Don't Hack the Ox!

By: Szu Chang, eSecurity Columnist/Editor, Internet Journal
03/12/2009

Over the past few years, new efforts to hack into, terrorize and commit crimes on Web applications have become a major sore point. 2009, the Year of the Ox, provides both challenges and opportunities for the Web application security field.
Web Applications like the Ox

The year 2009 is the Year of the Ox, according to the zodiac calendar. The ox is the second animal in the zodiac and is often associated with honesty, responsibility, faithfulness and gentleness. Web based applications provide all kinds of Internet services to end users and are often associated with the same traits as the mythological ox. Web applications, just like the ox, have many positive traits: they are perceived as calm, dependable, honest, caring, intelligent, industrious, modest, patient, practical, and responsible. The Internet is now used for more and more mission-critical business applications and has become the lifeblood of many businesses. On the other hand, Web applications, just like the ox, also have some negative traits, such as being petty, inflexible, possessive, dogmatic, gullible, stubborn, intolerant, and materialistic. From the attackers' point of view, Web applications have the stupidity and stubbornness of an ox, and they can be hacked easily. Therefore, Web applications have been thrust onto the front line of hacker assaults. Not only have attackers become smarter and faster, they also seem more desperate and determined.

Vulnerabilities Have Gone Up Exponentially

Over the past few years, the number of vulnerabilities in mission-critical applications has gone up exponentially with the rise of Web based applications. New efforts to hack, terrorize and commit crimes online have become a major pain point for all types of organizations, including government and financial organizations. "Year after year, we see a growing number of applications within the enterprise creating security vulnerabilities that are easily prevented through better visibility across endpoints, and a more centralized patch-management process," said Harry Sverdlove, chief technology officer, Bit9 Inc. "2008 has been no exception. This year, along with the widely reported huge increase in malware, the number of well-known applications causing security problems for companies has also increased."

Security threats that were once confined to the retail and identity industries have now grown to a national security scale. According to the December 2008 CSIS Securing Cyberspace Report, the Departments of Defense, Homeland Security, Commerce and NASA all suffered major intrusions by unknown foreign entities. "We've seen a few targeted threats over the past year that mark the advent of new types of exploitation of security vulnerabilities and pose threats for the future," said Mandeep Khera, chief marketing officer of Cenzic, Inc. "Cyber terrorism attempts of this magnitude are not as difficult as one may think," said Khera. "With the current economic climate, there will be an increase in the number of people willing to take chances on exploiting various vulnerabilities, especially in Web sites, and cybercrime is attractive because it is hard to identify the perpetrators. Web application security is now more important than ever, and organizations need to take extra precautions to ensure that security processes are instilled as part of their business practice."

What Are Security Vulnerabilities?

When talking about vulnerabilities of Web applications, the OWASP Top Ten is widely referenced. The Open Web Application Security Project (OWASP) is an open source community project staffed entirely by volunteer experts from across the world. OWASP maintains a list of the top ten security vulnerabilities of Web applications, which spotlights the most serious and often overlooked risks. The OWASP Top Ten is a powerful awareness document for Web application security and represents a broad consensus on the most critical Web application security flaws. The Top Ten also provides basic methods to protect against these vulnerabilities and has been adopted widely.

The Top Ten from OWASP 2007
1. Cross Site Scripting (XSS): XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.

2. Injection Flaws: Injection flaws, particularly SQL injection, occur when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

3. Malicious File Execution: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

4. Insecure Direct Object Reference: A reference to an internal implementation object is directly exposed as a URL or form parameter. Attackers can manipulate the reference to access other objects without authorization.

5. Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

6. Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, and attackers use this weakness to steal sensitive data or conduct more serious attacks.

7. Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

8. Insecure Cryptographic Storage: Web applications do not use cryptographic functions properly to protect data and credentials.

9. Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

10. Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
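The CSRF entry above describes a request that the victim's browser sends with its session cookie attached, without the user intending it. The standard defense is a synchronizer token that only the legitimate page can read and echo back, combined with a check of the browser-set Origin/Referer header. The following is an added example written for this edit, not code from the article or from OWASP; the Session and Request classes, the transfer handler and the site origin are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # constructed origin of the protected site
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Session:  # server-side session; the CSRF token is minted once per session
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:  # minimal model of an incoming HTTP request (hypothetical)
    method: str
    form: Dict[str, str]
    headers: Dict[str, str]
    # The browser attaches the session cookie automatically, even to a request
    # another site forged, so the session is present either way.
    session: Optional[Session] = None

def csrf_check(req: Request) -> Tuple[bool, str]:
    """Synchronizer-token check plus an Origin/Referer sanity check."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"
    if req.session is None:
        return False, "no session"
    # A browser-set Origin (or Referer) naming another site is rejected outright.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src:
        p = urlsplit(src)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False, "cross-origin request"
    # The forging site cannot read the victim's token, so it cannot supply it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def transfer(req: Request) -> Tuple[int, str]:
    """State-changing handler: the action runs only after the CSRF check passes."""
    ok, reason = csrf_check(req)
    if not ok:
        return 403, reason
    return 200, f"{req.session.user} transferred {req.form['amount']}"
```

The token must be embedded in the site's own form (or sent in a custom header) and never exposed in a URL, and the Origin check alone is not enough on old browsers that omit the header, which is why the token check always runs.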
The Moving Target

However, this Top Ten is not a static list, and having the right security is not a one-time event. As new vulnerabilities are reported and as hackers use new attack techniques, the Top 10 list also changes. The Top 10 list was first published in 2004 and was revised in 2007. In this Year of the Ox, the Top 10 will be updated as well. In fact, since 2006, the industry has seen malicious Web hacking become more sophisticated and damaging as additional business is conducted online. According to WhiteHat Security, a provider of website security solutions, 82 percent of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity. "Web security is a moving target. So, enterprises need timely information about the latest attack trends, how they can best defend their websites, and visibility into their vulnerability life-cycle," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. For this moving target, new vulnerabilities will be detected, and new Top Ten lists will be published. For example, Cross-Site Request Forgery (CSRF) was not detected in 2004 but is a new vulnerability in the 2007 Top Ten list. WhiteHat Security now reports that CSRF has moved up on the Top 10 vulnerabilities list, indicating its increasingly pervasive nature.
Proactive Solutions Are Needed

It is insufficient to secure the Web application code just by depending on the software developers, and to do it only once. Enterprises have to stay on top of evolving website security challenges. The application code changes all the time, and new versions of applications will constantly be implemented. The Web application may be vulnerable if its code is not continually changed to defend against attackers. According to WhiteHat Security, vulnerability time-to-fix metrics are slowly improving but continue to show significant room for improvement, typically requiring weeks to months to achieve resolution. Only about 50 percent of the most prevalent urgent severity issues were resolved during the assessment time frame. Oxen are systematic in their approach to every task they undertake. With increasingly sophisticated attacks, Web application developers, like oxen, will soon find themselves reacting to attacks rather than building comprehensive defenses. In order to win the cyber war, we must change the mode from reactive to proactive. This will be a great opportunity for Web application security solutions providers. More automation and more comprehensive solutions to defeat those Web application attackers are needed in the marketplace.

More Sophisticated in 2009

A key phrase to bear in mind this Year of the Ox is to "hold fast". There may be some setbacks or delays, but if Web based applications are like oxen and remain calm and persistent, all will be well. As Web application security is a fast evolving field, there will be lots of opportunity to study and learn. This, plus the pride that comes with achievement, should appeal to the Ox. In the Year of the Ox, there are significant developments in Web based applications, in particular in building defenses against attacks, as the attackers become more sophisticated. New technology areas such as AJAX and Web Services will make Web applications more sophisticated, but they will also introduce even more sophisticated security vulnerabilities. As Web application security vulnerabilities continue to threaten cyberspace, Web application security solutions providers will start to provide more sophisticated, comprehensive defense solutions. Sophistication on both sides will make the Year of the Ox a very interesting year for Web application security developments. The hope is that the next generation of Web application security solutions can convey a clear message to attackers: don't hack Web applications. Remember, after the Year of the Ox comes the Year of the Tiger. Hopefully, by next year, hacking Web applications will be just like hacking the tiger, and the hacker will surely get into trouble.
About The Author

Szu Chang, CISSP, is the eSecurity Columnist/Editor of the Internet Journal, http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to editor@intnetjournal.com.