Web Site Vulnerabilities Continue Unabated, IBM X-Force Says
February 9, 2009 Alex Woodie
Hackers last year continued to compromise commercial Web sites using well-known techniques like SQL injection, putting corporate data in danger, but also raising the likelihood that businesses will infect their own customers with Trojan horses and other malware. This was the warning issued by security researchers at IBM's Internet Security Systems subsidiary, which published its security report for 2008 last week. One of the bright spots: spam decreased slightly following the shutdown of a major distributor.
In years past, the vast majority of security-related news and attention was related to Web browsers. Microsoft's Internet Explorer (IE), with a new security vulnerability popping up seemingly every other day, was vilified and ridiculed as a huge security liability. People moved in droves to alternatives like Mozilla's Firefox and Apple's Safari Web browsers, in the hopes of avoiding the viruses, worms, and other creepy-crawlies that could infect you via IE.
While IE did have its share of security problems, its attractiveness to hackers was largely a result of IE's dominant market share. And when Microsoft finally took action to lock down IE, hackers had already moved on to greener fields. First, they moved up the stack to browser add-ons, like Flash and Acrobat. Then hackers ramped up their attacks on applications, including MS Office. But the focus remained on client-side vulnerabilities, as opposed to server-side problems.
Now, the tide has shifted, according to ISS X-Force, and hackers are ramping up their attacks on popular Web sites, which are run on massive clusters of servers housed in data centers.
The new trend has hackers exploiting vulnerabilities in Web application servers and Web middleware to snare large groups of visitors in a short amount of time. Once a popular Web site has been compromised, the hackers can easily redirect its visitors to malicious Web sites of their choosing, where the victims' PCs are hit with browser exploit toolkits that do the hackers' bidding. The end result is horrible and predictable: identities are stolen, bank accounts are drained, and lives are devastated.
Web application vulnerabilities, such as SQL injection, cross-site scripting, and file include vulnerabilities (most common in PHP apps), grew to account for 54 percent of all vulnerabilities disclosed in 2008, according to ISS X-Force, which would make them easily the fastest growing class of security vulnerabilities. The biggest offender in the class was SQL injection, which grew 134 percent last year, the group says.
Unfortunately, Web application vendors, as a whole, have not kept up with the spike in SQL injection techniques. Of all the security holes found in Web applications last year (nearly 4,000 of them), 74 percent had no patch available from the vendor. That is, quite frankly, unacceptable.
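As an added illustration, not part of the article or of the X-Force report, here is the pattern behind the SQL injection class the report counts: a login query built by string concatenation next to the parameterized form that closes the hole. It runs against an in-memory SQLite database; the table, rows, and attack payloads are constructed for the example, and the hypothetical login_vulnerable/login_hardened functions stand in for whatever data-access layer a real Web application uses.

```python
import sqlite3

# Constructed sample data for the demo (not from the report). Plaintext
# passwords are used only to keep the example short; never store them this way.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]

# Classic payloads: a tautology that makes the WHERE clause true for every row,
# and a quote-plus-comment that truncates the rest of the statement.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so user input becomes SQL syntax.

    This is the defect pattern; it is here only to show what the attacker sees.
    """
    sql = (
        "SELECT username, email FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Same lookup with bound parameters.

    The statement text is fixed; the driver passes the values separately, so a
    quote or comment marker in the input is matched as data, never parsed as SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def run_demo():
    """Run both versions against each payload and return the row counts seen."""
    conn = make_db()
    results = {
        "vulnerable_tautology": len(login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY)),
        "hardened_tautology": len(login_hardened(conn, TAUTOLOGY, TAUTOLOGY)),
        "vulnerable_comment": len(login_vulnerable(conn, COMMENT_OUT, "wrong")),
        "hardened_comment": len(login_hardened(conn, COMMENT_OUT, "wrong")),
        "hardened_legit": len(login_hardened(conn, "alice", "s3cret")),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows} row(s) returned")
```

With the tautology payload the concatenated query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable version hands back both accounts without a valid password; the comment payload turns the tail of the statement into a SQL comment and logs in as alice. The parameterized version returns nothing for either payload and still matches a genuine username/password pair, which is the whole of the fix the article says most vendors had not shipped.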
“It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed,” says Kris Lamb, senior operations manager, X-Force Research and Development for IBM Internet Security Systems. “This is one of the oldest forms of mass attack still in existence today.”
ISS X-Force could not determine exactly why SQL injection attacks are spiking, but concluded that it is likely a combination of several circumstances, including the widespread prevalence of the vulnerabilities, stepped-up research by hackers, and a lack of patches from the vendors. All in all, the Web application problem is the "Achilles' heel of corporate IT security," ISS X-Force says.
The rate of discovery of critical vulnerabilities continued its march upward in 2008, increasing 13.5 percent over the previous year, after slowing down in 2007. However, despite the increase in vulnerabilities, hackers were not exploiting them as often as they had in the past, ISS X-Force found.
This led the company to question how the security industry responds to vulnerabilities, and to suggest a more nuanced approach, one that takes into account how much hackers could profit from a given vulnerability. Currently, the Common Vulnerability Scoring System (CVSS) looks primarily at the technical aspects of vulnerabilities, and not the potential financial gain for an attacker, ISS X-Force says.
Security researchers logged a major victory against spam when the Silicon Valley Web hosting firm McColo was shut down last fall. The operations of McColo, which was actually a front for a huge spam operation, were brought to light as a result of the work of Washington Post reporter Brian Krebs to track down the source of spam.
While bringing down the McColo operation resulted in an immediate drop in the amount of spam clogging the Internet's byways, other operations picked up the slack to fill the void. ISS X-Force reports that China emerged as the number one source of spam immediately following McColo's demise, but that Brazil claimed the top spot by the end of the year. Another BRIC country, Russia, was also a top spam generator for 2008 (India, where are you?), as was Turkey.
The complete 106-page ISS X-Force report can be downloaded at www-935.ibm.com/services/us/iss/xforce/trendreports.