Are Web Applications a Security Concern?
Editor's Note: Here's an excerpt from an excellent article in today's New York Law Journal. I think it adequately explains today's risks inherent with transacting on the web. That said, I'm more worried about tomorrow than I am today. After all, yesterday https:// was safe, SSL was safer and EV SSL was safest. Not today. Click any graph to enlarge...JBF
by Richard Raysman and Peter Brown
New York Law Journal - July 16, 2009
...Several high-profile computer hackers have recently been indicted or face prison time as a result of their unlawful activities. For example, a hacker named "Max Vision," who stole almost 2 million credit card numbers from financial institutions, merchants and other hackers, recently pleaded guilty to federal wire fraud charges and is awaiting sentencing. In another matter, a 19-year-old blind hacker was sentenced to 135 months in prison for unauthorized access to telecommunication company information, among other crimes.[FOOTNOTE 1]
Also, in ongoing proceedings, an accused British hacker, who allegedly accessed data on NASA computers, is seeking judicial review of a prior order permitting his extradition to the United States, arguing he should not be held criminally responsible because he is a sufferer of Asperger's syndrome.[FOOTNOTE 2]
Facing concerns similar to those of government network operators, private companies with external Web sites can be susceptible to attackers looking to commit defacement or infiltrate computer networks to steal sensitive information. The increased corporate reliance on complex applications and technologies contributes to the potential for security vulnerabilities and an increased need for computer security.
In a growing concern, legitimate Web sites continue to be targeted by hackers, with a reported 30,000 pages affected every day by malware attacks.[FOOTNOTE 3] Successful attacks can compromise confidential resources or consumer data and harm an organization's image. Further, an improperly configured Web server can be attacked directly to obtain unauthorized access to an organization's internal resources.
This article will discuss Web application security concerns, common Web application attacks and some of the enforcement actions taken by the Federal Trade Commission against companies that have suffered security breaches allegedly due to inadequate security practices.
SECURITY CONCERNS
Business sites have become an indispensable means to communicate with prospective customers and conduct transactions. Sites have become more dynamic, giving users new capabilities to run applications, query databases and access personal and financial content.
Highly interactive sites boast multiple ways to reach out to users, namely through login and informational fields, electronic shopping carts and data uploading systems that collect, process and electronically transmit potentially sensitive consumer information.
Such interactions are performed by Web applications, which are programs that act as the intermediary between a site's servers and its database servers such that data submitted or requested by users can be transmitted from a company's database to users' browsers.
For example, a database might maintain information related to login credentials, financial information, statistics, pricing or inventory information, or other sensitive data that, when accessed legitimately, gives a site its functionality for users and customers.
When a user's submission requires additions to or retrieval from a company's database, whether it be a simple search, account information request or e-commerce transaction, the application accesses the database servers to run the particular request, with the information displayed on users' screens.
However, as hackers and identity thieves have become more adept at exploiting programming vulnerabilities to gain access to a company's Web and database servers, the use of Web applications raises cybersecurity concerns.
The intruders seek unauthorized access for several reasons, such as to deface a site (i.e., changing information on the server or redirecting traffic to embarrass a company or make a political statement); steal sensitive data for illicit gains; plant malicious code to further a phishing scheme or other online scam; or create a distribution point for attack tools, spam, pornography or pirated software.[FOOTNOTE 4]
In addition, sensitive information transmitted unencrypted between the server and a user's browser may be intercepted or malicious entities may attempt to gain unauthorized access to resources elsewhere in the organization's network via a successful attack on the server.
Such attacks are consistent with a trend in malicious user behavior, which focuses on attacking applications accessible via the Internet, as opposed to attacking the operating system of the host platform.[FOOTNOTE 5]
Indeed, the growth of attacks has been fueled by the easy availability of automated programs or "rootkits" that can perform a sweep across the Web to detect which sites have known vulnerabilities. Thus, if a site's applications are not secure, then sensitive consumer information could be at risk from one of many common exploits.
COMMON ATTACKS
In recent years, as the security of networks and server installations has improved, poorly written software applications and scripts that inadvertently allow attackers to compromise the security of a Web server or collect data from backend databases have become the routine targets of attacks.
Common attacks include "structured query language" (SQL) injection, where a hacker is able to input commands to a database, and "cross-site scripting" (XSS), where an attacker manipulates the application to store malicious scripting language commands that are activated when a subsequent user opens the Web page.[FOOTNOTE 6]
Generally speaking, XSS refers to the act of injecting a malicious code into a Web page, which is then executed in the user's browser, in order to perform some sort of manipulation. XSS exploits the browser's (as well as the user's) trust that the page they are viewing is safe for downloading information and/or clicking on links presented.
XSS often takes advantage of Web servers that return dynamically generated pages. A successful attack potentially allows the hacker to redirect the page to a malicious location, hijack a user's browser, engage in computer network reconnaissance or plant backdoor programs, all while being completely transparent to the end users.[FOOTNOTE 7] As a result, a hacker can typically gain access to a company's database servers, deface Web pages, spread worms or execute malicious computer script.[FOOTNOTE 8]
Another common attack, SQL injection, allows commands to be executed directly against the database, thereby permitting disclosure and modification of the data within.
SQL is a computer language for querying and modifying data and the management of databases. The most common pathway for an SQL injection attack occurs when a hacker is permitted to enter SQL commands into a certain Web feature (e.g., login form, search query boxes, feedback forms) or directly into the browser address bar and query the database without authorization.
SQL injection usually involves a combination of inappropriate security permissions, unfiltered user input, and software code errors or omissions. Since SQL injection is possible even when no traditional software vulnerabilities exist, mitigation is often more complicated than simply applying a security patch.[FOOTNOTE 9]
With more and more Web servers comprising a front end for a database server, there is an ongoing risk that an intruder can compromise the database unless adequate security precautions are taken.
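The two mechanisms described above, "unfiltered user input" reaching the database (SQL injection) and stored text being activated in a later visitor's browser (XSS), come down to the application failing to separate data from code. The following is an added example, not code from the article or its authors: a constructed guestbook-style handler using an in-memory SQLite database, with the vulnerable form of each step beside its hardened form (placeholders on input, escaping on output).

```python
import html
import sqlite3

# Constructed in-memory database standing in for the site's database server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

# Vulnerable form: the user's text is spliced into the SQL statement, so the
# database cannot distinguish submitted data from SQL commands. Even a
# legitimate name containing an apostrophe breaks the statement.
def store_comment_unsafe(conn, author, body):
    conn.execute(f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}')")
    conn.commit()

# Hardened form: placeholders pass the text to the database as data only,
# whatever characters it contains.
def store_comment_safe(conn, author, body):
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()

def fetch_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]

# Vulnerable rendering: stored text is emitted as raw HTML, so any markup one
# visitor submitted is interpreted by the next visitor's browser (stored XSS).
def render_unsafe(conn):
    return "".join(f"<p>{body}</p>" for body in fetch_bodies(conn))

# Hardened rendering: escape on output so the browser displays the text
# literally instead of interpreting it.
def render_safe(conn):
    return "".join(f"<p>{html.escape(body)}</p>" for body in fetch_bodies(conn))

# Helper for checking the vulnerable path: True if splicing `author` into the
# statement text makes the query fail instead of storing it as data.
def concatenation_breaks_on(author):
    conn = make_db()
    try:
        store_comment_unsafe(conn, author, "x")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    store_comment_safe(db, "O'Brien", "<b>hi</b>")   # constructed sample input
    print("stored literally:", fetch_bodies(db))
    print("raw HTML:", render_unsafe(db))
    print("escaped HTML:", render_safe(db))
    print("concatenation fails on O'Brien:", concatenation_breaks_on("O'Brien"))
```

The same separation applies to login forms and search boxes: the input is bound as a parameter, never pasted into the statement, and anything echoed back to a page is escaped for the context it lands in.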
Read the Article in Full
Richard Raysman, a partner at Holland & Knight, and Peter Brown, a partner at Baker & Hostetler, are co-authors of "Computer Law: Drafting and Negotiating Forms and Agreements" (Law Journal Press).
FOOTNOTES
- FN1 See Poulsen, "Superhacker Max Butler Pleads Guilty," Wired (June 29, 2009); Wilonsky, "The 19-Year-Old Blind 'Little Hacker' Gets 135 Months in Federal Prison For 'Swatting'," Dallas Observer Crime and Punishment Blog (June 29, 2009).
- FN2 Gibb, "Gary McKinnon, Hacker With Asperger Syndrome, Fights Extradition to U.S.," The Times (June 10, 2009).
- FN3 Shiels, "Legit Web Sites Face Malware Hits," BBC News (June 17, 2009).
- FN4 See generally "Guidelines on Securing Public Web Servers," U.S. Dep't of Commerce, Nat'l Inst. of Standards and Technology (Sept. 2007).
- FN5 See e.g., Ackerman, "Dangers Grow on Web From Attacks," Mercury News (July 6, 2009).
- FN6 See generally "Guidelines on Securing Public Web Servers," supra. n.4.
- FN7 See generally "CIRCTech08-003: Understanding Cross-Site Scripting (XSS)," U.S. Dep't of Energy Cyber Incident Response Capability (June 3, 2008).
- FN8 See generally "Recommended Practice Case Study: Cross-Site Scripting," U.S. Dep't of Homeland Security, Control Systems Security Program (Feb. 2007).
- FN9 See generally "SQL Injection," U.S. Computer Emergency Response Team (US-CERT) (2009).
- FN10 See generally "Web Server Security Technical Implementation Guide Version 6, Release 1," U.S. Dep't of Defense, Defense Information Systems Agency (Dec. 11, 2006).
- FN11 See "CIRCTech06-001: Protecting Against SQL Injection Attacks," U.S. Dep't of Energy Cyber Incident Response Capability (Sept. 6, 2006).
- FN12 Under the statute, deceptive practices include acts that "cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition." 15 U.S.C. § 45(n) (2007). Courts have also stated that the FTC has broad authority to declare trade practices unfair. See E. I. Du Pont de Nemours & Co. v. FTC, 729 F.2d 128, 136 (2d Cir. 1984).
- FN13 See generally Joel B. Hanson, "Liability for Consumer Information Security Breaches: Deconstructing FTC Complaints and Settlements," 4 Shidler J. L. Com. & Tech. 11 (May 23, 2008).
- FN14 A list of the FTC's privacy-related actions taken over the past decade is available at http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html (last visited July 1, 2009).