Security Sense: Did You Really Think Websites Were Always Hacked for a Reason?!

Security Sense: Did You Really Think Websites Were Always Hacked for a Reason?!

Here’s one I hear a lot:

“Oh we’re not worried about being hacked, there’s no reason an attacker would want to break into our system”

When I hear this, I’m hearing something analogous to “There’s no reason anyone would want to spray paint our wall” or do that thing where you fill someone’s hairdryer with talcum powder or any other sort of activity that derives pleasure from the discomfort of others (regardless of how amusing the latter can be).

And so it is often the same with hacking:

Reason? You want a reason? How about “for the lulz”, there’s your reason! Granted, in this case I saw a few days ago there was also a little financial upside by way of a Bitcoin demand but c’mon, we all know that one is never going to happen.

But what about hacktivists? I mean those guys really have a cause, right? They’re out there taking on the big guys and keeping them honest on behalf of the little guys. Big guys like Sony Pictures back in 2011 (yes, they’d been this path before their encounter with the Axis of Evil):

Of course things didn’t end up working out real well for a bunch of the LulzSec guys and by all accounts, there’s a lot less lulzing going on these days. But the fact remains that they were opportunistic and when they did manage to break into Sony’s things it wasn’t a mission statement about any greater good that adorned the Pastebin dump of personal data, it was the ASCII art above complete with the aforementioned lulzing.

So if a valid reason isn’t the motivation, what’s driving these attackers to your site? Why choose you? I like the way InfoSec Taylor Swift summed this up last week:

Now firstly, for a parody account Swift is both insightful and hilarious and you should go and follow her / him / it right now but secondly, this absolutely nails it. Low-hanging vulnerabilities in websites are easily discovered not by targeting a specific victim, but rather by searching Google and then having a good grasp on copy / paste. Recently I watched a live-stream of exactly this sort of hacking by Abdilo on Twitter (it should come as no surprise that the account is now suspended) and that’s precisely what he did – search Google for websites built with antiquated technologies and passing query strings, copy the URL then paste is into sqlmap. Lather, rinse, repeat. Every now and then he’d get a hit and then their data would be public data courtesy of a low-hanging SQL injection vulnerability.

Every day I see automated crawling against my own web assets looking for exploitable resources. That these crawlers are often looking for resources such as admin.php on an ASP.NET website is merely evidence of the randomness of the whole thing. Got a URL? Yep? Cool, let’s see if we can break it!

That’s the reason many websites are attacked, not because they have something of immediate value, but because they have a URL. A reason is something that can be worked out later on.

Troy Hunt
Microsoft MVP - Developer Security 

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.