Auto-hacks turn web security from walled garden to leaky submarine

Scripted attacks can peak at 25,000 per hour

If reality were a summer blockbuster – the kind with sharks in it, not superheroes, alien invaders or too-old-for-boarding-school student wizards – a report today from data security vendor Imperva would be the frightening note that got Our Hero running down the beach yelling for everyone to get out of the water.

Except, according to estimates of the number of automated attacks most web apps suffer every day, the desperate, invisible threat would already have eaten everyone in the water, on the beach, in the town and at least the first dozen rows of the theater.

According to Imperva's own monitoring of illicit and malicious activity on a subset of the Internet, scripts, botnets and distributed applications launch "attacks" on web applications 27 times per hour on average, though the frequency can peak at more than 25,000 attacks per hour.

Imperva studied attacks on 40 top web applications during the six months from December 2010 to May 2011.

The attacks Imperva describes simply as "automated" are almost exclusively malware-based attempts using cross-site scripting, remote file inclusion, directory traversal and other scripted processes that can launch from poisoned web sites or active content in email.

Some are highly complex programs, others are relatively simple scripts, but all allow hackers to take themselves out of the process and make their attacks more efficient by pointing a single script at a large number of sites to attack them simultaneously or in sequence.

And they're commonly available on sites like Darknet.org.uk, along with instructions and advice on both targets and the tools to use against them.

Even the automated hacks use standard platforms and tools including the venerable Metasploit penetration testing platform, which was designed to improve security but is often used to exploit chinks in the wall instead of plugging them. The free download includes hundreds of automated exploits and malware payloads to create either individual attacks on web applications from outside or malware to expand a botnet or attack web apps from inside the firewall.

The result almost eliminates the solo hacker's biggest problem – an inability to scale.

"You can't automate car theft or purse stealing, but you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact," according to a ComputerWeekly story quoting Amichai Shulman, lead researcher and chief technology officer at Imperva.

It also shows that the vast majority of web sites are homogeneous enough in the technology they use and the security flaws they fail to patch that using the same generic attack unchanged on dozens of sites will crack enough of them to make the whole process worthwhile for the hackers, he said.

Continually increasing productivity within IT – through the use of virtualization, cloud, distributed and automated management tools and other labor-saving processes – has vastly reduced the number of IT professionals required to run even sophisticated data centers and IT infrastructures.

Automated hacking doesn't show any signs of reducing the number of crackers on the 'net, but it does ramp up even higher the importance of installing and maintaining patches, antimalware updates and behavioral-security processes.

A few years ago it was still possible to rely on security through obscurity if you ran a relatively small site; it simply wasn't cost effective for hackers to spend time trying to crack a target that might not bring on a big return.

Automation eliminates that. Just as Google's spiders will eventually find your site and your content – even the content you'd rather wasn't made public but didn't secure well enough on your Web servers – auto-hacks will find your weaknesses.

They're changing online security so that it's no longer like building a castle wall that will keep out even determined, well equipped and agile invaders.

Now it's more like a submarine running deep, where the pressure of the water will crush a hull that's not built on a strong frame, or rush in through every insignificant crack so fast and so relentlessly it will eventually drown even a boat without any "serious" weakness.
