Web Hosting News
More Malware?
By: Michael Lowry
    2008-02-13

    More Malware? - The Definition of Hacker Safe


    (Page 3 of 4)

    According to an article in Information Week, at least “60 Web sites certified to be 'Hacker Safe' by McAfee's ScanAlert service have been vulnerable to cross-site scripting (XSS) attacks over the past year, including the ScanAlert Web site itself.” ScanAlert has since fixed its problem, but other sites are still vulnerable. However, “Joseph Pierini, director of enterprise services for the ScanAlert 'Hacker Safe' program, maintains that XSS vulnerabilities can't be used to hack a server.”

    The problem with Pierini's statement arises when you ask how important the database server actually is to a hacker. It would seem that, without touching the server at all, an attacker would still be able to use XSS to compromise users while they do business on the site. As long as users are transferring sensitive information through a vulnerable page, a “Hacker Safe” server will be of no consequence.

    Slowing down for a second, cross-site scripting is when malicious hackers are able to inject their own script code into the pages of a vulnerable web application. If exploited properly, the injected code lets a hacker get around certain access controls like the same origin policy, which restricts scripts to reading and modifying content that comes from their own origin. This is especially useful to hackers because client-side scripts run in the user's browser, where they are more likely to have access to a user's sensitive information.

    In the article, Oliver Friedrichs, director of Symantec Security Response, said that XSS vulnerabilities are dangerous, but they “are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners.” The question is, how long will this take? Will ScanAlert notify the site owners, or will they have to read it in an article, or worse, hear it from an angry customer?

    He also claims that “XSS vulnerabilities aren't material to a site's certification,” but the ScanAlert web site says that it is part of the certification process; these are then exercised in specific ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection. It also seems that the compromised web sites were found with the most general XSS vulnerabilities, something that ScanAlert should be able to find.
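To make the mechanism concrete, here is an added example (not from the article, Information Week or ScanAlert): a search page that echoes a query parameter without output encoding, the same page with encoding applied, and a basic reflection check of the general kind a scan should catch. The function names, the page template and the probe marker are assumptions made for illustration.

```python
import html
import secrets

# Characters that are significant in HTML text and attribute contexts.
METACHARS = "<\"'>"


def render_vulnerable(query: str) -> str:
    """Search page that echoes the query without output encoding (the flaw)."""
    return (
        "<html><body>"
        f"<form><input name='q' value='{query}'></form>"
        f"<p>Results for {query}</p>"
        "</body></html>"
    )


def render_hardened(query: str) -> str:
    """Same page with the query HTML-encoded before it is written out."""
    safe = html.escape(query, quote=True)  # encodes & < > " '
    return (
        "<html><body>"
        f"<form><input name='q' value='{safe}'></form>"
        f"<p>Results for {safe}</p>"
        "</body></html>"
    )


def reflected_unencoded(render) -> list[str]:
    """Return the metacharacters that the page reflects without encoding.

    A harmless random marker is wrapped around each metacharacter so a
    match can only come from our own input, not from the page template.
    """
    marker = "probe" + secrets.token_hex(4)
    found = []
    for ch in METACHARS:
        probe = f"{marker}{ch}{marker}"
        if probe in render(probe):
            found.append(ch)
    return found


if __name__ == "__main__":
    print("vulnerable page reflects:", reflected_unencoded(render_vulnerable))
    print("hardened page reflects:  ", reflected_unencoded(render_hardened))
```

The server in both cases is untouched; the difference is only in what the visitor's browser receives, which is why a server-focused certification can miss the issue.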

    Please keep reading to see why one company thinks ScanAlert's methods, and the methods of companies like them, aren't as effective as they could be.
