Network World - Insecurely written software still looms as one of the greatest threats to Internet commerce, and user-generated Web content is becoming a vast new vulnerability that hackers want to exploit, according to experts at the RSA Conference.
Cross-site scripting attacks on Web sites can lead to malware taking over the browsers of machines that use the sites, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics Inc., an Atlanta based security products vendor.
“If you’re a business where users browse the Web [legitimately] and hackers take over a browser, they can use it as a tool to look at the internal network and send data outside the network,” Sima said.
Similarly, this can lead to hackers stealing from individual users, he said. For instance, once a browser is commandeered, a hacker can learn passwords and activities an individual uses on the Internet. “They can go to stocktrader.com and trade your stock while you’re logged in. It will do it and you won’t know it,” Sima said.
Gaming sites and social networking sites are particularly vulnerable because they have such large numbers of users who routinely send content to and from the sites. “If [hackers] find a vulnerability in a site, they can broadcast phishing attacks. They’ll have millions and millions of victims available,” he said.
“It’s really getting rather scary,” said David Cullinane, chief information security officer at eBay Marketplaces, a site that is a desirable target for hackers. “It’s really getting very sophisticated.” Professional hackers looking to make as much money as possible are jumping on vulnerabilities faster than ever, he said.
In 2004, exploits using man-in-the-middle attacks to replay one-time user passwords were seen as a looming threat that would hit on a large scale in 2008, but they came in 2006, Cullinane said. Network protection technologies that shield Web applications could be put in place, but they're expensive and any money you spend on them goes down the drain if hackers find ways around them, he said.
“If I spend $1 billion on security that’s good for six months, what’s the [return on investment] for that?” he asked.
Cullinane said some applications are put into production perhaps before they are thoroughly secured because customers using corporate Web sites for business want new Web interactions with the company.
“We want code that’s written properly, but other factors matter. The rate of change [in Web business applications] is amazing, and the throughput is mind-boggling. If you do too much security, you bog down the Web site,” he said.
Some businesses accept the risk of attacks because they can’t tightly secure their networks; instead they wait for fixes from security vendors that can stop specific exploits using signature-based blocking, said William Geimer, a consultant at Newington, Va.-based Open System Sciences, which is working on a project to secure Web sites for the U.S. Agency for International Development. “You’re hoping someone else gets burned first,” he said.
One possible cure is writing more secure software. But that's difficult because software designers aren’t trained to write securely; they’re trained to write programs that perform functions, Sima said. Security is an afterthought, he said.
Better frameworks for how software is written could help, said William Scherlis, a computer science professor at Carnegie Mellon University. That includes looking at the software as it is being written using a hacker’s perspective to find potential vulnerabilities. “We should try to find patterns of behavior against the application that might damage the site,” he said.
Sima wasn’t very hopeful about that approach. Thinking like hackers is tough, he said. A hacker’s strength is thinking outside the box, he said, and it’s not possible to identify all the places they might attack an application. “Things like threat modeling are hard to create,” he said.
He encouraged audience members to make sure that programmers have all their applications verify every piece of input they accept before acting on it. Just that one step, if followed religiously, could eliminate 80% of attacks, he said.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
