Seven reasons websites are not secure

**Glaswegian** · 09-14-2009, 01:37 PM

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from security firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages - one every 3.6 seconds - were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.

In a recent interview with Techworld sister publication CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.
1. Polluted ads

Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

"A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections."

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said.

Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks

SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years.

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

"The hacker essentially takes advantage of flaws related to shoddy site development," Wang said.

http://features.techworld.com/securi...ecure/?olo=rss

**koala** · 09-15-2009, 06:30 AM

Quote:

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit.

I use AdBlock and NoScript, so I never see any adverts or Flash animations when using Firefox, but Google Chrome doesn't support these kind of extensions/addons yet, so does that make Chrome less secure and should it be avoided?

**Glaswegian** · 09-15-2009, 01:43 PM

Try here

http://www.infoworld.com/t/applicati...gle-chrome-443

**koala** · 09-15-2009, 01:52 PM

Thanks, Glas.

There's an interesting paragraph on page 2 of your link that covers what I was asking about.

Quote:

Questionable controls
But then reality hits hard. One of the most glaring lapses is the inability to disable JavaScript. Because JavaScript is involved with most malicious Web attacks, all of Google's competitors allow its use to be disabled globally, or per site or per zone (albeit Firefox requires a third-party add-on, NoScript, to be site-specific). The world has yet to create a virtual machine that was not able to be breached, so despite all the cleverness that went into V8, I cannot understand how Google committed such an oversight, even if the company is trying to promote JavaScript-enriched applications and sites. If a large JavaScript exploit happens against Chrome -- or rather, when it happens -- the only recommendation Google will be able to offer, it seems, is to stop using it.

I think I'll stick with Firefox as my main browser until Chrome improves its javascript security.

**Glaswegian** · 09-15-2009, 02:04 PM

Me too...

09-14-2009, 01:37 PM	#1 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,359 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Seven reasons websites are not secure Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from security firm Sophos, sites we take for granted are not as secure as they appear. Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages - one every 3.6 seconds - were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites. In a recent interview with Techworld sister publication CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous. 1. Polluted ads Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user. "A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections." Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said. Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data. 2. SQL injection attacks SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years. SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server. "The hacker essentially takes advantage of flaws related to shoddy site development," Wang said. http://features.techworld.com/securi...ecure/?olo=rss __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

09-15-2009, 01:43 PM	#3 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,359 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Seven reasons websites are not secure Try here http://www.infoworld.com/t/applicati...gle-chrome-443 __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

09-15-2009, 02:04 PM	#5 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,359 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Seven reasons websites are not secure Me too... __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner