Website vulnerabilities continue to be exploited
1 April 2005
The Irish Honeynet Project has continued to be the subject of scans and probes from across the Internet. During September, the network recorded a further 435 attacks, originating from every continent and a wide range of countries. The suspected profile of those launching these attacks is an opportunistic attacker who wishes either to cause downtime or to use your organisation's systems to launch an attack elsewhere.
The Honeynet is a research initiative sponsored by the professional services firm Deloitte & Touche, operated by Espion, the security software and services distribution company, and hosted by Data Electronics. A Honeynet is a group of computers designed from the start to be attacked and compromised. A 'default install' server (typically without any security patches or other modifications) is placed on the Internet, and monitoring tools are set up to record the attackers' activities as they happen, allowing us to keep abreast of their ever-changing tactics.
Throughout the period that the Irish Honeynet has been in operation, we have seen a continuing rise in the number of attacks that aim to exploit known vulnerabilities in Web servers. Any organisation running a Website needs to ensure that the infrastructure hosting it is adequately secured against a wide range of attack types, especially the well-known ones that attackers scan for routinely.
One of the weak links in the Internet infrastructure is the number of poorly configured and poorly secured Web servers. Web servers are exposed to a number of common attacks, among them URL flooding, buffer overflows, HTTP bypasses, Web-code vulnerabilities and cross-site scripting.
Of the top ten vulnerabilities recorded on the Irish Honeynet, five relate to Web servers, and together they accounted for nearly 40 per cent of the month's attacks. These types of vulnerabilities also feature prominently on the recently released SANS/FBI Twenty Most Critical Internet Security Vulnerabilities list (www.sans.org/top20).
URL flooding is a form of denial-of-service attack: by inundating a Web server with rapid, repeated requests for the same resource, faster than the server can handle them, an attacker makes the site unavailable to legitimate users.
A buffer overflow occurs when the Web server software copies part of an HTTP request (a URL, a header or a body) into a fixed-size area of memory without checking that it fits. An attacker sends a request larger than the server expects, and the excess data overwrites adjacent memory. A skilled attacker crafts that excess so that it contains code of his own and redirects execution to it. By exploiting this type of vulnerability, the attacker gains a command prompt or the ability to run remote commands of his choice on the server, and with that access he can take control of the machine and make any changes he wishes, including deleting any file on the system.
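As an added illustration (example code written for this edit, not from the article or the Honeynet project), the C fragment below shows the kind of defect just described: a request path copied into a fixed-size buffer with no length check, beside a version that refuses the request before copying anything. The function names, the 64-byte limit and the 300-byte sample request are illustrative choices for this example.

```c
/* Added example (not from the article): an HTTP request path copied into a
 * fixed-size buffer, in the unsafe form beside a bounded form. Names and the
 * 64-byte limit are illustrative choices for this example. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64

/* Locate the path in a request line such as "GET /index.html HTTP/1.0".
 * Returns a pointer to the path and writes its length to *len, or NULL if
 * the line contains no path. */
static const char *find_path(const char *request_line, size_t *len)
{
    const char *start = strchr(request_line, ' ');
    if (start == NULL)
        return NULL;
    start++;
    const char *end = strchr(start, ' ');
    *len = end ? (size_t)(end - start) : strlen(start);
    return start;
}

/* Unsafe: trusts the client-supplied length. A path of 64 or more bytes
 * runs past 'path' and overwrites whatever the compiler placed after it
 * (saved registers, the return address), which is what the attacker's
 * "overly large request" is aimed at. Shown for contrast; in this example
 * it is only ever called with a short request. */
void handle_request_unsafe(const char *request_line)
{
    char path[PATH_BUF];
    size_t len;
    const char *p = find_path(request_line, &len);
    if (p == NULL)
        return;
    memcpy(path, p, len);   /* no bound check: this is the overflow */
    path[len] = '\0';
    printf("unsafe: serving %s\n", path);
}

/* Bounded: refuse the request before any copy if the path cannot fit,
 * answering 414 (Request-URI Too Long) instead of crashing or executing
 * attacker-supplied bytes. Returns the HTTP status to send. */
int parse_request_path(const char *request_line, char *out, size_t out_len)
{
    size_t len;
    const char *p = find_path(request_line, &len);
    if (p == NULL)
        return 400;               /* malformed request line */
    if (len >= out_len)
        return 414;               /* would not fit with its terminator */
    memcpy(out, p, len);
    out[len] = '\0';
    return 200;
}

/* Drive the bounded version on a normal request and on a constructed
 * request with a 300-byte path (sample input, not captured traffic). */
static char g_path[PATH_BUF];
static char g_long_request[400];

int demo_short(void)
{
    return parse_request_path("GET /index.html HTTP/1.0", g_path, sizeof g_path);
}

const char *demo_short_path(void)
{
    demo_short();
    return g_path;
}

int demo_long(void)
{
    memset(g_long_request, 0, sizeof g_long_request);
    strcpy(g_long_request, "GET /");
    memset(g_long_request + 5, 'A', 300);      /* 300 'A's after the slash */
    strcpy(g_long_request + 305, " HTTP/1.0");
    return parse_request_path(g_long_request, g_path, sizeof g_path);
}

int main(void)
{
    handle_request_unsafe("GET /index.html HTTP/1.0");
    printf("bounded: short request -> %d (%s)\n", demo_short(), g_path);
    printf("bounded: long request  -> %d\n", demo_long());
    return 0;
}
```

The point of the bounded version is that the check happens on the length before a single byte is copied, and that the server's answer to an oversized request is a normal error response rather than an exception in the code that handles the request.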
Some Web server implementations are susceptible to what is known as HTTP bypass, in which a specially formed request is handled outside the server's normal access controls and activity logging. On such a server, a Web page can be accessed and altered without the server recording the change. Attackers often use this method to deface Web pages.
Web-code vulnerabilities can appear in any language or application extension. An attacker will often seek to exploit a well-known weakness in an application that gives him control of it. For example, there is a well-known vulnerability in the Remote Data Service (RDS) component of Microsoft's Internet Information Server that allows an attacker to use the Web server as a staging post to compromise the server's back-end database, either by stealing its contents or by running commands on the hosting computer.
Through cross-site scripting, an attacker can inject HTML or script of his own into a page served by a legitimate site, so that the browser, and the user, treat it as that site's own content. Using this technique, the attacker can dupe unsuspecting users into submitting confidential or sensitive information, such as credit card details, to him. This type of attack is doubly damaging because the end user will suspect the legitimate company that appears to have hosted the page of being involved in the theft. Even if those users cannot prove that your company was legally liable, they will certainly be left with a lasting negative impression, which they will share with friends and colleagues.
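To show the server-side side of this, here is an added example (written for this edit, not code from the article or the Honeynet project): a page fragment that reflects a user-supplied search term, first pasted in verbatim, then passed through an HTML-escaping routine so that a term such as `<script>...</script>` is displayed as text rather than executed. The function names and the sample attacker term are illustrative.

```c
/* Added example (not from the article): a server-side page fragment that
 * reflects a user-supplied search term, in the unsafe form beside a form
 * that HTML-escapes the term first. Function names are illustrative. */
#include <stdio.h>
#include <string.h>

/* Unsafe: the term is pasted straight into the page. A term such as
 * "<script>...</script>" becomes markup that the browser runs as part of
 * the legitimate site, which is the injection described in the text.
 * Returns 0 on success, -1 if 'out' is too small. */
int render_results_unsafe(const char *term, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "<p>Results for: %s</p>", term);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Replace the five characters that change meaning inside HTML text and
 * quoted attribute values. Writes a NUL-terminated result; returns 0 on
 * success, -1 if 'out' cannot hold the escaped text (output then truncated). */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    if (out_len == 0)
        return -1;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (o + rl >= out_len) {      /* leave room for the terminator */
            out[o] = '\0';
            return -1;
        }
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return 0;
}

/* Escaped: the same template, but the term is neutralised before it is
 * placed in the page, so the browser shows "<script>" as ordinary text. */
int render_results_safe(const char *term, char *out, size_t out_len)
{
    char esc[512];
    if (html_escape(term, esc, sizeof esc) != 0)
        return -1;
    int n = snprintf(out, out_len, "<p>Results for: %s</p>", esc);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* A constructed attacker-supplied term (sample input, not captured data). */
static const char *const g_term = "<script>alert(document.cookie)</script>";
static char g_page[1024];

const char *demo_unsafe(void)
{
    render_results_unsafe(g_term, g_page, sizeof g_page);
    return g_page;
}

const char *demo_safe(void)
{
    render_results_safe(g_term, g_page, sizeof g_page);
    return g_page;
}

/* Input whose escaped form does not fit is refused, not silently cut. */
int demo_escape_too_small(void)
{
    char tiny[8];
    return html_escape("<<<<", tiny, sizeof tiny);   /* needs 16 + 1 bytes */
}

int main(void)
{
    printf("unsafe: %s\n", demo_unsafe());
    printf("safe:   %s\n", demo_safe());
    return 0;
}
```

Escaping has to be applied at the point where the data is placed into the page, and it has to match the context (HTML text here; a JavaScript string or a URL needs different rules), which is why a single "input filter" at the front door of the application is not a substitute.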
‘A large number of these vulnerabilities could be easily overcome if adequate resources are devoted and attention paid to information security,’ said Gerry Fitzpatrick, Enterprise Risk Services Partner at Deloitte & Touche. ‘In fact, if organisations were to proactively monitor these services, through the use of an appropriate information security management framework, many of these attacks would be caught before harm is done.’
‘It is alarming to consider the number of firms that have intrusion detection systems running, but do not monitor their logs, or that install firewalls, but do not configure them in accordance with their security policy,’ said Colman Morrissey, Managing Director of Espion Limited. ‘These technologies are very powerful and useful, but they should be used correctly.’