Application Security News for August

German Man Behind IRC-Controlled WordPress Botnet

A German man is most likely behind a series of compromised WordPress websites that are linked together into a botnet and controlled with the help of a hidden IRC channel.

It's currently unknown how these sites are being compromised. According to WordFence, a vendor of security products for WordPress, the hacker works by adding a PHP file with 25,000 lines of code to all websites he manages to gain access.

This file is a bot client which connects to an IRC (Internet Relay Chat) server and listens to instructions posted in the main chat. Whenever the botnet's owner logs in and gives out a command, all infected websites execute it.

While WordFence has not elaborated on the bot client's technical capabilities, such botnets can be used to launch DDoS attacks, brute-force attacks, insert SEO spam on the compromised websites, or send spam email from the underlying compromised servers.

...
Webmasters that noticed their hacked websites, often asked for help in cracking this password, but to no avail. A Google search reveals requests as early as December 2012, meaning the crook's botnet has been around for almost four years.

LinkedIn sues anonymous data scrapers

LinkedIn’s case accuses the anonymous scrapers of building a massive botnet and circumventing the restrictions LinkedIn uses to prevent profile collection by undesirable third parties.

The lawsuit details several of LinkedIn’s automated tools that prevent data harvesting. Dubbed FUSE, Quicksand and Sentinel, these tools monitor the web traffic of LinkedIn users and limit how many other profiles a user can view, and how quickly a user can view those profiles. This tracking is intended to prevent scrapers from signing up for fake LinkedIn profiles and then vacuuming up vast amounts of data. The company also uses a tool called Org Block to block IP addresses it suspects of scraping and uses Member and Guest Request Scoring to track page requests.

But paradoxically, LinkedIn doesn’t want to prohibit scraping altogether. Search engines like Google use bots to index websites and turn up relevant results — and LinkedIn wants to allow this type of scraping to occur.

...

Similar CFAA lawsuits, like Craigslist’s against 3Taps and Facebook’s against Power Ventures, have been favorable to the plaintiffs, so LinkedIn has a good shot at shutting down its scrapers. Twitch filed a comparable CFAA lawsuit against view-bots earlier this summer, in which the live stream site alleged that using bots to inflate a channel’s view count amounts to an unauthorized access of Twitch’s ‘protected computers.’ However, Twitch’s complaint also claims a number of other violations, including trademark infringement.

Clearly, companies are interested in stamping out certain kinds of bots. But other scraping, like that done by search engines and web archiving services like the Wayback Machine, is welcomed. That dichotomy could create an anti-competitive business atmosphere, the Electronic Frontier Foundation argues.

 

From DarkReading:  Hacking Lunch

August has been interesting in terms of the web security news – the attack on the Australian Census website, this news of LinkedIn being hit by web scrapers, the SWEET32 openSSL vulnerability, and research that shows that around 16 zero-days are added to Dark Web Marketplaces each month. Attacks against web applications, whether they are websites, mobile applications or API applications are growing. Attackers are continually finding new ways to compromise these web applications and use them for profit. Defenders are finding it harder day after day to keep up with the patches and fixes to ensure that applications are not compromised.

Securing web applications requires significant work. You need to keep on top of the latest software defects, both on the underlying OS and the web application software. When updates are released, they need to be tested and deployed quickly. If the updates break the site, then you need to revert them and keep a continual watch on the site to ensure no one breaks in till you can fix the problems and update.

Securing your web application need not be difficult. The Barracuda Web Application Firewall exists to secure your web applications easily and provide you with peace of mind. Once you deploy the Barracuda Web Application Firewall in front of your web application, it is trivially easy to setup a HTTPS front end and enable complete application security. The Barracuda Web Application Firewall provides complete security against all web attacks (pdf), including application DDoS and Web Scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.

---

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.