1106 words
6 minutes
Being conscious about your attack surface

Nowadays, almost everyone in the world is connected somehow to a piece of software. It doesn’t matter if it’s your smartphone, your PC or just the app you use to talk with your friends. It’s very important to note that although this has made our life easier, every day we will have new access points for an attack to happen.

But getting straight to the point, what is your “attack surface”?. According to Wikipedia, “The attack surface of a software environment is the sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment”. So, whatever application or system you’re using, as I said before, takes part of your attack surface, and it’s your responsibility to keep it as low as possible.


But, how can I identify my attack surface?#

Well, as I said before, everything that you’re connected to is a possible access point for an attacker and, more access points means bigger attack surface, for example:

  • Bluetooth devices: We all use Bluetooth, it doesn’t matter if it’s for your headphones, your portable speaker or any other device.
  • Laptop: Let’s say you don’t use VPNs to connect to networks and you also don’t care about software updates (or you take too long to do them)
  • Smartphone: Again, you don’t have a VPN and you always have the wireless ON. And again, you don’t care about software updates.
  • Human errors: Of course, this is the thing that increases the most your attack surface.

This hypothetic user has a very big attack surface that can be exploitable overtime. In the future, I will talk specifically about different tools or techniques that can help you perform these attacks, but for now, let’s describe what a hacker can do with this:

  • Being in the same network as a possible attacker (aka anyone) is a very risky thing to do. From the same network, malicious hackers can:
    • Redirect you to malicious pages (DNS spoofing). This can lead to phishing attacks, for example.
    • Listen and capture your traffic
    • Get advantage of nonupdated software versions. There are a lot of places on the internet with the latest exploits available for anyone to check. For example https://www.exploit-db.com/
  • Also, by having your Bluetooth/Wifi always active, hackers can:
    • Try to connect to your Bluetooth devices
    • Connect to you via Bluetooth: By “plugin off” your existing devices (i.e. smartwatches) and taking its place
    • Open a public network, that your smartphone will log into, and you already know what could happen if you’re in the same network.
  • Apart from that, and talking about human errors, you should never ignore your antivirus/browser/firewall security warnings (unless you really know what you’re doing). Also, you should be really careful about emails (mostly phishing), images, and links from weird websites. I always try to check the URL from the bottom left corner of my browser to verify that I’m redirected to the desired place.

So, to sum up, these are the things you can do to decrease your attack surface in a local environment:

  • Disable Wifi and Bluetooth when you’re not using it.
  • Don’t ignore security warnings from any device/software.
  • Never connect directly to a public network. You can use a VPN. I personally prefer to connect to my smartphone network (to whatever internet provider you have) via a VPN.
  • Always update your software. Updates are not only for new features.
  • Always suspend/shutdown your PC/smartphone if you’re not using it.
  • Use different passwords in different sites. You can take advantage of password managers like 1password, which also includes password generators (very recommended).
  • Do not plug your phone into anything that you don’t own. For example, recharge stations in airports, a friend’s laptop, etc.
  • Nitpicky one: People behind you/watching your screen is always a bad sign. You want to give as little information you can to possible attackers (like watching your keyboard in this case). I will elaborate a bit on dictionary generators in the future, which is kind of related to this.

Developers perspective#

Developers are the ones that introduce those new software versions we were talking about before. Software development is not trivial, and because of that, developers can forget about sanitizing certain inputs in your frontend and/or backend applications. I really think that it’s important to note that updating your smartphone applications (as a normal user) and updating your software libraries have the same importance level. Let’s go back to the famous exploit-DB website and let’s look for Spring. For instance, you could use this exploit: https://www.exploit-db.com/exploits/36130. Although this is an old bug, you can see how important is to update your frameworks/libraries. You can keep playing with that website to find other cool vulnerabilities.

Developers attack surface#

Apart from versions, developers should be conscious of their system. Do you REALLY need that Redis host for your application? Keep in mind that more infrastructure means a wider attack surface, and also you will spend a lot of time by securing these hosts (by not exposing unnecessary ports, keeping them behind a bastion host, etc).

You may think that all your infrastructure is safe in the eyes of people. “Who will know I’m using Redis? Or that I have a MySQL DB?” you may ask. You can’t imagine the amount of service/domains discovering tools hackers have so knowing what technologies your system is using isn’t, in general, a real challenge. This topic deserves its own post so I’ll keep that for the future.

Apart from that, as a developer, you should know which parts of your company are in use and which not, and you must stop anything that is not used (S3 buckets, old GitHub repositories, unused server instances…). Again, thanks to reconnaissance tools and/or hacker’s expertise, you are just allowing people to know more about your systems.


Reducing human errors#

The weakest point in a system is the people that are part of it. From developers to managers to CEOs, everybody is part of your security. It doesn’t matter if a possible ransomware attack started by a manager clicking an email or if a developer inserted a conference gifted USB in one of the company laptops.

The point is that we are all responsible for our security breaches. If a developer setups a server with default credentials (silly but realistic example) and he/she doesn’t know about its consequences, it’s probably because your company is not taking enough care about security. Talk with your people about this periodically, give them some examples of possibles cases were a security breach could happen, train your people. No one is going to do it.

It’s never too late to start, and you don’t want to be that guy that will have to pay 100,000$ to rescue its data (or worst, its clients data). Remember that you are not the target of anyone, yet.

Being conscious about your attack surface
https://j2hacks.com/posts/attack_surface/
Author
Juanjo
Published at
2020-03-19