Attacks on web applications are likely to proliferate and worsen, according to AusCERT Security Analyst Macleonard...
"Web application mass exploitation is the biggest bang for buck for criminals since Windows 95," Starkey said at the Media Connect Kickstart conference. But while Windows 95 was largely exploited by "script kiddies" Starkey says criminals are now targeting web applications because they offer an easier route to reward than attacks on individual PCs, which he said are " very noisy and generates a lot of heat."
Infiltrating a web application, he said, is easy thanks to the proliferation of commercial infection tools that he described as "very easy to get hold of, extraordinarily powerful and very easy to use."
The result of this trend is that "the old advice of do not visit untrusted websites is obsolete," as any website can be compromised.
Starkey also said that social networks represent a security risk because criminals are using the information they contain to hone the social engineering aspects of their attacks. AusCERT has already detected attacks directed at University students designed to gather usernames and passwords for their university email accounts.
"Facebook and MySpace make this very easy because you can find out a lot about what will gain a target's interest before you even attack," he said, dubbing this new behaviour "spear phishing" or "selective malicious code" attacks.
Another technology Starkey said AusCERT feels will draw an increase in attacks is virtualisation, as virtualised servers represent a potentially richer target than a single server.
"Virtualisation can enable a significantly greater degree of compromise compared to a single server," he said.
Starkey said that another area of concern is content management systems. He cited popular blogging platform WordPress, which can be downloaded and hosted by its users, as one technology that is increasingly being exploited along with other PHP-based CMSes.