Zero-day exploits, vulnerable browsers and hijacked domains will keep IT professionals (and Google) awake in 2010, if attacks in recent months are anything to go by.
Add to this the number of vulnerabilities being discovered almost daily in client-side applications, such as Adobe Acrobat Reader and Flash player, and the proven success of social networking Web-applications as platforms for distributing malware, and business can also expect to see a lot more malware targeting end-users this year.
This is according to Ian de Villiers, associate security analyst at Sensepost, who will deliver a talk on “attacking Web application servers” at next month's ITWeb Security Summit, which takes place from 11-13 May at the Sandton Convention Centre.
The best example of the effects of zero-day exploits, says De Villiers, has been the successful breach of Google in China in December 2009.
“Hackers made use of a previously unknown vulnerability in Internet Explorer, which allowed attackers to execute code of their choice on machines with vulnerable browsers. In this specific incident, however, the purpose of the attack appears to have been to gain access to the Gmail accounts of human rights activists within China.”
At the time, news agency AFP reported the incident shows "a level of sophistication above that of typical, isolated cyber-criminal efforts".
Recent online reports also purport that Microsoft has acknowledged that it was a security flaw in Internet Explorer that hackers based in China exploited in the recent attacks on Google. As is often the case, the flaw is neatly summed up in the title of the advisory: "Vulnerability in Internet Explorer could allow remote code execution."
De Villiers also cites Twitter's domain hijack last year as another example of things to come.
“In December 2009, a 'Hacktivist' group claiming to be the 'Iranian Cyber Army' made DNS changes that redirected users requesting www.twitter.com to a third-party site containing a mash-up Web site; it claimed that Twitter had been hacked by the afore-mentioned group.
“While this attack did not necessarily exploit users of Twitter, the third-party Web site could just as easily have contained a dummy sign-on Web application for harvesting credentials. This may have led to the compromise of vast numbers of third-party applications due to the fact that social networking users, being average people, frequently use the same passwords for multiple Web sites.”
While De Villiers points out that this specific attack was not directed directly against application servers, he believes it highlights the vulnerable nature of the Internet, where shortcomings within one technical aspect of an organisation's infrastructure can result in progressively more serious compromise.
His advice to corporates? “Ensure servers are correctly configured and patched. Ensure Web applications have the appropriate controls in place. Ensure that the principle of least-privilege has been applied on all areas of the application and supporting infrastructure. Finally, ensure developers sanitise their inputs.”
In his talk on “attacking Web application servers” at Security Summit 2010, De Villiers will examine common (and some not very common) shortcomings within Web application frameworks and portal applications, as well as demonstrate scenarios where remote attackers can exploit vulnerable applications.
Share