Skip to Content
Uncategorized

Web Attacks and Defenses that Could Affect Users in 2010

White Hat Security’s CTO talks about rising trends in Web application security–and why he’s changed his mind about writing down passwords.
December 28, 2009

As users and businesses trust more of their data to the Web, the state of Web application security becomes increasingly important. I talked recently with Jeremiah Grossman, founder and chief technology officer of White Hat Security in Santa Clara, CA, about attacks and defenses that could affect users in the upcoming year.

One key issue, Grossman notes, is that “our security systems are now fragmented and distributed.” For example, for the recent attack on Twitter, hackers didn’t break into Twitter’s site directly. Instead, they gained access to its account with its domain name system (DNS) provider, which is responsible for directing users who type the URL for Twitter’s site to the servers where the site is hosted. An internal security breach at Twitter is believed to have leaked the credentials needed to log in to its DNS account.

“End-users and employees have accounts all over the place,” Grossman says. In many cases, if attackers can get the credentials for one of a person’s accounts, those credentials will work for several other accounts as well. Though this problem has been around for a long time, it’s becoming a greater issue because of the increasing value of the data stored online.

Though experts have traditionally advised against writing passwords down, Grossman says he’s now changed his mind. He advises users to choose a different password for every account and write them all down, saying that the danger that a password doing double duty will be compromised online is greater than the danger of a thief stealing a physical list of passwords.

Besides this ongoing problem, Grossman says, several types of Web attacks are on the rise. In particular, he points to cross-site request forgery, an attack that forces a user to make unintended requests of a site. Malicious scripts hidden in compromised Web pages can exploit user credentials stored in the browser, potentially issuing requests to change passwords or withdraw money from online banking sites.

The news isn’t all bad, however. Grossman says he’s been encouraged by recent developments in Web application firewalls in the cloud, such as the products offered by Akamai. This technology can be used to stop Web-based attacks from reaching a customer’s website. The cloud-based offering should allow the technology “to get mass scale and adoption very quickly,” Grossman says, since many businesses find that trying to install Web application firewalls themselves slows down their performance too much.

Keep Reading

Most Popular

conceptual illustration of a heart with an arrow going in on one side and a cursor coming out on the other
conceptual illustration of a heart with an arrow going in on one side and a cursor coming out on the other

Forget dating apps: Here’s how the net’s newest matchmakers help you find love

Fed up with apps, people looking for romance are finding inspiration on Twitter, TikTok—and even email newsletters.

computation concept
computation concept

How AI is reinventing what computers are

Three key ways artificial intelligence is changing what it means to compute.

still from Embodied Intelligence video
still from Embodied Intelligence video

These weird virtual creatures evolve their bodies to solve problems

They show how intelligence and body plans are closely linked—and could unlock AI for robots.

We reviewed three at-home covid tests. The results were mixed.

Over-the-counter coronavirus tests are finally available in the US. Some are more accurate and easier to use than others.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.