As users and businesses trust more of their data to the Web, the state of Web application security becomes increasingly important. I talked recently with Jeremiah Grossman, founder and chief technology officer of White Hat Security in Santa Clara, CA, about attacks and defenses that could affect users in the upcoming year.
One key issue, Grossman notes, is that “our security systems are now fragmented and distributed.” For example, for the recent attack on Twitter, hackers didn’t break into Twitter’s site directly. Instead, they gained access to its account with its domain name system (DNS) provider, which is responsible for directing users who type the URL for Twitter’s site to the servers where the site is hosted. An internal security breach at Twitter is believed to have leaked the credentials needed to log in to its DNS account.
“End-users and employees have accounts all over the place,” Grossman says. In many cases, if attackers can get the credentials for one of a person’s accounts, those credentials will work for several other accounts as well. Though this problem has been around for a long time, it’s becoming a greater issue because of the increasing value of the data stored online.
Though experts have traditionally advised against writing passwords down, Grossman says he’s now changed his mind. He advises users to choose a different password for every account and write them all down, saying that the danger that a password doing double duty will be compromised online is greater than the danger of a thief stealing a physical list of passwords.
Besides this ongoing problem, Grossman says, several types of Web attacks are on the rise. In particular, he points to cross-site request forgery, an attack that forces a user to make unintended requests of a site. Malicious scripts hidden in compromised Web pages can exploit user credentials stored in the browser, potentially issuing requests to change passwords or withdraw money from online banking sites.
The news isn’t all bad, however. Grossman says he’s been encouraged by recent developments in Web application firewalls in the cloud, such as the products offered by Akamai. This technology can be used to stop Web-based attacks from reaching a customer’s website. The cloud-based offering should allow the technology “to get mass scale and adoption very quickly,” Grossman says, since many businesses find that trying to install Web application firewalls themselves slows down their performance too much.
This new data poisoning tool lets artists fight back against generative AI
The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models.
Rogue superintelligence and merging with machines: Inside the mind of OpenAI’s chief scientist
An exclusive conversation with Ilya Sutskever on his fears for the future of AI and why they’ve made him change the focus of his life’s work.
The Biggest Questions: What is death?
New neuroscience is challenging our understanding of the dying process—bringing opportunities for the living.
Data analytics reveal real business value
Sophisticated analytics tools mine insights from data, optimizing operational processes across the enterprise.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.