The top 10 reasons Web sites get hacked

Web developers ignore security flaws at customers' peril

Web security is at the top of customers’ minds after many well-publicized personal data breaches, but the people who actually build Web applications aren’t paying much attention to security, experts say.

“They’re totally ignoring it,” says IT consultant Joel Snyder. “When you go to your Web site design team, what you’re looking for is people who are creative and able to build these interesting Web sites… That’s No. 1, and No. 9 on the list would be that it’s a secure Web site.”

The biggest problem is designers aren’t building walls within Web applications to partition and validate data moving between parts of the system, he says.

Security is usually something that’s considered after a site is built rather than before it is designed, agrees Khalid Kark, senior analyst at Forrester.

“I’d say the majority of Web sites are hackable,” Kark says. “The crux of the problem is security isn’t thought of at the time of creating the application.”

That’s a big problem, and it’s one the nonprofit Open Web Application Security Project (OWASP) is trying to solve. An OWASP report called “The Ten Most Critical Web Application Security Vulnerabilities” was issued this year to raise awareness about the biggest security challenges facing Web developers.

The first version of the list was released in 2004, but OWASP Chairman Jeff Williams says Web security has barely improved. New technologies such as AJAX and Rich Internet Applications that make Web sites look better also create more attack surfaces, he says. Convincing businesses their Web sites are insecure is no easy task, though.

“It’s frustrating to me, because these flaws are so easy to find and so easy to exploit,” says Williams, who is also CEO and co-founder of Aspect Security. “It’s like missing a wall on a house.”

Here is a summary of OWASP’s top 10 Web vulnerabilities, including a description of each problem, real-world examples and how to fix the flaws.

1. Cross site scripting (XSS)

The problem: The “most prevalent and pernicious” Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank’s Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, which rejects any data that’s not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad. Additionally, use appropriate encoding of all output data. “Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser,” OWASP says.

2. Injection flaws

The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter — which interprets text-based commands — into executing unintended commands. “Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application,” OWASP writes. “In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.”

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. “If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries,” OWASP writes.

3. Malicious file execution

The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don’t use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.

4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

“References to database keys are frequently exposed,” OWASP writes. “An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature.”

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can’t avoid direct references, authorize Web site visitors before using them.

5. Cross site request forgery

The problem: “Simple and devastating,” this attack takes control of victim’s browser when it is logged onto a Web site, and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or “remember me” functionality. Banks are potential targets.

“Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery,” Williams says. “Has there been an actual exploit where someone’s lost money? Probably the banks don’t even know. To the bank, all it looks like is a legitimate transaction from a logged-in user.”

Real-world example: A hacker known as Samy gained more than a million “friends” on MySpace.com with a worm in late 2005, automatically including the message “Samy is my hero” in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user’s language preferences.

How to protect users: Don’t rely on credentials or tokens automatically submitted by browsers. “The only solution is to use a custom token that the browser will not ‘remember,’” OWASP writes.

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program’s configuration and internal workings.

“Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks,” OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP’S WebScarab Project to see what errors your application generates. “Applications that have not been tested in this way will almost certainly generate unexpected error output,” OWASP writes.

Another tip: disable or limit detailed error handling, and don’t display debug information to users.

7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

“Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question and account update,” OWASP writes.

Real-world example: Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller, the flaw was vulnerable to e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.

How to protect users: Communication and credential storage has to be secure. The SSL protocol for transmitting private documents should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.

8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it’s often poorly designed, using inappropriate ciphers.

“These flaws can lead to disclosure of sensitive data and compliance violations,” OWASP writes.

Real-world example: The TJX data breach that exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.

How to protect users: Don’t invent your own cryptographic algorithms. “Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing,” OWASP advises.

Furthermore, generate keys offline, and never transmit private keys over insecure channels.

It’s pretty common to store credit card numbers these days, but with a Payment Card Industry Data Security Standard compliance deadline coming next year, OWASP says it’s easier to stop storing the numbers altogether.

..............]

Hacker breaks into eBay server, locks users out

A malicious hacker broke into an eBay server on Friday and temporarily suspended the accounts of a "very small" number of members, the company said.

"We were able to block the fraudster quickly before any permanent damage had been done. At no point did the fraudster get any access to financial information or other sensitive information," eBay spokeswoman Nichola Sharpe said via e-mail.

EBay has "secured and restored" the affected accounts and is calling the affected users, she said, without specifying how many accounts the hacker accessed and tinkered with.

"The fraudster did this by accessing externally visible servers, not by hacking into the eBay site," Sharpe said.

She didn't immediately reply to followup questions from IDG News Service seeking clarification on what is an "externally visible" server and how it's different from an eBay site server.

EBay faces attacks to compromise its systems "every day," Sharpe said. "After learning of the recent situation, we quickly reacted to it," she said.

"As we continue to lock down on the traditional ways that bad guys have attempted to exploit our system, it is only natural that they will look for new ways to get in. It is an ongoing battle," she said.

The incident, first reported by e-commerce news site AuctionBytes, happened little over a week after someone used an eBay discussion forum to post confidential information about eBay users.

The previous incident led the e-commerce giant to shut down the forum, one that ironically was devoted to the discussion of security issues.

The perpetrator of that confidential data disclosure posted the names and contact information of 1,200 eBay members on the company's Trust & Safety discussion forum, along with credit card numbers that were later determined to be invalid.

EBay eventually concluded that the attacker obtained the information via a phishing scheme, tricking individual members into disclosing the data.

Friday's hack has quite a few eBay members rattled, judging by this long discussion forum thread about the incident.

In that thread, some affected eBay members report receiving e-mails from a hacker identified as Vladuz saying that he had targeted them for posting forum comments that were critical of him.

Vladuz has in the past reportedly stolen login information that has allowed him to post messages to eBay discussion forums as if he were an eBay employee.

In its article, AuctionBytes said Vladuz has been targeting eBay for about 10 months.

Sharpe didn't immediately reply to the question whether eBay knows who was behind Friday's attack.

7 things your IT department doesn't want you to know

T staffers have good reasons for restricting your use of company systems. To guard your organization's PCs, data, and bandwidth, the pocket-protector crowd may frown on IM software on company PCs, ban unauthorized software use, and limit transfers of large files.
But you can still safely transmit files of many sizes, chat on your favorite IM client, and use unapproved but legal and harmless software.
Read the latest WhitePaper - NAC: Managing unauthorized computers

Transfer huge files

Most businesses impose a ceiling on the size of e-mail attachments they'll accept, but you needn't let that prevent you from receiving the files required for your work.

Box.net, SendSpace, SendThisFile, and YouSendIt offer free file-transfer services, low-cost premium plans for sending giant files, and password-protected transmission. For example, YouSendIt lets you send files of 100MB or less without requiring you to register (see the image below); other sites insist that you provide an e-mail address when you sign up. Recipients usually have a week to click the link in their e-mail to download a file from the service's server.

The YouSendIt online file-transfer service lets you send files in capacities of up to 100MB for free, without registering. You must supply an e-mail address in order to make a password-protected transfer, however.

If you want to chat...

Most companies discourage or prohibit IM software, citing security concerns and the strain it places on network resources. Unfortunately, the workaround--Web-based instant messaging--probably uses even more system bandwidth; but at least offerings such as AOL's AIM Express and Google's IM service work without needing any additional software.

If your company's IT staff hasn't blocked multiple-IM clients, you can use Trillian Basic for added privacy because it encrypts the communication. Alternatively, use a third-party IM enabler like Meebo, which lets you IM from its home page on the Web, with the option of logging on anonymously.

Run any app at work

Policies that forbid nonapproved software needn't prevent you from legally and safely using programs that help you with your job or that are otherwise harmless.If your company hasn't deactivated the external ports on its PCs, simply load whatever software you want onto a U3-enabled USB flash memory drive or portable hard drive. The apps and data on U3 drives remain independent of your system. When you remove the drive from the USB port, the files and applications vanish along with it.

PortableApps.com offers free open-source software that you can save to any external storage device; all of the files temporarily stored on your work PC while you use the software disappear when you unplug the drive.

Unblock company-prohibiteded Web sites

Aware of possible legal entanglements, most companies block porn, gambling, and known malware-compromised addresses. But along the way, excessively zealous IT departments may block access to Web mail, instant messaging, and other everyday sites.

Fear not. By surfing via a proxy--an unblocked third-party site--you can circumambulate this roadblock. Go to the home page of Proxy.org for links to hundreds of third-party proxy sites. The major downside of surfing via proxy is the delay in page loads that results from having your desired site's page info pass through the proxy's server before it gets relayed to you. Be prepared to surf at a slower pace, and check out the proxy site's credentials in advance, to avoid security risks. Most proxy sites are free and offer anonymous surfing, but some are open to malicious content. On the home page of Proxy.org, you'll find a full explanation of how proxies work.

Another way to unblock a site is to use Google's translation page. Though originally intended to translate foreign language pages into the language of your choice, this tool also functions as a proxy if you use it to translate from English to English.

In your browser's address bar, type: http://www.google.com/translate?langpair=en|en&u=www.site.com as a single line with no letter spaces (including after the question mark), but replace 'www.site.com' with the blocked Web address.

Store your work files online

Your boss may expect you to get your work done even if you're not at the office, but your company's computer security policy may not afford easy (or any) access to the files you need. One option is to save them to a USB or other portable storage device before you leave the office. Another is to upload the files you know you'll need to an online storage site such as Box.net or AOL's Xdrive. Most of these services provide at least a couple of gigabytes of free storage. Gmail, Yahoo Mail, Hotmail, and other Web mail services provide anywhere from 5GB to unlimited mail storage, so a third option is to e-mail the files to your personal e-mail account, where you can access them as attachments.

Get your company mail when you're away from the office

Because companies are (rightfully) fearful of intrusions into their e-mail servers, they may prevent employees from accessing their work accounts from outside the office. Others lack support for BlackBerrys and other phone-based e-mail devices, thus preventing their employees from receiving work mail on those devices.

One way to get around this message dam is to forward your e-mail while keeping it on the original server. In Outlook, select Tools, Rules and Alerts. With the E-Mail Rules tab selected, click the New Rule button and choose the Start from a blank rule button. The rules wizard window will pop up with the first two steps already filled in. Click Next, check sent only to me from the "conditions" offered. Click Next, and in the Select action(s) window choose forward to people or distribution list. In Step 2, click the people or distribution list link. In 'Specify whom to forward messages to' type the e-mail address you are forwarding to. Click OK and Finish.

In Outlook Express, select Tools, Message Rules, Mail. A four-step selection window appears. Choose the appropriate rule in each window. In Step 3, click the Forward it to people link, enter your forwarding e-mail address, and click OK. In Step 4, type a name for your new forwarding rule (such as Forward to Yahoo address) and click OK.
Now your mail will appear as usual in your company inbox as well as at your forwarded address. Just remember that if you reply to messages at your forwarded address, recipients will see that address, not your company address.

Keep your e-mail private

Whether you get your e-mail on a company network or through a Web mail service, your company has the legal right to monitor your incoming and outgoing messages.

But you can shut out corporate snoops by encrypting your messages. Of course, doing so may raise a red flag in the IT department, if staffers there detect it (and they may). So if you're concerned about sending e-mail that your employer may not approve of, consider waiting until you're back on your own personal PC before sending it.

To encrypt any e-mail message, all you need is a Digital ID certificate. Various companies, including VeriSign sell these; VeriSign's cost $20 a year. To obtain a Digital ID in Outlook 2003, select Tool, Options, Security and click the Get Digital ID button. Once obtained, the ID will automatically install itself in your Web browser or e-mail program. A Digital ID acts as an electronic substitute for a sealed envelope and handwritten signature. It lets you encrypt e-mail and attachments, protecting them from being read by online intruders. Only your intended recipient can decrypt them. Of course, you'll have to share your password with your recipient to make this possible.

For Web mail, a quick trick is to add an "s" after the "p" in the "http://" portion of the address bar; this will switch you to a secure, encrypted connection. For example, https://mail.aol.com or https://mail.google.com will connect you to each service in such a way that only you can read your incoming messages, and only the intended recipients can read your outgoing mail. Microsoft automatically encrypts messages in its Hotmail accounts, but the "https:" trick does not work for Yahoo Mail.

Windows flaw could steer IE to hackers

Microsoft Monday said that a flaw in the way its Windows operating system looks up other computers on the Internet has resurfaced and could expose some customers to online attacks.
The flaw primarily affects corporate users outside of the U.S. It could theoretically be exploited by attackers to silently redirect a victim to a malicious Web site.
Read the latest WhitePaper - A Good Mobile Experience: Balancing IT Requirements While Giving End-Users the Mobile Experience They Want

Microsoft originally patched this flaw in 1999, but it was rediscovered recently in later versions of Windows and was then publicized at a recent hacker conference in New Zealand. "This is a variation of that previously reported vulnerability that manifests when certain client side settings are made," said Mike Reavey, a group manager at Microsoft's Security Response Center.

The bug has to do with the way Windows systems look for DNS information under certain configurations.

Any version of Windows could theoretically be affected by the flaw, but Microsoft issued an advisory Monday explaining which Windows configurations are at risk and offering some possible workarounds for customers. The company said it is working to release a security patch for the problem.

Here's how the attack would work: When a Windows system is specially configured with its own DNS Suffix it will automatically search the network for DNS information on a Web Proxy Auto-Discovery (WPAD) server. Typically this server would be a trusted machine, running on the victim's own network.

WPAD servers are used to cut down on the manual configuration required to get Windows systems working on the network. DNS suffixes are used to associate computers with certain domains of the network and to simplify administration.

To make it easier for the PC to find a WPAD server, Windows uses a technique called DNS devolution to search the network for the server. For example, if an IDG PC was given a DNS suffix of corp.idg.co.uk, it would automatically look for a WPAD server at wpad.corp.idg.co.uk. If that failed, it would try wpad.idg.co.uk and then wpad.co.uk. And that's where the problem lies: by looking for DNS information on wpad.co.uk, the Windows machine has now left the IDG network and is doing a DNS look-up on an untrusted PC

Reavey says that this problem only affects customers whose domain names begin with a "third-level or deeper" domain, meaning that even with the DNS suffix, users on networks like idg.com or dhs.gov are not affected.

source: networkworld.com

Webroot, Email Systems team for new e-mail security service

Will include e-mail archiving, encryption, antivirus services

Webroot announced this week that will be teaming up with Email Systems, a software-as-a-service security provider, to deliver e-mail security services to enterprise users.

According to Webroot, the two companies will offer a comprehensive e-mail security service that will include such features as e-mail archiving, image scanning and encryption, antispam, antiphishing and antivirus services. Additionally, the service will provide Web security through http Web filtering and other Web-based communications. Webroot says that it will begin integrating its new e-mail protection services to its antispyware and antivirus programs.
Read the latest WhitePaper - The quest for competitiveness: Business mobility and the agile organisation

“Our customers will now be able to easily engage a multilayered security strategy that includes industry-leading endpoint and SaaS-based perimeter security in a unique and integrated package,” says Mike Irwin, COO of Webroot.

Email Systems has been providing e-mail protection and management services to businesses since 2002. Its current package of e-mail protection services includes custom filtering rules for content monitoring; end-to-end e-mail encryption that allows content checking; a disaster recovery mechanism that queues and buffers e-mails that have failed to connect to servers; and a filter that detects spam by continuously scanning unsolicited e-mails that are sent worldwide on a massive scale.

Email Systems CEO Neil Hammerton says that his company will benefit from Webroot’s broader global reach, thus enabling Email Systems to reach a wider group of customers. He also notes that the two companies’ products complement each other and that “we feel like we are poised to take full advantage of a technology sea change.”

Brian Burke, a program director for security products at the IDC market intelligence firm, says he expects the use of hosted messaging security services such as Webroot’s and Email Systems’ to grow exponentially in the near future. Overall, IDC projects worldwide spending on hosted messaging services to nearly quintuple over the next four years, reaching $1.4 billion by 2011.


source: networkwold.com