repost from the blackhat convention about web parts/apps
From: Greg Merideth (gmerideth.remove_at_this.forwardtechnology.net)
Date: 07/28/04
Date: Wed, 28 Jul 2004 01:18:07 -0400
This is a repost of an article I saw from the RSS feed at Watchguard.
-
My first day at BlackHat was well spent listening to Charl van der Walt,
a South African security consultant. His class, entitled "Hacking by
Numbers: Chief of Staff," provides an overview showing what attacks have
been overhyped, and what attacks Chief Security Officers should spend
their time addressing.
Charl is a founder of SensePost, a penetration-testing group whose
clients are predominantly financial institutions. In the last year of
scanning and auditing the networks of their multi-national clientele,
SensePost has concluded that Web server attacks and mass exploits, a
security focus since Code Red and Nimda rudely brought the issue to our
attention in 2001, are no longer the main battleground against hackers.
With Apache and IIS patched to a fare-thee-well, hackers have moved on
to Web applications, commonly trying to intrude upon your network
through port 443 (the SSL port).
Fueling this trend: the fact that HTTP has evolved from a simple file
sharing protocol into a full application framework. It now supports
ASP, PHP, .Net, Perl, and ColdFusion, and all manner of sharable
applications are found all over the Internet. With Web apps widespread,
and more appearing overnight like mushrooms in the garden, attackers
have an appealing target for several reasons. The apps are usually
public-facing, so the attacker can bang away at his target of choice
from the comfort of home. Web apps can encapsulate complex business
logic, such as moving money around with online banking, so there are
plenty of seams to attack. Web apps always provide a window into the
private network. And best of all, they're designed to be user-friendly.
It's a hacker's dream: Why waste time compromising Unix if you can steal
corporate jewels using a point-and-click interface?
With this trend, responsibility for network security problems shifts
partly from whoever is in charge of security -- the person patching,
securing infrastructure, etc. -- down to the company's lowly Web
developer, who may or (more probably) may not have had training in
secure coding. Watch for lots of discussion, press, and vendor offerings
to address this perceived trend in network security. --Scott Pinzon
Copyright © 2004 WatchGuard® Technologies, Inc. You may copy and
distribute this article freely in any medium as long as you copy and
distribute the entire article without change and preserve this copyright
statement and notice.