Infosecurity spoke to Ilia Kolochenko, CEO of High-Tech Bridge. Kolochenko recently launched ImmuniWeb, an online, automated SaaS-based penetration testing service designed to make pen-testing affordable to SMEs. He said that he could not demonstrate ImmuniWeb as thoroughly as he would like because the deep penetration testing it used required the authority of the website owner to remain legal. But what he could do was demonstrate why it was needed – armed with just a laptop, a default Firefox browser and Google Search he had found a string of major media organizations vulnerable to being hacked.
That list is surprising: it includes the two big hacked publications The New York Times and The Washington Post – who have still not fixed their websites despite their experiences. It includes the Wall Street Journal, Forbes, the Telegraph, the Times, Bloomberg, the Independent, the Financial Times and others. It includes the Guardian, currently publishing details on how everyone is being surveilled by national governments.
One month ago, the BBC technology correspondent Rory Cellan-Jones published a cheeky article on ‘glass houses’. He had received an announcement from KPMG which demonstrated that British business is “leaking data on an alarming scale.” Cellan-Jones asked researcher Graham Cluley to have a look at KPMG itself, and concluded, “it might be better to check your own defences before sending out shocking reports about the state of other companies.” But Kolochenko demonstrated to Infosecurity that the BBC itself is a glass house.
The majority of the vulnerabilities were found during July 2013. Kolochenko wrote to all of the organizations concerned, informing them of the vulnerabilities he had found; and Infosecurity delayed this article to allow ample time for the companies to fix their vulnerabilities. Even more shocking than the state of media security (this would probably apply to all market segments) is the response to knowledge of those vulnerabilities.
The Financial Times responded and fixed the vulnerability – but ineffectively. “Their patch can be by-passed,” Kolochenko told Infosecurity, “so they are still vulnerable.” The Wall Street Journal acknowledged Kolochenko and said it would fix the vulnerability, but hasn’t. No one else responded and none of the vulnerabilities are fixed.
This is not a trivial issue. Infosecurity asked Kolochenko what could be achieved by a hacker through these faults. “A hacker could inject arbitrary content on a website page, and post fake news or just ‘deface’ the webpage,” he told Infosecurity. “He could steal users’ cookies and sessions. The vulnerability could be used to perform various types of phishing and scam attacks, or set up the site for drive-by attacks to infect visitors.” The same would apply to all of the affected organizations.
But perhaps the main issue is the ease with which the vulnerabilities were found. No laws were broken in probing the websites. Each vulnerability was found in about 15 minutes simply through Google Search. And if Kolochenko can find such serious vulnerabilities so easily and so quickly, so can any competent hacker.
Update
High-Tech Bridge has pointed out that it did receive a few 'automated responses' to its emails.