
Websites Found to Be Vulnerable

by platon on September 12th, 2001

Random testing of three million websites over 18 months revealed that more than 70 per cent were vulnerable to security breaches.


The research was carried out by Unisys Australia architecture director of IT security consulting services, Ajoy
Ghosh, as part of his PhD thesis. It will be published this month by the Journal of Information Warfare, which is
produced by Perth's Institute of Information Warfare.



Mr Ghosh, who has a decade of experience in the area of computer crime and IT security, is a PhD law student at
Sydney's University of Technology.



He worked for Westpac and the NSW Police before joining Unisys, and is a member of Australia's e-security
coordination group.



For his thesis research, Mr Ghosh created a "hackers toolkit" to assess the security vulnerabilities of global
websites. It includes more than 100 tools that mimic the actions of those used by real hackers. Mr Ghosh found more
than 700 "exploit" tools that can be easily downloaded on the Internet, and used by hackers to breach, damage and
deface websites and Internet-based corporate networks.



Unisys sponsored Mr Ghosh's research, and creation of his Data Collection Toolkit. The research has been
supervised by Australia's Institute of Criminology.



"We built our own toolkit instead of using hackers' real world tools, because to do so would have been illegal, and
we wanted to ensure our activities did not disrupt or actually breach any of our targeted websites," Mr Ghosh says.



Over 18 months, Mr Ghosh randomly searched three million .com, .net, .edu, and .au domains for security holes.
The discovery that almost three quarters of these sites were vulnerable to security breaches did not surprise him.



"Organisations such as the Institute of Criminology have long been saying that opportunities for digital crime abound
in cyberspace. But till now we have been unable to size that opportunity -- we haven't been able to prove how
widespread cybercrime is.



"This project provides a statistical foundation for such claims."



A Computer Society Institute study found that one in three intrusions occurs even when a firewall is in place.



Mr Ghosh's research revealed that banks' websites were among those most vulnerable to online crime. Some
banks were unaware their online operations were exposed to security threats, thinking they had their Internet security in
order. Throughout his thesis research, Mr Ghosh's website exploits were not detected by Internet Service Providers or
telcos.



"In some cases we were not asked for identification details, or provided false ones to the ISPs for the whole of
those 18 months. This was done by purchasing prepaid accounts, or turning up to ISP offices to pay our accounts in
cash.



"Once you have prepaid Internet access, you can do whatever you like. Even if hack exploits are discovered, you
can't trace the perpetrators. The same detection avoidance tricks that work for real hackers, worked for us."



About 80 per cent of the website vulnerabilities identified by Mr Ghosh were Windows-based -- the pervasive use
of Windows on Web servers makes it a key target for hackers, he says.



Motives for hacking, denial of service attacks and website vandalism range from financial gain to curiosity and
"hacktivism" -- a new kind of protest to push messages to a broad audience.



Website defacements are common and their impact on business is subjective, he says.



"Damage to a business that requires customer trust will be high. Interestingly, businesses with strong 'real world
brands', such as global banks, tend to recover their online credibility faster than those with weak brand images."



Mr Ghosh says his thesis research indicates slack management at many organisations.



"They aren't demonstrating commitment to computer security. It's a global problem."



His study also found that more than 90 per cent of .edu websites are exposed to cyberterrorism.



He says ISPs and telcos need to tighten up their security and detection procedures, to prevent hack attempts in the
first place.



"If the ISPs had blocked us, we could not have reached the target websites. They should be preventing port scans
-- this is starting to happen. They also need to demonstrate 'capable guardianship' by collecting appropriate ID details."



Organisations in New Zealand and Australia should not assume that their sites are safe from thieves and
hackers based in other countries.



"There is no such thing any more as distance. It is as easy for a hacker in Pakistan to target a site in Australia, as in
the US. That's globalisation for you."



Unisys employs 16 senior security experts in the Asia Pacific region. Information about its services can be found at



(C) 2001 The Dominion. All Rights Reserved


