Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2009
02:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Factoring Malware Into Your Web Application Design

Web developers need to consider the complexity of their Web apps' design, as well as beefing up application monitoring and anti-fraud tools on the back end

Vulnerabilities, exploits, and end-user security controls are all the rage in Web application security, but there's another element that Web developers often ignore: how the design of the application itself can leave the door open for attack.

The bad guys increasingly are using malware that's built to bypass end-user security controls and take advantage of a user's trust on a known Website, resulting in man-in-the-middle attacks, sophisticated SQL injections, and social engineering exploits that capitalize on browser flaws or other vulnerabilities.

"Assuming the statistics that 30 to 40 percent of the Internet is compromised, what does that mean to corporations trying to do business on the Net? That means 40 percent of your customers are compromised, and you probably can't trust anything coming from their systems," says Gunter Ollmann, vice president of research for Damballa.

To protect themselves and their online customers, Ollmann says Web developers need to take into account the complexity of their Web apps' design, as well as beefing up application monitoring and anti-fraud tools on the back end. That's in addition to regular patching and scanning, says Ollmann, who gave a presentation at the Hacker Halted conference last week on Web design issues and malware.

"We've forced more security to the end user," such as HTTPS and multifactor authentication, he says. And meanwhile, malware, such as banking Trojans, are able to bypass those security measures altogether with clever social engineering ploys, he says.

In online banking and retail, for instance, a transaction requires multiple page click-throughs. Not only is that more complex for the end user, but it also makes it easy for an attacker to insert a page or manipulate the user's experience with malicious pop-ups or a man-in-the-middle or other attack, Ollmann says. "And [studies have shown] users are going to click through no matter what the message says," he says.

If an end user's machine is infected, then even if he goes to his online banking portal with a secure token, that can be breached, as well.

Ollmann says reducing the complexity of a Web app and making it easier to navigate can help an end user spot fraud, too. "And more importantly, companies are spending valuable development resources in the wrong area. While they're trying to increase users' security, it has [often] already been defeated in the presence of malware," he says. "Spend more on the back end and make sure there are security processes on the server side, such as technology to identify fraud, to correlate [activity]."

Some tips Ollmann recommends are exploring whether your Web app's interface could be simplified; whether customers can spot additional fields or pages they must navigate; and whether customers would be able to recognize that changes had been made to page content.

Sites that require customers to make all of their contact, passwords, and other information changes online should consider an out-of-band verification process, for instance, Ollmann says. "If your phone number can be changed online, that means a cybercriminal can change the number to one he controls," he says. "When you design your application, think carefully about how much needs to be done online and how you will validate any online changes using an out-of-band process."

As for adding or augmenting your back-end processing protections, Ollmann suggests looking at thresholds for transactions per minute, and including anomaly detection for funds transfers to spot money mules, for example.

And look beyond tools that merely alert you of a potential attack. "These have no real way of responding besides alerting an admin," which gives the botnet operator a leg up, for instance, in transferring stolen money or funds with their tools. "Given the speed and pace of these attacks, we now have to factor in automated response beyond alerting about an attack," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.