RSA - Hackers find a wealth of victims on corporate sites
- 08 February, 2007 15:28
Insecurely written software still looms as one of the greatest threats to Internet commerce, and user-generated Web content is becoming a vast new vulnerability hackers want to exploit, according to experts at RSA Conference.
Cross-site scripting attacks on Web sites can lead to malware taking over the browsers of machines that use the sites, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics.
"If you're a business where users browse the Web [legitimately] and hackers take over a browser, they can use it as a tool to look at the internal network and send data outside the network," Sima said.
Similarly, this can lead to hackers stealing from individual users, he said. For instance, once a browser is commandeered, a hacker can learn passwords and activities an individual uses on the Internet. "They can go to stocktrader.com and trade your stock while you're logged in. It will do it and you won't know it," Sima said.
Gaming sites and social networking sites are ripe for attacks because they have such large numbers of users who are routinely sending content to and from the sites. "If [hackers] find a vulnerability in a site, they can broadcast phishing attacks. They'll have millions and millions of victims available," he said.
"It's really getting rather scary," said David Cullinane, CISO for eBay Marketplaces, a place ripe for such exploits. "It's really getting very sophisticated." Professional hackers looking to make as much money as possible are jumping on vulnerabilities faster than ever, he said.
In 2004, exploits using man-in-the-middle attacks to replay one-time user passwords were seen as a coming threat that would hit in volume in 2008, but they came in 2006, Cullinane said. Network protection technologies that shield Web applications could be put in place, but if hackers find ways around them, they can be too expensive to use, he said.
"If I spend US$1 billion on security that's good for six months, what's the [return on investment] for that?" he asked.
Cullinane said insecure applications are put into production perhaps before they are thoroughly secured because customers using corporate Web sites for business want new Web interactions with the company.
"We want code that's written properly, but other factors matter. The rate of change [in Web business applications] is amazing, and the throughput is mind-boggling. If you do too much security, you bog down the Web site," he said.
Some businesses accept the risk of attacks because they can't tightly secure their networks, instead waiting for fixes from security vendors that can block specific exploits using signature-based blocking, said William Geimer, a consultant with Open System Sciences, which is working on a project to secure Web sites for the U.S. Agency for International Development. "You're hoping someone else gets burned first," he said.
One possible cure is writing more secure software, which is still proving difficult because software designers aren't trained to write securely; they're trained to write programs that perform functions, Sima said. Security is an afterthought, he said.
Better frameworks for how software is written could help, said William Scherlis, computer science professor at Carnegie Mellon University. That includes looking at the software as it is being written using a hacker's perspective to find potential vulnerabilities. "We should try to find patterns of behavior against the application that might damage the site," he said.
Sima wasn't very hopeful about that approach -- thinking like hackers is tough, he said. Hackers' strength is thinking outside the box, he said, and it's not possible to identify all the places they might attack an application. "Things like threat modeling are hard to create."
He encouraged audience members to make sure that programmers have all their applications verify every piece of input they accept before acting on it. Just that one step, if followed religiously, could eliminate 80% of attacks, he said.
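The input-validation step Sima recommends, together with the output encoding that actually neutralizes the cross-site scripting described earlier, as an added example that is not from the article or any product named in it. It assumes a user-generated comment feature on a site; the comment text and names are constructed samples.

```python
import html
import re

# Constructed sample of user-generated content (not from the article): a
# product comment that smuggles a script tag, the kind of payload a stored
# cross-site scripting probe against a social or auction site would submit.
SAMPLE_COMMENT = "Great seller! <script>alert('xss')</script>"

# Allowlist for a display name: letters, digits, underscore, 3 to 20 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
MAX_COMMENT_LEN = 500


def validate_username(name: str) -> str:
    """Reject anything outside the allowlist instead of stripping bad parts."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def validate_comment(text: str) -> str:
    """Structural validation: bound the length and refuse control characters."""
    if len(text) > MAX_COMMENT_LEN:
        raise ValueError("comment too long")
    if any(ord(ch) < 0x20 and ch not in "\n\t" for ch in text):
        raise ValueError("control characters not allowed")
    return text


def render_comment_unsafe(user: str, text: str) -> str:
    """The pattern the article warns about: raw user content pasted into HTML."""
    return f"<div class='comment'><b>{user}</b>: {text}</div>"


def render_comment_safe(user: str, text: str) -> str:
    """Validate on input, then HTML-encode on output so any markup stays inert."""
    user = validate_username(user)
    text = validate_comment(text)
    return (f"<div class='comment'><b>{html.escape(user)}</b>: "
            f"{html.escape(text, quote=True)}</div>")


if __name__ == "__main__":
    print(render_comment_unsafe("buyer42", SAMPLE_COMMENT))
    print(render_comment_safe("buyer42", SAMPLE_COMMENT))
```

Validation alone does not make free-text fields safe; the encoding at render time is what keeps a stray tag from executing in other users' browsers.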