7 Reasons Websites Are No Longer Safe

By Bill Brenner

CSO — Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.


Among the findings in Sophos' threat report for the first six months of this year: 23,500 new infected Web pages -- one every 3.6 seconds -- were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.

In a recent interview with CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.

1. Polluted ads

Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that the ads are often hiding malware, without the knowledge of the website owner or the user.

"A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections."

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site.

Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said. Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks

SQL injection attacks are among the most popular tactics and have been used in several high-profile incidents in the last couple of years. For example, see "SQL Injection Attacks Led to Heartland, Hannaford Breaches."

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

"The hacker essentially takes advantage of flaws related to shoddy site development," Wang said.
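An added example, not part of the original article: the email-field flaw described above, shown as a string-built query next to a version that validates the input's form. It goes beyond the text by also binding the value as a query parameter. The table, function names and sample rows are constructed for illustration, and Python's built-in sqlite3 module stands in for the site's database.

```python
import re
import sqlite3

# Permissive e-mail shape check; apostrophes are legal in the local part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed form input: SQL text typed into the e-mail field.
INJECTED = "x' OR '1'='1"


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE subscribers (email TEXT, name TEXT);
        INSERT INTO subscribers VALUES ('alice@example.com', 'Alice');
        INSERT INTO subscribers VALUES ('bob@example.com', 'Bob');
        INSERT INTO subscribers VALUES ('o''brien@example.com', 'Pat');
    """)
    return db


def lookup_vulnerable(db, email):
    # Flaw: the field value is pasted into the SQL text, so quotes in the
    # input change the structure of the statement the server runs.
    sql = "SELECT name FROM subscribers WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, email, validate=True):
    # Check 1: reject input that is not of the expected form.
    if validate and (len(email) > 254 or not EMAIL_RE.fullmatch(email)):
        raise ValueError("not an e-mail address")
    # Check 2: bind the value as a parameter; it is compared as data only.
    sql = "SELECT name FROM subscribers WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]


def attempt(fn, db, email, **kw):
    """Return sorted rows, or the exception type name if the lookup fails."""
    try:
        return sorted(fn(db, email, **kw))
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for value in (INJECTED, "o'brien@example.com"):
        print(repr(value), attempt(lookup_vulnerable, db, value),
              attempt(lookup_hardened, db, value))
```

The second sample value is a well-formed address containing an apostrophe: it passes the form check, breaks the string-built query, and is handled correctly only by the bound parameter, which is why the two checks are used together.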

3. User-provided content

It doesn't take a genius to write a comment to a blog posting or something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links. (See "Seven Deadly Sins of Social Networking Security".)

"You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff," Wang said. "They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around."

4. Stolen site credentials

Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider's log-in credentials. From there it's no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor's credit card or other data.

5. Compromised hosting service

This one is similar to number 4, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang said the bad guys could potentially poison thousands of sites the provider is hosting in one strike.

6. Local malware

The website you visit may be perfectly safe, but if there's malware hidden on your own machine you can unwittingly become part of the attack, Wang said. For example, the user can visit their online banking site, and when typing in a user name and password the Trojan is there to record that information and pass it back to the attacker, allowing him to go in later and empty out your account or that of others.

7. Hacker-engineered fakes

Finally, there's the problem of hackers trying to sell you fake merchandise that includes phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it -- a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer -- it's a sure sign of trouble.

"You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data," Wang said.

What is one to do if their website relies on ads and open access?

Wang suggested IT security administrators use security scanners against anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he added.
