Tuesday, August 15, 2006
Hacking AJAX is alot more fun now
Hackers Add Ajax to Bag of Tricks
Souce Taken from CIO-Today
The hot new technology behind slick Web pages has suddenly become the hot new tool for cybercriminals. The technology, Ajax coding and Web tools, enables popular Web sites such as Google Maps and MySpace.com to come alive. It is also the technology behind Windows Live, the slate of cutting edge online services Microsoft has begun testing.
But hackers and cybercrooks have discovered that Ajax can be tweaked in myriad ways. By corrupting one of the dozens of data exchanges Ajax handles while loading a Web page, a hacker can take over control of the PC.
At the giant Black Hat cybersecurity conference here, talks on what kind of Ajax attacks to expect and how to defend against them drew large audiences.
"Ajax has introduced a huge attack surface," says Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "Ajax works under the covers to make Web sites really responsive, but criminals can just as easily use it under the covers to do some bad stuff."
Recent high-profile attacks include June's Yamanner computer worm, designed to harvest e-mail addresses from Yahoo mail users and send them to spammers in Europe; and Spaceflash, which installed adware (advertisements and tracking programs implanted surreptitiously) on the hard drives of more than a million MySpace users.
Those for-profit intrusions were foreshadowed by last October's milestone Samy worm. Created by a youthful hacker, Samy used an Ajax attack to infect a million MySpace users for the express purpose of adding them to the hacker's friends list -- to make him seem popular. MySpace had to shut down for a day to clean up Samy.
"We've gone from kids screwing around to criminals looking for ways to make money in less than eight months," says Hoffman.
Dave Cole, director of Symantec Security Response, says social networking sites suggest a false sense of security: "You don't expect to be attacked when you go to Joe Bob's page."
Hemanshu Nigam, MySpace's chief security officer, said in a statement that the company uses strong security measures and works with law enforcement in the event of a breach. Since Ajax is well on its way to becoming a standard for the way interactive Web pages operate, security experts expect attacks to escalate.
"Imagine when the same flaws are used to steal money from financial institutions," says Alex Stamos, principal partner at security researcher iSEC Partners.
Security researchers are trying to help corporations stay a step ahead. At Black Hat, SPI Dynamics' Hoffman showed how Ajax attacks could be designed to break into and manipulate online stock trading accounts.
Jeremiah Grossman, CTO of WhiteHat Security, gave a well-attended demonstration showing how hackers could spread an Ajax attack through MySpace as a means to release an invasive program deep inside a corporation's internal network.
"This is just a natural extension of where things are headed," says Grossman. "We know these kinds of attacks always get better and better."
Souce Taken from CIO-Today
The hot new technology behind slick Web pages has suddenly become the hot new tool for cybercriminals. The technology, Ajax coding and Web tools, enables popular Web sites such as Google Maps and MySpace.com to come alive. It is also the technology behind Windows Live, the slate of cutting edge online services Microsoft has begun testing.
But hackers and cybercrooks have discovered that Ajax can be tweaked in myriad ways. By corrupting one of the dozens of data exchanges Ajax handles while loading a Web page, a hacker can take over control of the PC.
At the giant Black Hat cybersecurity conference here, talks on what kind of Ajax attacks to expect and how to defend against them drew large audiences.
"Ajax has introduced a huge attack surface," says Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "Ajax works under the covers to make Web sites really responsive, but criminals can just as easily use it under the covers to do some bad stuff."
Recent high-profile attacks include June's Yamanner computer worm, designed to harvest e-mail addresses from Yahoo mail users and send them to spammers in Europe; and Spaceflash, which installed adware (advertisements and tracking programs implanted surreptitiously) on the hard drives of more than a million MySpace users.
Those for-profit intrusions were foreshadowed by last October's milestone Samy worm. Created by a youthful hacker, Samy used an Ajax attack to infect a million MySpace users for the express purpose of adding them to the hacker's friends list -- to make him seem popular. MySpace had to shut down for a day to clean up Samy.
"We've gone from kids screwing around to criminals looking for ways to make money in less than eight months," says Hoffman.
Dave Cole, director of Symantec Security Response, says social networking sites suggest a false sense of security: "You don't expect to be attacked when you go to Joe Bob's page."
Hemanshu Nigam, MySpace's chief security officer, said in a statement that the company uses strong security measures and works with law enforcement in the event of a breach. Since Ajax is well on its way to becoming a standard for the way interactive Web pages operate, security experts expect attacks to escalate.
"Imagine when the same flaws are used to steal money from financial institutions," says Alex Stamos, principal partner at security researcher iSEC Partners.
Security researchers are trying to help corporations stay a step ahead. At Black Hat, SPI Dynamics' Hoffman showed how Ajax attacks could be designed to break into and manipulate online stock trading accounts.
Jeremiah Grossman, CTO of WhiteHat Security, gave a well-attended demonstration showing how hackers could spread an Ajax attack through MySpace as a means to release an invasive program deep inside a corporation's internal network.
"This is just a natural extension of where things are headed," says Grossman. "We know these kinds of attacks always get better and better."
# posted by David Low @ 9:24 AM 
