Cybercrime 2.0: When the Cloud Turns Dark

Securing Web services. Establishing a presence on the Web, ranging from simple HTML pages to advanced Web applications, has become an easy process. Even people with little technical knowledge can set up a Web service, but maintaining such a service and keeping it secure are still difficult. Many Web application frameworks require programmers to follow strict security practices, such as sanitizing and escaping user input. Unfortunately, as this burden is put onto the programmer, many Web applications suffer from vulnerabilities that can be remotely exploited. [12, 14] For example, SQL injection attacks are made possible by a programmer neglecting to escape external input.
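The injection the paragraph describes, shown as an added example that is not code from the article: a lookup that interpolates caller input straight into SQL beside the same lookup written with a bound parameter, run against a constructed in-memory SQLite table (the table, rows and the `lookup_*` names are this example's own assumptions).

```python
import sqlite3


def make_db():
    """Constructed in-memory user table used only for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: external input becomes part of the SQL text.

    Whatever quoting or keywords the input contains are parsed as SQL,
    so a single unescaped quote changes the meaning of the WHERE clause.
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound by the driver, never parsed as SQL.

    The query text is fixed at development time; the input can only ever
    match (or fail to match) the column value, so no escaping is needed.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a value that is not a user name but alters the query.
    hostile = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))  # returns every row
    print("safe:  ", lookup_safe(db, hostile))    # returns no rows
```

The hardened version does not rely on the programmer remembering to escape anything, which is exactly the burden the paragraph says frameworks tend to push onto the developer; the practical audit is to search a code base for string formatting or concatenation feeding `execute()`.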

Popular Web applications such as bulletin boards and blogs release security updates frequently, but many administrators neglect to update their installations. Even the Web server software itself, such as Apache or IIS, is often out of date. We previously found that more than 38 percent of Apache installations and 40 percent of PHP installations in compromised sites were not secure and were out of date. [10]
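An added example, not from the article, of the kind of inventory check an administrator can run against their own servers to catch the out-of-date Apache and PHP installations the paragraph describes: it parses the product/version tokens a `Server` header reports and compares them against a policy baseline. The baseline versions, the sample header and the function names are constructed for this example and are not figures from the article.

```python
import re

# Constructed policy baseline: the oldest version of each component the
# site accepts. Placeholder values chosen for the example, not from the article.
BASELINE = {"Apache": (2, 2, 31), "PHP": (5, 6, 40)}

TOKEN_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '2.2.3' into (2, 2, 3); pad short forms so '2.4' compares as (2, 4, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_server_header(header):
    """Extract product -> version tuple pairs such as 'Apache/2.2.3' from a Server header.

    Parenthesised OS hints like '(CentOS)' carry no version token and are ignored.
    """
    found = {}
    for product, version in TOKEN_RE.findall(header):
        found[product] = parse_version(version)
    return found


def outdated_components(header, baseline=BASELINE):
    """Return the names of components reported below the baseline version, sorted."""
    found = parse_server_header(header)
    return sorted(
        product for product, version in found.items()
        if product in baseline and version < baseline[product]
    )


if __name__ == "__main__":
    # Constructed header in the style an unhardened Apache/PHP host reports.
    sample = "Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3"
    print(outdated_components(sample))  # ['Apache', 'PHP']
```

The check only sees what the banner reports: a hardened server that suppresses its version string yields an empty result, which is a reason to audit package versions on the host itself rather than trusting the header alone.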

To avoid compromising Web applications, it is important to develop mechanisms to keep Web servers and Web applications automatically patched. Some Web applications already notify Webmasters about security updates, but the actual installation of security patches is often still done manually and is complicated.

It is difficult to be completely safe against drive-by downloads. All that is required for someone to gain control over your system is a single vulnerability. Any piece of software that is exposed to Web content and not up to date can become the weakest link.

Many browser plug-ins and add-ons, such as toolbars, do not provide automatic updates. Furthermore, system updates often require a restart after installation, discouraging users from applying the security patches on time.

Even if a system is fully patched, the window of vulnerability for some software is often very large. Major browsers were unsafe for as long as 284 days in 2006, and for at least 98 days criminals stole personal and financial data by using vulnerabilities for which no patches were available. [5, 6] Although progress is being made on providing fault isolation in browsers that may prevent vulnerabilities from being exploited, [1, 4] a completely secure browser still needs to be developed.

Detecting social-engineering attacks. Many drive-by downloads can be detected automatically via client honeypots. When adversaries use social engineering to trick users into installing malicious software, however, automated detection is significantly complicated. Although user interactions can be simulated by the client honeypot, a fundamental problem is the user’s expectation about the functionality of a downloaded application compared with what it actually does. In the video case described earlier, the user expected to watch a video. After downloading and installing such a trojan, nothing usually happens. This could warn the user that something is amiss and might result in the user trying to fix the system; but the installed software could just as easily play a video, leaving the user with no reason to suspect that the system has been infected.

Similarly, some of the fake anti-virus software actually has some detection capability for old malware. The question then is how to determine if a piece of software functions as advertised. In general, there is no clear answer. For example, the popular Google toolbar allows a user to opt into receiving the page rank of a visited page. This works by sending the current URL to Google and then returning the associated page rank and displaying it in the browser. This is a legitimate feature that is desired by the user, but a similar piece of software might not disclose its functionality and send all visited URLs to some ominous third party. In that case, we would label the software as spyware.

Automated analysis [2, 9] is more difficult when malicious activity is triggered only under certain conditions. For example, some banking trojans watch the URL in the
