Talking Digital Security with RSnake Hansen
Robert “RSnake” Hansen is a well known digital security expert who is CEO and/or founder of a number of successful companies including Outside Intel and Smart Phone Exec. He is also on the board of some interesting tech companies, including Data World and FunCaptcha.
Namecheap had the opportunity to ask him to give an overview of online security and some best practices for keeping your digital presence secure.
With the development of the Web in 1991-1992, we witnessed a change in how the Internet was accessed. Browsers introduced new security issues. When did the first significant breach of the web occur and how was it done?
RSnake: It’s so hard to say what the most significant was, but probably the most well-known was when the Samy MySpace worm took over and took down MySpace. It was so prolific their servers simply couldn’t handle it. Its creator knew it would be exponential but it ended up taking over a million active users. He used a simple and well-known exploit called Cross Site Scripting. We had always theorized that it could be as bad as he made it, but I think that really opened people’s eyes, and put a lot more scrutiny on browsers.
From a security perspective, what would your timeline be for significant breaches versus reactions and program development to meet the growing issues?
RSnake: Generally speaking the timeline depends on if the adversary is noisy or not. If the adversary simply pulls data out of a database it might be weeks, months or even years before someone notices. It almost always is eventually noticed—typically when the data is resold on the underground. But when that happens, it’s typically a race to get ahead of it from a public relations perspective. It typically involves legal, law enforcement, dev/ops, and public relations in coordination.
When was the first firewall developed, and how good are the current ones used today?
RSnake: Firewalls have been around for over two decades. The original purpose of them was to do network isolation. Slowly that has become less and less in vogue because modern networks are so permeable. Jeremiah Grossman and I invented the attack where a browser could be used to hack internal devices, which remains unfixed to this day.
Another example is almost everything can be tunneled over HTTP/HTTPS. So if you can tunnel TCP over HTTP you can basically do anything. The real thing it seems to do in most enterprises these days is isolate groups of machines that have similar functionality. So your DMZ will be filled with production machines. Your HR team’s computers are isolated from the rest of the company, and so on.
What security measures do you recommend for online businesses?
RSnake: It depends on how draconian they want to get. The tools that work the best are the most draconian. For instance, application whitelisting is a very strong barrier to malware infections, but it means that people can’t install anything new too.
So as a middle ground, what I like to tell people is, “Always assume any machine will be compromised and then come up with another security control to protect against that eventuality.” For instance, let’s say you wanted to stop someone from compromising a web server. Maybe you’d start with something that limits the server from being able to write to disc from a software perspective. Well, if that control is put in place but then there is a vulnerability, there should be some other thing that protects you.
So what if you used something like a file integrity monitor on top of it, to validate that no changes were made to the file system at any time?
RSnake: That would provide a nice stop-gap if that first control failed. Nothing is perfect, but if you treat every control as just a piece of the overall puzzle instead of being the entirety of your security controls, you’ll be significantly safer. If you want an actual list of controls though—I’m afraid that would take days to write up. Yes, it’s that complicated (to do correctly). But there are organizations like OWASP and WASC that help companies understand the threat landscape—they’re both great references to get started.
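The file integrity monitor floated in the question above, as an added example that is not part of the interview: it baselines a web root with SHA-256 digests and reports what changed, so a failure of the "no writes to disk" control still shows up. The directory and files are constructed in a temp folder; no real site is touched.

```python
"""Minimal file-integrity monitor: baseline a directory tree, then report changes.
Added example (not from the interview); every path and file below is constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files never load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; any non-empty bucket means the write-protection control failed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: a file is edited, one appears, one disappears after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>hello</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        before = baseline(root)
        (root / "index.html").write_text("<h1>hello</h1><!-- edited -->")
        (root / "upload.php").write_text("<?php // unexpected new file")
        (root / "css" / "site.css").unlink()
        return diff_baseline(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host (or signed), since an attacker who can write the web root can also rewrite a baseline kept next to it.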
Are there different levels of security for different types of websites?
RSnake: Absolutely. If you don’t care if a site goes down, or gets hacked—let’s say it’s a thin affiliate site or something, then why bother investing a large amount in protecting it? Or if you know you do need to protect a thin affiliate site, make it all static content, so that there are no avenues for attack via the web interface. That limits an adversary to network, host-based or social engineering type attacks. It all depends.
How effective are SSL certificates? Of the three major types of SSLs—OV, DV, EV—what type of sites should use which type of certificate?
RSnake: There have been dozens of side channel attacks against SSL/TLS over the years… That said, the real benefit for SSL/TLS is that it mostly limits what an attacker can see and inject into the datastream.
So for instance, malicious ISPs can’t inject banner ads when people connect to your website if you use HTTPS—so it can protect your revenue stream. It also limits what an average attacker can see. They can tell what site you’re going to, how long you’re on it and might be able to glean some of the pages you went to (the homepage and the last page you visited before clicking on a link to another website) but they probably can’t read the actual text of most of the pages. So for things like bank accounts or social media sites, SSL/TLS is very useful.
In the end, extended validation certificates make the most sense on sites where trust is a big factor of people’s use of a site and therefore the green bar at the top might help with conversions.
Look for a certificate that can easily be set up to auto-renew, which dramatically reduces the overhead and potential for inadvertent outages. No matter what, I’d recommend using SSLLabs to make sure your setup is secure once the certificate is in place.
What advice would you give to users of various websites to keep their information as secure as possible?
RSnake: Don’t give them any more data than is necessary—if you don’t have to use your real name and your real address and your main email address, don’t. Never ever use the same password—it’s dangerous and is often how attackers pivot into other sites. Use second-factor authentication like SMS based pins or Duo security or Google Authenticator—which helps with the password reuse and greatly reduces the risk of brute force attacks.
Use an ad-blocker, because that greatly limits the bad things you can do. I recommend using the freeware Sandboxie for Windows users, which limits what malware can do once it infects your machine. For Macs, there’s software called Little Snitch that tells you when your machine is making errant outbound calls. There are many more tricks that can limit exposure, but that’s a great start.
What do you think of the CMS options that are being used for website building these days? Are they more secure than sites built with static HTML?
RSnake: CMSs are never going to be as secure as static websites, but that’s a risk most companies are willing to deal with. It’s a cost/benefit tradeoff. Manually modifying HTML files is something most companies simply don’t want to get in the business of. Especially when you have large providers out there who can do all the management and patching for you.
Why bother with maintenance and learning HTML/CSS when you can leverage the hard work of others? Granted that comes at a cost of flexibility and security, but most of the time, it’s worth it to companies. This is why WordPress, for instance, makes up a significant portion of the entire web.
If I use WordPress, which security plugins do you recommend? And how important is updating your versions of WordPress and PHP?
RSnake: There’s a security headers plugin that enables users to turn on various different security HTTP headers, like X-Frame-Options, Strict-Transport-Security, Content-Security-Policy and so on. That dramatically improves the security of a site without that much effort. I also like the Google Authenticator plugin which adds second-factor authentication to the admin console for blogs.
And of course, FunCAPTCHA—because getting rid of spam/malware robots is key. As far as external stuff, Sucuri has made such great progress over the last handful of years, I’d be remiss if I didn’t mention them.
I highly recommend updating your site as regularly as you can afford to. There hasn’t been a good exploit in WordPress core or PHP in quite a while, but there are regularly exploits in plugins. So keeping the number of plugins to a minimum and making sure they’re up to date is key.
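A checker for the three headers named in this answer, as an added example that is not from the interview or any WordPress plugin: it audits a response header set for X-Frame-Options, Strict-Transport-Security and Content-Security-Policy and flags weak values. The one-year HSTS threshold is an assumption (it is what the browser preload list requires), and both sample header sets are constructed.

```python
"""Audit response headers for X-Frame-Options, HSTS and CSP.
Added example (not from the interview); sample header sets are constructed."""
import re

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, matching the preload-list requirement


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means all three checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("Strict-Transport-Security missing (plain-HTTP downgrade possible)")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing (no XSS mitigation layer)")
    else:
        # script-src falls back to default-src when absent, as the CSP spec defines
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script or "*" in script.split():
            findings.append("CSP script-src allows inline or wildcard script sources")
    return findings


# Constructed sample header sets: a weak default install beside a hardened one.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["ok"])
```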
Do you think the web is more secure today than before? Is there any new developing technology that will help make the web more secure?
RSnake: The web is certainly a lot less secure today than it was years ago, but that’s due entirely to the explosive growth in complexity. I think part of the problem with modern sites is they’re so frail and rely on so many external dependencies.
If you can limit those dependencies to a minimum you’ve increased your security a lot—similar to how static HTML is easier to secure than something that takes in and stores data. That additional complexity is what makes things far less secure, and much more difficult to build threat models around. There’s new technology all the time that makes things more secure.
For instance, 3rd-party credit card processing companies like PayPal and Stripe, or 2nd-factor authentication, or web application firewalls, and so on. I think all of it moves the needle, but just as fast as we seem to come up with some solution, you’ll see developers working around anything they perceive to be hindering their progress. So it’s largely a game of cat and mouse.
Check out Namecheap’s SSL certificate options. We have one for every website and every budget!