New attack methods target Web 2.0, VoIP

By Bill Brenner, Senior News Writer
17 Oct 2007 | SearchSecurity.com


Researchers from two different security firms are seeing fresh evidence that attackers are targeting Web 2.0-based business applications and VoIP with increased vigor, and warn that companies are ill-prepared to meet the threat.

Secure Computing Corp. announced Tuesday that it has uncovered a potential new method to gain control of a user's PC by launching an XSS attack via the VoIP protocol known as SIP. This is the first time Secure Computing has seen a Web 2.0 attack using the VoIP protocol, said Paul Henry, vice president of technology evangelism for the San Jose, Calif.-based vendor.

Separately, researchers at Websense Security Labs issued an alert about a spike in new spam techniques over Skype, the widely-used VoIP service. Spam is being sent over Skype warning users that their system has been infected with malware. The spam is designed to dupe the user into buying software that claims to clean the spyware from their systems. Instead of removing spyware, however, the spammer is able to steal sensitive data that could be used for identity fraud.

In an interview Tuesday, Henry said that the vendor's researchers discovered proof-of-concept code attackers could use to run malware on any PC via the user's VoIP connection.

"The issue is simple," he said. "Attackers may have found a blind spot in today's popular defenses, as most security products are not looking for Web 2.0 XSS attacks over SIP. Secure Computing recommends using a solution that scans for malicious scripts and malware across every protocol that is permitted to enter the enterprise network."

While users have gotten used to not opening email attachments or being careful when visiting Web sites they're not familiar with, the new VoIP SIP protocol vulnerability is another reminder that "we're living in the Web 2.0 world now and not everything is as safe as we assume," Henry said.

San Diego-based Websense, meanwhile, has labeled the appearance of Skype spam as "SKAM."

"Traditionally, email [has been] the only conduit for SPAM," a company spokesman said in an email. "However, increasingly the Web and other communication platforms are also being utilized as attack vectors."

The Skype spam Websense has been seeing warns users that their system is infected with malware and tries to trick them into buying software to remove spyware from their systems. "This serves as an example of spam propagating on Skype, with malware authors utilizing social engineering to pass their malware off as legitimate software, and attempting to collect money directly at the same time," Websense said in its online analysis.

Henry said he is particularly concerned about what he's seeing because companies have deployed Web 2.0 applications and implemented VoIP systems at a fast and furious pace in the last couple years with little attention paid to the potential security ramifications.

"I don't think companies are using VoIP any more securely than they were two years ago," he said.

That assessment mirrors the concerns raised last summer by Himanshu Dwivedi and Zane Lackey of San Francisco-based digital security firm iSEC Partners Inc. The duo gave a presentation on the various ways attackers can exploit the SIP, IAX and H.323 VoIP protocols during Black Hat USA 2007 in Las Vegas. While Henry warns about SIP being targeted, the iSEC researchers warned that H.323 is particularly vulnerable to attack but that most users assume H.323 is secure because little evidence to the contrary has been presented.

They urged the audience to build a layered defense, noting, as Henry did Tuesday, that the state of VoIP security is as bad now as it was a couple years ago.


