Hacktivists single out military dating site
A recent attack on a military-themed online dating site has drawn into question the sensitive nature of user-created content and the potential need for higher data security for veterans and active military personnel.
Poor user credentials
The attack in March against MilitarySingles, a site dedicated to matchmaking for those who currently or formerly serve in the armed forces, resulted in the personal information of 170,000 users being posted for public viewing, including IP addresses, passwords and usernames. The hacktivist group LulzSec took credit for the attack, but the site acknowledged that the compromised users bore some share of the blame: the majority of passwords were weak and susceptible to basic dictionary attacks.
Retooling interfaces
The site administrators are also culpable here, though. A flaw in the photo upload feature allowed the LulzSec attackers to upload an executable file through MilitarySingles' photo service, which they subsequently used to attack other users and steal account information. This calls into question the security of applications that accept user-created content, especially for active military personnel whose location or status may be more sensitive than that of civilians.
Segregate, validate, integrate
Tal Be'ery of Imperva recommended in an InformationWeek interview that social networking sites and others that accept user-created content should segregate uploaded content from the storage used for the rest of the site in order to improve server security. He pointed out that sites such as Facebook, Google and Twitter already follow this approach, hosting their images on infrastructure separate from the systems that serve the rest of the site. Identifying and verifying what an uploaded image actually contains before allowing it onto the site could prevent an attack like the one executed against MilitarySingles.
The problem with simple image validation, which is what MilitarySingles was using, is that it only inspects the file extension. Content security should require a more stringent file review process and specifically deny execute permissions on stored uploads, so that even if an attacker uploads a convincing file disguised as an image, the constraints placed on legitimate images still hold and the file can never run on the server.
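The contrast described above, as an added illustration (not code from the article, MilitarySingles or Imperva): an extension-only check beside a content check that verifies the file's magic bytes against the declared image type and rejects embedded script markers, plus a store routine that writes uploads into a separate directory under a server-chosen name with no execute bit. The accepted formats, the marker list and the sample uploads are all constructed assumptions for the demo; a production service would additionally re-encode the image with an image library rather than rely on a marker scan.

```python
import os
import secrets
import tempfile

# Assumption: the site accepts only JPEG, PNG and GIF photos.
# Leading byte signatures for each accepted extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed, heuristic list of markers that should never appear in a photo.
# Real image data can in principle contain such bytes, which is why
# re-encoding with an image library is the stronger control.
SCRIPT_MARKERS = (b"<?php", b"<script", b"#!/")

# Constructed sample uploads: name -> bytes as the client sent them.
SAMPLE_UPLOADS = {
    "profile.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,          # genuine-looking PNG
    "photo.jpg": b"<?php system($_GET['c']); ?>",               # script with .jpg name
    "avatar.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>",  # polyglot: valid header, script body
    "tool.exe": b"MZ" + b"\x00" * 8,                             # wrong extension outright
}


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_check(filename: str) -> bool:
    """The weak check the article describes: trusts the file name alone."""
    return _extension(filename) in MAGIC


def content_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Stricter check: extension allowed, bytes match that format's signature,
    and no script markers anywhere in the body. Returns (accepted, reason)."""
    ext = _extension(filename)
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared image format"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script content found inside image"
    return True, "ok"


def store_upload(data: bytes, ext: str, upload_root: str) -> str:
    """Write an accepted image into a dedicated images directory, separate from
    application code, under a random server-chosen name and with mode 0644
    (readable, never executable). Returns the stored path."""
    images_dir = os.path.join(upload_root, "images")
    os.makedirs(images_dir, exist_ok=True)
    name = secrets.token_hex(16) + "." + ext      # client never controls the path
    path = os.path.join(images_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)                          # independent of the process umask
    return path


def run_demo() -> dict:
    """Run both checks over the constructed uploads and store the one good image."""
    results = {}
    for name, data in SAMPLE_UPLOADS.items():
        results[name] = {
            "extension_only": extension_only_check(name),
            "content_check": content_check(name, data)[0],
        }
    with tempfile.TemporaryDirectory() as root:
        path = store_upload(SAMPLE_UPLOADS["profile.png"], "png", root)
        mode = os.stat(path).st_mode
        results["stored_is_executable"] = bool(mode & 0o111)
        results["stored_in_images_dir"] = os.path.dirname(path) == os.path.join(root, "images")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two disguised files ("photo.jpg" and the polyglot "avatar.gif") pass the extension-only check and fail the content check; the stored file ends up outside the application tree with no execute bit, so even a file that slipped past validation would have nothing to run with.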
Encrypted protection
Websites hosting user-created content might want to consider requiring stronger passwords and encrypting stored data to avoid similar data security issues in the future. It could also be beneficial to separate different kinds of content so that tampering and hacktivism cannot gain such a strong foothold on similar sites.