Articles and Insights ,

Beware the wild west of Web applications

By Michelle Drolet
2 May 2012

Web applications – particularly those facilitating collaboration and communication – are a boon to sales, marketing and productivity. Teams work together more effectively, salespeople enjoy better leads and marketing tools and customer service reps can more closely connect with those they serve.

All of these gains, though, come at a cost: risk. By their very nature, Web applications circumvent many enterprise security controls. They are designed to enable communication, not security. A paper by Sophos reported one new Web threat every 4.5 seconds. Its researchers found an average of 19,000 new malicious URLs daily in the first half of 2011; with 80 percent of those URLs pointing to legitimate sites that had been hacked or otherwise compromised.

Recent data from the Open Source Vulnerability Database (OSVD) shows that the number of new vulnerabilities disclosed decreased significantly during the first half of 2011. At first glance, this may appear as good news. But hold on. It’s not the number of vulnerabilities, but the number of disclosures of new vulnerabilities that has decreased. A distinction without a difference? Unfortunately, no.

Despite the decrease in disclosures of new vulnerabilities, websites of organizations of all types and sizes are still teeming with existing vulnerabilities, and remain open to potentially devastating attacks.

Worse yet, OSVD data show an increase in Web application attacks. According to HP DVLabs, the number of attacks on Web applications is “Ten times the number of vulnerabilities being reported.”

Sophos’ mid-2011 security threat report stated, “Two of the most common and effective attack methods used are cross-site scripting and SQL injection.”  The bad guys even sell packaged exploit toolkits – complete with how-to user guides – enabling the least technical of cybercrooks to get up to speed on doing no good.

Attackers don’t need to develop new Web-based attack methods, yet many have been added to the arsenal in recent years – in part to take advantage of the larger attack surface.
Among the newer methods are SEO poisonings, drive-by hits, malware hidden by URL shorteners, and countless scams that make use of social network “oversharing” – or simply the opportunities resulting from the sheer number of active users (witness Facebook’s 800 million fans). Even the least effective hacker can be successful when targeting such a huge number of potential victims.

The Web is also a haven for geo-political attacks. Two recent examples include “hacktivism,” illustrated by the cascade of Denial of Service attacks related to WikiLeaks – and cyber-warfare, or the use of IT attacks to wage war between nation-states. Cyber-warfare is behind the release of Stuxnet, considered the first malware to include a programmable logic controller and aimed directly at taking down several of Iran’s nuclear power plants in 2010. Still active, Symantec noted that 60 percent of the world’s infected computers are in Iran. Kaspersky and F-Secure also studied the worm and concluded that its sophistication could only be the work of nation-states. (Israel and the US are not above suspicion.) Your average bear web app need not worry about Stuxnet.

Small wonder that Iran is closing down Internet access to the entire country, starting with blocking Google, Yahoo and Hotmail, and replacing it with a government controlled intranet. “All internet service providers must only provide national internet by August 2012,”said Reza Taghipour, Iran’s Communication Minister, who also cited its case for doing so as wanting “to provide clean and filtered internet services to the county.” Good luck!

In its study on Web apps, Sophos also reported that 19,000 web sites were newly infected each day, and that over 80 percent of the malicious URLs examined turned out to be those of legitimate organizations whose websites had been hacked.

Do you know whether your organization’s Web applications contain easy-to-exploit vulnerabilities? Probably not, but if you do, what can you do about it? Most likely the only way out of this mess is conducting regular, ongoing vulnerability scanning and application penetration testing.

By Michelle Drolet, founder and CEO, Towerwall

This article was recently published in Mass High Tech