Most Websites Continue to be Flawed

WhiteHat Security, a global provider of security for Websites, on March 24, 2008 released its fourth part of the WhiteHat Website Security Statistics Report that shows that majority of the sites continue to be pitifully vulnerable to hacking attacks.

Since the years 2006 and 2007 that WhiteHat has been publishing its paper, there has been a rise in the type and number of Website hacks, threatening the security of sensitive and personal information, like credit card and Social Security numbers, and also consumers' medical and financial records.

Founder and Chief Technology Officer Jeremiah Grossman at WhiteHat Security said that the survey sample included about 600-700 Websites and sites that received some of the maximum traffic. The sample included sites of financial, insurance, retail, and IT companies, reported SCMagazine on March 24, 2008.

Further, according to WhiteHat, 90% of Websites are still riddled with serious holes with a median of seven flaws per site. In a statement to SCMagazineUS on March 24, 2008, Grossman said that these vulnerabilities are not like the well-known security holes that get plugged, but are mainly unknown weaknesses on active Websites.

Also, the key types of Web exploits, according to WhiteHat's observations, haven't moved much from their place during the recent months. These exploits typically include classic techniques like buffer overflows, cross-site scripting and SQL injection. However, the security firm is forecasting a multiplication of Cross-Site Request Forgery or CSRF threats soon.

CSRF is a Web attack that tries to trick end-users into installing a Web page having a harmful request, very much like the traditional phishing or XSS attacks.

Using the method, hackers then attempt to grab victims' privileges and identities to change their program passwords to be able to enter banking sites, or to access e-commerce sites where they can fraudulently buy items in the victims' names. Sometimes, the attacks are concealed on the poorly secured sites themselves.

Grossman said that it is hard to make a Website secure because it is not possible to simply patch vulnerability, which usually exists in the software code that its developer himself has to rectify. Hence, the time required to fix window is normally very large.

Related article: Most malware Use File Packing To Escape Detection

» SPAMfighter News - 3/29/2008