Is Your Site Being Hacked Without Your Knowledge?
by Yuval Ben-Itzhak - Friday, 10 October 2003.
Hackers manage to successfully break into systems much more often than you might realise. Just ask any member of a penetration testing team. These people hack for a living, with the explicit permission of the companies whose systems they are targeting, in order to highlight weaknesses. And in around three quarters of all cases, they manage to break through even the most secure e-commerce sites and firewalls.

Criminals, too, are finding that hacking is getting easier as more companies move their business onto the Web. Not always because the systems are using inadequate protection systems, but because the designers and programmers have made basic, fundamental mistakes. And such mistakes can cost companies dearly. If someone lowered the prices in your online product catalogue, how quickly would you notice? Or if someone raised them, and orders stopped coming in, how soon would you make the connection?

Remember the Microsoft Hotmail hack from a couple of years ago, when someone discovered just how easy it could be to access the mailbox of any Hotmail user? Just include details of that user's account on the end of the URL and the system would divulge their details without thinking to ask for an ID or password.

Bringing a commercial Website to its knees is often no more difficult than running a freely-downloadable (and free!) hacking tool, then typing in the URL address of the Web server and watching as it crashes because of a default settings and configurations.

Keeping your Web-based business secure in today's hacker-ridden internet means more than installing traditional network firewalls and intrusion detection, neither of which will detect or prevent the type of attacks mentioned above. You also need to ensure that the program code which drives your Web site is bug-free and, most critical of all, designed with security in mind from the start. Hackers know all the tricks, so you can't hope to keep your system safe unless you know them too. Or unless you can find a way to automatically scan your application for known programming faults.

For example, financial institutions that allow their customers to execute money transfers or to apply other changes to their private bank accounts should make sure that Web application will not allow a hacker to do the same from his browser. Insurance companies that allow customers to purchase policies or adjust them to their needs should be extra cautious to hackers buying an insurance policy for accidents that have already occurred by starting a new policy with a retrospective start date before the accident occurred.

Here is another example, does your e-commerce site pass the cost of an item to your credit card processing system via a parameter in the URL? If so, it's easy for a hacker to alter the price by simply changing the URL. Hackers have used this technique in the past to get products or services at a discount. Some even changed the prices to negative values, which credited their account each time they placed an order!

Although such attacks are easy to defeat if tangible goods are being sold and delivered, this is not the case for intangible items such as downloadable software or expensive reports. Once a hacker has obtained the file there's nothing to stop him posting it on a public Web site for everyone to see and for all the search engines to find.

Not all hacks require such a degree of technical competency. Every popular Web browser lets users view the HTML source code of the current page, and many developers leave comments in HTML and Javascript code. Even something as innocuous as the name and phone number of the programmer can be exploited by hackers skilled in social engineering.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th