Hacking at a glance

In the past 2 years, client-side attacks such as XSS and CSRF have been on the increase. In a presentation I gave at OWASP a short time ago I discussed what I called the Attack Renaissance, where attacks move toward breaking in via client-side holes rather than traditional server-side vulnerabilities; however, there is more to it than meets the eye.

I think many would agree that web applications have become target number 1. However, I would like to draw the gaze away from that for a second and point out that network-based intrusion is by no means dead and buried.

Services such as VOIP and BES are growing in popularity and often require significant network design and architecture changes to get working. Also, encryption within new protocols may provide attackers with tunnels to hide and mask traffic to avoid intrusion detection systems.

Robert Moore is in prison for breaking into a number of VOIP providers. This is what he had to say:


“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. …

In summary, web applications are vulnerable, yes, but they are only one area of concern. Currently SANS shows little traffic to BES (one service I’ve been researching lately), but this may very well change in the months to come.
