The Downward Spiral Into Crypto-Criminal Chaos | Best of ECT News
This story was originally published on Sept. 25, 2018, and is brought to you today as part of our Best of ECT News series.
As if e-commerce companies didn’t have enough problems with transacting securely and defending against things like fraud, another avalanche of security problems — like cryptojacking, the act of illegally mining cryptocurrency on your end servers — has begun.
We’ve also seen a rise in digital credit card skimming attacks against popular e-commerce software such as Magento. Some of the attacks are relatively naive and un-targeted, taking advantage of lax security on websites found to be vulnerable, while others are highly targeted for maximum volume.
As for server-side problems, you might be out of luck. A lot of e-commerce software lives in a typical LAMP stack, and while there is a plethora of security software for Windows-based environments, the situation is fairly bleak for Linux.
For a long time, Linux enjoyed a kind of smug arrogance with regard to security, and its advocates pooh-poohed the notoriously hackable Windows operating system. However, it’s becoming ultra clear that it’s just as susceptible, if not more so, for specific software such as e-commerce solutions.
Roads and Bridges Falling Down
Why have things seemingly gotten so much worse lately? It is not that security controls and processes have changed dramatically. It’s more that the attacks have become more lucrative, more tempting, and easier to get away with, thanks to the rise of cryptocurrency. It allows attackers to generate money quickly, easily and, more important, anonymously.
Folks — this is the loudspeaker — our digital roads and bridges are falling down. They are old and decrepit. Our security controls and processes have not kept pace with the rapid advancement of malware, it’s ease of use, and its coupling with a new range of software that allows attackers to hide their trails more effectively.
Things like cryptocurrency, however, are just the symptom of a greater issue. That issue is the fact that the underlying software foundations we’ve been using ever since the first browsers appeared are built on a fundamentally flawed architecture.
A Different World
The general purpose operating system that allowed every company to have a whole slew of easy-to-use desktop software in the 90s, and that built up amazingly large Internet companies in the early 2000s, has an Achilles heel. It is explicitly designed to run multiple programs on the same system — such as cryptominers on the server that runs your WooCommerce or Magento application.
It is an old concept that dates back to the late 1960s, when the first general purpose operating systems, such as Unix, were introduced. Back then, the computers had a business need to run multiple programs and applications on them. The systems back then were just too big and too expensive not to. They literally filled entire walls.
That’s not the case in 2018. Today our computers are “virtual,” and they can be taken down and brought up with the push of a button — usually by other programs. It’s a completely different world.
Now for end user computing devices such as personal laptops and phones, we want this design characteristic, as we have the need to use the browser, check our email, use the calendar and such. However, on the server side where our databases and websites live, it’s a flaw.
Crypto-Criminal Bar Brawl
This seemingly innocuous design characteristic is what allows attackers to run their programs, such as cryptominers, on your servers. It is what allows attackers to insert card skimmers into your websites. It is what allows the attackers to run malware on your servers that try and shut down other pieces of malware in order to remain the dominant attacker.
Yes, you read that right — many of these variants now have so much free rein on so many thousands of websites that they literally fight against each other for your computing resources. This is how bad it’s gotten. It’s as if the cryptocriminals threw a party at your house while you were gone and then got into a big brawl and tore up all your furniture and ransacked your house. Then they woke up the next day and laughed all the way to the bank.
This isn’t the only way to deploy software, though. Consider famous software companies such as Uber, Airbnb, Twitter and Facebook. If you talk to their engineers, they’ll tell you that they already have to isolate a given program per server — in this case, a virtual machine. Why? It’s because they simply have too much software to begin with.
Instead of dealing with a single database, they might have to deal with hundreds or thousands. Likewise, the old concept of allowing multiple users on a given system doesn’t make a lot of sense anymore. It has evolved to the point where identity access management lives outside of the single server model.
Hack Attacks Are Not Natural Disasters
Unikernels embrace this new model of software provisioning yet enforce it at the same time. They run only one single application per virtual machine (the server). They can not, by design, run other programs on the same server.
This completely prevents attackers from running their programs on your server. It prevents them from downloading new software onto the server and massively limits their ability to inject malicious content, such as credit card skimming scripts and cryptomining programs.
Instead of scanning for hacked systems or unpatched systems waiting to be attacked, you could even run outdated software that has known bugs in it, and these same styles of attacks would fall flat, as there would be no capability to execute them. This is all enforced at the operating system level and backed by hardware baked-in isolation.
Are we going to continue to let the cryptocriminals run free on our servers? How are you going to call the cops on people you can’t even see who might live halfway around the world? Don’t fall prey to the notion that hackers are natural disasters and it’s only inevitable that they’ll get you one day. It doesn’t need to be like that. We don’t have to deploy our software like we are using computers from the 1970s. It’s time that we rebuilt our digital infrastructure.