[ISN] Cybercrooks add Ajax coding to bag of hacking tricks

From: InfoSec News (alerts@private)
Date: Fri Aug 04 2006 - 09:48:18 PDT


http://www.usatoday.com/tech/news/computersecurity/hacking/2006-08-04-ajax-attack-usat_x.htm

By Byron Acohido and Jon Swartz
USA TODAY 
8/4/2006

LAS VEGAS - The hot new technology behind slick Web pages has suddenly 
become the hot new tool for cybercriminals.

The technology, Ajax (Asynchronous JavaScript and XML), lets a page's script 
exchange data with the server in the background and update the page without 
reloading it. It is what makes popular websites such as Google Maps (GOOG) 
and MySpace.com (NWS) come alive, and it is also the technology behind 
Windows Live, the slate of cutting-edge online services Microsoft has begun 
testing.

But hackers and cybercrooks have discovered that Ajax can be abused in 
myriad ways. If an attacker can slip script into one of the dozens of 
background data exchanges a page performs, or into content the page 
displays, that script runs in the victim's browser with the victim's 
logged-in session and can act on the site as that user, without the user 
noticing.

At the giant Black Hat cybersecurity conference here, talks on what kind 
of Ajax attacks to expect and how to defend against them drew large 
audiences.

"Ajax has introduced a huge attack surface," says Billy Hoffman, lead 
engineer at Web security specialist SPI Dynamics. "Ajax works under the 
covers to make websites really responsive, but criminals can just as 
easily use it under the covers to do some bad stuff."

Recent high-profile attacks include June's Yamanner computer worm, 
designed to harvest e-mail addresses from Yahoo mail users and send them 
to spammers in Europe; and Spaceflash, which installed adware 
(advertisements and tracking programs implanted surreptitiously) on the 
hard drives of more than a million MySpace users.

Those for-profit intrusions were foreshadowed by last October's milestone 
Samy worm. Created by a youthful hacker, Samy exploited a cross-site 
scripting flaw in MySpace profile pages: script hidden in the author's 
profile ran in each viewer's browser and used Ajax requests, sent with the 
viewer's own logged-in session, to add the author as a friend and copy 
itself into the viewer's profile. It reached a million MySpace users for 
the express purpose of padding the hacker's friends list, to make him seem 
popular. MySpace had to shut down for a day to clean up Samy.
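The mechanism the article sketches above (an Ajax data exchange hijacked by injected script, and the Samy worm's use of it) is easier to see in code. The following is an added example, not code from the article, from MySpace or from any of the researchers quoted; it is a self-contained Node.js model in which the site, its users, its endpoints and the simulated browser are all constructed for the demonstration. The only difference between the vulnerable run and the safe run is whether the site HTML-encodes user-supplied profile text before rendering it:

```javascript
// Added example (constructed for this page, not the article's or MySpace's code):
// a Samy-style "Ajax worm". A profile field rendered without HTML encoding lets
// an attacker store a <script>; each viewer's browser runs it with the viewer's
// own session, and the script uses XMLHttpRequest-style calls to act as that
// viewer: add the attacker as a friend and copy itself into the viewer's profile.

// --- the "site": profiles, friend lists and a cookie-authenticated request handler ---
function makeSite({ encodeOutput }) {
  const profiles = { attacker: '', victim1: 'hi, I like cats', victim2: 'hello' };
  const friends = { attacker: new Set(), victim1: new Set(), victim2: new Set() };
  const sessions = { 's-attacker': 'attacker', 's-victim1': 'victim1', 's-victim2': 'victim2' };

  // Output encoding: the fix that keeps stored text from becoming markup.
  const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

  // Renders a user's profile page. The vulnerable variant concatenates the
  // stored "about me" text straight into the HTML.
  function render(owner) {
    const about = encodeOutput ? escapeHtml(profiles[owner]) : profiles[owner];
    return `<h1>${owner}</h1><div id="about">${about}</div>`;
  }

  // State-changing endpoints authenticated only by the session cookie.
  function request(method, path, body, cookie) {
    const user = sessions[cookie];
    if (!user) return { status: 401 };
    if (method === 'POST' && path === '/addFriend') { friends[user].add(body.friend); return { status: 200 }; }
    if (method === 'POST' && path === '/profile') { profiles[user] = body.about; return { status: 200 }; }
    if (method === 'GET' && path.startsWith('/profile/')) {
      return { status: 200, html: render(path.slice('/profile/'.length)) };
    }
    return { status: 404 };
  }
  return { profiles, friends, request };
}

// --- a tiny "browser": fetch a page and run any inline <script> it contains ---
// Like a real browser, it attaches the viewer's cookie to every same-origin
// request the script makes; the script itself never sees the cookie value.
function browse(site, viewerCookie, path) {
  const res = site.request('GET', path, null, viewerCookie);
  const scripts = [...res.html.matchAll(/<script>([\s\S]*?)<\/script>/g)].map((m) => m[1]);
  for (const src of scripts) {
    const xhr = (method, p, body) => site.request(method, p, body, viewerCookie);
    const document = { body: res.html };
    new Function('xhr', 'document', src)(xhr, document); // stand-in for the browser's script engine
  }
  return res.html;
}

// The worm payload: befriend the attacker, then read its own <script> back out
// of the page markup and store it in the viewer's profile so the next viewer runs it.
const WORM = `<script>
xhr('POST', '/addFriend', { friend: 'attacker' });
var me = document.body.match(/<script>[\\s\\S]*?<\\/script>/)[0];
xhr('POST', '/profile', { about: 'hi! ' + me });
</script>`;

// Attacker stores the payload; victim1 views the attacker's page; victim2 views victim1's page.
function runScenario(encodeOutput) {
  const site = makeSite({ encodeOutput });
  site.request('POST', '/profile', { about: WORM }, 's-attacker');
  browse(site, 's-victim1', '/profile/attacker');
  browse(site, 's-victim2', '/profile/victim1');
  return {
    victim1AddedAttacker: site.friends.victim1.has('attacker'),
    victim2AddedAttacker: site.friends.victim2.has('attacker'),
    victim2Infected: site.profiles.victim2.includes('<script>'),
  };
}

console.log('vulnerable:', runScenario(false)); // both victims add the attacker; worm reaches victim2
console.log('encoded:   ', runScenario(true));  // payload is displayed as text; nothing runs
```

Note that the request handler never checks anything beyond the session cookie, which is exactly why the injected script can act as the viewer: the attack rides the victim's own authenticated session. A CSRF token would not help here, because script running in the page can read it; what stops the worm is encoding user-supplied text before it is written into the page.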

"We've gone from kids screwing around to criminals looking for ways to 
make money in less than eight months," says Hoffman.

Dave Cole, director of Symantec Security Response (SYMC), says social 
networking sites suggest a false sense of security: "You don't expect to 
be attacked when you go to Joe Bob's page."

Hemanshu Nigam, MySpace's chief security officer, said in a statement that 
the company uses strong security measures and works with law enforcement 
in the event of a breach. Since Ajax is well on its way to becoming a 
standard for the way interactive Web pages operate, security experts 
expect attacks to escalate.

"Imagine when the same flaws are used to steal money from financial 
institutions," says Alex Stamos, principal partner at security researcher 
iSEC Partners.

Security researchers are trying to help corporations stay a step ahead. At 
Black Hat, SPI Dynamics' Hoffman showed how Ajax attacks could be designed 
to break into and manipulate online stock trading accounts.

Jeremiah Grossman, CTO of WhiteHat Security, gave a well-attended 
demonstration showing how hackers could spread an Ajax attack through 
MySpace as a means to release an invasive program deep inside a 
corporation's internal network.

"This is just a natural extension of where things are headed," says 
Grossman. "We know these kinds of attacks always get better and better."






This archive was generated by hypermail 2.1.3 : Fri Aug 04 2006 - 10:03:27 PDT