Crooks have new chances as websites grow more complex

May 20, 2010 By Steve Johnson

Cyber crooks are increasingly targeting the growing array of Web applications -- everything from interactive maps to stock tickers -- potentially giving them access to the credit card and Social Security numbers of people using those sites.

Despite the increased security threat, experts say, some Silicon Valley companies and others that make the enabling many of these online features aren't responding quickly to fix the flaws.

"It's a wild, wild world out there," said Mandeep Khera, chief marketing officer at Santa Clara, Calif.-based Cenzic, which sells software to help ward off hackers. Despite a growing effort to beef up security on the Internet, he added, "consumers need to be aware of how vulnerable most of these websites are."

Hoping to attract the public, businesses and others on the Web in recent years have added more and more applications. This includes multimedia players, document readers, auction features, reservation systems, video games, calendars, stock tickers, currency converters and e-commerce payment systems.

But to make those features work requires layers of sophisticated software. And keeping all that code free of the cracks that crooks can infiltrate isn't easy, according to Tom Cross, manager of IBM's X-Force Advanced Research unit, which monitors cyber threats,

"The reality is that the more complicated this code gets, the more potential for vulnerabilities there is," he said. "We're also seeing an increased sophistication in the people committing these kinds of crimes."

In March, Miami computer hacker Albert Gonzalez was sentenced to 25 years in prison for orchestrating one of the nation's largest credit- and debit-card thefts, which he and his cohorts carried out after identifying vulnerabilities in various businesses' websites.

In January, Google revealed that a series of cyber attacks originating from China had pilfered its intellectual property and targeted about 30 other Silicon Valley companies.

In July last year, Twitter acknowledged that a French who broke into its site had accessed sensitive company documents and, reportedly, the accounts of President Barack Obama.

"Every 1.3 seconds a new Web page is getting infected," according to a recent report by Dasient, an Internet security firm in Palo Alto, Calif. "Users who interact on the Web ... are therefore at great risk."

"It's pretty bad out there now," agreed Jeremiah Grossman, chief technology officer of Santa Clara-based WhiteHat Security, which helps website operators spot vulnerabilities. But given how fast applications are being added to the Internet, he predicted, "it's likely to get worse."

The danger is acute for consumers, experts add, because just visiting a site can leave them exposed to a cyber attack.

Much of the software incorporated into Web applications comes from big corporations. But the speed with which they fix the problems varies greatly, according to a study in February by IBM's X-Force group.

By the end of 2009, the report said, Oracle left 38 percent of such flaws without patches, Google 25 percent and Apple 22 percent. Hewlett-Packard, Adobe Systems, Cisco Systems and Mozilla failed to provide patches for just 5 percent or less of what it called "their critical and high vulnerabilities."

Oracle declined to discuss the study, and Apple did not respond to a Mercury News request for comment. But Google issued a statement disputing the study's accuracy, saying "a sizable number of flaws" the report claimed hadn't been fixed actually were. "Google contributes substantial resources and expertise not only to improving the security of our own products but also to enhancing the security of the broader web," the statement added.

Several security experts said such differences of opinion can happen because not everyone agrees on what constitutes a vulnerability. Moreover, they said, many website operators use their own customized software and often aren't aware of the weaknesses lurking in their applications.

Even when holes are identified, those responsible for sealing them may be reluctant to do so because of the cost. Some flaws can be patched for a few thousand dollars, experts said. But to design, test and widely disseminate a complicated fix for a major glitch, "you are talking in the millions of dollars," said Francis deSouza, a senior vice president at Symantec of Mountain View, Calif., which provides information security services.

Another problem, experts said, is that colleges and universities do not routinely teach software engineering students how to keep crooks from compromising their code. Plus, the wide variety of software used for Web applications makes it difficult to establish uniform protections for the public.

"It's like editing a book with people of all different grammar styles," said Rob Lee, a faculty fellow at the SANS Institute, a Maryland-based cybersecurity education organization. "Are you going to catch every mistake? It's a challenge, but it's one that needs to be taken on."
___

PATCHING VULNERABLE WEB APPLICATIONS:

An IBM report in February found wide variations in how some companies responded to security holes in their software. Here are the percentages of "critical and high vulnerabilities" that it said were left without a security patch at the end of 2009.

• Oracle: 38 percent

: 25 percent

• Apple: 22 percent

• HP: 5 percent

• Adobe: 4 percent

• Cisco: 1 percent

• Mozilla: 0 percent

Source: IBM X-Force 2009 Trend and Risk Report
___

STAYING SAFE ONLINE:

Once credit card or other personal information is shared with a website, keeping that from hackers can be difficult, given the vulnerabilities of many web applications. Here are some steps consumers can take:

• Don't click on any Web ads or pop-ups

• Update to the latest version of your browser

• Use a virtual credit card that expires after one use. These are available from credit card companies and banks.

• Check with your credit card company about shopping sites you're considering using.

• Ask the site's webmaster how the site is secured.

Explore further: BPG image format judged awesome versus JPEG

5 /5 (1 vote)
add to favorites email to friend print save as pdf

Related Stories

Research on browser weaknesses triggers attacks

Jul 30, 2008

IBM's X-Force says cyber-criminals are using public research on Web browser weaknesses to launch attacks before most users are even aware of their vulnerability. The mid-year report from the security group indicates that ...

Cyber criminals cloak their tracks

Feb 13, 2008

The 2007 X-Force Security report from IBM finds a disturbing rise in the sophistication of attacks by criminals on Web browsers worldwide. According to IBM, by attacking the browsers of computer users, cyber criminals are ...

Security gurus see even harsher browser attacks for '07

Jan 31, 2007

Another year, another round of sneaky online attacks. IBM security experts anticipate 2007 will see more sophisticated profit-motivated cyber attacks, including more focus on Web browsers as well as advances in image-based ...

Worms infesting computers worldwide: Microsoft

Nov 02, 2009

A Microsoft security report released Monday warns that cyber crooks are digging into computers for weak spots to penetrate with worms -- malicious software that steals control or data.

Recommended for you

BPG image format judged awesome versus JPEG

19 hours ago

If these three letters could talk, BPG, they would say something like "Farewell, JPEG." Better Portable Graphics (BPG) is a new image format based on HEVC and supported by browsers with a small Javascript ...

Atari's 'E.T.' game joins Smithsonian collection

Dec 15, 2014

One of the "E.T." Atari game cartridges unearthed this year from a heap of garbage buried deep in the New Mexico desert has been added to the video game history collection at the Smithsonian.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.