Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in Sophos’ threat report for the first six months of this year, 23,500 new infected Web pages — one every 3.6 seconds — were detected each day during that period. That’s four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites

1. Polluted ads

Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

“A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates,” Wang said. “Some of these affiliates are less than diligent in reviewing content for flaws and infections.”

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said.

Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks

SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years. For example, see “SQL Injection Attacks Led to Heartland, Hannaford Breaches.”

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn’t include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

“The hacker essentially takes advantage of flaws related to shoddy site development,” Wang said.

3. User-provided content

It doesn’t take a genius to write a comment to a blog posting or something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links. (See “Seven Deadly Sins of Social Networking Security“.)

“You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff,” Wang said. “They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around.”

4. Stolen site credentials

Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider’s log-in credentials. From there it’s no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor’s credit card or other data.

5. Compromised hosting service

This one is similar to number 4, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang said the bad guys could potentially poison thousands of sites the provider is hosting in one strike.

6. Local malware

The website you visit may be perfectly safe, but if there’s malware hidden on your own machine you can unwittingly become part of the attack, Wang said. For example, the user can visit their online banking site, and when typing in a user name and password the Trojan is there to record that information and pass it back to the attacker, allowing him to go in later and empty out your account or that of others.

7. Hacker-engineered fakes

Finally, there’s the problem of hackers trying to sell you fake merchandise that includes phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it–a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer–it’s a sure sign of trouble.

“You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data,” Wang said.

What is one to do if their website relies on ads and open access? Wang suggested IT security administrators use security scanners against anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he added.

from ComputerWorld

---

Filed under: Security - @ September 10, 2009 9:07 am