Hello everybody and welcome to this webinar by Uleska, which is covering formjacking: what formjacking is, how it can be attacked, how it is becoming very prevalent, especially in 2018 and 2019, and what you can do about it. My name is Gary Robinson, I'm the founder of Uleska, and I will be giving this presentation and webinar on formjacking based on some research that we have done ourselves and with a couple of other large companies to look into the issue that is formjacking and what the industry as a whole can do about it.

So, quickly, a mention about myself and about Uleska. I have been in software and cybersecurity for over 20 years. I have been a senior security architect at organizations like Citigroup, I've been a penetration tester, I've been a security consultant, and I'm also a global board member for the organization OWASP, the Open Web Application Security Project, which is a worldwide organization that advises and builds tools and projects that help with the world of software security.

A bit about Uleska. At Uleska we build applications and platforms that help organizations test dynamically, in a DevSecOps way, for application security issues just like formjacking. We automate the best and brightest of the application security tools so they can be run automatically, day in, day out, without needing manual security skills. We also translate those technical issues into what we call monetary business risk, so instead of a large organization having tens of thousands of SQL injections, potentially, we translate those into the monetary business risk of those technical issues, so that you can help prioritize and know what the business risk is of those various technical issues. We also then provide visual dashboards and reports that allow CISOs and CTOs to communicate the security of these application security issues across many teams, many applications, businesses etc. It's one of the issues that the application security industry has struggled with: we can't just keep on pushing around technical security issues and the numbers of those; we have to really understand the business risk in a quick and efficient manner and be able to communicate that, so we can understand that our security strategies are working and whether our risk profile from application security is getting better or worse.

So what is formjacking? In this section we're going to cover a quick introduction to the technical issue termed formjacking. Formjacking is essentially a new take on an old type of vulnerability. It is a JavaScript-type attack where attackers are able to introduce their code into a website running in a browser and use that to extract information that they would want from a user session. It's become more popular in the last few years for different reasons that we'll cover later on, but its popularity is growing dramatically, and it was made famous this year mostly by the Symantec Internet Security Threat Report from 2019, which listed it as one of the biggest issues from 2018. It's estimated to attack on average around 4,800 websites per month; that's around 240 websites per day, and that's very interesting. And it is attacking the websites, that is, the website itself has been attacked, therefore any users subsequently using that website, all of them, are potentially subject to the attack as well, so that allows it to grow very, very quickly.

So one of the main things to keep in mind is that this type of issue, whilst it's actually quite simple to exploit, is quite difficult to test for, because it essentially attacks a third-party source repository or a third party, and then attacks your main business site. So if you are a bank, or if you're a large organization that has an extensive website, this type of attack is not sending the attack into your infrastructure; it is not introducing code inside your code bases or inside your applications as they are served. It is introducing nefarious code whenever the user's browser is actually rendering that website, which means it can be very hard for a large enterprise organization to understand themselves and detect themselves if that issue is being exploited. It also has a temporal aspect, because it could be that a system or an application that is using this JavaScript is absolutely fine one day, but then if that third-party code changes the next day, then that could be vulnerable to exploit. So the code can change quite quickly, but one of the issues is that if testing is only done, say, every six months or every year, there can be a large window where that type of exploit can be happening before systems are actually fixed. Of course, what has to happen is the clients of a website start reporting the bad actions, and that's how this gets found very quickly, or found by the enterprises running those websites.

So how does an attacker exploit formjacking? We're going to keep it quite simple here, but essentially a classic example of formjacking is where a JavaScript script tag is used to introduce the JavaScript file to use. So for example, here this has a potential path to a JavaScript file, but in the case of formjacking that would actually be an external URL, so for example http://badguy.com/javascriptfile.js. So in this case it could be that the website is wishing to use some functionality that is provided by the JavaScript. It could be something as good as Google Analytics, it could be tracking mouse flows around the website, it could be providing different types of functionality that is commonly used, and instead of the software engineering team within an organization creating this JavaScript themselves, they bring it in from third parties. So some very popular examples are things like Node.js, big frameworks, things like that, where essentially all of that is brought in from a third party and served from something like Bitbucket or GitHub, or something popular like that.

So whenever those third-party JavaScript files are brought into the application, they essentially have access to anything running on that particular website in the browser at that time. So there are lots of different ways: it could be the HTML we've seen here, and there are also different ways, if you look it up, of using JavaScript to bring in third-party JavaScript files from other resources. But once they are in, and once they are running within a web page running in a web browser, they can essentially read anything in the Document Object Model, or the DOM. For example, they can read any of the assets on the web page, so any text or any values written there; they can read anything that is entered into the website, for example usernames and passwords, passport numbers, addresses and the like; they will be able to have access to and read those, and then also even things like mouse flows and any URLs that were accessed through that website etc. They have access to a lot of information, and that is how they're using this to extract information such as credit card numbers, such as passport numbers etc., because they have access to that and they can send that straight back to a repository which is owned by the attacker. Not only can they extract it; also, as we mentioned, they can modify the data as well. So if, for example, you're typing some information in like a credit card number or an address or an account number that, say, money should be sent to, they are able to modify that data before it is sent to the server, so that's another type of attack that could be costly in these formjacking scenarios.

So it is interesting that the formjacking attacks actually target the code that's part of the website; they don't attack the business itself, they attack it when it runs on the customer's computer that's displaying the website. Now, many, many websites these days run JavaScript. There are ways to turn off JavaScript in your web browser, and if you've ever tried to do it, a lot of websites simply fail to work; they just can't operate. These days JavaScript is very common in websites. And, depending on the resources that you use in software security, the loading of these third-party libraries is actually called different things: they can be called includes, they can be called simple JavaScript includes, tools like Burp will call them cross-domain script includes, and organizations like Google call them tags for different types of functionality such as analytics.

So the way the attack happens is that the web server inside an organization, this could be a large airline, this could be a bank etc., serves back the web page to the customer end user, that is the HTML and probably JavaScript that are served by the banking application themselves. As the end user's browser, be it Chrome or whatever, is rendering that web page, it will look for any JavaScript includes that need to be rendered, and if it finds one it will actually go off to the third-party repository, something like GitHub or Bitbucket, whatever, and although I'm using the Bitbucket image here, that does not mean at all that Bitbucket is specific to this type of attack; it's just to illustrate any sort of third-party repository that could host the JavaScript. And as that browser, in step two here, is rendering those third-party includes, it's able to get that information outside of any interaction from the business, from the airline, from the bank, that was served up through step number one. Now, the bank or airline etc. has this website, and they have obviously done their own system testing and their own unit testing, and they've brought in that JavaScript library for a specific function, and it operated properly at that time. At some time later, if this third-party repository is either maliciously breached, if it's deliberately taken over, for example maybe it's a third-party open source library that has just fallen out of support and somebody else has taken it over, or if there are other ways to get attacks into that third party, then that is how this malicious JavaScript that formjacking brings in comes into the web page being rendered on the end user's browser and has access to all that information. Because that is where the credit card numbers are, either being shown in a web page or typed in; that is where the passport numbers are and other personal information, again being typed in or displayed in response to a customer query, for example the bank's own accounts and things. SSL or TLS don't matter here at all; things like authentication etc. don't really matter, because this formjacking JavaScript has been loaded into that page outside of the authentication, outside of the SSL, and has access to all the information inside it. So wrapping this around SSL and TLS and having it authenticated does not at all protect against formjacking, which is one of the main reasons why it is so popular as an attack.

So the nature of formjacking attacks: they attack the customers, not the actual websites themselves. That means that attacking just one website effectively attacks all the customers of that website. You're not getting access to the back-end infrastructure of the bank or the airline, you're not able to see anything in the back end, you're not able to get inside the firewall; you don't need to, you actually get access to the interesting data that is also sitting there in the user's browser as it's being displayed or typed in. So formjacking attacks, that's where they're incredibly effective at stealing information from customers using the organizations. So the classic examples have been British Airways in October 2018, where a single website breach affected over 500,000 customers, and another one is Ticketmaster, where a similar type of breach affected over 40,000 customers, and they're both examples of formjacking. So we see here that one attack has been able to attack one website, for example the British Airways website; that one breach or injection into the website has been able to attack the 500,000 customers of that website, because they are the ones that are using it.

So quoting Symantec, which in their Internet Security Threat Report last year had a couple of very interesting quotes (I advise you to download that document and have a read of it, because it has lots of good information on formjacking): they actually say that Symantec telemetry shows that often small and medium-sized retailers, selling goods ranging from clothing to gardening equipment to medical supplies, have had formjacking code injected into their websites, so it is a global problem with the potential to affect any business that accepts payments from customers online. Now we at Uleska would extend that to also include any website that accepts or displays sensitive information from customers, or websites that are trusted by customers. So as you can see, the potential for formjacking to affect numerous important sites on a global scale has to be taken very, very seriously, as it is this scaling problem which actually allows it to be so popular these days. You attack one website, or you attack one open-source project which gets onto, let's say, three websites, and then you're able to attack, say, 3 million users if each of those three websites has a million users. And this is one of the very interesting natures of formjacking: you are essentially attacking these smaller open source, third-party types of projects; you're not having to attack the large, defended bank, the airline, which has spent 300 million on its security in the last few years. You're able to attack a small-revenue organization which is being trusted implicitly, and maybe unknowingly, by a large number of these large organizations, and by doing that, by attacking one very, very popular open-source project which is then used in, say, a hundred different large company websites, you're able to attack all the customers of all those hundred different websites without having to go through the pain of attacking any of those actual well-guarded business organizations. Instead you're attacking one of the smaller organizations which has less security defence, and that is why we have large numbers of formjacking attacks happening in 2018 and in 2019. You don't have to enter the business infrastructure, you don't have to pass the IDS, there are no firewalls that will stop you, there's no code review that would potentially find this type of thing; this is all the ability for you to get into an open-source project and have anybody who trusts that open-source project be vulnerable to your particular attack.

So the question is, what can we do about it? So the flaws behind formjacking have been known about for a number of years; in fact this is what used to be used for a lot of the crypto mining problems that happened in the past. So it used to be that this type of attack was used for crypto mining, which meant they would steal CPU resources from your own PC to help them mine coins, and they made money from that; that's how the attackers used it. Now, because the price of the cryptocurrencies all tended to drop and that became less of a business opportunity, they have now turned to stealing the data, because obviously the return on investment for stealing data from these types of systems is a lot better than the return on investment of mining cryptocurrencies. So yes, the flaws behind formjacking have been known for a number of years; recent breaches have only slightly changed how this is manifested, and OWASP has advised these types of controls for some time. So from their Top Ten, item A9 has for a long time stated that using components with known vulnerabilities is an issue; that's many times translated to actually be using third-party components that have these types of issues, because it could well be in this case that whenever the software team that was building the website was testing the JavaScript library, it worked fine, there were no issues, there were no flaws. But as we've shown, since it's a third-party project, and since it's loaded dynamically by users' browsers, the software team has no control over when those updates are applied, when those changes are applied to your website. There are a couple of headers added to the HTTP specs that would allow them to control an element of that, but unfortunately, from a business point of view, those headers would stop the website rendering, or stop all the JavaScript functioning, rather than providing a better way to mitigate these problems. But OWASP also has a thing called the ASVS, which is the Application Security Verification Standard, and it has recently been updated to version 4, but version 3 had this advisory: to verify all components, such as libraries, modules and external systems, that are not part of the application but on which the application relies to operate. So that explicitly applies to what we're saying here: this is a library which has been included into the website for whatever fair business logic reason, whatever is needed there, but because that is relied upon, it's actually part of the website, and any flaw in that, which is outside of the business's control, allows your customers to unfortunately be affected.

So there are some suggested solutions that could help mitigate your chances of being attacked by formjacking. The first one is to carefully select the third-party code that you're going to use on your website and pages, right? This means that you have to, unfortunately, have a list of third-party JavaScript libraries and the like that you wish to use and that you trust, and you would need to audit those third-party libraries to check if there are any potential security flaws in those. Now after that, you can take your third parties and consider them in two ways. The first one is: can the third party assure the code? So you have organizations, maybe like Google (the obvious one is Google Analytics), and there are many other reputable businesses out there that have JavaScript which does get loaded into your code, into the website, dynamically from the user's browser. So if you can make a decision to trust that third-party supplier, if for example you've checked with Google or you've checked with these organizations and they have security policies, or they have ways of assuring you that the code, the JavaScript they serve that will form part of your website, has security checks and that other organizations or other developers don't have the ability to change that JavaScript, then you can take a risk decision to base your trust on that third-party code and continue to serve that. If you have any developers in your organization that are trying to include libraries that are not on your trusted list, then there should be a way to check that; there should be a way to say no, we are not going to allow this website to include that JavaScript, and we're not going to let that go out the door and be deployed. That's a software design or a software implementation phase decision, but it needs to be controlled in some way. It's best, in our opinion, to have that done during the development of a software project and not after it's gone into the wild, as it's already been released, because you could already be being attacked and you'd have to change the website that's being used by users.

If the third-party organization can't assure the code, so if they are, say, a smaller open-source project, if they are, say, an organization that just doesn't have the ability to be contacted or to have any assurance of the code, then you can, if you're allowed to legally and if you have the resources, bring that JavaScript in-house. So essentially what you're doing, as a design and implementation decision during your software development, is you're identifying the need for this library, for the functionality that this library provides, and the problem is that you can't trust the way that library is provided, because it is done outside your organization. So if it's open source, and if you have the ability to, you can bring that JavaScript in-house; you can link to it from your own websites in a way that shows this is coming back to our own websites, this is coming back to the business, the banking application, the airline application, and you can then white-label it and apply your own checks, the ability to say, right, we will trust this ourselves; obviously we just apply this JavaScript library, we have it in source control, but now we know if any changes are going to be applied, we can test those changes, we can ensure those changes are not going to happen without our knowledge. And this allows you to identify ways to protect that code, because if you are auditing it yourself, if you're hosting it yourself, that makes it a lot more secure, and it also means that if an attacker did want to somehow try and change that third-party code for your website, then they have to go through all the previous attack vectors of getting inside your network, of changing code that you have already tested, or getting access to that code, and that's a lot harder a mechanism, a lot harder a proposition, than attacking a small third-party open source library.

So that is our advisory on formjacking, and how it has become so prevalent in today's attacking infrastructure and society, how it manifests itself and how it can be protected against. One of the reasons why Uleska is covering this as a webinar is because an element of our product allows us to help with that assurance that we mentioned before. Many of the off-the-shelf products, and even open source testing tools, do not check for formjacking; it's not something that is in their remit, and even if they did, they would have to have the ability to input a list of whitelisted domains from which you as a business are happy to serve JavaScript, assuming we take the precautions we mentioned there towards the end. So what we have developed inside the Uleska platform is the ability to plug in what we call custom tools, which means you can take something you've developed, a small testing script or a small Java program, and you can wrap it inside the automation and orchestration provided by the Uleska platform, and that allows you to implement these small types of checks across your whole organization and all applications. So we have developed a small custom tool which explicitly and only checks for formjacking. You pass in the parameters of the whitelist of the domains from which you trust JavaScript to be served, and upon every deployment, or every software security test, in a DevSecOps or CI/CD test environment, those checks are applied, and if any JavaScript is being included from a domain outside of those whitelisted ones, that is flagged up with a very high risk. At that point obviously the organization can make their own economic decision, but at least it gives you visibility and a risk prioritization on those formjacking risks, so you can know if any development team is trying to bring in JavaScript includes without your knowledge and without the whitelist coverage of your previous analysis, and so be aware and be able to prevent any releases that do need to be stopped because of those third-party includes.

If you have any questions, or want to know any more about formjacking or the Uleska platform, please reach out to us at www.uleska.com or reach out to us at info@uleska.com. I will be happy to set up a chat, happy to show you a demo of the Uleska platform and happy to reach out and have a conversation. Thank you very much.
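The whitelist check described at the end of the talk (flag every script include served from a domain that is not on the trusted list), written out as an added example. This is not Uleska's custom tool and not code from the webinar; it is a stand-alone Python script of the kind that could be dropped into a CI/CD gate. The sample page, the allowlist and the page origin "https://www.example-bank.test" are constructed for the demonstration; the only identifier taken from the talk is the badguy.com example URL. Relative and protocol-relative script paths are resolved against the page origin, and allowlist matching is exact-or-subdomain so that a look-alike host such as "google-analytics.com.evil.test" is not accepted by a plain suffix match.

```python
"""Flag <script src=...> includes whose host is not on a domain allowlist.

Added example, not Uleska's tool and not code from the webinar. The page is
assumed to have been fetched separately and passed in as a string.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def script_hosts(html, page_origin):
    """Return (src, host) for each script include, host lower-cased.

    Relative paths ("/static/app.js") belong to the page's own origin;
    protocol-relative URLs ("//cdn.example/x.js") are resolved as https.
    A src with no usable host (e.g. a "javascript:" URL) yields "".
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    origin_host = (urlsplit(page_origin).hostname or "").lower()
    pairs = []
    for src in parser.srcs:
        if src.startswith("//"):
            host = urlsplit("https:" + src).hostname
        else:
            parts = urlsplit(src)
            host = parts.hostname if parts.scheme else origin_host
        pairs.append((src, (host or "").lower()))
    return pairs


def host_allowed(host, allowlist):
    """True if host equals an allowlisted domain or is a subdomain of one.

    Matching on "." + domain rather than a bare suffix stops look-alikes
    such as "notgoogle.com" or "google.com.evil.test" from passing.
    """
    return bool(host) and any(host == d or host.endswith("." + d) for d in allowlist)


def find_untrusted_includes(html, page_origin, allowlist):
    """Return the (src, host) pairs that would be flagged as high risk."""
    allowed = {d.lower() for d in allowlist}
    allowed.add((urlsplit(page_origin).hostname or "").lower())  # own site is trusted
    return [(src, host) for src, host in script_hosts(html, page_origin)
            if not host_allowed(host, allowed)]


# Constructed sample page: two includes should be flagged, three should pass.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script src="//cdn.trusted-cdn.test/lib/framework.min.js"></script>
<script src="http://badguy.com/javascriptfile.js"></script>
<script src="https://www.google-analytics.com.evil.test/analytics.js"></script>
</head><body><form><input name="card"></form></body></html>"""

# Constructed allowlist of domains the business has decided to trust.
ALLOWLIST = ["google-analytics.com", "googletagmanager.com", "trusted-cdn.test"]
PAGE_ORIGIN = "https://www.example-bank.test"  # hypothetical site under test


if __name__ == "__main__":
    findings = find_untrusted_includes(SAMPLE_PAGE, PAGE_ORIGIN, ALLOWLIST)
    for src, host in findings:
        print(f"HIGH: script include from non-allowlisted host {host!r}: {src}")
    # Non-zero exit lets a pipeline stage fail the build on any finding.
    sys.exit(1 if findings else 0)
```

Run stand-alone it prints the two flagged includes and exits 1; pass it the fetched HTML of each deployed page and the organization's own allowlist to use it as the pre-release gate the talk describes. Inline scripts and includes added at runtime by other scripts are outside what this static check can see.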