Network Security News

The origins of the possible security threats can be everywhere. Not just inability to follow strict security rules, lack of knowledge or carelessness of human beings. There are also complex, intertwined reasons that can lead to severe problems. SANS comments on this in The Top Cyber Security Risks.

The essence is this: Application Vulnerabilities Exceed OS Vulnerabilities. During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.

Web Application Attacks: there appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
Windows: Conficker/Downadup

Attacks on Microsoft Windows operating systems were dominated by Conficker/ Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.

Apple: QuickTime and Six More: Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks that are being launched against Apple software. Note that QuickTime runs on both Mac and Windows Operating Systems.

Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. In order to show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such, should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two categories. However, the trends we see in separating this data is worth pointing out.

The SQL Injection attacks that compose this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity". The most prominent "PHP Remote File Include attack" is one that looks for a very small HTTP request that includes a link to another website as a parameter that contains a very specific evasion technique used by a number of attacks to increase the reliability of their attacks. Also of note is a very specific attack against the "Zeroboard PHP" application, the only single application that made the top attacks. The final type of attack included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, which remains a staple in the Server-Side HTTP category. The HTTP connect tunnels are used for sending spam emails via mis-configured HTTP servers.

In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is more due to the popular understanding of the marketability of this data. They are not the only valuable data types that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.

Although "PHP File Include" attacks have been popular, we have seen a notable decline in the overall number of attacks that have taken place. With the exception of a major attacks originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March/May average.

There are many ways to protect against these attacks. Apache configuration, input sanitization, and network security equipment are all very good at deterring these attacks, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack (arbitrary PHP code is executed.), attacks such as these are likely to remain popular for some time.

Application are currently most vulnerable part of computer systems. All the system-level components are in most cases well-protected; whereas the applications, especially those developed for end-users with little or no experience in following security guidelines - those applications are the main goal of attacks. The recommendation may seem obvious, yet underestimated: there should be no component or application that may deem safe or well-protected; all the security holes should be handled as soon as there are means to do that.

This article was brought to you by the developers of IPHost Network Monitor, network and server monitoring software.