Hackers Hitting Popular Apps - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

07:49 PM
Connect Directly

Hackers Hitting Popular Apps

Cybercriminals have shifted targets. Until recently, hackers went after operating systems and Internet services like Web servers and E-mail servers. In 2005, they took aim at software applications and set Internet security back six years.

Cybercriminals are stepping up their efforts to hack popular software applications and network devices, where efforts to close operating-system vulnerabilities have had little impact.

At a London press conference on Tuesday, the SANS Institute and government representatives from the United States and the United Kingdom plan to release a report on the 20 most critical Internet security vulnerabilities for 2005.

The computer security research organization's report reveals that cybercriminals have shifted targets. Over the past five years, most hackers went after operating systems and Internet services like Web servers and E-mail servers. In 2005, they took aim at software applications.

The applications under fire span a variety of operating systems. They include enterprise backup software, anti-virus software, PHP applications, database software, peer-to-peer file sharing software, DNS software, media player software, IM software, and Internet browsers.

The second major finding of the report is that vulnerabilities in network operating systems such Cisco's Internetwork Operating System (IOS), which powers most of the routers and switches on the Internet, represent a significant threat.

"The bottom line is that security has been set back nearly six years in the past 18 months," Alan Paller, director of research for the SANS Institute, says in an E-mail. "Six years ago, attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching."

Security experts credit Microsoft's efforts to improve its software with forcing hackers to look for lower hanging fruit. "Part of the reason we're seeing a more of the attacks go against things other than the Windows operating system is that the Windows operating system has gotten better," says John Pescatore, VP and research fellow for information security at market research firm Gartner.

Gerhard Eschelbeck, chief technolgy officer and VP of engineering of vulnerability-management company Qualys Inc. says some credit goes to Microsoft and some goes to overall improvements in patching behavior. Patching as soon as possible is critical: As Eschelbeck notes in "The Laws Of Vulnerabilities," a study released by Qualys in November, 80% of exploits are available within the first 19 days after the disclosure of a critical vulnerability.

Patching has its limits, however. Ira Winkler, author of "Spies Among Us" and global security strategist with CSC Consulting, says attacks against vulnerabilities that can be repaired by patching represent less than a third of hacking attacks. "When the Department of Defense did studies on the matter, they found that actually these attacks account for only 30% of hacking," he says. "Attacks against configurations, essentially poor system hardening, account for 70% of successful attacks. And that means that automated patching probably won't help."

The vulnerability of backup systems, in particular, puts businesses at great risk because backup software provides one-stop shopping for critical corporate data. As the SANS report points out, "An attacker can leverage these flaws for an enterprise-wide compromise and obtain access to the sensitive backed-up data."

And criminals are doing just that: Exploits for many of these vulnerabilities have been publicly posted and are in use today.

What's significant about the SANS report, says Pescatore, "is that the most dangerous attacks are the targeted attacks that are going after specific vulnerabilities at specific companies."

Mark Richmond, network systems engineer for U.S. District Court, Eastern District of California, says it's widely recognized that cybercrime has been become increasingly professional. "The coordination of attacks over the last few years seems to be increasing," he says. "There are cooperative arrangements between various groups, formal or information, that seem to be facilitating the use of networks and computers for criminal activities."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Register for InformationWeek Newsletters
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll