Where The Web Is Weak

By Andy Greenberg, Forbes.com

Tolstoy wrote that happy families are all alike, while every unhappy family is unhappy in its own way. Something like the opposite might be said for Web sites. Many of the Web's millions of insecure pages can be hacked with just one or two tricks. But patching the bugs in each of those vulnerable sites requires a unique solution.

Case in point: Last month, a single attack ripped through the Web, infecting more than half a million sites including those of the Department of Homeland Security, the United Nations and the British Government. Using Google searches, the attackers' software--written partly in Chinese characters--identified sites vulnerable to a hacking technique called SQL injection and infected them en masse with malware designed to steal the bank codes of the sites' visitors. (See "Google Hacking Goes to China.")

In late April, the sites hosting that malware were identified by security researchers who in turn notified the Chinese Internet service provider and had them disconnected from the Internet. But the job of cleaning up the Web's mess, says Jeremiah Grossman, the chief technology officer of White Hat Security, is far from over.

In fact, Grossman says that the majority of those sites remain vulnerable to the same attack. The typical SQL injection vulnerability, he says, takes a site's owner more than four months to locate and fix. That's because, unlike exploits that affect a typical software program, Web vulnerabilities can't be secured with an update downloaded from a vendor--every site has its own bug to excise.

"We can't issue a mass patch," says Grossman. "Each issue is unique. Together they present an almost catastrophic problem."


The 500,000 or so sites compromised in the latest attack are just a fraction of the threat to the Web. In a study released last February by Google, more than 3 million of the 60 million pages analyzed were found to invisibly download malicious software to users' computers. According to the study, about 1.3% of Google searches turned up at least one of those malicious pages, more than triple the percentage of malicious results from just eight months earlier.

The number of legitimate sites vulnerable to being hacked and corrupted with malware that infects visitors is far higher still. According to White Hat Security's most recent analysis of about a thousand major Web sites, 16% were vulnerable to SQL injection, an exploit based on mixing malicious commands with innocent user input to gain access to a site's server. Fully 65% of the sites analyzed were vulnerable to another exploit known as cross-site scripting, which can mix malicious elements into a legitimate site when a user clicks on a carefully crafted link.

Grossman has also repeatedly warned of another common Web vulnerability he calls a "sleeping giant." So-called "cross-site request forgery" can be used to steal information from many password-protected sites. If a Web user logs in to a Web service and then is tricked into visiting a compromised page, the second malicious page can steal the user's "cookies"--files collected by his browser used to verify his identity. Those identifying files give the coders of the malicious page temporary access to whatever sensitive information can be found on the password-protected site.

The persistence of vulnerabilities like these, says Johannes Ullrich, who teaches a class on Web vulnerabilities at the SANS Institute, is partly a cultural problem. To patch a vulnerability before it's exploited, an enterprise's security team has to convince Web developers to devote their resources to what may seem like a minor issue--but a big-time drain. Making fixes often involves wading through thousands of lines of code, Ullrich says, in some cases written by developers who left the company long ago.

Last month's massive round of SQL injections was the largest-ever round of malicious Web hackings, but hardly the first. Last February, the server hosting the Dolphin Stadium Web site was compromised just before the Super Bowl began. In June, thousands of Italian-language sites were similarly targeted with SQL injections in an incident that security researchers now refer to as "the Italian Job." The same Internet service provider that hosted those sites was attacked again in early May, infecting another round of sites with malware designed to exploit users.

But securing the Web isn't just about protecting sites' visitors, Ullrich argues. It's also about protecting a company's own data. The attackers who used SQL injections to plant malware on hundreds of thousands of sites last month, for instance, could just as easily have stolen corporate data. "If the attackers hadn't left a trail by inserting malware on the sites, we probably wouldn't even have known that they had gained access to the databases," Ullrich says.

Even for a security-conscious business, protecting against Web attacks isn't easy, Ullrich says. Because a Web page has to be accessible by all visitors, keeping out cybercriminals isn't as easy as building a firewall. "You can't block all visitors to your Web site. So quite frankly it comes down to the fact that only the code itself prevents an attacker from accessing your database," he says. "The Web is simply a very thin layer of defense."
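Ullrich's point that "only the code itself" stands between a visitor and the database is what the SQL injection fix comes down to in practice. The following is an added illustration, not code from the article or from any of the sites it mentions: a constructed login check written the vulnerable way (user input spliced into the SQL text) beside the hardened way (a parameterized query), run against an in-memory SQLite table with one made-up account. Input containing a quote character changes the meaning of the first query but is treated as plain data by the second.

```python
import sqlite3

def make_db():
    """Constructed sample database (not from the article): one users table
    with a single known login."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_concatenated(conn, name, password):
    """Vulnerable form: user input is spliced into the SQL text, so input
    containing quote characters can change the statement's meaning."""
    query = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, name, password):
    """Hardened form: placeholders keep the SQL fixed; the driver binds the
    input as data, so quotes inside it are never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0

def demo():
    """Run both forms against a correct password and against a constructed
    input that carries an embedded quote; returns each outcome by name."""
    conn = make_db()
    quoted_input = "x' OR '1'='1"   # constructed input with an embedded quote
    return {
        "concat_valid": login_concatenated(conn, "alice", "correct-horse"),
        "concat_tampered": login_concatenated(conn, "alice", quoted_input),
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        "param_tampered": login_parameterized(conn, "alice", quoted_input),
    }

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: login {'accepted' if outcome else 'rejected'}")
```

The concatenated version accepts the quoted input because the quote closes the string literal early and the rest is parsed as SQL; the parameterized version rejects it, which is why the per-site cleanup the article describes means finding and rewriting every such query rather than applying one vendor patch.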
