The fragile Internet
It was yesterday's news that Anonymous and other cracker crews attacked and defaced a large number of corporate websites.
November 5 is a very symbolic date in the Anonymous underworld, and a massive defacement attack was carried out against, at least, PayPal, Symantec and Telecom Italia.
The activities of Anonymous and other crews tell us an old story: the Internet is fragile, your web applications can be attacked anytime and anywhere, and most of them are breakable.
The same old refrain
It was 10 pm when I had dinner last night. My wife and my son were sleeping, and I checked https://twitter.com/thesp0nge.
Some friends were talking about massive defacement activities carried out by Anonymous hacktivists and by other cracker crews not connected to the former.
It wasn't the first time both PayPal and Symantec were attacked. The latter suffered a source code leak some months ago.
The news that impressed me most was the attack against Telecom Italia. In the news it's reported that attackers found more than 3,000 cross-site scripting vulnerabilities.
Even the OWASP WebGoat web application has fewer XSS vulnerabilities.
Of course, this is not the only hole they exploited. The report talks about a poorly written .htaccess file and weak passwords that led to a successful attack.
The power of now
In a post about web agencies and marketing-driven choices I talked about the dangers of publishing a web application without a security program.
Marketing departments want to deploy new websites, new features and new dynamic content to promote goods and to increase business. This is completely fair, but it can't be done without security awareness. The problem is that they have no clue that their websites can be attacked, and sometimes they don't trust their security departments when those try to make them aware.
If your web manager says the website has to be online now, or even worse that we must add this brand new feature ASAP, you must make sure the new content can't be exploited in the wild, and you have to run all the necessary security tests before the content goes online.
Off by one
Yesterday's Anonymous attack makes me think about how hard our work is. Sometimes people say that only banks deserve to be protected. But attacking broadcasting companies or telcos can amplify activist claims many times over.
Don't trust Web Application Firewalls. They help, but clever attackers may get around their rules. Force developers to write secure code instead.
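As an added example (my own code, not from the original post nor from any of the sites it mentions), here is what "write secure code instead of trusting the WAF" means for the kind of bug behind the Telecom Italia reflected XSS findings: the untrusted value is encoded for the HTML context it lands in, inside the application, so the protection holds no matter how the input reaches the app. The request parameters are constructed sample values, and the renderer and check function names are assumptions.

```python
import html
from typing import Callable, List

# Constructed sample request parameters; these stand in for what a web app
# would read from the query string. They are illustrative values only.
SAMPLE_INPUTS: List[str] = [
    "Paolo",          # harmless text, must render unchanged
    "<b>bold</b>",    # contains HTML markup, must be rendered as text
    'a"b&c',          # quotes and ampersands matter in attribute context
]

HTML_METACHARS = '<>"\'&'


def render_greeting_vulnerable(name: str) -> str:
    """The classic reflected-XSS pattern: untrusted input concatenated
    straight into the HTML body. Any markup in the parameter reaches the
    browser as markup, not as text."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """Same page, with contextual output encoding for an HTML text node.
    html.escape turns < > & and both quote characters into entities, so the
    browser displays the value instead of interpreting it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_search_box_safe(query: str) -> str:
    """Attribute context: the value sits inside a double-quoted attribute,
    so quote=True is essential, otherwise a '"' would close the attribute."""
    return '<input type="text" name="q" value="' + html.escape(query, quote=True) + '">'


def leaks_markup(rendered: str, untrusted: str) -> bool:
    """Defensive check for a unit test: if the untrusted value contains HTML
    metacharacters and appears verbatim in the output, the rendering path
    is not encoding it."""
    has_meta = any(c in untrusted for c in HTML_METACHARS)
    return has_meta and untrusted in rendered


def audit(render: Callable[[str], str], inputs: List[str]) -> List[str]:
    """Run a renderer over sample inputs and return the inputs that were
    reflected without encoding. An empty list means the renderer encodes
    every metacharacter-bearing value it was given."""
    return [value for value in inputs if leaks_markup(render(value), value)]


if __name__ == "__main__":
    print("vulnerable renderer leaks:", audit(render_greeting_vulnerable, SAMPLE_INPUTS))
    print("safe renderer leaks:      ", audit(render_greeting_safe, SAMPLE_INPUTS))
    print("safe attribute leaks:     ", audit(render_search_box_safe, SAMPLE_INPUTS))
```

The point of the audit helper is that it can live in the project's test suite and run on every build, which is the "necessary security tests before the content goes online" step from the previous section: a WAF rule is a blocklist that sits in front of the bug, whereas output encoding removes the bug.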