Forget zero-days, the most dangerous vulnerabilities are decades old, says ethical hacker

Ethical hacker Holly Grace Williams on the blind spots that lead to companies being compromised

"Everyone always wants to know what's the cutting-edge stuff, what's the latest class of vulnerability," said Holly Grace Williams, ethical hacker, penetration tester and technical director of Secarma, during a keynote at last week's Computing Cybersecurity Live event. "But the truth is a lot of old stuff works."

SQL injection, a technique that dates from the late 1990s, has featured in the OWASP Top 10 list of web application vulnerabilities, a ranking that balances prevalence and seriousness, since the list's first edition in 2003, and injection flaws still sit at number 1 today. Indeed, SQL injection was the method Russia's GRU used to gain access to a US state election board's voter database during the 2016 election campaign, according to the Mueller report.

Another old favourite, dating from the late 1990s, is cross-site scripting (XSS), which has slipped down the table a little but is still widely used, in part because it is assumed to have been fixed. "The vulnerabilities are older than the hackers that are using them," Williams quipped.

The only class that could really be termed 'new' is the speculative execution vulnerabilities, such as Spectre and Meltdown, that emerged in 2017, but even this category is technically a side-channel flaw, Williams said.

But what about zero-days? "Everyone loves talking about them but they're rarely used," said Williams, pointing to a statement by a director at the NSA that the agency had not responded to an intrusion involving a zero-day in two years.

Aside from assuming that old vulnerabilities have largely been dealt with, many organisations still overestimate the strength of their perimeter defences and fail to implement an adequate layered strategy of overlapping protections (defence in depth).

"Once you're inside the perimeter a lot of companies get really squishy," said Williams, citing a case in which plaintext admin passwords were found on a network share. A flat, unsegmented network also leaves an organisation open to ransomware such as WannaCry and NotPetya, which can spread through non-compartmentalised networks "incredibly quickly".

There are plenty of ways to get inside the perimeter, including various types of phishing and social engineering attack as well as the XSS and SQL injection flaws cited above. Companies may also be overconfident in their automated defences. Williams spoke of a case in which she had managed to copy credit card details held by a gambling company because the script she was using pulled records slowly enough to stay under the rate threshold that would have triggered the alarm.
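The gambling-company case above is a failure mode worth seeing in code: an alarm keyed only on requests or rows per minute never fires on a script that is deliberately slow, while a check on the cumulative total per account does. The following is an added example written for this page, not code from Williams or Secarma; the log entries, account names, window size and thresholds are all constructed.

```javascript
// Added example, not from the article or from Williams's talk: a purely
// rate-based alarm that a slow extraction script never trips, beside a
// cumulative check that catches it. All log entries, account names and
// thresholds below are constructed for the demonstration.

// One entry per database request: time in seconds, account, rows returned.
function dump(user, count, rowsEach, intervalSec) {
  return Array.from({ length: count }, (_, i) => ({
    t: i * intervalSec, user, rows: rowsEach,
  }));
}

const SAMPLE_LOG = [
  // Normal back-office use: 20 small queries, one every 30 s.
  ...dump('ops-alice', 20, 5, 30),
  // Noisy dump: 1,000 rows in under a minute. Any rate alarm sees this.
  ...dump('svc-fastdump', 10, 100, 6),
  // Low and slow: the same 1,000 rows, one row every 10 s for ~2.8 hours.
  ...dump('svc-slowdump', 1000, 1, 10),
];

function groupByUser(events) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  return byUser;
}

// Rate alarm: flag any account that returns more than maxRows within any
// windowSec-long sliding window. This is the kind of threshold a slow
// script stays under.
function rateAlarm(events, windowSec, maxRows) {
  const flagged = [];
  for (const [user, evs] of groupByUser(events)) {
    evs.sort((a, b) => a.t - b.t);
    let start = 0;
    let sum = 0;
    for (let end = 0; end < evs.length; end++) {
      sum += evs[end].rows;
      // Drop events that have fallen out of the window ending at evs[end].t.
      while (evs[end].t - evs[start].t >= windowSec) {
        sum -= evs[start].rows;
        start++;
      }
      if (sum > maxRows) { flagged.push(user); break; }
    }
  }
  return flagged.sort();
}

// Cumulative alarm: flag any account whose total rows over the whole
// session exceed maxTotal, regardless of how slowly they were pulled.
function cumulativeAlarm(events, maxTotal) {
  const flagged = [];
  for (const [user, evs] of groupByUser(events)) {
    const total = evs.reduce((acc, e) => acc + e.rows, 0);
    if (total > maxTotal) flagged.push(user);
  }
  return flagged.sort();
}

console.log('rate alarm (500 rows / 60 s):', rateAlarm(SAMPLE_LOG, 60, 500));
console.log('cumulative alarm (500 rows):', cumulativeAlarm(SAMPLE_LOG, 500));
```

With a 500-rows-per-minute threshold only the fast dump is flagged; the slow script moves six rows a minute and is invisible to the rate check, yet it has pulled the same 1,000 rows by the end. A per-account volume budget (or a limit on distinct records touched per session) is the control that actually bounds the loss.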


And just because a device is not connected to the internet does not mean it is secure. "Not internet-connected does not mean not internet-reachable," Williams explained. There is the Stuxnet example, of course, but there are ways in that don't involve scattering dodgy USB sticks in a car park, including DOM-based XSS (DOM-XSS), where the payload executes client-side in the victim's browser, a browser that sits inside the network and can reach hosts the attacker cannot. DOM-XSS also helps attackers cover their tracks: the payload typically travels in the URL fragment, which the browser never sends to the server, so server logs show nothing unusual and any requests the injected script makes appear to originate with the victim.
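The two DOM-XSS properties just described, that the payload reaches the browser but not the server, and that the fix belongs on the client, can be shown without a browser. The following is an added example written for this page, not code from the talk or from Secarma; the intranet hostname, page, parameter name and internal address are all constructed.

```javascript
// Added example, not from the article or from Williams's talk: a DOM-XSS
// sink fed from the URL fragment, why that fragment never reaches the
// server, and the client-side fix. The intranet hostname, page, parameter
// name and internal address below are all constructed for the demonstration.

// Constructed intranet page that greets the user by a name taken from the
// fragment, e.g. https://intranet.example/dash#name=Alice
const BENIGN_URL = 'https://intranet.example/dash#name=Alice';

// Constructed payload: the handler would make the victim's browser, which
// sits inside the network, request an internal address the attacker
// cannot reach directly.
const PAYLOAD_URL =
  'https://intranet.example/dash#name=<img src=x onerror="fetch(\'http://10.0.0.7/\')">';

// The request line the browser actually sends. Per the URL standard the
// fragment is stripped before the request leaves the client, so a server
// log records only this.
function requestLine(urlString) {
  const u = new URL(urlString);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Source: the fragment. URLSearchParams percent-decodes it, so any '<'
// the parser encoded on the way in comes back out as '<'.
function nameFromFragment(urlString) {
  const hash = new URL(urlString).hash.slice(1); // drop the leading '#'
  return new URLSearchParams(hash).get('name') ?? 'guest';
}

// Vulnerable sink: untrusted fragment data concatenated into markup that
// the page would then assign to element.innerHTML.
function unsafeBanner(urlString) {
  return `<h1>Welcome, ${nameFromFragment(urlString)}</h1>`;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: encode before the value ever touches an HTML context.
// In a real page, assigning element.textContent instead of innerHTML
// achieves the same without hand-rolled escaping.
function safeBanner(urlString) {
  return `<h1>Welcome, ${escapeHtml(nameFromFragment(urlString))}</h1>`;
}

console.log(requestLine(PAYLOAD_URL)); // no fragment: nothing for the server to log
console.log(unsafeBanner(PAYLOAD_URL)); // live <img onerror=...> in the page
console.log(safeBanner(PAYLOAD_URL)); // inert text
```

The request line for the payload URL is identical to the one for the benign URL, which is why a WAF or server-side log review cannot see this class of attack; the only places to catch it are the client code itself and outbound traffic from the victim's machine.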

Companies seeking to assess this risk often find themselves coming up against a wall, where the information available online only takes them so far before they are asked to pay a bug bounty fee. Another problem is that there may be good awareness of the risk at the developer level, but clogged communication channels mean the information does not get passed up the chain to the decision-makers in the boardroom.

So if very few of the vulnerabilities in the wild are new, how come there are more and more data breaches? The reason is that the techniques are evolving to become faster, more efficient and more automated. NotPetya was better at propagating itself than WannaCry, and SamSam, a manually operated ransomware, was better at targeting its victims. Dwell times (the time an attacker spends inside a network before striking) are shortening even for a hands-on operation like SamSam, as perpetrators become more skilled at deploying it.

"It's that speed change," said Williams. "I think a lot of organisations might be thinking, 'Oh I'll wait for an attack, get my incident response plan out, go down the call list, initiate the plan', but in the case of NotPetya by the time you've got to the bottom of that call list it's all over. So among the things we should look at is minimising the impact and also reducing the response times."