Hacks

I recently received a $5 check in the mail from Equifax. It took me a minute to remember that I had filled out a form months (years?) back to get compensation from Equifax as part of their massive 2017 data breach, and it got me thinking about how ubiquitous these kinds of data breaches have become. There was the 2013 data breach that happened to Yahoo affecting 3 billion accounts, the 2021 LinkedIn data breach (700 million), the 2019 Facebook data breach (533 million), and another Yahoo data breach in 2014 (500 million), just to name a few (https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html). What this has resulted in is a laissez-faire attitude when people hear of the latest breach, as it’s now just a matter of throwing another log on the ever-increasing pile.

In the modern digital age you have to assume your passwords and personal information will inevitably be stolen, so it is imperative that we are cognizant of password reuse and setting up two-factor authentication. Hackers earn millions of dollars (https://www.tomsguide.com/news/hackers-have-earned-millions-selling-your-data-on-the-dark-web-how-to-stay-safe) selling data they get from these data breaches, in large part because many people still reuse a lot of their authentication information, which allows someone to take a password you used on Yahoo! and try that password on other commonly used sites. Former President Trump’s Twitter account has famously been ‘hacked’ multiple times, in part because he was reusing passwords and, more often, simple-to-guess phrases (https://www.vn.nl/trump-twitter-hacked-again/).

One solution many people have turned to is using password managers like LastPass, which allow users to auto-generate new passwords for their many accounts, significantly reducing the chance that old passwords can be used against them. However, as one might expect, this has led to password manager services becoming victims of hacking themselves, as evidenced by what happened with LastPass just recently (https://www.techtarget.com/searchsecurity/news/252529329/LastPass-faces-mounting-criticism-over-recent-breach).

We are all told it’s imperative to take your data security very seriously, but it’s disheartening to have your data stolen and receive a $5 check in the mail 6 years later. Ultimately, one of the ways I’ve tried to combat this is by significantly reducing my digital footprint. This includes reducing my social media use and limiting the PII (Personally Identifiable Information) I give out even when the expectation is I’m anonymous. Someone can’t steal what they can’t find.

Stuxnet

In my last post I referenced a few different podcasts that got my mind thinking about cyber security. The one I want to highlight today is Darknet Diaries and in particular an episode about a virus called Stuxnet (podcast located here: https://darknetdiaries.com/episode/29/ or on a podcast app).

Stuxnet was a virus discovered back in 2010 that infected over 200,000 computers and was designed to target industrial computers, in particular Iran’s nuclear facilities. What makes this virus particularly interesting is that it was programmed to travel via USB flash drive, which enabled it to infect computers that were segregated from outside networks. Furthermore, it took advantage of four zero-day vulnerabilities. A zero-day is a vulnerability in a system or device discovered by hackers before the vendor has become aware of it. Because zero-day vulnerabilities allow hackers to perform exploits on fully patched machines, these kinds of exploits tend to be extremely valuable to hackers (and quite pricey too; some zero-days fetch more than $1 million). A lot of viruses don’t even use a single zero-day vulnerability; instead they rely on exploits for known, already-patched vulnerabilities and try to take advantage of machines that are behind in the patch cycle. More sophisticated viruses may use 1 or 2, but 4 is something almost unheard of. This is because if the virus is discovered, every included zero-day may end up getting patched, when it could otherwise have been used in future malware.

No one has ever been able to concretely point out who was behind Stuxnet, but what is almost universally accepted is that a nation state was behind its creation (the most commonly believed theory is that it was a joint operation of the US and Israel). The cost of the zero-days and the sophistication of the code make it very unlikely a lone actor or small group of hackers could have pulled this kind of exploit off.

While the ethics of what Stuxnet was trying to accomplish can be debated (its purpose was to slow down the enrichment of Iranian uranium), what cannot be ignored is that it showed how critical cyber security is in the digital age. Stuxnet showed us: 1) the increasing involvement of nation states in attacks against rival nations and companies, 2) how industrial systems can be targeted to cause real-world harm, and 3) how air gapping your network from the outside world isn’t sufficient to make sure you are secure. It took over three years after Iranian machines were infected for Stuxnet to be discovered, and even then it was discovered more or less by accident by a small security company outside of Iran, inside a machine the code was not supposed to affect. This poses an important question: how many more sophisticated Stuxnets are out there today, 12 years later?

Hello world!

I suppose if you’re going to start a tech and coding related blog then the infamous ‘Hello World’ phrase that is commonly used for the start of coding projects fits the bill. In this blog I’m going to share what I’ve been learning about Website Security as a relative novice (currently) in the area in hopes that what I learn can prove to be useful to someone starting on their own journey into this field.

I currently work as a full stack Software Engineer primarily working on web apps in React JS and C#. However, in part because the apps I work on are internal and protected by firewalls, the need to focus on the security aspect of the App has never been something I’ve had to personally deal with, at least beyond a very rudimentary understanding.

Security has always been something that I’ve had a lot of interest in but have really never taken the time to seriously look into. Maybe you’re reading this and thinking the same thing. It’s incredibly important, yet we learn so little about it in school, and as someone in the industry for the last 3 years you don’t necessarily have to learn a lot about it on the job. However, in a world where website attacks have only been increasing, the need for people to be knowledgeable in this is becoming more and more important every day.

Before I sign off on this post I wanted to share a few Security related podcasts that were a big part in inspiring me to learn more: https://darknetdiaries.com/ and https://malicious.life/. Well worth a listen.

-Zach