When hobbyist Dan Thompson created a website in 2000 for music fans to discuss and trade lyrics of one-hit wonders – think “Come on Eileen” or “Ice, Ice Baby” – he never thought the site would become a cyber target.
But that's just what happened last month, when hackers launched injection attacks against the vulnerable site by inserting a simple, customised script into the URL string. This query manipulated the contents of the Structured Query Language (SQL) Server database – common on most dynamic websites – causing the comment sections below message board threads to disappear.
Luckily (and perhaps stupidly), the vandals failed to initiate their script tags, meaning the 5,000 daily visitors to Thompson's site were not silently redirected to a rogue China-based website that was included in the script. Had they been, there is a strong chance the machines of unpatched users would have been infected with a trojan.
“I wrote [the site] eight years ago when I was first learning programming,” he says. “People like it. It's kind of organically grown because of the users. I've never really checked it for vulnerabilities. I guess now I need to start working on it.”
It was a wake-up call for Thompson, who lives in Kansas City and works full-time as a systems analyst. “I'm sure there's some amount of responsibility for me to give people a site that's not going to turn their computer into a zombie,” he says.
Thompson is far from alone in his predicament. Since last fall, when attackers began using tools to automatically search for and then compromise vulnerable websites, hundreds of thousands of pages – almost all of them as innocuous and legitimate as Thompson's website, onehitwondercentral.com – have been silently overtaken.
This is causing some of the largest websites to take action. Retail bellwether Overstock.com, home to some one million unique visitors a day, is well aware that the internet is today's preferred attack surface.
Just last year, Overstock rebuilt its entire site in Java, partially out of security fears.
“The security concerns were the fact that it was more of the unknown [with the old site],” says Sam Peterson, 32, senior vice president of technology at Overstock and the company's first-ever software developer. “If we're changing something here, what else are we changing? What [other vulnerabilities] could I be introducing?”
Salt Lake City-based Overstock has made it a point to only hire senior software engineers, he says. The belief is that these 60 men and women have been in the business long enough to appreciate not only novel application features and quick turnaround times, but also the value of security.
“We now have a team dedicated to security,” Peterson says. They are responsible for testing code before and during the production process and running regular tests once it has gone live.
“Since we know the code base and have access to the servers, we can run a much deeper scan than someone externally,” he says. “The bar is even higher for us. We're making sure security is above and beyond what it needs to be. If your application is secured, no matter what they throw at you, you're not going to have a problem.”
Increase in infected sites
Still, most websites seem slow to respond at best, or caught completely off-guard at worst.
According to San Diego-based Websense's “State of Internet Security,” a report released in July, 75 percent of today's websites containing malicious code are legitimate sites. That marks a 50 percent increase over the previous six-month period.
Among the trusted web destinations that have been hit are MSNBC, Wired, the United Nations, the Association of Tennis Professionals and Sony PlayStation.
Websense says 60 percent of the 100 most heavily trafficked websites have fallen victim to similar malicious activity.
Jeremiah Grossman, founder and chief technology officer of Santa Clara, Calif.-based WhiteHat Security, which estimates that nine out of 10 websites contain a serious vulnerability, says URL filtering and corporate proxy servers have improved dramatically. This has forced cybercrooks to refine their strategies.
“The bad guys used to try to get you to come to their website,” Grossman says. “Instead of putting their malware on an untrusted site, now they put them on a trusted site – the sites you can't block.”
And how have cybercriminals been able to so easily overtake these highly visited sites? Grossman says insecure coding is almost entirely to blame.
“Most of them are riddled with vulnerabilities because those who coded them didn't know of particular issues, didn't care, or weren't educated in such things,” he says.
Website developers can protect users from internet-borne threats
By Dan Kaplan on Sep 26, 2008 12:22PM