Criminals find every loophole

The audit of 73 universities, one in five of those planned, had to be abandoned because too many gaps had already been found. What this means for software security.

9 min read

Cybercrime is a professionally organized business model with specialized departments for every step of the attack: gaining access, malware, fake websites. Ransomware groups encrypt systems and demand a ransom. Effective protection requires actively adopting the attack perspective, disconnecting systems, immediately installing updates and consistently using two-factor authentication.

Key Takeaways

  • Ransomware groups work like professional start-ups: specialists buy and sell system access, others develop Trojans or build deceptively real phishing websites.
  • Those who pay after a ransomware attack are often attacked a second time because word gets around among criminals as to which victims are willing to pay.
  • Backups only provide protection if they are disconnected from the main network: At Maersk, all backups were linked and encrypted together with the overall system.
  • Two-factor authentication and the consistent installation of software updates already close many of the most common attack vectors without requiring a great deal of technical effort.
  • Anyone who develops or operates software must actively adopt the attacker’s perspective, because their own defender’s point of view systematically ignores the gaps that criminals are specifically looking for.

Cybercrime runs like a successful start-up

Successful ransomware gangs work professionally based on a division of labor. Leaked internal chats and logs of such groups show that they have their own specialists for every step of the attack.

The tasks are clearly distributed. Some buy and sell access to other people’s systems. Others develop Trojans and viruses. Still others build fake websites that look as convincing as the real ones.

Eva Wolfangel has seen such fake banking websites that were visually indistinguishable from the originals. They can only be recognized by the URL. Most people do not check this and enter their access data.

Anyone defending themselves must take this professionalism seriously. On the other side is not a hobbyist, but someone with a well-paid full-time job. Defending takes the same effort that the attacker puts in.

Why hackers find every gap

Hackers find gaps because their mindset is geared towards using a system differently than it was intended. This perspective is decisive, not just technical knowledge.

A convicted cybercriminal who served ten years in prison described exactly this mindset: where are the loopholes, where can I use a system in such a way that I do things that are not actually intended? For him, this was a bureaucratic, well-paid job.

The security officer on the other side needs the same mindset. The difference is not in the method, but in the intention.

The same gap can be seen in software testing. Testers often check what is written in the requirements: whether the system works as intended. Attackers take the opposite view and test everything that was not intended.

The “evil bit”: criminal mindset as a skill

The term “the evil bit” is circulating in security circles. This refers to the ability to put oneself in the perspective of a criminal: not to protect the system, but to deliberately think against it.

Whether everyone can learn this is debatable. One security researcher put it this way: you either have the evil bit or you don’t. Some acquire the mindset, some say they simply can’t do it.

In practice, this has clear consequences. Either you develop this perspective yourself, or you get someone who does. Relying on the fact that your own software is only used as it is intended is not enough. Others will find the gap and use it differently.

That’s the only thing that’s missing: not saying this is how my software is meant to be used and not that way, but being prepared for others to find the gap and use it in a way it wasn’t meant to be used.

Eva Wolfangel

One in five universities had open gaps

A random sample of German universities showed how many gaps there are in the network. The plan was to roughly check around 400 universities and colleges from the outside. After 73, the investigation had to be aborted because so many gaps had already been found.

This corresponds to one in five of the largest universities. Large universities in particular tend to have more resources for security. The rate would probably have been lower for smaller institutions.

No exotic vulnerabilities were found, but highly sensitive data, some of it openly on the Internet:

  • Certificates, including a psychiatric certificate to postpone an exam
  • Reports to the police
  • Countless notes with name, matriculation number and often address

At some large universities, security vulnerabilities made it possible to penetrate the systems. A ransomware gang could have encrypted them at this point.

Reporting vulnerabilities is more difficult than it should be

The biggest practical obstacle was not finding the gaps, but reporting them. Anyone who discovers a vulnerability often fails to reach the right contact person.

On many websites, it was almost impossible to find out which address is responsible for IT security incidents. Some universities did not get back to us for a long time. In one case, the responsible email address went unattended because the data protection officer was on vacation and no one was keeping an eye on the mailbox.

This is relevant because ethical hackers make such reports on a voluntary basis. If you make it easier for them to report a vulnerability, you increase the chance that it will be reported at all. Having a clear, visible and staffed point of contact for security incidents is the first thing an organization can do right.
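One standard way to publish such a point of contact is a security.txt file (RFC 9116) served at /.well-known/security.txt; the page does not mention this standard, and the checker below is an added example, not from the original article. The sample file, the domain university.example and all addresses in it are constructed placeholders; the check flags the two failure modes described above: no reachable contact, and a file nobody has reviewed since the expiry date passed.

```python
"""Validate a security.txt (RFC 9116). Added example; SAMPLE below is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample: shared mailbox + web form, and an Expires date that forces review.
SAMPLE = """\
# https://university.example/.well-known/security.txt
Contact: mailto:security@university.example
Contact: https://university.example/security/report
Expires: 2026-06-30T12:00:00.000Z
Preferred-Languages: de, en
"""

ALLOWED_SCHEMES = ("mailto:", "https://", "tel:")

def parse(text):
    """Return {field: [values]} from a security.txt; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, now_iso=None):
    """Return problems found (empty = usable); now_iso is an aware ISO timestamp."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    f = parse(text)
    problems = []
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("no Contact field: reporters cannot reach anyone")
    for c in contacts:
        if not c.startswith(ALLOWED_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {c}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
        return problems
    try:
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + [f"Expires is not an RFC 3339 timestamp: {expires[0]}"]
    if exp <= now:
        problems.append("Expires is in the past: the file (and mailbox) is unreviewed")
    elif exp > now + timedelta(days=365):
        problems.append("Expires is more than a year away; RFC 9116 says keep it under a year")
    return problems
```

Pointing Contact at a shared mailbox rather than one person’s address avoids the vacation failure described above, and the Expires field makes someone revisit both the file and the mailbox at least once a year.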

How a single attacker paralyzed Maersk

The NotPetya attack shows how quickly a company can go completely offline. The Russian secret service wanted to hit Ukraine and distributed the malware through the update mechanism of tax software used for doing business in Ukraine.

The consequences went far beyond the target. Maersk, one of the world’s largest logistics service providers, was also encrypted worldwide within minutes. Among other things, a Windows vulnerability was exploited for which a patch had long been available. Not everyone had installed it.

The clean-up work revealed a second problem. Employees were sent home, could not be reached for days and were sometimes only called together via private WhatsApp contacts. Everyone was given a new laptop and the old ones were thrown away.

Initially, there were no usable backups left. All systems were connected, so the backups were encrypted as well. There were hundreds of copies of the central domain controller, which replicated to each other and were therefore all encrypted too.

The fact that Maersk still exists today is due to a coincidence. A site in Ghana had an internet outage on the day of the attack and therefore had an unencrypted copy. Without this outage, the billion-dollar company might have been gone.

Architecture determines whether an attacker takes everything with them

The lesson from NotPetya is a question of system architecture. If everything is connected, an attack can encrypt everything within minutes, including backups.

Maersk has learned from this. The current Chief Information Security Officer reports that he no longer has a problem getting budget for more security. The company now knows how things can go wrong.

For you, this means separating systems so that an attack does not spread unchecked. This knowledge is available. But it is far from being implemented everywhere.

Why you should not pay

The recommendation from the authorities is clear: don’t pay the ransom. Whoever pays finances the business model and thus the next attack on the next company.

Technically, the extortion works because the data usually is decrypted after payment. If word got around that you would not get anything back despite paying, nobody would pay any more.

However, paying does not solve the problem. Authorities report that companies that pay are often attacked again because word gets around that they are willing to pay and easy to convince. They also underestimate how much work, energy and time it takes to rebuild a system after decryption.

Security is a cost factor, but leaving it out costs more

Security is often ignored in software development. At some point, a pen test is commissioned, the report delivers a result and the topic is considered closed. Examining it in depth rarely happens.

The reason is usually that it is perceived as a cost factor. Security is expensive, that’s true. Anyone who calculates what happens if you leave it out comes to a clear conclusion: the damage is definitely more expensive.

The difficulty lies in getting this thinking across to the people who decide on the money. The calculation is obvious, but it rarely reaches the places where budgets are allocated.

Physical pen testing: through the front door into the building

Security does not end with the system. In physical pen testing, people try to get into buildings that they are not allowed to enter. Most of the time they succeed.

The methods are banal and effective. Greet the gatekeeper in a friendly manner and walk past. Make up a role, disguise yourself, take a back entrance, stand at the smokers’ entrance. There are many ways into a company.

This has consequences for the organization. Gatekeepers must not be left alone with the task of stopping friendly, pleasant people. Nobody wants to do that, and that is exactly what attackers exploit. Physical access controls are needed that do not place this burden on individuals.

What you can do specifically as a user

A few consistently implemented measures close the majority of potential gateways. They are not costly, but a question of discipline.

  • **Activate two-factor authentication wherever possible.** The extra click is annoying, but it stops many attackers.
  • **Install updates quickly.** Attackers keep a close eye on where new gaps appear and work on exploiting them.
  • **Only keep the apps you actually use,** and check the origin of each one.
  • **Do not enter real data where it is not necessary.** Why does an online store need your date of birth? If in doubt, use a different name or date.

There is no such thing as complete protection. Sooner or later, data will be pulled from a poorly secured system, and public administrations are regularly hacked. Nevertheless, a sensible middle way reduces the risk significantly.

For teams building software, the same logic applies on a larger scale. Do it properly. Get the attacker’s perspective on board instead of just checking from the defender’s point of view. Either acquire it yourself, or find someone with the evil bit to help you.
