The World Cup is quite a conversation starter, to say the least. The entire world is shackled behind the screen, trying to endure the tension caused by their country’s football game. Football fan or not, everyone seems to show at least some interest in the Russian sports spectacle. That means a lot of traffic. To the many bars, parks and city squares that offer a big screen. And to the FIFA website.
But does FIFA know their attack surface? A quick look through the Sweepatic eye showed that fifa.com has a lot of subdomains and web applications. They might not be winning the world cup in Digital Footprint Size, but it is large none the less.
Fifa.com's Playing Field
There is no doubt that big events like the World Cup also attract criminals. Pick pocketers, thieves and scammers selling "legitimate" tickets? Sure, but often overlooked are cyber criminals. You can bet they are all watching which doors are open for quick access and often this is easier than you think. Just look at the fiasco at the World Cup 2014, held in Brazil.
When the way in is not as easy as reading the password from a screen/post-it note accidentally released to the public, hackers need to map the targets internet footprint so they can find vulnerabilities. Since the Sweepatic team has a strong Belgian presence, we took a quick glance at FIFA's internet footprint during the match against Brazil. Because, you know... cyber security pros don't take any breaks. A quick preliminary scan revealed that there are 300+ active subdomains exposed to the internet by FIFA with roughly 2/3 of them hosting various web applications. Although FIFA has a highly aggressive access policy, such as blocking access to their sites via various VPN providers, an alarmingly high number of these hosts were outdated and potential entry points into the infrastructure. Including:
- Loose CSP policies - considered a good practice, but whitelisting some sources as fk.github.io is very dangerous (confederationscup.tickets.fifa.com)
- Open AWS S3 buckets
- Mismatching SSL certificates for live API endpoints such as https://live.mobileapp.fifa.com/. Some of the endpoints have SSL certificates expired more than 690+ days ago!
- Suspicious login pages with links redirecting to even more suspicious Chinese hosts, because "Orenosp Secure Reverse Proxy" DNS homepage at http://preview.fifa.com/_formauth/login.html expired
- Several default unmaintained default installations for GlassFish Server and CMS servers exposing sensitive information via error messages such as local paths on disk
- DNS misconfiguration that might lead to subdomain takeovers
There is this old saying: "A chain is only as strong as its weakest link" and you can be damn sure that this holds even more true in cyberspace. It is very important for an organization to know what they are defending and what they have exposed to the internet. Unfortunately, what we often see here at Sweepatic is that organizations rely on asset listings managed by humans. So far, we haven't seen a single of those human managed lists to be as complete as our state-of-the art asset discovery. The latter always find much more exposed assets, in some cases even twice as many! As vulnerability management and GRC teams mostly use this human managed list, it means they miss a huge chunk of their growing and dynamic attack surface. It takes only one weak asset to be exposed and vulnerable to get a foot in the door of your organization...
Avoiding Penalty Kicks
What it all comes down to: keeping an eye on your digital footprint is important. The larger your attack surface, the greater the risks. Take cybersquatting for example, causing harm to your organization's reputation. Data leakage is another threat. One that is increasingly important in these GDPR times. Read all about data leakage and the infamous GDPR in our former blogposts.
At Sweepatic we found that, on average, the digital footprint of an organization doubles every 9 months. Additionally, 73% of published files contain sensitive information, in some cases similar as exposing a football game strategy. Gaining visibility on all your internet facing assets and their exposure around the clock should be your first step. Gather your defenders in front of the goal. Don’t let bad actors score.
For more information visit our website or directly contact us at info[at]sweepatic.com!