Opinions
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.Newsletter Subscription
Web-based attacks can take many forms, with effects ranging from mild inconvenience when a Web site no longer loads properly (such as the recent redirection of Barack Obama's Web site to Hillary Clinton's) to complete compromise of the user's system.
Recent attention has been focussed on the use of SQL injection, where database commands are able to be inserted into the site, and the terrible effects that such attacks have had recently.
Cross Site Scripting (XSS), and Cross Site Request Forging (CSRF) vulnerabilities have been considered by many as more distraction than vulnerability type, a problem which hasn't been helped when there is still some confusion about how some published vulnerability examples can be classed.
Most examples of XSS or CSRF vulnerabilities have been to steal authentication details from cookies set by various sites such as eBay, banking sites and webmail providers, or to temporarily replace Web site content for users when they follow a crafted link.
The problem that these attacks can have is that many of them take place in the user's browser, and not necessarily on the site. The impermanence of any attack makes it hard to tell when there is a problem and when there is something that needs to be done by the site developers.
There are teams of researchers working towards understanding more about XSS and CSRF problems, including those who are working to demonstrate cases where permanent effects can result from following a simple hyperlink.
The team at GNUCitizen are one of the leading groups to be looking at these problems and have already demonstrated a number of examples where a combination of the above vulnerability types can lead to the compromise of a common family of routers used by home broadband users in the United Kingdom.
More recently, there has been a case published where vulnerabilities in the uTorrent BitTorrent client can be leveraged and exploited through CSRF vulnerabilities, resulting in the eventual compromise of a victim's system. Users of the uTorrent client should update to the latest version and apply care from where they obtain their .torrent files.
If a number of these vulnerabilities look simplistic, it is because often they are.
The main problem for developers is in understanding how a feature or part of a site may be unintentionally exposed for manipulation, and then using secure development practices to implement their site. It has taken many years of major vulnerabilities and problematic exploits for the concepts of secure development and secure development practices to start spreading through the desktop and network application developer community.
Increasing reports and cases of online vulnerabilities should be a sign to online developers that they are going to have to apply the same sort of principles to their own work if they want it to withstand the online environment.
These problems are going to become of greater importance in the future as more devices and technologies are created to have a web interface for management, even if the user is unaware that such an interface exists. The Open Web Application Security Project (OWASP) has one of the best sets of online resources for finding out more about web based vulnerabilities and is comprised of many of the best minds currently working in this particular field of Information Security.
Computerworld Member Login
Realise Your VMware Vision: Storage Consolidation and Virtualization for Small to Medium Businesses
10:30 - 11am (EST, Sydney, Australia)
Wednesday, 4th June 2008
Screening live at your PC
Join Computerworld and our expert speakers:
- Jean-Marc Annonier, Research Manager, IT Spending, IDC
- Howard Porter, SMB Channels Manager, VMware
- Clive Gold, Product Marketing Manager Australia/New Zealand, EMC Corporation
to learn about the various virtualization technologies available today and what factors are driving it in small to medium businesses. Discover use cases and technologies that allow successful virtualization and storage consolidation for a more flexible IT infrastructure.
- +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future. - +
Data Management Edition #9: Data centre makeover 24/04/2008 07:43:06
This week CW Live looks at the death of the old style data centre which is undergoing its first makeover in more than 30 years. - +
IT Security Edition #9: Inside the bug trade. 16/04/2008 09:08:12
This week guidelines are released for the mandatory reporting of security breaches and we go inside the black market bug trade.
TechnologyOne wins new federal government, local council and commercial contracts for software and services 2008-05-12 16:05:00+10
North East Water to deploy Gentrack Velocity upgrade 2008-05-12 09:54:00+10
Kroll Ontrack Launches Hardware Erasure Solution 2008-05-09 08:42:00+10
Mitel Releases New Cordless Technologies for IP Phones 2008-05-08 18:11:00+10
Citect earns recertification under the prestigious Service Capability and Performance (SCP) Standards 2008-05-08 14:07:00+10
Essential Guide to Risk Management
Most IT professionals understand the basic concepts of risk management, however the number of potential risks is growing, and the impact of some risks is increasing rapidly. This paper will help you consider changing the way you evaluate and protect against risks to your IT operations.
