Security Watch

Top 10 Web 2.0 Attack Vectors

Plus: participate in ICSA Labs' security surveys.

• By Russ Cooper
• 01/08/2007

To anyone who is experienced in network security, the list will be very familiar, albeit with names that are less familiar. The vectors haven’t really changed that much, if you imagine there is no perimeter around your network. Web 2.0, with things like XML, AJAX, SOAP and WSDL, takes your clients outside of your traditional network perimeter and exposes them like a laptop without a firewall.

The author provides no insights into how to address these attack vectors, other than to be aware of security. The more obvious issues will be in determining whom you will trust to push content to you, and how you will prevent your users from sending content back (with or without their knowledge). Clearly, content filtering has a huge role to play in any solution.

While IE 7.0 provides a little more granular control than previous versions, it does not provide solutions for these issues. Think of Web 2.0 attack vectors the way we’ve come to think of ActiveX and Active Scripting attack vectors. Once again, Microsoft has provided plumbing to develop new ways to interact with its client software, but has failed to protect the client from what may get created.

Participate in Malware Surveys
ICSA Labs, an independent division of Cybertrust Inc. (my employer), is once again soliciting your help in collecting statistical information on real-world malware and its effects: http://research.zarca.com/clients/Cybertrust/survey.aspx?from=R7BXT5F8&test=0&sid=26

We are looking for people to participate in a series of online surveys throughout 2007 to accurately measure malware. Data will be kept strictly confidential and will be used to produce several studies. If you are willing to participate, you will receive the results of the studies as well as other tokens of our appreciation.

Here’s your chance to see the raw malware statistics and our analysis of it, and be able to understand how we come to the conclusions we do. The more of you who participate, the better our collective understanding of the effects of malware will be. Please consider helping out.

'Pump-and-Dump' Spam Linked to Russian Bot Herders
According to a respected security researcher, Joe Stewart, the SpamThru Trojan seeded a 70,000-victim strong botnet which is feeding a surge in penny-stock spam.

Stewart’s analysis suggests an extremely high level of sophistication with the controllers of the SpamThru-created bots. He indicated that the owners apparently were breaking into sites that had some relationship to stock trading in order to obtain information about their users. This information allowed them to focus their penny-stock spam more personally, and to people more likely to succumb to it. It also incorporates an illegal version of Kaspersky’s anti-virus product, in order to cleanse the machine of any other malware which might be present. This allows the controllers to maintain better -- and longer -- control over their victim’s systems. Furthermore, SpamThru is image-spam and it randomizes information in the image in an effort to defeat signature-based, anti-virus/anti-spam products.

All in all, this is not a pretty picture, but it is what can be expected from cyber criminals in the future. As evasion continues to be paramount to these criminals, the best way to reduce their effect is to target the money trail.

However, it should be pointed out that this is the third attempt at explaining an alleged spam surge, a surge which we at Cybertrust and others still have not seen.