By Byron Acohido and Jon Swartz
LAS VEGAS - The hot new technology behind slick Web pages has suddenly
become the hot new tool for cybercriminals.
The technology, Ajax coding and Web tools, enables popular websites such
as Google Maps (GOOG) and MySpace.com (NWS) to come alive. It is also the
technology behind Windows Live, the slate of cutting-edge online services
Microsoft has begun testing.
But hackers and cybercrooks have discovered that Ajax can be tweaked in
myriad ways. By corrupting one of the dozens of data exchanges Ajax
handles while loading a Web page, a hacker can take over control of the
At the giant Black Hat cybersecurity conference here, talks on what kind
of Ajax attacks to expect and how to defend against them drew large
"Ajax has introduced a huge attack surface," says Billy Hoffman, lead
engineer at Web security specialist SPI Dynamics. "Ajax works under the
covers to make websites really responsive, but criminals can just as
easily use it under the covers to do some bad stuff."
Recent high-profile attacks include June's Yamanner computer worm,
designed to harvest e-mail addresses from Yahoo mail users and send them
to spammers in Europe; and Spaceflash, which installed adware
(advertisements and tracking programs implanted surreptitiously) on the
hard drives of more than a million MySpace users.
Those for-profit intrusions were foreshadowed by last October's milestone
Samy worm. Created by a youthful hacker, Samy used an Ajax attack to
infect a million MySpace users for the express purpose of adding them to
the hacker's friends list - to make him seem popular. MySpace had to shut
down for a day to clean up Samy.
"We've gone from kids screwing around to criminals looking for ways to
make money in less than eight months," says Hoffman.
Dave Cole, director of Symantec Security Response (SYMC), says social
networking sites suggest a false sense of security: "You don't expect to
be attacked when you go to Joe Bob's page."
Hemanshu Nigam, MySpace's chief security officer, said in a statement that
the company uses strong security measures and works with law enforcement
in the event of a breach. Since Ajax is well on its way to becoming a
standard for the way interactive Web pages operate, security experts
expect attacks to escalate.
"Imagine when the same flaws are used to steal money from financial
institutions," says Alex Stamos, principal partner at security researcher
Security researchers are trying to help corporations stay a step ahead. At
Black Hat, SPI Dynamics' Hoffman showed how Ajax attacks could be designed
to break into and manipulate online stock trading accounts.
Jeremiah Grossman, CTO of WhiteHat Security, gave a well-attended
demonstration showing how hackers could spread an Ajax attack through
MySpace as a means to release an invasive program deep inside a
corporation's internal network.
"This is just a natural extension of where things are headed," says
Grossman. "We know these kinds of attacks always get better and better."