CSO — Conventional wisdom is that
Web wanderers are safe as long as
they avoid sites that serve up pornography,
stock tips, games and the like.
But according to recently gathered
research from Boston-based IT security
and control firm Sophos, sites we take
for granted are not as secure as they appear.
Slideshow: 11 Security Companies to Watch
Among the findings in Sophos' threat report
for the first six months of this year,
23,500 new infected Web
pages -- one every 3.6 seconds -- were
detected each day during that period.
That's four times worse than the same
period last year, said Richard Wang,
who manages the Boston lab.
Many such infections were found
on legitimate websites.
In a recent interview with CSOonline,
Wang outlined seven primary reasons
legitimate sites are becoming
1. Polluted ads
Many legitimate sites rely on paid advertisements
to pay the bills.
But Wang said recent infection statistics
gathered by his lab show that they
are often hiding malware, without
the knowledge of the website owner
or the user.
"A lot of sites supported by advertisers,
rather than contracting directly with
the advertiser, work through ad agencies
and network affiliates," Wang said. "Some
of these affiliates are less than
diligent in reviewing content for flaws
Ads that incorporate Flash animation and
other rich media are often rife with
security holes attackers can exploit.
When the user clicks on the ad,
the browser can be (and often is) redirected
to sites that download malware in
the background while the user
is reading the legitimate site.
Someone in the ad-providing supply chain
can be the culprit, though tracing a
compromise back to them can be
exceedingly difficult, Wang said.
Whatever the case may be, a
downloaded Trojan is then free to gather up
usernames, passwords and
other sensitive banking data.
2. SQL injection attacks
SQL injection attacks are among the
most popular of tactics and have been
used in several high-profile incidents
in the last couple of years.
For example, see "SQL Injection Attacks
SQL injection is a technique that exploits
a flaw in the coding of a Web application
or page that uses input forms.
A hacker might, for example, input SQL
code into a field that is intended
to collect email addresses.
If the application doesn't include
a security requirement to validate
that the input is of the correct form,
the server may execute the SQL command,
allowing the hacker to gain control
of the server.
"The hacker essentially takes advantage
of flaws related to shoddy site development,"
3. User-provided content
It doesn't take a genius to write a comment
to a blog posting or something they see
on a social networking site like Facebook
The bad guys know this and are therefore
taking the opportunity to pollute discussion
threads and other sources of
user-supplied content with
spam-laden links. (See "Seven Deadly
"You can get comment spam, completely
irrelevant comments including links
to sites trying to sell you stuff," Wang said.
"They can also try posting full links
to malicious sites or work in a little scripting,
depending on the filter they are trying
to work around."
4. Stolen site credentials
Using the types of malware and social networking
tactics described above, as well
as other means, attackers can steal
the content provider's log-in credentials.
From there it's no sweat logging into the site
and making changes.
It typically is a change so subtle and small
that it escapes notice.
The tiny bits of code added in can then
steal the site visitor's credit card or other data.
5. Compromised hosting service
This one is similar to number 4, where
the credentials of the content provider
are stolen and hackers log in to make
Through this vector, Wang said the bad guys
could potentially poison thousands of sites
the provider is hosting in one strike.
6. Local malware
The website you visit may be perfectly safe,
but if there's malware hidden on your
own machine you can unwittingly become
part of the attack, Wang said.
For example, the user can visit their online
banking site, and when typing in a
user name and password the Trojan is
there to record that information and
pass it back to the attacker, allowing him
to go in later and empty out
your account or that of others.
7. Hacker-engineered fakes
Finally, there's the problem of hackers trying
to sell you fake merchandise that includes
phony security software.
If a box appears warning that your machine
may have been infected and that you
must immediately download a particular
security tool to remove it--a common
occurrence if you have visited a site
that surreptitiously downloads malware
onto your computer--it's a sure sign of trouble.
"You spend your $39.95 and you get a
worthless piece of software, and at the
same time you have given them your
credit card data," Wang said.What is one to do if their website relies on
ads and open access?
Wang suggested IT security administrators
use security scanners against anything coming
in by way of third-party hosts and,
for in-house apps and other online property,
that developers redouble efforts
to write more ironclad code
For those who heavily rely on third-party forums,
a wise practice is to take a daily scan
of vulnerability reports that may affect
those providers and to keep up to date
on security patches that will harden
your own environment against
these threats, he added.Link here
Gsm: (250) (0) 78-847-0205 (Mtn Rwanda)
Gsm: (250) (0) 75-079-9819 (Rwandatel)
Home: (250) (0) 25-510-4140
P.O. Box 3867
Kigali - RWANDA
Skype ID: kayisa66