How have you seen web hacking evolve since you started working in IT security?
When it comes to web hackers and bad guys on the Internet, I think the famous quote from Willie Sutton, a bank robber from the 1920s applies. When asked why he robs banks, Sutton said: “Because that’s where the money is.”
Since the Internet came along, the most important asset for today’s bad guys is personal/financial data like a person’s credit card number or social security number. This data is the new capital for today’s Willie Suttons because when they have this data they can do all sorts of things from outright theft and fraud to stealing a person’s identity. And the pursuit of this data for malicious intent has been their primary goal over the years.
Early on you would see the bad guys going directly after web sites that handled financial data like banks and brokerage firms to try and steal this data. Sometimes they were successful and sometimes they weren’t. But as the security improved on sites like that, the bad guys tried different methods like e-mail spam, or targeted retail sites and company web sites all with the goal of getting their hands on this crucial data.
However, at the end of the day, the attack methods and targets may change for the bad guys, but the ultimate goal of getting their hands on this data will not change.
How are today’s bad guys attacking web sites to steal important data?
And while this may sound like inside baseball, imagine that you are in charge of the physical security for a bank. You spare no expense to buy and install the latest cutting-edge technology including; secure and fire resistant vaults, bullet proof glass to protect the tellers, closed-circuit video cameras and silent alarms to notify police. It will be next to impossible for someone to walk into your bank and be able to steal any money. What you didn’t account for, however, is that it is possible for someone to use the ATM outside the bank to extract thousands of dollars from customer’s accounts by simply specifying a certain PIN code.
This real-world analogy is very similar to how criminals are wreaking havoc on the web by targeting ecommerce websites that interact with back-end databases. The criminals are using this specific attack technique, SQL injection, to steal customer data, hold customer data hostage by encrypting it or destroy data entirely by deleting it.
What new methods of attack should people be aware of in the coming years?
Our research this year showed tremendous growth in hacking incidents involving social networking sites, such as Twitter and Facebook. In previous years, these types of attacks barely registered, but we have seen that in the first half of 2009, social networking sites are the fastest growing target base for the bad guys and rank just below SQL attacks. We believe this trend will only continue the rest of the year and beyond. It isn’t a stretch, but I see social networking site being the number one target of hackers for a long time.
The reason for this is pretty simple: The bad guys are going where the users are and where they can get their hands on financial data. When there are millions of people using Twitter or Facebook every day, the bad guys are sure to follow. In addition, unlike banks, financial brokerages and online commerce sites, many of these new social networking sites do not the have extensive IT security safeguards in place. I think until these sites bolster their IT security, these types of attacks will continue to flourish.
And because criminals are smart and always looking for new places and methods of attack, it is important to make sure you have your web application security in order. It doesn’t take much for someone to exploit a web application vulnerability to plant malware and subsequently infect clients who visit the web site. By adding malicious code, attackers convert hacked web sites to a primary method of distributing viruses, trojans and rootkits.
When you think about it, people who use these sites are there for social reasons – sending photos, posting messages, whatever – and they don’t give much concern about their financial data being stolen. But all it takes is for someone to click on an infected link or a download a tainted video and the bad guys are in.