Mind the Skills Gap

Tales of Cyber Security #3: 3 key concepts to secure your application against hackers

March 28, 2020 Stellar Labs Season 1 Episode 6

Raf Martino is a cyber security consultant at Cyber4z and one of our expert trainers on Stellar Labs' "Cyber security: become an ethical hacker" programme. He talks to Stellar Labs about how hackers exploit simple vulnerabilities in web applications, the tools most of us use every day. More importantly, he describes some vital steps to take to secure those vulnerabilities and keep yourself and your organisation safe. We all have a role in preventing cyber crime, but it can seem technical and daunting. Fortunately you don't need to be a cyber security expert to listen to Raf, because he explains things so that everyone can take action.

Stella:

Welcome to the Stellar Labs podcast. Future learning today. At Stellar Labs, our mission is to bust the technology skills crunch with effective, measurable, engaging training. We consult on, design and deliver the technical and people skills and competencies you need in business. In these podcasts, you'll hear from industry experts and practitioners from the worlds of technology and training. They'll share their experience, insights and inspiration and their visions for the future with you. Keep listening to start your future learning here today. Hello, I'm Stella Collins and welcome back to the Stellar Labs podcast. Today I'm talking to Raf Martino, cyber security consultant at Cyber4Z and also a knowledge partner on our "Become a cybersecurity specialist" programme. Raf, one of the things that we're all a bit faced with at the moment is, because of the coronavirus, we're working more from home, we're working more online. What sort of challenges is that throwing up for us?

Raf:

Well, what we're currently seeing is obviously, it's unusual to have that many people working from home. So you have an overload of connections via secure channels, so VPN connections to your office network, which are overloaded. They are not designed to have that many connections, which obviously is also a realistic threat, a risk, because attackers might exploit that, might perform some denial of service attacks on those services, which essentially bring your business down. That's currently a big risk and a big trend we see.

Stella:

Okay. So, yeah, we know for all of us that things are possibly working a bit slower on the internet, but there are worse things happening. Raf, you wanted to talk about some of the concepts about securing applications against attackers. So can you give us, first of all, and explain to perhaps the ordinary mortal like me: what exactly do you mean by application, and who needs to protect their applications?

Raf:

Yeah, so what I see here in the context of an application is nearly everything you're using on the internet. So if you're going through your banking application, if you're connected to your office network and using an internal application to, for example, write your work hours, that sort of stuff. That's all web-based usually, but it can run on the internet, or it can run only internally at your office. The primary aspect is that it's a web-based application like you're used to using throughout the internet.

Stella:

So it's pretty much everything that most of us are using on our phones, on our computers. They're all applications. Yeah. Okay. So this is pretty important to all of us.

Raf:

Yeah, definitely. It's one of the most commonly used types of software I guess. So it can have an impact on that. It can have an impact on many people.

Stella:

Okay. So what are some of the common problems then in protecting our applications? One of the things I've heard is that user input is a challenge, but again, what do we mean by that? And what would you recommend we do to protect ourselves?

Raf:

Well, yeah, if we look at the most common web application vulnerabilities, there's a list called the 'OWASP Top 10', a very good resource. A lot of that can be linked to trusting user input when you shouldn't. So if you type something in a web application, for example in your banking application, you can maybe search for something in your savings account or checking account, or just anywhere online where you can input your username or you can perform a search: that's all user input that goes to your server. As a developer you have to be aware of the fact that that user input might be malicious. So, for example, when it reaches a database, it might be able to change records if you don't handle that with caution. It might also have an impact on other users of your application. For example, if you are able to input something that is shown to another user, it might be able to run code in the browser of that other user. So for example, if I'm now going to Google, I want to Google something and there was a vulnerability that trusted user input from a malicious user, it could be reflected, so to speak, on my page and have an impact on me. So there are two aspects essentially. You have the server that can be hacked, but you can also have other users of your application that can be hacked.

Stella:

Okay. So effectively your system is set up to say this data is safe, we will accept this data. But you've got malicious people then using that and putting in malicious data.

Raf:

Yeah, exactly. So if you're testing an application as an ethical hacker, one of the first things you do is: you don't give it the input that it expects. You give it the input that it doesn't expect and you watch what the application is going to do. Okay. All right.

Stella:

So you want a system that can actually say this isn't what I was looking for. I wasn't looking for a file right now. I was looking for a name or something like that.

Raf:

For example, yeah. So one good recommendation there is that you should always be aware of what kind of input you're expecting. So if you're expecting, for example, a credit card number, you shouldn't allow people to input anything else. And if they are still able to do that, you should be able to detect that and just reject that sort of input.

Stella:

Okay. So as a user, if you type in rubbish instead of your credit card, it usually does come back and say that's not right. And what other common problems do you have? What else is a challenge?

Raf:

Well, what we see a lot is really outdated components in your software stack. So, for example, your web application is running on a web server that has not been updated for the last three years. That's something we see on the internet, but also internally at companies. And what that means is, if somehow as a hacker you can see what version is running, there are multiple websites out there where you can put that version in and it will tell you if there's a way to exploit that vulnerability, or if there are vulnerabilities in the first place, obviously. But if you have a three-year-old version, for example, then chances are that there's a vulnerability you can exploit. And usually those are also publicly available. So you can just download the script and point that at that web server and exploit it, which in many cases gives you access to the server itself.

Stella:

So you actually download the hacker's script. Scary. So this is why, for instance, on our websites (I have a WordPress website) we need to make sure that the latest updates are all in place.

Raf:

Yeah, definitely. And it's not only the WordPress site itself, but also the plugins that you use on that WordPress site, because those themselves can have vulnerabilities as well.

Stella:

Okay. So things need to be up to date. Are there any other things that you would tell us we need to be more careful about?

Raf:

Well, what you see a lot as well is sensitive data being disclosed. So you have a lot of personally identifiable data, which is very, very sensitive, and usually that's just a matter of forgetting that you published something somewhere. Which is the same for default configurations of many software applications, which in a lot of cases just disclose logging somewhere. It might not be directly linked on your application page, for example, but there are tools that can enumerate all of the pages that you are hosting. And it's something we see a lot in penetration testing, and it often gives us enough information to get that one step further into hacking the application, credentials for example.

Stella:

So is this the sort of thing like, sometimes you get to see, if you're trying to fill in a security questionnaire, it says: "what's the name of your first school" or "your pet" or something, and you happen to have just posted it on Twitter, for example: "my cat Fluffy has done this, this and this". Is that the sort of thing we're talking about?

Raf:

No, that's something different. That's more a combination of social engineering, I would say, and actually having an insecure way of getting hold of your password when you forgot it, for example. There are better ways of doing that. But what this is more about is mainly deploying an application somewhere and forgetting about the default stuff that comes with deploying an application. So you have, for example, the login page for the administrator that might be disclosed somewhere. You might not be aware of that and it might still be using the default credentials. That's something that happens a lot. It might also be, for example, you were debugging something, so solving an issue as a developer, but you need some kind of logging for that. Maybe you log too much and you show that in your application, somewhere in the background; you can use that as extra information as an attacker to see what is happening and maybe misuse that. What we often see is even credentials being logged. So usernames and passwords, in logs that are open to anyone on the internet. And that's something that's very dangerous of course, because you can just try those out and it often gives us administrative access to some of the applications we test.

Stella:

Okay. So there are all sorts of different levels of being cyber secure here. There's, you know, the average person like me who needs to be careful. For instance, I now use a special little tool called "Bitwarden" to keep my passwords in, which perhaps I shouldn't have shared in public, but at least I'm doing that now. So you have people like me who need to be more aware of what we're sharing, but you've also got, within the IT community itself, people who need to be more aware of what's going on. You tend to expect that people in the IT community understand these things, but actually they're probably not necessarily any more cyber aware than the rest of us.

Raf:

No. Yeah, that's true. It's still a very specific domain. And if you're good at just programming or developing in general, it doesn't necessarily mean that you're also aware of security. It's becoming more common nowadays, so software that people are using is maturing in respect to security at least. But there's still a long way to go, and awareness is really key, and having well-trained developers who are also trained in security is of very high value.

Stella:

And is security something that developers are taught generally, normally? Is that part of their educational process?

Raf:

There's not really a focus on it, but you can't ignore it of course. You have the basic concepts, normally, of how to handle user input, for example. If you're programming something that has to write something to a database, nowadays you need to be aware of the fact that user input can be dangerous. So that sort of stuff normally is already taught.

Stella:

Okay. So there is some element of it, but really we all need to become more cyber aware and have the skills to respond when something happens. But, for most of us, we're going to have to call in specialists like you if we have a genuine problem, I would imagine.

Raf:

Yeah. And also sometimes it's really what we call a chain of vulnerabilities that we exploit. So it might not be one little aspect somewhere, but we use that little aspect and then another little aspect that we found, and we use those together, and then we have something that could compromise an application, for example. So that's where a real big part of the added value of having ethical hackers is, because those are the situations you typically can't find as a developer. It's the small things that you still have to be aware of that can go wrong.

Stella:

And I think it's quite important to explain to people, Raf, that in your job as an ethical hacker you're not just wandering randomly round and hacking into random people's systems; you have to be invited in by an organization to inspect and audit their system. That's right, isn't it?

Raf:

Yeah, definitely. So, we have all kinds of agreements that we have to have in place before we start. That's to protect our customers and ourselves, of course. We obviously won't do anything malicious without first having an agreement in place. And even then we won't do anything that will harm systems. For example, if we identify something that could harm your systems, we will always mention that to you, and in some cases, if you have a test environment where it doesn't really hurt any people or impact production, then we, together with the customer, try to exploit that to see what the impact really is. But we will never just start hacking away.

Stella:

Yeah. So that was worth explaining, just because I could hear you talking about hacking into things and I thought maybe people here are thinking I'm talking to an unethical hacker.

Raf:

Even if you do it in bug bounties, for example online, there are rules that you have to follow. So even then, if you gain access to a server, for example, you are never allowed to run any commands on it, for example; that's just not ethical.

Stella:

Yeah. Okay. And I think that is really important. So I think what I've kind of picked up from this is that, you know, actually cyber security or cyber risk is a big risk. And the more we're online the higher the risk, as we talked about earlier on: with coronavirus more people are online. But there are solutions and there are people like you working to protect us. What would be your best piece of advice for, you know, perhaps the ordinary person in the street, the ordinary person at work, just to try and keep themselves safe? What's your best piece of advice for that?

Raf:

Well, I think the best piece of advice is being aware of the fact that it's very easy to let a hacker in. So if you see something that seems too good to be true, an email, for example, with an attachment, anything that's a little bit out of the ordinary, you tend to pick that up. It's something intuitive. Just don't click it, just don't give in to your curiosity, I would say, and report that to the people that are involved with security in your company, for example. But also if you're doing this just privately on your own laptop, just be careful with opening stuff at random. That's the biggest risk there.

Stella:

Okay. Thank you, Raf. It's been really interesting. I've understood even more about what you're doing, and I'm continuing to learn more about cyber security all the time, which is really fascinating. Thank you very much indeed for sharing your thoughts today. And I hope we can have you back on, perhaps in a few months' time, and you can tell us some more.

Raf:

Definitely. Thank you. Great to talk to you. Bye bye.

Stella:

Thank you for listening to today's podcast. Please share it with your friends and colleagues and visit our website, stellarlabs.eu, to learn more about what we do and how we do it. Tune in to the next episode.