Risk
11/30/2006
05:12 PM
50%
50%

E-Tailers Leaving Money On The Table Thanks To Weak Web Sites

One week after I'd already bought three holiday presents online I learned that the vast majority of Web sites are vulnerable to attack by malicious hackers and that such security concerns are expected to drive away potential customers who would have shelled out nearly $2 billion online this year. The only real surprise is why those numbers aren't higher.

One week after I'd already bought three holiday presents online I learned that the vast majority of Web sites are vulnerable to attack by malicious hackers and that such security concerns are expected to drive away potential customers who would have shelled out nearly $2 billion online this year. The only real surprise is why those numbers aren't higher.Eight in 10 Web sites are vulnerable to attack, according to a sneak peek WhiteHat Security offered this week at its new Web application security risk report, which the company will begin issuing quarterly starting in January. To put this in perspective, that's the same percentage of dentists who recommend sugar-free gum to their patients who chew gum. For any company worried about how a Web-site outage would affect their brand image this gift-buying season, if you haven't already audited your Web apps for vulnerabilities, it's already too late.

WhiteHat founder and CTO Jeremiah Grossman fingered the culprits during Wednesday's presentation. Cross-site scripting vulnerabilities were found in 71% of the 300 sites WhiteHat researched. Grossman pointed out that this percentage jumps to 90% when sites offering e-commerce were evaluated. No other category of vulnerability--including information leakage, predictable resource location, or content spoofing--was found in more than 30% of the sites WhiteHat evaluated.

Of course, not all vulnerabilities are created equal: more than one-third of the sites evaluated had a high level of severity, meaning the exploitation of a vulnerability could lead to the loss of customer data, passwords, or other critical information. Nearly three-quarters of the sites contained a vulnerability--in most cases a cross-site scripting problem--that would have a middling-level of impact on a business. Many sites have multiple vulnerabilities with different levels of severity.

"If there are 100 million Web sites out there, it's a Swiss cheese type of environment," said Grossman, who's the embodiment of converged IT and physical security, given that he's a well-respected security researcher and holds a blue belt in Brazilian jujitsu.

That's not to say the news is all bad. The prevalence of buffer overflows has dropped, to the point where they didn't even make WhiteHat's list. Grossman pointed out that buffer overflows aren't too common in custom-built Web applications, which were present in all of the sites evaluated.

Does this mean that e-tailers will continue to leave money on the table when potential customers are scared off by security risks? Gartner thinks so, saying that $1 billion is lost because of shoppers who refuse to spend money online, while another $913 million is lost because those who do shop online are wary of online security.

One obvious measure of relief is for businesses to regularly audit their Web applications for security vulnerabilities, particularly after changes have been made to those apps. Although no online shopping strategy is foolproof, consumers should stick with well-known retailers and use their credit cards rather than debit cards when making a purchase (gift cards are best, but you probably won't have many of those until after the holidays). They should also save all e-mails sent to them by the e-tailer acknowledging the purchase.

If a loss of confidence in online transactions seems like a big deal, that's because it is. Businesses can offer all of the discounts, personalization features, and customer conveniences they want, but that won't help them win back the business of a customer who's been burned by identity theft.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.