Weak spots in the fortress
Vulnerabilities in Web-based software put agencies and citizens at risk
- By John Pulley
- Apr 30, 2007
In what now seems like a more innocent era, attacks against computer networks a decade ago had names like smurf and teardrop. Hackers then typically targeted operating systems, Internet and e-mail servers, firewalls, and other vulnerable network components. Upstart hackers known as script kiddies were motivated by the challenge of taking down a network and earning a measure of notoriety.
Information technology security professionals responded by bolstering firewalls, reconfiguring and scanning networks, and stiffening perimeter defenses. The measures impeded the rash of computer worms that burrowed into networks and relied on unrestricted connectivity to spread.
“Most of the spending [on security] was at the network level,” said Mike Weider, chief technology officer at Watchfire, a Web application security company. “The mentality was on perimeter defense…to build the walls of the castle high.”
Realizing that hardened networks were increasingly difficult to breach using head-on attacks, hackers switched tactics. They turned their attention to finding application-level vulnerabilities. Bugs that reside in programs running on PCs and Web-based applications are as insidious as termites in a wood-frame house. When exploited, they do their damage from the inside out.
“The Internet came along, and applications that were on the inside [of an organization], we put them outside” via the Web, Weider said. “Hackers discovered that you could exploit vulnerabilities in the software applications that were put outside the walls and…steal data, perform fraud, deface Web sites or cause other malicious acts.”
Today, application-level attacks outpace attacks on networks by 3-to-1, according to industry sources. Even as organizations have fortified network security, the threat from application vulnerabilities has expanded.
“This problem has been steadily growing over the last 10 years and has reached a feverish pitch,” Weider said. “We’ve seen a huge shift in attack focus.”
The objective of hackers has also changed. “They are no longer just trying to get attention,” said James MacDougall, South Carolina’s chief information security officer. He said he has seen huge numbers of application-level attacks that seek to steal data or take over computers.
“What they want is personal identifiable information,” he said. “They want credit cards. They want to make money.”
In a recent attack that affected a nine-state area, including South Carolina, hijacked computers were used to create a botnet — an illegal network that can be used for nefarious purposes, such as generating spam on behalf of paying customers.
“It’s almost like a service-level agreement,” MacDougall said of the financial arrangements struck between illegal spammers and their clients.
As governments at the federal, state and local levels expand their Web presence, the vulnerability of public-sector IT will also grow, experts predict.
“The DMV and benefits departments and Medicare are starting to put more applications online,” said Brian Laing, chief security officer at RedSeal Systems, a provider of security risk management solutions.
Most organizations, including government agencies, have been slow to recognize and respond to the changing threat, security experts say. “Network security has been around for eight or nine years now,” said Mandeep Khera, vice president of marketing at Cenzic, which sells application security risk management products. “Most organizations have spent a lot of money on securing the network.”
That is no longer enough. You have to have network security and application security in place to keep up with current threats, Khera said. People charged with keeping systems and data safe “have to get over the fiction that network security will protect them from all threats. Application security is a different animal.”
Most common ploys
Russian hackers breached the security of a Web site managed by the state of Rhode Island in January 2006. The thieves boasted in an online forum of having stolen credit card data for about 53,000 transactions, the Providence Journal newspaper reported. State officials did not divulge how the hackers were able to access the confidential data.
However, the hackers almost certainly used a strategy that is well-known to security pros. Cross-site scripting and SQL injection are two of the most prominent techniques for exploiting application-level vulnerabilities.
Cross-site scripting allows hackers to inject code into Web pages viewed by other users, such as comments posted on public discussion boards, or exploit vulnerabilities in the way Web sites exchange data with visitors’ browsers.
Such ploys often involve the hackers masquerading as trustworthy online entities to send e-mail and instant messages. The messages dupe victims into visiting phony sites that look authentic and thereby trick them into giving sensitive personal or financial information.
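The comment-board case the article describes comes down to whether user-supplied text is HTML-escaped before it is written into a page. The following is an added example, not code from the article or from any vendor quoted in it: a constructed comment list, a vulnerable renderer that pastes the text straight into the markup, and the hardened version that escapes it. The comment strings, the `render_*` function names and the `contains_active_markup` check are all made up for the illustration.

```python
import html

# Constructed sample comments, as a public discussion board might store them.
# The second one carries a script tag, the kind of user-posted content the
# article describes as cross-site scripting against other visitors.
SAMPLE_COMMENTS = [
    "Great service, thanks!",
    "Nice site <script>alert(1)</script>",
]


def render_comment_unsafe(text: str) -> str:
    """Vulnerable: the comment is concatenated into the HTML unchanged, so any
    tags in it (including <script>) become part of the page every visitor loads."""
    return '<li class="comment">' + text + "</li>"


def render_comment_safe(text: str) -> str:
    """Hardened: HTML-escape the text so the browser displays the characters
    literally instead of interpreting them as markup."""
    return '<li class="comment">' + html.escape(text, quote=True) + "</li>"


def render_board(comments, safe: bool = True) -> str:
    """Render a whole comment list with either renderer (hypothetical helper)."""
    renderer = render_comment_safe if safe else render_comment_unsafe
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


def contains_active_markup(rendered: str) -> bool:
    """Simple check used only for this demonstration: does the rendered
    fragment still contain a raw <script tag that a browser would execute?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_board(SAMPLE_COMMENTS, safe=False))
    print("safe:  ", render_board(SAMPLE_COMMENTS, safe=True))
```

Escaping at output time is the part that matters: the stored comment can stay as the user typed it, but nothing user-controlled should reach the page without going through the escaping step for the context it lands in.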
SQL injection exploits vulnerabilities in the database layer of applications. Using nothing more than a Web browser, hackers look for gaps in software security that let them trick an application into retrieving and divulging information that shouldn’t be released from its database.
The vulnerability is often a poorly secured interface, such as a user log-in page. Instead of entering valid log-in information, such as a name and password, the hacker injects a string of Structured Query Language, the query language computers use to communicate with relational databases.
On pages with poorly written code, a hacker “can craft stuff on those fields to have you give up all the secrets on your database,” MacDougall said. “I can go through and steal everything you’ve got.”
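The log-in page case above is easiest to see with the two versions of the query side by side. This is an added example, not code from the article or from any of the products it mentions: an in-memory SQLite table with constructed accounts, a vulnerable log-in check that splices the submitted fields into the SQL text, and the hardened check that passes them as bound parameters. The `make_db`, `login_unsafe` and `login_safe` names and the sample accounts are assumptions made for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed users table.
    Passwords are stored in clear text only to keep the demonstration short;
    a real system stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable: the submitted fields are concatenated into the SQL text, so
    input containing quote characters and SQL keywords changes the query's logic."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened: a parameterised query. The driver sends the values separately
    from the SQL text, so they are compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic injected string for the log-in field
    print("valid credentials, unsafe:", login_unsafe(db, "alice", "correct horse"))
    print("valid credentials, safe:  ", login_safe(db, "alice", "correct horse"))
    print("injected string, unsafe:  ", login_unsafe(db, "nobody", tautology))
    print("injected string, safe:    ", login_safe(db, "nobody", tautology))
```

The unsafe version accepts a log-in with no valid account at all because the injected text turns the WHERE clause into one that is always true; the parameterised version treats the same text as a password that simply does not match. Reviewing code for string-built SQL and replacing it with bound parameters is the fix, and it is the check to run on every form field that reaches a database.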
The practice has become so well-known that people can easily find software utilities that automate SQL injection attacks. A simple Google search using “.gov” and common error messages that indicate software vulnerabilities will return thousands of hits, MacDougall said.
Added risks of custom software
The rapid expansion of government Web sites has increased the likelihood of hackers breaching security, experts say. Another cause for concern is the government’s preference for customized software, which tends to be much more vulnerable to attacks than commercial applications. Microsoft and other large vendors of commercial applications routinely issue patches to fix known vulnerabilities. Users of customized applications are often on their own.
Custom-developed, Web-based applications tend to be several orders of magnitude less secure than commercially developed programs, said Gunter Ollmann, director of security strategy at IBM’s Internet Security Systems (ISS) division.
“When ISS’ professional services consulting team looks at upcoming commercial products, a typical report may identify 20 to 30 vulnerabilities, of which, on average, two to five would be high-risk or critical,” Ollmann said. “Looking at applications developed internally, which may be deployed on thousands of desktops or servers, the report is 20 or 30 pages long, with 100-plus high-risk security vulnerabilities.”
Web applications, which can share and replicate components, are inherently more vulnerable to attack. In addition, the software developers who create custom Web applications tend not to put a premium on security.
“The two things we ask developers to do is cool functionality and get the application out the door on time,” said Michael Sutton, security evangelist at SPI Dynamics. “Those two things often work in opposition to security.”
Developers’ inattention to security also raises the possibility of programmers intentionally creating hidden vulnerabilities, including backdoors that allow unauthorized access to programs.
“There is so much [application development] outsourcing to India and China and other countries. Anyone can put backdoors in there,” Khera said. “If you don’t do thorough testing for backdoors and other security testing, you have no idea what might be in there. You just don’t know what’s in the code.”
Pulley is a freelance writer based in Arlington, Va.