Targeting Administrative Interfaces

Years ago, vendors pushed to make administrative interfaces manageable with Web browsers, unknowingly making large enterprises more vulnerable to security risks.


"That was a sad decision that they made years ago," said Ed Skoudis, founder and senior security consultant with InGuardians. "Now, enterprises must cope with it."

Attackers use browser hooking and exploit client-side software flaws to target administrative interfaces. These interfaces control an organization's endpoint security suites, network administration tools, Enterprise Resource Planning software, and even HVAC and electrical management systems. Once an attacker lures a user with super-user privileges into viewing attacker-supplied content on a website, the attacker can push scripts to that user's browser that query its history. Sometimes the scripts are served from the attacker's own site, sometimes from a compromised but otherwise trusted third-party source. The scripts check whether the browser was previously used to manage an administrative interface of importance.

The number of vulnerabilities this allows for is mind-numbing. Literally.

"Bad guys can take over and control your heating, ventilation and air conditioning," Skoudis said. "They could make your buildings very uncomfortable. Worse yet, they could shut down cooling to your data center, resulting in massive shutdown and loss of data."

An organization's computer infrastructure is connected via IP networks, and those networks are increasingly managed by administrators using browsers to connect via HTTP to a Web server that controls said infrastructure.

In order to protect your company, an old piece of advice comes to the fore. Make sure users who administer systems via a browser use a different login account and a different browser for their admin activities.

"The real big thing here is to separate out admin browsing use from non-admin browsing use," said Skoudis. "Separate accounts and the use of separate browsers is really important."

Beyond that, cross-site scripting filters also help. They don't solve the problem, because even trusted sites are sometimes compromised, but they do reduce it.
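Separating admin browsing from everyday browsing is the mitigation the article recommends; a complementary detection a practitioner would want is to watch the admin interface's own access log for requests that arrive from a page the admin interface did not serve, since a request to the admin panel triggered from third-party content is exactly the pattern of the browser-hooking attack described above. The following is an added example, not code from the article or from any product it mentions. It assumes a hypothetical admin interface at https://admin.example.internal whose paths start with /admin/, and the log lines are constructed for the example.

```python
import re
from typing import Optional

# Assumed origin of the hypothetical admin interface being protected.
ADMIN_ORIGIN = "https://admin.example.internal"

# Constructed sample lines in combined-log format (with Referer and User-Agent).
# Lines 3 and 4 show an admin session being driven from a third-party news page.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2010:09:01:12 +0000] "GET /admin/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Mar/2010:09:01:40 +0000] "POST /admin/policy/update HTTP/1.1" 200 88 "https://admin.example.internal/admin/policy" "Mozilla/5.0"
10.0.0.5 - alice [12/Mar/2010:11:17:03 +0000] "GET /admin/agents/status HTTP/1.1" 200 2048 "http://news.example.com/article/42" "Mozilla/5.0"
10.0.0.5 - alice [12/Mar/2010:11:17:04 +0000] "POST /admin/agents/disable HTTP/1.1" 200 31 "http://news.example.com/article/42" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Methods that change state on the admin interface deserve a higher severity.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_origin(referer: str) -> Optional[str]:
    """Return scheme://host[:port] of a Referer value, or None if it is absent ('-')."""
    if not referer or referer == "-":
        return None
    m = re.match(r"^(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://(?P<netloc>[^/?#]+)", referer)
    if not m:
        return None
    return f"{m.group('scheme')}://{m.group('netloc')}".lower()


def classify(entry: dict, admin_origin: str) -> str:
    """Label an admin request by where the browser says it came from."""
    origin = referer_origin(entry["referer"])
    if origin is None:
        # A missing Referer is not evidence either way: privacy settings and
        # typed URLs also produce it, so it is only reported, never flagged.
        return "no-referer"
    if origin == admin_origin.lower():
        return "same-origin"
    return "cross-origin"


def find_cross_origin_admin_requests(log_text: str, admin_origin: str,
                                     admin_prefix: str = "/admin/") -> list:
    """Return admin-interface requests whose Referer points at a foreign origin.

    Each returned dict is the parsed log entry plus a 'verdict' and a
    'severity' ('high' for state-changing methods, 'medium' otherwise).
    """
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["path"].startswith(admin_prefix):
            continue
        verdict = classify(entry, admin_origin)
        if verdict != "cross-origin":
            continue
        severity = "high" if entry["method"] in STATE_CHANGING else "medium"
        flagged.append({**entry, "verdict": verdict, "severity": severity})
    return flagged


if __name__ == "__main__":
    for hit in find_cross_origin_admin_requests(SAMPLE_LOG, ADMIN_ORIGIN):
        print(f"{hit['severity']:6} {hit['user']} {hit['method']} {hit['path']} "
              f"referer={hit['referer']}")
```

Run against the constructed log, the two requests driven from the news page are reported, the POST that disables agents at high severity. Referer is easily stripped or spoofed, so this is a detection aid that complements the separate-account, separate-browser advice rather than a substitute for it; an admin interface that rejects state-changing requests lacking a same-origin Referer or Origin header would enforce the same idea server-side.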

It's also worth mentioning that this is a fairly new attack vector, one that organized crime and nation-state actors have not yet picked up. That doesn't mean they won't, and if they do, the potential for harm is sobering.

"It gives an attacker a way to blind the administrators of a target enterprise to what is actually happening on their infrastructure, including their own security tools," said Skoudis.

Adam Ross is managing editor at the SANS Institute and wrote, edited, and Web produced for The Washington Post's opinions and politics sections, online and in print. You can reach him at aross@nextgov.com.