Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

As users and businesses trust more of their data to the Web, the state of Web application security becomes increasingly important. I talked recently with Jeremiah Grossman, founder and chief technology officer of White Hat Security in Santa Clara, CA, about attacks and defenses that could affect users in the upcoming year.

One key issue, Grossman notes, is that “our security systems are now fragmented and distributed.” For example, for the recent attack on Twitter, hackers didn’t break into Twitter’s site directly. Instead, they gained access to its account with its domain name system (DNS) provider, which is responsible for directing users who type the URL for Twitter’s site to the servers where the site is hosted. An internal security breach at Twitter is believed to have leaked the credentials needed to log in to its DNS account.

“End-users and employees have accounts all over the place,” Grossman says. In many cases, if attackers can get the credentials for one of a person’s accounts, those credentials will work for several other accounts as well. Though this problem has been around for a long time, it’s becoming a greater issue because of the increasing value of the data stored online.

Though experts have traditionally advised against writing passwords down, Grossman says he’s now changed his mind. He advises users to choose a different password for every account and write them all down, saying that the danger that a password doing double duty will be compromised online is greater than the danger of a thief stealing a physical list of passwords.

Besides this ongoing problem, Grossman says, several types of Web attacks are on the rise. In particular, he points to cross-site request forgery, an attack that forces a user to make unintended requests of a site. Malicious scripts hidden in compromised Web pages can exploit user credentials stored in the browser, potentially issuing requests to change passwords or withdraw money from online banking sites.

The news isn’t all bad, however. Grossman says he’s been encouraged by recent developments in Web application firewalls in the cloud, such as the products offered by Akamai. This technology can be used to stop Web-based attacks from reaching a customer’s website. The cloud-based offering should allow the technology “to get mass scale and adoption very quickly,” Grossman says, since many businesses find that trying to install Web application firewalls themselves slows down their performance too much.

1 comment. Share your thoughts »

Tagged: Web, security, web applications, passwords, Web security

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me