On March 12, McAfee's AVERT labs reported 10,000 Web pages using Active Server Pages (ASP) had been infected through SQL injection. A few days later, Microsoft employee Neil Carpenter detected 14,000 maliciously-modified Web pages. After the initial SQL injection, the automated attack injected a malicious Javascript or Iframe code to redirect visitors to criminal-controlled Web sites. The malicious Web sites then attempted to invisibly exploit end-users using multiple, previously patched vulnerabilities, or if no vulnerabilities were found, attempted to socially engineer the visitor into running additional software.
Following on the heels of this massive scale attack was another automated attack that made the first one seem small. McAfee reported more than 200,000 Web pages infected by an automated attack against phpBB software. phpBB is an open source Internet forum software product written in php. Users visiting an infected Web site were socially engineered into running additional (malicious) software programs.
Web site hacking is very popular. Zone-h, which tracks web site defacements, reported almost 500,000 hacked Web sites in 2007. And this is obviously a serious under-count, as most of Zone-h's data is self-reported by the hackers who hacked the Web sites. The professional criminal gangs involved in the majority of the Web hacks today don't report their activities to Zone-h. Even more interesting is Zone-h's track of the mechanism the hacker used to attack the Web site. By far the most popular method was simple password sniffing/cracking/guessing, but they track attacks against the DNS servers and routers that protect the Web servers.
One of the biggest changes over the past year, as reported by Google, is the inclusion of malicious advertisements on legitimate Web sites. Many legitimate sites end up unintentionally carrying advertisements from malware providers.
Perhaps the most interesting new Web hack trend is where inputted search phrases end up causing malicious cross-site scripting or poison normal search results. In the former attack, malicious hackers input dozens to hundreds of search strings into the search feature of a Web site that are in reality cross-site scripting attacks. In the latter hack method, the attacker poisons a legitimate search Web site by inputting hundreds to thousands of search strings to bring back specific malicious Web sites. An innocent user searching on the same key terms is inadvertently redirected to the malicious Web sites that have been artificially raised up in the search engine's rankings (based on the previous poisoned searches). Trying to prevent this latter type of attack is a new challenge for Internet search engines.
Web site penetration testers will tell you that most sites of even moderate complexity are hackable. The best Web site hackers say that no site is secure. Although that statement is certainly hyperbole, it isn't grossly inaccurate. There are probably more hackable Web sites than completely secure Web sites in the world.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Borderless corporate networks to shift focus to secure content management in Australia in 2009 2008-12-04 16:06:00+11
IDC Says Asia/Pacific Excluding Japan IT Market Will Remain The Bright Spot... 2008-12-04 15:04:00+11
MySpot SOS "Panic Button" Smartphone Application could save lone worker lives 2008-12-04 13:34:00+11
Charles Sturt University Commences Unified Communications Deployment With Interactive Intelligence 2008-12-04 08:30:00+11
AOC Launches 18.5” Widescreen Green 16:9 LCD Monitor in Australia and New Zealand 2008-12-03 15:30:00+11
Gaining Competitive Advantage Through Enterprise Planning
No matter how good its products or innovative its services, no organization can perform to its full potential without an adequate planning structure in place. Discover how this can be done by reading on.
Buying Guides
Buying Guides
