Web Security for emerging web-application threats

15 March 2010
Web 2.0 is thriving, and so too are applications that take advantage of this technology. Interactive sites like LinkedIn, Twitter and even company websites are becoming ever more popular, and yet, many IT departments are unprepared for today’s emerging threats. As more companies take to the web to conduct business, the opportunity for attack is increased and organisations need to re-adjust security practices for the Web 2.0 world.

Traditionally, security breaches target the personal and business information that is created and stored in certain Web 2.0 applications, such as Google Docs and Mobile Me. Using JavaScript programs developed to capture data, hackers can redirect users to a perfect copy of the site they’re expecting to see. When log-in details are entered, they are sent to the attacker without the user’s knowledge, giving the attacker what is needed to access sensitive business information.

Hackers constantly employ new attack methods that take advantage of technologies already in place. Attackers continuously try to bypass the security systems on sites such as Facebook and gain access to information using the code that is running in the browser through a third party.

There is a difference in the way attackers operate; some choose to exploit web applications, like Twitter, while others choose to exploit the web browser. Here hackers pepper large numbers of websites with JavaScript which enables them to collect data on visitors to targeted sites. Rather than specific web applications being targeted, the browser instead acts as the delivery mechanism, where links can be used to either redirect users to other ‘fake’ sites, or load damaging content.

Early web attacks were all about site defacement, where content would be edited to incorporate messages or add offensive images. This has changed: the emphasis is now on remaining undetected, so that site owners will not know that security has been compromised. JavaScript enables hackers to use these attacks for financial gain rather than just being a nuisance.

Many people associate hacking with credit-card and bank fraud, but that is only part of the picture. ID theft is not just about being able to spend somebody else’s money; it can be used to set up credit accounts with business suppliers or open up new premises, all at another’s expense.

Whilst hackers are constantly evolving and adapting to new technologies, businesses are responding just as well. Employees, as well as IT departments, are now aware of security risks and most companies have IT security policies in place. Patches, security alerts and updates are now issued regularly by vendors and should be monitored and downloaded when available.

In addition, there are a number of tools which can help prevent attacks – web application scanning in particular. This is an automated process which searches for software vulnerabilities in websites by launching its own attacks and analysing the results.

Technology continues to advance at an alarming rate, and so do the people who are willing to exploit others for financial gain. By staying informed of potential risks and combining the tried and tested preventative methodologies, IT departments can ensure they are well-equipped to deal with the constant threat of Web 2.0 attacks.

Qualys Technologies is exhibiting at Infosecurity Europe 2010, on 27th – 29th April, Earl’s Court, London, www.infosec.co.uk.

 
