in certain files. The SQL Slammer was also a serious worm, which exploited the buffer overflow *
vulnerability in Microsoft's SQL Server, causing a Denial of Service condition. One of the most
significant hacks took place in the year 2007 when the U.S. store chain TJ Maxx was hacked and
46 million credit and debit cards were said to have been stolen. Hackers were able to gain access to
one store of the TJ Maxx chain through a nonsecure wireless access point and then gained access
to TJ Maxx's corporate systems. CardSystems, a payment processor, was breached in a similar
fashion. The CardSystems breach also resulted in the theft of over 40 million credit card numbers.
CardSystems had failed to secure its network and update its antivirus definitions, which caused
the breach. As we move closer to the present-day scenario, there have been several cases of Web
application attacks. SQL injection has been one of the most devastating attacks, where attackers
have gone after databases (this is quite understandable, as databases store information that is invaluable
to attackers). There have been several SQL injection attacks, which have been caused by poor
database input validation and unpatched operating systems, applications, and database platforms.
The MySpace attack was one of the prime examples of Web application attacks. The MySpace Web
site was hit by a cross-site scripting attack triggered by a clever user named Samy and was forced
to shut down for over 12 hours. Several banks, like Barclays and American Express, were found
to be vulnerable to Web application attacks. Google's Gmail and Google Apps were found to be
vulnerable to cross-site scripting and cross-site request forgery attacks. We will discuss these attack
types in detail in Chapter 3 and as we explore Web application security in detail throughout the
rest of the topic.
On reading the preceding paragraphs on the evolution of cybercrime and security incidents
on the Internet, one can easily see some commonalities emerging, namely in the causes of these
attacks over the years, even though the incidents themselves have changed and evolved over time. Attackers
have been able to penetrate and successfully attack systems that have been improperly configured
or improperly patched. Attackers have successfully exploited the fact that a single slipup
in the organization's defense measures can render it open to attack. The Kevin Mitnick attack,
the TJ Maxx hack, the MySpace Samy worm: all were the result of errors and slipups by the
organization. This reemphasizes the fact that security is not a one-time exercise but a continuous
and constantly evolving process, which requires organizations and individuals to approach it in a
comprehensive and methodical manner.
2.4 Security—Myths and Realities
We have already explored some basic concepts of security and the need and motivation for the
same. Let us now explore another important aspect of security. Like everything, security is a
widely discussed topic, and like any widely discussed topic, security also has its fair share of myths,
some partly the result of an ill-conceived grapevine and some others formed out of convenience.
The security myths that we will be discussing are as follows:
* Buffer overflow is a vulnerability where data is stored in a buffer that has been specifically allocated by the
programmer. When an input causes the data to occupy more memory than what has been allocated, a buffer
overflow condition exists. Buffer overflow causes a Denial of Service, and in some cases the operating system or
application goes into an insecure state, which allows the attacker to execute commands and take control of the
system.
Cross-site scripting is an attack where the attacker injects malicious scripts, usually in the form of browser-side
JavaScript, to a different end user of a Web application. Cross-site scripting can result in anything from a Denial
of Service to hijacking of sessions.
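The overflow condition described in the footnote, as an added C example that is not from the book: an unchecked copy into a fixed-size buffer beside a checked copy that refuses oversized input instead of overflowing. The buffer size, function names, and inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size: the programmer allocated exactly 16 bytes. */
#define NAME_LEN 16

/* Unchecked copy: strcpy writes the whole source plus its terminator
 * regardless of the destination's size. Any source longer than
 * NAME_LEN - 1 characters overflows `dst` and overwrites whatever the
 * compiler placed next to it, which is the condition the footnote
 * describes. Kept only to show the defect; never call it on untrusted input. */
void copy_unchecked(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);             /* no bound check: this is the defect */
}

/* Checked copy: measure the input first and reject anything that would
 * not fit together with its terminator. Returns 0 on success and -1 on
 * rejection; `dst` is left untouched when the input is rejected. */
int copy_checked(char dst[NAME_LEN], const char *src) {
    size_t len = strlen(src);
    if (len >= NAME_LEN) {
        return -1;                /* would overflow: refuse, do not truncate */
    }
    memcpy(dst, src, len + 1);    /* len + 1 copies the terminator too */
    return 0;
}

/* Convenience wrapper: does `src` fit in a NAME_LEN buffer? (0 yes, -1 no) */
int fits_in_name(const char *src) {
    char tmp[NAME_LEN];
    return copy_checked(tmp, src);
}

int main(void) {
    char name[NAME_LEN];
    /* Constructed inputs: one that fits, one much longer than the buffer. */
    const char *ok = "alice";
    const char *too_long = "a-name-that-is-far-too-long-for-this";
    printf("%-40s -> %d\n", ok, copy_checked(name, ok));        /* 0  */
    printf("%-40s -> %d\n", too_long, copy_checked(name, too_long)); /* -1 */
    /* copy_unchecked(name, too_long) would corrupt the stack here. */
    return 0;
}
```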