Half of all retail web sites are vulnerable to hackers, a ScanAlert executive says.
As online retailing has evolved from a novelty into a thriving distribution and sales channel, criminals and thieves similarly evolved. With an increasing amount of the world’s wealth accessible online, the Internet now is where the money is for a growing number of criminals. If infamous “where the money is” felon Willie Sutton were still alive, he’d probably be working from home in his pajamas, seated in front of a computer. And he wouldn’t be alone online.
In fact, half of all web sites likely are vulnerable to database attacks based on security data we collected from 27,000 ScanAlert customers. 45% of web sites had a serious database vulnerability such as SQL injection while 50% had cross-site scripting weaknesses, before we helped them close these serious security holes.
It is a gloomy portrait involving software used by tens of thousands of Internet retailing executives. When you apply these percentages to the millions of web sites that sell products and services online, the big picture gets very scary very quickly. The scary stuff starts with SQL injection.
Categorized as critical Level 5 (the most dangerous) risks, SQL injection vulnerabilities are extremely dangerous for any web site, particularly those engaging in e-commerce activities. This class of software vulnerability enables hackers to penetrate databases to steal confidential information needed for fraud and identity theft. In this attack technique, hackers enter non-letter characters such as "&" and "<" into form fields to manipulate the queries the application sends to its database and pull out confidential information. Most web forms are built to receive names and passwords and have no mechanism in place to block other kinds of input. If the application does not also properly filter out the characters used in SQL injection attacks, criminals can steal, modify or delete data in the database.
Blind SQL injection is a related and potentially more troubling type of attack. It works like regular SQL injection but is harder for a criminal to exploit because of one important characteristic: the attacker cannot use the messages returned by the database under attack to guide his attempts at pulling information from it. Although this makes a potential SQL injection vulnerability harder for a criminal to detect and exploit, criminals still can make blind SQL injection work.
Expert hackers access sensitive data by submitting a series of trial true-or-false questions through SQL statements until they find a way to unlock a database. Unfortunately this type of attack is becoming more common as hacker skills increase. In fact, the hacker community now is publishing blind SQL exploitation tools.
The blind SQL risk is further magnified because it has become commonplace for companies holding confidential data to “cure” discovered SQL injection vulnerabilities by suppressing the database’s error messages, turning them into blind SQL injection vulnerabilities in the belief that criminals will not be able to detect or exploit them. Since it is much easier to hide the error messages than to fully fix the SQL injection problem, many developers unfortunately have chosen this “security through obscurity” route. It’s a Band-Aid fix that will not deter skilled, determined thieves.
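As an added example (not part of the original article, and not ScanAlert’s scanner), the following Python script uses a constructed in-memory SQLite table to show the three situations above side by side: a query built by pasting input into the SQL text, the same query with database errors hidden (the “blind” Band-Aid), and the parameterized version that actually closes the hole. The table and customer rows are made up for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample store: two customers, not real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                   [("alice@example.com", "1234"), ("bob@example.com", "9876")])
    return db

def lookup_vulnerable(db, email, verbose_errors=True):
    """Classic hole: user input is pasted into the SQL text.
    verbose_errors=False mimics the 'cure' of hiding database error messages,
    which only makes the hole blind; the input is still parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        if verbose_errors:
            return "DB error: " + str(exc)  # error text reaches the attacker
        return []                          # silent failure: blind, not fixed

def lookup_fixed(db, email):
    """The real fix: a parameterized query binds the input as data,
    so quotes and keywords inside it can never change the query."""
    return db.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)).fetchall()

def compare(email):
    """Run one input through all three lookups for side-by-side review."""
    db = make_db()
    return {
        "verbose": lookup_vulnerable(db, email),
        "blind": lookup_vulnerable(db, email, verbose_errors=False),
        "fixed": lookup_fixed(db, email),
    }

if __name__ == "__main__":
    # A stray quote shows the difference between a verbose and a blind hole.
    print(compare("'"))
    # The textbook tautology returns every row from both vulnerable versions.
    print(compare("' OR '1'='1"))
    # A true/false pair is all a blind attacker needs to tell rows apart.
    print(compare("alice@example.com' AND '1'='1")["blind"])
    print(compare("alice@example.com' AND '1'='2")["blind"])
```

The blind variant returns an empty list instead of an error, but the same tautology still dumps every row; only the parameterized lookup treats the input as a literal e-mail address.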
A third threat, also relatively unknown among online retailers, is cross-site scripting. Although this will not provide access to a database, it is a growing threat for consumers.
Cross-site scripting occurs when criminals insert malicious code into web applications, such as features that allow online shoppers to post information for others to read. As unsuspecting site visitors click on such content, the embedded malicious code can steal information from their web browsers, such as the names of other sites they’ve visited and applications they’ve used. Criminals can use that information to launch targeted attacks.
Hackers typically combine cross-site scripting with e-mail and phishing links to trick unsuspecting people into visiting hacker-owned sites where they may unknowingly provide personal information.
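An added Python example (mine, not the article’s) of the stored flavor of this problem: a shopper-review list rendered with and without HTML encoding. The reviews are constructed sample data, and the alert() call is a harmless marker standing in for the information-stealing code the text describes.

```python
import html

# Constructed sample of shopper-posted reviews; the second one carries script
# in the body and an injected event handler in the name field.
REVIEWS = [
    {"author": "alice", "body": "Great shoes, fast shipping."},
    {"author": 'bob" onmouseover="alert(1)', "body": "<script>alert('xss')</script>"},
]

def render_unsafe(reviews):
    """Pastes raw user content into the page: stored cross-site scripting."""
    items = []
    for r in reviews:
        items.append('<li title="' + r["author"] + '">' + r["body"] + "</li>")
    return "<ul>" + "".join(items) + "</ul>"

def render_safe(reviews):
    """Encodes each value for the context it lands in: quoted attribute and
    element text. html.escape() rewrites &, <, > and, with quote=True, quotes."""
    items = []
    for r in reviews:
        author = html.escape(r["author"], quote=True)
        body = html.escape(r["body"], quote=True)
        items.append('<li title="' + author + '">' + body + "</li>")
    return "<ul>" + "".join(items) + "</ul>"

def has_live_markup(page):
    """Crude check used only for this demonstration: did a <script> tag or an
    injected on* attribute survive into the rendered HTML?"""
    lowered = page.lower()
    return "<script" in lowered or '" onmouseover="' in lowered

if __name__ == "__main__":
    print(render_unsafe(REVIEWS))
    print(render_safe(REVIEWS))
```

The attribute case is the one developers most often miss: escaping angle brackets alone leaves a quote-breaking name field free to add an event handler.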
Our research also generated interesting statistics on vulnerabilities related to web server applications. Web sites using Microsoft Corp.’s Internet Information Server software were twice as likely to have serious database vulnerabilities as those using the popular Apache open-source server software. Cross-site scripting, however, was slightly more prevalent on sites running Apache than Internet Information Server.
Looking at other e-commerce security trends, we expect the wildly popular PHP open-source programming language to continue to provide a bounty of opportunities for hackers. PHP, or hypertext preprocessor programming language, has been used to create every type of software needed to operate an online store, including shopping cart, payment system, customer relationship management and e-newsletter applications. Unfortunately, ease of use does not translate into a secure application. Indeed, PHP developers all too frequently have emphasized functionality over security. Many security researchers, including Hacker Safe Labs engineers, recently have discovered and announced critical security flaws in widely used PHP applications.
How do we see e-commerce security changing through the remainder of 2007? One catalyst may be the payment industry itself. Visa, MasterCard and American Express may have the greatest role in forcing change due to the Payment Card Industry Data Security Standard, or PCI DSS. The payment card industry, which introduced strict security standards three years ago, finally is demonstrating it is serious about mandating compliance (see story, page 16).
PCI DSS, which applies to almost every merchant that accepts credit card payments, makes it almost impossible for hackers to steal credit card numbers from an online store. With the January revelation by TJX Cos. Inc. that hackers had stolen card data that TJX stored on its servers fresh in the minds of the American consumers, regulators and legislators, the payment industry likely will turn up the heat on banks to force retailers to become certified with the standard.
One of the required steps, for example, is having a scanning vendor approved by the PCI Security Standards Council, such as ScanAlert, scan the site quarterly for vulnerabilities. If retailers fail to do this and meet the other PCI DSS requirements, the alternative could be a wave of new federal and state legislation.
Lawmakers, tired of waiting for the payment card and online retailing industries to take security seriously enough, have readied dozens of legislative proposals on data protection and consumer data breach notification. With the threat of this legislation casting a shadow over online stores, the payment card industry might be the catalyst this year of a greater industrywide emphasis on security.