
September 2007

September 28, 2007

Symantec Threat report stresses app security, Web security woes continue for Google, Banks, Government

Symantec Corporation recently issued its Internet Security Threat Report, confirming many of the trends that Cenzic had published in its first two quarterly trend reports. While there is plenty of malicious activity on the Internet, from network-level worms to client-side exploitation with kits like Mpack, Web application security continues to be the most critical concern. Symantec found that 61 percent of published vulnerabilities related to Web applications, which tracks closely with what Cenzic found in the first two quarters. So, what does that mean? It means that every month roughly 300 to 500 new vulnerabilities are reported for Web applications, and organizations not only need to catch up on the backlog from the past many months but also keep up with the new ones every month. And the worst part is that over 70% of these vulnerabilities are easily exploitable. So, what will the hackers do? They will attack where the majority of the vulnerabilities are, and that is no longer the network. Web 2.0 technologies, with Ajax and other scripting languages, continue to create even more headaches, from a security standpoint, for corporations and governments.

In the last few months we have seen many attacks, including the cross-site request forgery attack on Google, attacks on CBS News, the Ukrainian attack on a US Government job site, and the Chinese government attack on a Pentagon site, to name a few. Also recently, the Homeland Security Department improperly disclosed details about a serious threat to the U.S. electrical grid to industry researchers just days after it produced a video showing simulated hackers remotely seizing control of a $1 million diesel-electric generator, which raised a lot of questions about cyber security.

So, the big question is: if everyone knows that they are exposed, why aren't they doing something about it? There are many reasons, including: (1) Lack of understanding - Many security professionals at companies of all sizes still believe that they are secure because they have network firewalls, IDS, and other network security technologies in place. This is a complete fallacy. None of these technologies will protect them from Web application attacks, which arrive as ordinary HTTP requests over the very ports the firewall has to leave open; (2) Lack of resources - Even if organizations understand the exposure, they have too many applications to test and are only scratching the surface; (3) Ostrich mentality - I have been told by many CSOs and other security executives that they have never been hacked so they are not worried. When I ask how they know that, they typically don't have a very good answer.

We think these attacks will only intensify as hackers become more organized, with proper structures and attacks aimed at major financial gain or at stealing IP. We'll see more politically motivated attacks as well, as governments realize that Web sites are a weak link with easily exploitable assets underneath. Governments and corporations need to move fast and start taking Web security seriously - before it's too late.

- Mandeep Khera, Cenzic Inc.

September 20, 2007

Web Security and Ease of Doing Business

The other day I was trying to send some money to someone using one of the money transfer companies. After going through a rigorous process and phone calls for half an hour, I gave up. The good news was that this company was taking extra precautions to secure its transactions through the Web, given that in this case actual money was involved. The bad news, however, was that it made the transaction so complicated that they lost my business.

Many companies that conduct online transactions with customers are going through the same predicament. How to provide adequate security without making it too difficult for the customer to do the transaction?

There are certain practices that certainly make sense, like strong passwords (e.g. a minimum of 8 alphanumeric characters), security questions (which only help if the answers can't be guessed or looked up), and even a secondary key. Where it starts getting sticky is when there are phone verifications or additional pieces of information that customers don't like providing, or that take too much time.

The worst part of some of these processes is that the two fundamental principles, "Let the Good Guys In" and "Keep the Bad Guys Out", end up reversed. The good guys have problems getting in because of all the additional measures, and the bad guys still get in. How does that happen? Very simple: the bad guys get in by exploiting vulnerabilities in the Web applications sitting underneath the front end, so all the extra friction at the login step never slows them down. Most of the applications we have seen are still vulnerable, and hackers know how to exploit them easily through the user interface, including forms and fields.

As a best practice, organizations should offer the measures mentioned above for access by "true" customers without making it too difficult. And a much stronger emphasis needs to be placed on finding and fixing vulnerabilities in the code itself. Make it more difficult for the hackers to come in, not the customers.

I would love to hear some of the best practices people are following that are working well. Please post your comments.

- Mandeep Khera, Cenzic Inc.

September 10, 2007

Web App Security, not as Sexy as James Bond but Close

I saw a news story last week that was kind of surprising to me, but really shouldn't have been. An article posted by the Financial Times discussed the Chinese military hacking into the Pentagon: http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html It surprised me because I had never really thought of the military groups from different countries hacking into each other. Call me old school, but I still pictured spying and espionage between countries as being handled by the equivalent of James Bond. Thinking about it just a little and applying a tad of logic makes me realize how foolish that thinking is.

In the article, China was painted as the villain since they hacked into the Pentagon and had previously hacked into some German government computers. However, the article also mentions that the US is assumed to regularly scan Chinese networks. Both of these ideas simply emphasize how much easier it is to hack into a computer system than to directly risk the lives of your "super spies." It might be sexier to seduce foreign agents while stealing top secret documents but it's safer to do it online instead. No need to end up being strapped to a table while a laser preps to slice you in half.

How and where the computer was hacked wasn't mentioned, but comments near the end of the article had me thinking it was an email account that was hacked. It could just as easily have been via a Web site instead. Hopefully any Web sites being used by the Pentagon are performing some simple input validation. Many Web application vulnerabilities can be avoided by validating the data being entered against an allow-list of what the field genuinely needs: if asking for a phone number, accept only digits (plus the little formatting people actually type); if asking for a person's name, accept only letters plus the few separators real names use, such as spaces, hyphens and apostrophes, since a strict "letters only" rule turns away legitimate customers like O'Brien. Do the check on the server, because anything enforced only in the browser can be bypassed, and treat it as a complement to parameterized queries and output encoding rather than a replacement, because a perfectly valid name with an apostrophe will still break a query built by string concatenation. At least block the simple stuff. It might not make you a super spy but you can still be a hero in your office. You can always hope for more excitement when ordering that martini shaken, not stirred.
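As an added illustration (not code from the original post or from Cenzic), here is what that allow-list validation looks like in Python with constructed sample inputs: a name rule that permits the separators real names use, a phone rule that normalizes formatting before checking, and a small in-memory SQLite table showing why validation complements, rather than replaces, parameterized queries. The character sets, the length limit and the table contents are assumptions made for the example.

```python
import re
import sqlite3
import unicodedata
from typing import List, Optional, Tuple

# Allow-list rules (assumed policy for this example). Taking "accept only
# letters" literally would reject real customers (O'Brien, Mary-Jane, José),
# so the name rule permits Unicode letters joined by single spaces, hyphens
# or apostrophes. [^\W\d_] is "a word character that is not a digit or _",
# i.e. a letter in any script.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")
# Phone: optional leading '+', then 7 to 15 digits (the E.164 length limit).
PHONE_RE = re.compile(r"^\+?\d{7,15}$")
NAME_MAX_LEN = 100  # assumed limit; pick one that fits the field's storage


def validate_name(value: str) -> Optional[str]:
    """Return the normalized name if it passes the allow-list, otherwise None."""
    value = unicodedata.normalize("NFC", value.strip())
    if not value or len(value) > NAME_MAX_LEN:
        return None
    if not NAME_RE.fullmatch(value):
        return None
    return value


def validate_phone(value: str) -> Optional[str]:
    """Strip common formatting, then require digits only (optional leading +)."""
    digits = re.sub(r"[\s().\-]", "", value.strip())
    if not PHONE_RE.fullmatch(digits):
        return None
    return digits


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("O'Brien",), ("Smith",)])
    return conn


def lookup_user(conn: sqlite3.Connection, name: str, parameterized: bool = True) -> List[Tuple[int]]:
    """Look up a user by name. parameterized=False is the vulnerable form, kept only for contrast."""
    if parameterized:
        return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def concatenation_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the string-built query fails on this input, even when the input is a valid name."""
    try:
        lookup_user(conn, name, parameterized=False)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for raw in ["O'Brien", "Mary-Jane Watson", "' OR 1=1--", "<script>alert(1)</script>"]:
        print(f"name  {raw!r:32} -> {validate_name(raw)!r}")
    for raw in ["(650) 555-0100", "+1 650 555 0100", "555-0100; DROP TABLE users"]:
        print(f"phone {raw!r:32} -> {validate_phone(raw)!r}")
    # A valid name still breaks the concatenated query; the placeholder version is fine.
    print("O'Brien breaks concatenation:", concatenation_breaks_on(conn, "O'Brien"))
    print("O'Brien via placeholder:", lookup_user(conn, "O'Brien"))
    # The payload never gets past validate_name, but even if it did, the
    # placeholder treats it as a literal and returns nothing.
    print("payload via concatenation:", lookup_user(conn, "' OR 1=1--", parameterized=False))
    print("payload via placeholder:", lookup_user(conn, "' OR 1=1--"))
```

Run it directly to see each input's verdict. The last four lines make the caveat concrete: O'Brien is a valid name yet breaks the string-built query, and the classic `' OR 1=1--` payload returns every row through concatenation while the placeholder query returns nothing, so the validation layer and the query layer each catch what the other misses.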

September 04, 2007

What Web Application Security and Guns Have in Common

In an attempt to do the right thing, the Germans aren't really helping themselves. News.com is reporting that "As of Saturday, it's a crime in Germany to build, sell, distribute or obtain so-called 'hacking tools' designed to allow access to protected data or promote other illegal acts." http://news.com.com/8301-10784_3-9759051-7.html There are a few scary things about this.

A lot of "hacking tools" fall into a nebulous classification that is neither good nor bad; what matters is how you use the tool. It's not evil if I'm using Nessus on my own network to determine where a vulnerability might exist. The same is true for any Web application testing software. When used within an environment I am testing or am responsible for, the results are positive, not negative.

The same logic applies to many open source tools used for more generic purposes. Paros and nmap would both fall into the realm of "hacking tools." You might be using them legitimately, but this law would outlaw them.

Web application testing solutions don't fall into a bad category by themselves. This law might work for protecting messaging environments; it makes tools like Send Safe (an automated spam generator created and operated out of Moscow) and other Russian 'bot exploiters illegal. However, the law is too generic and would also apply to simple load testing tools. All it would take to quickly deluge a lot of people with junk is a purchased list of email addresses, Load Runner, and a little time to format a spam message - all with a tool that I should be using to verify that my system works properly.

While the law might only be enforced in situations where most of us would agree it is warranted, it is not a clear-cut case. And I wouldn't want to trust that some overzealous prosecutor isn't looking to make his reputation by putting away "evil hackers," especially when the bulk of the public doesn't understand the difference.

- Mike Kazmierczak, Cenzic, Inc.

 
