America,” we need every bit of trust in the Internet that we can get.
The quote I like best, “Better to manage risk before it manages you.” Think about it.
Another highlight was the presentation from David Moriarty at Apple – amazing data he has captured from Apple on their transaction fraud monitoring, diagnostics and anomaly detection. I liked the analogy to the Tom & Jerry cartoon – Tom continues to chase Jerry, through every scenario possible, with Jerry always finding another way to get the cheese. Chasing fraudsters is often a game of cat and mouse and no one plays it better than Tom & Jerry!
Business logic flaws got a mention from Trustwave, in their talk about hacking at the application level. I believe we will see more about business logic flaws and business logic abuse in future presentations at MRC.
Ori Eisen from 41st Parameter gave a mention to “know thy enemy” in order to fight back against fraud. Good advice. Thinking like a bad guy is a notion we exercise a lot at Silver Tail.
I witnessed considerable attention on fraud for the transaction (online purchase) – a very important process because that is where the money is. However, what if you could detect fraudulent behavior before the transaction is started? What if you could detect a fraudster based on their behavior on the website before they ever click to buy? It’s a question that has generated a lot of interest in what Silver Tail is doing. Would like to hear your comments.
First White Paper on Business Logic Abuse
The next big thing in website attacks is business logic abuse. This is the use of legitimate business logic (including sound business logic and business logic flaws) to commit online fraud. It’s getting a lot of recognition, from Wikipedia articles (as highlighted in a recent post) to Black Hat presentations like the one from Jeremiah Grossman at Black Hat 2008.
Silver Tail has released the first white paper defining business logic abuse – including methods for detecting, investigating and stopping malicious behavior (including hijack threats, velocity attacks and gaming schemes) as they occur.
Online fraud is on the rise and no one predicts it will decline. The number of fraudsters is increasing and the attacks are evolving from theft through hacking into more sophisticated attacks targeting the business logic of the website itself.
Given that business logic exploits can be live for weeks or months, it is no wonder bad actors are constantly finding new ways to exploit websites. Combine this with the significant income from online fraud and the lack of fear of law enforcement and one can see why this problem is on the rise. The return on investment (ROI) for bad guys is just too compelling! What websites need is a potent response: namely, the same automation and ability to innovate as the bad guys.
Silver Tail has published the first white paper on business logic abuse. The paper defines business logic abuse and the significant impacts it can have on an organization. Definitely comment here or contact us privately with any feedback you have relating to the paper. It would be great to hear your thoughts!
Business Logic Abuse Wikipedia Article
There’s an article on Wikipedia on business logic abuse. I’ve heard differing views on Wikipedia – some say it is a super handy reference while others think that encyclopedia articles written by the masses are unreliable at best.
The thing that’s great about Wikipedia is that it lets lots of people contribute to crafting a comprehensive article. So – if you have thoughts on how business logic abuse should be defined, or examples, or references, I’d encourage you to contribute your part.
Now you know about a business flow exploit – how do you fix it?
In talking about the Koobface virus I pointed out how the identification of business logic flaws can take days and the investigation of the flaws can take even more time. Throughout both of these phases, customers are exposed to whatever bad behavior is being perpetrated through the abuse of the website’s business logic.
Oftentimes, after identification and investigation, the website can put some kind of intermediate fix into place. These intermediate fixes are usually stop gaps to prevent the bad behavior while a more robust solution is developed. The problem with these stop gap solutions is that they often impact more legitimate customers than is intended and/or don’t completely stop the abuse of the site’s business logic.
The key to completely addressing the business logic abuse is to develop a long term fix for the issue. Those of you who have your own development cycles to contend with know that these fixes are often extremely time consuming to deploy. The solution has to be designed, coded, tested, merged with the build, and released. Some websites are very efficient at this and can take a new feature from concept to release in a few weeks or a month. For most websites, this concept-to-release cycle is months long. In an emergency case, most websites can get a fix deployed within 2-4 weeks.
It may seem like 2-4 weeks isn’t a very long time. But let’s review what happens with the Koobface virus. Bad guys start sending links to malicious websites through a social network’s messaging interface. It takes 2-3 days for the site to determine that there is a problem. It takes another 4-10 days to investigate the problem and figure out how it is happening. Then, it takes 2-4 weeks to deploy a fix. During this time period (between one and six weeks by the logic above), the bad guy is able to take advantage of the business logic flaw he discovered. He can likely perpetrate a lot of bad behavior in that time.
Because the bad guy is able to reap the rewards of the exploit for so long, the cycle perpetuates itself. Once a particular business logic flaw is fixed, the bad guy has every incentive to find another one and start the cycle over again. Believe me when I say, being the person at the website who is dealing with this constant barrage of attacks is extremely frustrating!
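What an intermediate fix of the kind described above might look like for the Koobface scenario, as an added example that is not the social network’s or Silver Tail’s code: a velocity check over message-send events that flags an account once it has pushed external links into more than a set number of messages inside a time window. The event layout, the site domain, the thresholds and the sample events are all constructed assumptions. Running it at two thresholds shows the trade-off the post describes, since a tight threshold also catches the legitimate user who shares a few photo links.

```python
# Added example (not the social network's or Silver Tail's code): a stop-gap
# velocity check on message sends with external links, plus a look at which
# legitimate senders a given threshold would also catch.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlparse
import re

SITE_DOMAIN = "example-social.test"          # assumed: the site's own domain
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def external_links(body: str) -> List[str]:
    """Links in a message whose host is not the site itself (or a subdomain)."""
    out = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != SITE_DOMAIN and not host.endswith("." + SITE_DOMAIN):
            out.append(url)
    return out


def flag_senders(events: List[Tuple[datetime, str, str, str]],
                 max_sends: int = 5,
                 window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Return {sender: time first flagged} for senders who put external links
    into more than `max_sends` messages within any `window`.
    `events` are (timestamp, sender, recipient, body) tuples in time order."""
    recent = defaultdict(deque)   # sender -> timestamps of link-bearing sends
    flagged = {}
    for ts, sender, _recipient, body in events:
        if not external_links(body):
            continue                      # internal links never count
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop sends outside the window
            q.popleft()
        if len(q) > max_sends and sender not in flagged:
            flagged[sender] = ts
    return flagged


# Constructed sample: one account blasting the same bait link to many friends,
# one legitimate user sharing a few photo links, one user posting an internal link.
t0 = datetime(2009, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = []
for i in range(8):
    SAMPLE_EVENTS.append((t0 + timedelta(seconds=20 * i), "acct_1042", f"friend{i}",
                          "lol u look funny here http://video-update.test/watch?id=7"))
for i in range(3):
    SAMPLE_EVENTS.append((t0 + timedelta(minutes=i), "alice", "bob",
                          f"see my photos http://photos.example.org/set/{i}"))
SAMPLE_EVENTS.append((t0 + timedelta(minutes=1), "carol", "dave",
                      "lunch? see http://example-social.test/groups/5"))
SAMPLE_EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    for threshold in (2, 5):
        hits = flag_senders(SAMPLE_EVENTS, max_sends=threshold)
        print(f"max_sends={threshold}:", {s: ts.time().isoformat() for s, ts in hits.items()})
```

At `max_sends=5` only the blasting account is flagged; at `max_sends=2` alice is flagged as well, which is exactly the “impacts more legitimate customers than intended” problem with a stop gap tuned too tightly. A check like this buys time while the long-term fix goes through design, coding, testing and release; it does not replace that fix.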