Skip to Content
Uncategorized

Web Attacks and Defenses that Could Affect Users in 2010

White Hat Security’s CTO talks about rising trends in Web application security–and why he’s changed his mind about writing down passwords.
December 28, 2009

As users and businesses trust more of their data to the Web, the state of Web application security becomes increasingly important. I talked recently with Jeremiah Grossman, founder and chief technology officer of White Hat Security in Santa Clara, CA, about attacks and defenses that could affect users in the upcoming year.

One key issue, Grossman notes, is that “our security systems are now fragmented and distributed.” For example, for the recent attack on Twitter, hackers didn’t break into Twitter’s site directly. Instead, they gained access to its account with its domain name system (DNS) provider, which is responsible for directing users who type the URL for Twitter’s site to the servers where the site is hosted. An internal security breach at Twitter is believed to have leaked the credentials needed to log in to its DNS account.

“End-users and employees have accounts all over the place,” Grossman says. In many cases, if attackers can get the credentials for one of a person’s accounts, those credentials will work for several other accounts as well. Though this problem has been around for a long time, it’s becoming a greater issue because of the increasing value of the data stored online.

Though experts have traditionally advised against writing passwords down, Grossman says he’s now changed his mind. He advises users to choose a different password for every account and write them all down, saying that the danger that a password doing double duty will be compromised online is greater than the danger of a thief stealing a physical list of passwords.

Besides this ongoing problem, Grossman says, several types of Web attacks are on the rise. In particular, he points to cross-site request forgery, an attack that forces a user to make unintended requests of a site. Malicious scripts hidden in compromised Web pages can exploit user credentials stored in the browser, potentially issuing requests to change passwords or withdraw money from online banking sites.

The news isn’t all bad, however. Grossman says he’s been encouraged by recent developments in Web application firewalls in the cloud, such as the products offered by Akamai. This technology can be used to stop Web-based attacks from reaching a customer’s website. The cloud-based offering should allow the technology “to get mass scale and adoption very quickly,” Grossman says, since many businesses find that trying to install Web application firewalls themselves slows down their performance too much.

Keep Reading

Most Popular

Workers disinfect the street outside Shijiazhuang Railway Station
Workers disinfect the street outside Shijiazhuang Railway Station

Why China is still obsessed with disinfecting everything

Most public health bodies dealing with covid have long since moved on from the idea of surface transmission. China’s didn’t—and that helps it control the narrative about the disease’s origins and danger.

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

Europe's AI Act concept
Europe's AI Act concept

A quick guide to the most important AI law you’ve never heard of

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.