Navigation
Web server attacks, poor app patching make for nasty mix Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats By Gregg Keizer September 15, 2009 03:44 PM ET
Sep 16, 2009

Computerworld - A dangerous combination of a massive increase in Web server attacks and poor patching practices is a major cause of concern for experts, according to a report issued today by several security organizations.

In a groundbreaking study that matched attack trends with patching cycle data, some conclusions came as a shock, said Rohit Dhamankar, the director of security research at 3Com TippingPoint, which contributed real-world attack information -- acquired from its intrusion detection systems -- to the report.
"From our point of view, this is a big deal, said Kandek, speaking for security professionals in general. "There are real-life examples, where you can see attackers attacking corporate Web servers, then from there infecting client machines, until eventually a client machine is compromised that has full access to the network. Then [attackers] are stealing that corporation's data." "Attackers have realized that patching of these third-party apps is complex," added Dhamankar. "They know that a lot of people are focused on patching operating systems rather than patching applications like Flash or Reader." And thus they dig into the most widely-installed applications, looking for flaws.

The combination of hacked servers and unpatched client applications is critical. "The lack of patching opens up a huge window of vulnerabilities," Kandek acknowledged. "It shows that patching is crucial."

Adding salt to the wound, said Dhamankar and Kandek, is that while users are patching, they're patching the wrong software. While operating systems, particularly Windows, are patched by users and organizations at a relatively rapid -- and complete -- clip, the number of attacks exploiting OSes has dropped precipitously.

"Enterprises are focused on OS patching rather than on application patching," said Dhamankar. "They don't have their resources allocated properly."

Putting a stop to the threat trend won't be easy, but it is possible, argued Kandek.

"Some enterprises have patching policies in place for third-party applications, and there are industry-standard tools to do this," he said. "The technical solutions are out there. [Third-party] patching could be much better, and I see vendors being pressured to do more to integrate their patching into these tools.

"But we've done this before," Kandek continued, referring to the security situation several years ago, when Windows was the main target of attackers. Microsoft beefed up its then-OS, Windows XP, dedicated itself to writing more secure code and pushed customers to update religiously.

"That means we can do something about this, too," Kandek concluded.

"The sheer number of attacks against Web servers was surprising," said Dhamankar. "In terms of attack volume, they were almost 60% of all so far this year. Hackers are after a foothold in the corporate network, to conduct client-side attacks against visitors of the site, but also once they have that foothold, to gain much higher privileges and use those to also steal data."

Dhamankar pointed to the recent spread of malware from the New York Times Web site as a perfect example of the alarming increase in server attacks. Over the weekend, hackers duped the newspaper into using a malicious ad, which in turn tricked users into downloading and installing fake antivirus software. "The New York Times is a respected brand, and so it's a perfect avenue to infect lots and lots of users," he noted.

Some servers, once compromised, are even attacking other servers to pillage back-end information and to host malware fed to unsuspecting users, said Dhamankar.

The report -- which can be read on the SANS Institute's Web site -- correlated the high number of Web server attacks with another trend: poor patching practices by the Web's highest-profile third-party applications.

"Applications that are widely installed are not being patched at the same speed as the operating system," said Wolfgang Kandek, the chief technology officer of Qualys, which contributed its patching data to the study. "For Adobe Reader, Adobe Flash, Sun Java, Microsoft Office, Apple QuickTime, the patch cycles are much much slower than for operating system," he added.

That's a major problem.

PREVIOUS POSTS
Jul 02.09 | Heartland breach cost $12.6 million, CEO says

By Robert Westervelt, News Editor 07 May 2009 | SearchFinancialSecurity.com

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. read more

Apr 20.09 | RBS, Heartland no longer PCI compliant

RBS, Heartland no longer PCI compliant

By Dan Goodin in San Francisco • Posted in Security, 13th March 2009 21:40 GMT

Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security.

The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.
read more

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce!

read more

Jul 25.08 | Credit-card fraud probe targets Pearson's self-service kiosks

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks. read more

Feb 25.08 | MONERIS SOLUTIONS LAUNCHES NEW E-PHILANTHROPY INITIATIVE WITH C.N. WYLIE GROUP!

Moneris’ new eSELECTplus® payment tool will be used with Wylie’s Helpforcharities.com Web site so organizations can easily accept electronic contributions and purchases online
read more

Jan 18.08 | Silent Banker Trojan..Banking in Silence

Beware the Silent Banker Trojan which sits quietly between your computer and your online banking to steal away payments. It can silently change the user-entered destination bank account details to the attacker's account details instead. read more

Jan 14.08 | November 6, 2007 92 Convio Clients Hit In Security Breach

November 6, 2007 92 Convio Clients Hit In Security Breach
Firm says no financial data was accessed
By Mark Hrywna The NonProfit Times read more

Nov 13.07 | VISA PLANS TO RAISE $10 BILLION IN IPO

read more

Oct 24.07 | Court filing in TJX breach doubles toll

Court filing in TJX breach doubles toll
94 million accounts were affected, banks say
By Ross Kerber, Globe Staff | October 24, 2007 read more

ARCHIVE