Weak spots in the fortress

Vulnerabilities in Web-based software put agencies and citizens at risk.

In what now seems like a more innocent era, attacks against computer networks a decade ago had names like smurf and teardrop. Hackers then typically targeted operating systems, Internet and e-mail servers, firewalls, and other vulnerable network components. Upstart hackers known as script kiddies were motivated by the challenge of taking down a network and earning a measure of notoriety.

Information technology security professionals responded by bolstering firewalls, reconfiguring and scanning networks, and stiffening perimeter defenses. The measures impeded the rash of computer worms that burrowed into networks and relied on unrestricted connectivity to spread.

“Most of the spending [on security] was at the network level,” said Mike Weider, chief technology officer at Watchfire, a Web application security company. “The mentality was on perimeter defense…to build the walls of the castle high.”

Realizing that hardened networks were increasingly difficult to breach using head-on attacks, hackers switched tactics. They turned their attention to finding application-level vulnerabilities. Bugs that reside in programs running on PCs and Web-based applications are as insidious as termites in a wood-frame house. When exploited, they do their damage from the inside out.

“The Internet came along, and applications that were on the inside [of an organization], we put them outside” via the Web, Weider said. “Hackers discovered that you could exploit vulnerabilities in the software applications that were put outside the walls and…steal data, perform fraud, deface Web sites or cause other malicious acts.”

Today, application-level attacks outpace attacks on networks by 3-to-1, according to industry sources. Even as organizations have fortified network security, the threat from application vulnerabilities has expanded.

“This problem has been steadily growing over the last 10 years and has reached a feverish pitch,” Weider said. “We’ve seen a huge shift in attack focus.”

The objective of hackers has also changed. “They are no longer just trying to get attention,” said James MacDougall, South Carolina’s chief information security officer. He said he has seen huge numbers of application-level attacks that seek to steal data or take over computers.

“What they want is personal identifiable information,” he said. “They want credit cards. They want to make money.”

In a recent attack that affected a nine-state area, including South Carolina, hijacked computers were used to create a botnet — an illegal network that can be used for nefarious purposes, such as generating spam on behalf of paying customers.

“It’s almost like a service-level agreement,” MacDougall said of the financial arrangements struck between illegal spammers and their clients.

As governments at the federal, state and local levels expand their Web presence, the vulnerability of public-sector IT will also grow, experts predict.

“The DMV and benefits departments and Medicare are starting to put more applications online,” said Brian Laing, chief security officer at RedSeal Systems, a provider of security risk management solutions.

Most organizations, including government agencies, have been slow to recognize and respond to the changing threat, security experts say. “Network security has been around for eight or nine years now,” said Mandeep Khera, vice president of marketing at Cenzic, which sells application security risk management products. “Most organizations have spent a lot of money on securing the network.”

That is no longer enough. You have to have network security and application security in place to keep up with current threats, Khera said. People charged with keeping systems and data safe “have to get over the fiction that network security will protect them from all threats. Application security is a different animal.”

Most common ploys

Russian hackers breached the security of a Web site managed by the state of Rhode Island in January 2006. The thieves boasted in an online forum of having stolen credit card data for about 53,000 transactions, the Providence Journal newspaper reported. State officials did not divulge how the hackers were able to access the confidential data.

However, the hackers almost certainly used a strategy that is well-known to security pros. Cross-site scripting and SQL injection are two of the most prominent techniques for exploiting application-level vulnerabilities.

Cross-site scripting allows hackers to inject code into Web pages viewed by other users, such as comments posted on public discussion boards, or to exploit vulnerabilities in the way Web sites exchange data with visitors’ browsers.

Such ploys often involve the hackers masquerading as trustworthy online entities to send e-mail and instant messages. The messages dupe victims into visiting phony sites that look authentic and thereby trick them into giving up sensitive personal or financial information.

SQL injection exploits vulnerabilities in the database layer of applications. Using nothing more than a Web browser, hackers look for gaps in software security that let them trick an application into retrieving and divulging information that shouldn’t be released from its database.

The vulnerability is often a poorly secured interface, such as a user log-in page. Instead of entering valid log-in information, such as a name and password, the hacker injects a string of Structured Query Language, the language computers use to communicate with relational databases.

On pages with poorly written code, a hacker “can craft stuff on those fields to have you give up all the secrets on your database,” MacDougall said. “I can go through and steal everything you’ve got.”

The practice has become so well-known that people can easily find software utilities that automate SQL injection attacks. A simple Google search using “.gov” and common error messages that indicate software vulnerabilities will return thousands of hits, MacDougall said.

Added risks of custom software

The rapid expansion of government Web sites has increased the likelihood of hackers breaching security, experts say. Another cause for concern is the government’s preference for customized software, which tends to be much more vulnerable to attacks than commercial applications. Microsoft and other large vendors of commercial applications routinely issue patches to fix known vulnerabilities. Users of customized applications are often on their own.

Custom-developed, Web-based applications tend to be several orders of magnitude less secure than commercially developed programs, said Gunter Ollmann, director of security strategy at IBM’s Internet Security Systems (ISS) division.

“When ISS’ professional services consulting team looks at upcoming commercial products, a typical report may identify 20 to 30 vulnerabilities, of which, on average, two to five would be high-risk or critical,” Ollmann said. “Looking at applications developed internally, which may be deployed on thousands of desktops or servers, the report is 20 or 30 pages long, with 100-plus high-risk security vulnerabilities.”

Web applications, which can share and replicate components, are inherently more vulnerable to attack. In addition, the software developers who create custom Web applications tend not to put a premium on security.

“The two things we ask developers to do is cool functionality and get the application out the door on time,” said Michael Sutton, security evangelist at SPI Dynamics. “Those two things often work in opposition to security.”

Developers’ inattention to security also raises the possibility of programmers intentionally creating hidden vulnerabilities, including backdoors that allow unauthorized access to programs.

“There is so much [application development] outsourcing to India and China and other countries. Anyone can put backdoors in there,” Khera said. “If you don’t do thorough testing for backdoors and other security testing, you have no idea what might be in there. You just don’t know what’s in the code.”
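The log-in-page SQL injection the article describes, as an added example that is not part of the original piece: the string-built query that lets form input rewrite the WHERE clause, beside the parameterized query that fixes it, plus the database error a stray quote produces on the vulnerable version (the kind of error message the article says reveals a vulnerable site). It uses an in-memory SQLite table; the user table, credentials and inputs are constructed for the demo.

```python
"""Added example (not from the article): vulnerable vs. parameterized
log-in query, on an in-memory SQLite database with constructed users."""
import sqlite3

# Constructed sample data; real systems store a password hash, not the
# password itself (kept plain here to keep the focus on the query).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Form fields are pasted straight into the SQL text, so the database
    # cannot tell data from code: a quote in the input ends the literal
    # early and whatever follows becomes part of the WHERE clause.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the SQL text is fixed and the driver binds the
    # inputs as values, so quotes are just characters to compare against.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def leaks_error(conn: sqlite3.Connection, name: str) -> bool:
    # A legitimate name containing a quote (e.g. o'brien) breaks the
    # string-built query. The resulting database error, if shown to the
    # visitor, is exactly the clue the article says reveals a weak site.
    try:
        login_vulnerable(conn, name, "x")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    conn = make_db()
    injected = "' OR '1'='1"  # constructed input: no valid credential in it
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "valid_fixed": login_fixed(conn, "alice", "s3cret"),
        "wrong_vuln": login_vulnerable(conn, "alice", "nope"),
        "wrong_fixed": login_fixed(conn, "alice", "nope"),
        # The tautology makes the vulnerable query match every row, so the
        # check passes with no credentials; the fixed query rejects it.
        "injected_vuln": login_vulnerable(conn, "x", injected),
        "injected_fixed": login_fixed(conn, "x", injected),
        "quote_leaks_error": leaks_error(conn, "o'brien"),
        "quote_fixed_ok": login_fixed(conn, "o'brien", "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```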
Pulley is a freelance writer based in Arlington, Va.

4 defenses against application attacks
Agencies can take steps to limit their vulnerability to application-level attacks. The first step is to ignore Britney Spears.
In April, hackers lured unsuspecting users to sites that exploited a vulnerability in .ani files that Microsoft operating systems use to read and store animated cursors. Taking advantage of the vulnerability, the bogus sites injected hostile code into visitors’ computers that allowed hackers to take control of machines.
The enticement? Spam e-mail messages promising nude photos of the troubled pop star.
You can never make yourself impervious to application-level attacks because many vulnerabilities have yet to be discovered. However, focusing on user education and technology solutions can lessen the chances of being victimized by such an attack.
As noted above, hackers often succeed in breaching security with the assistance of unwitting victims.
“Some of these attacks require the collaboration of users,” said Max Caceres, director of product management at Core Security Technologies. “In the Britney Spears attack, somebody needs to click on that” link.
Here are four ways to avoid application-level attacks:
  • Offer security awareness training. Teach employees to identify attacks and not fall for them, Caceres said. Core Impact, the company’s network security product, can test the likelihood that employees will be duped by hackers’ tricks, he said.
  • Remove unused applications. It is good policy to remove unnecessary applications from users’ machines, Caceres said. An attack that exploits a vulnerability in QuickTime, for example, is not a threat if you’re not running that application.
  • Patch high-risk software vulnerabilities. As a matter of course, security administrators should find and patch high-risk vulnerabilities in commercial applications. Scans and penetration tests can identify and determine the risk level of many of them. A word of caution: Software patches can be buggy, too. The Britney Spears attack exploited a vulnerability in a patch issued to correct a previously identified problem.
  • Teach your developers to write secure code. Custom applications tend to have more vulnerabilities than commercial products. Microsoft won’t help you debug programs you’ve created in-house.
“If you create a vulnerability, you are totally on your own,” said Michael Sutton, security evangelist at SPI Dynamics, which focuses on Web application security. That company, along with Watchfire and others, is part of an emerging market built around identifying new vulnerabilities on custom Web applications, Caceres said. 
The bottom line is that organizations are responsible for securing their systems and the data they hold, said James MacDougall, South Carolina’s chief information security officer. His staff developers undergo off-site training that teaches them to write secure code. MacDougall regularly visits with contract developers to ensure security, and he tests applications for security vulnerabilities well before they go into production.
“Even if an outside vendor does the application, we are the steward of the information,” MacDougall said. “It is our responsibility. If there is ever a lawsuit, South Carolina would be a co-litigant.”
— John L. Pulley