Just when you think things are getting safer on the web, somebody comes up with a startling claim and spoils your party: “Our analysis paints a somewhat bleak situation on the state of modern web ecosystem.” That’s the conclusion of a 2016 study conducted by Carnegie Mellon University. The full title is worth noting:
We’ll save you the trouble of the long read and give you the highlights in this manageable blog post. The authors did some in-depth research on the subject. Their findings may surprise you.
All those network security guys out there seem to know a lot. Look around on the web and you can read all kinds of information about how to assess and protect against vulnerabilities. And we’ve covered a lot of them in this blog. We’ve written about the top 10 web application security risks as defined by the OWASP project. We’ve discussed the need for redundancy and proactive maintenance. And we’ve told you about such things as server hardening and change management. We’ve tried to cover all the bases. But here’s another issue that shouldn’t be overlooked: third-party web services.
What are third-party services? There must be a lot of them out there, but the researchers focused on three kinds: the domain name system (DNS), certificate authorities (CAs), and content delivery networks (CDNs). As the British website The Register points out in its report on this study, “Internet infrastructure may be fairly resilient thanks to its distributed nature, but the web we’ve built on top of it appears to be rather fragile.” The real “painful truth”, as the writer of the article puts it, is that third-party services like these are the “Achilles Heel” for top websites.
The poster child for third-party vulnerability is a company called Dyn. In 2016, there was a “mega-attack” on the service provider that shook the foundations of the internet. OK, that may be an overstatement. But the issue was big enough to reach the desk of the US Director of National Intelligence at the time, James Clapper. He told CBS that the DDoS attack on Dyn was likely the work of “non-state actors”. A group calling itself New World Hackers claimed responsibility.
Dyn claims on their website that they have “the world’s most trusted DNS product suite”. We don’t want to disparage Dyn here. In fact, their claim may very well be true. They say that they are “trusted by the best”, and list some famous companies as customers.
The introduction to the study gives us more information about the attack: “Dyn hosted the authoritative nameservers for many popular web services, such as PayPal, Twitter, and Github and as a result they were inaccessible to a sizable part of the East Coast.” There seemed to be a cascade effect since many other web services were also dependent on Dyn. As the authors stated, “the incident resulted in a massive impact on the availability of many popular web services.”
This major internet outage was caused by an attack on a third-party web service provider. DNS translates the website names that we type into the top of our browsers into the IP addresses that browsers actually connect to. Without the domain name service, the websites may as well be down, because nobody can get to them!
This major DDoS attack was a wake-up call for the internet. So the researchers at Carnegie Mellon dug in and analyzed the real situation out there. What are the risks related to third-party service providers? Here is what they found:
The authors distinguish between two types of dependencies. An example of a direct dependency, they say, is where a web service like Spotify uses Dyn as its DNS provider. Then there are “indirect or transitive dependencies that consider ‘multi-hop’ effects; e.g., loading Netflix.com entails loading Symantec which in turn depends on Verisign for DNS.” It is a tangled web.
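To make the direct-versus-transitive distinction concrete, here is an added example (not code from the study or its authors) that walks a small constructed dependency graph the way the paper’s “multi-hop” analysis does, using the Spotify/Dyn and Netflix/Symantec/Verisign chains above; the other provider names in the sample (fastly, digicert) are assumed placeholders, and the edge kinds are illustrative only.

```python
"""Map direct and transitive third-party dependencies of web sites.

Constructed sample graph (not data from the CMU study). Each node lists the
third parties it needs, tagged with the kind of service. spotify.com naming
dyn as its DNS provider is a direct dependency; netflix.com embedding a
resource from symantec, which uses verisign for DNS, is a transitive one.
"""
from collections import deque

DEPENDENCIES = {
    "spotify.com": [("DNS", "dyn"), ("CA", "digicert")],
    "netflix.com": [("DNS", "dyn"), ("resource", "symantec")],
    "github.com": [("DNS", "dyn"), ("CDN", "fastly")],
    "symantec": [("DNS", "verisign")],
    "fastly": [("DNS", "dyn")],
    "dyn": [], "verisign": [], "digicert": [],
}


def transitive_dependencies(graph, site):
    """Return {provider: hops} for everything `site` depends on.

    hops == 1 is a direct dependency; larger values are multi-hop (transitive).
    Breadth-first order records the shortest chain, so a provider reached both
    directly and through another provider is reported as direct.
    """
    hops = {}
    queue = deque([(site, 0)])
    while queue:
        node, depth = queue.popleft()
        for _kind, provider in graph.get(node, []):
            if provider != site and provider not in hops:
                hops[provider] = depth + 1
                queue.append((provider, depth + 1))
    return hops


def provider_concentration(graph, sites):
    """Count how many of `sites` reach each provider, directly or transitively.

    A provider that most sites pass through is a shared single point of
    failure: an outage there cascades to every site in the count.
    """
    counts = {}
    for site in sites:
        for provider in transitive_dependencies(graph, site):
            counts[provider] = counts.get(provider, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))
```

Run over the three sample sites, `provider_concentration` puts dyn at the top with all three sites depending on it (github.com reaches it both directly and through fastly), which is exactly the cascade the Dyn outage demonstrated.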
The findings were pretty clear. The internet is at risk. And third-party services are the weak spot. The paper’s recommendations are:
The research paper goes into much more detail about such things as their methods and motivation. They also mention something about the “attack surface” of a web service provider. To find out your attack surface, perhaps you should ask the question “Where can they hit us?” In this case, the authors, and the Dyn example, prove very clearly that attackers can hit us in unexpected places. Third-party services are definitely one of them.