
“Chishiki” is Japanese for “knowledge.” e-chishiki.com aims to bring software developers, information security professionals, IT executives and other IT pros a rich body of knowledge in the form of articles, interviews, tutorials and technical discussions. Our contributors are among the biggest names in the Indian IT industry and include noted authors, educators and practitioners.

Weekly Column - Web Application Attacks

Six Events That Changed the Face of e-Security

Vijay Mukhi

We all agree that the 9/11 attacks on the twin towers have changed our outlook towards terror and remodeled all rules of physical security. Accordingly, the rules of e-security have also changed dramatically in the last couple of years. The adage, "the king is dead, long live the king," still holds true over the ages. There is a desperate need for new rules of e-security even before the existing ones are understood and implemented.

Let’s understand why the transition has taken place in the e-security world from the way it used to be.

1. Web-based applications become widely diffused
The first unique and evident change is the substantial growth of applications that are web-based. Programmers have stopped building monolithic applications and are not creating executable files anymore.

A computer professional, five years back, would give a blank look or be totally uninterested in a discussion on web applications, as there was no widespread use of any Internet applications then. E-commerce sites made no money because there was great risk involved in any monetary transaction.

Today, times have changed. The entire technology world is focused extensively on writing trustworthy web-enabled applications. It is a hard and fast rule to have a browser interface to every application. One would not be wrong in saying that writing executable code is now the prerogative of big companies like Microsoft and Oracle, whereas the rest of the world focuses on web applications only. One of the many factors that contributed to this evolution is scalability. With the death of the exe file, most of the security vulnerabilities that affected executable files, such as buffer overflows, have faded out too.

2. Microsoft steps up as a standards bearer in the realm of application security
The second profound event that has transpired in due course of time is that companies like Microsoft have become the trendsetters in writing secure code. There was a time when Microsoft was heavily criticized and placed at the top of the list for producing the most vulnerable code in the software market. Today, the tide has turned, the shoe is on the other foot, and Microsoft is now setting standards in the e-security world. Though there is a series of patches released by Microsoft every month, the situation is not as grave as it used to be. The attacker, these days, would rather choose applications written by programmers working for small and medium-sized companies all over the world than touch the applications written by the larger companies. Hackers are moving away from breaking into the Windows operating system and are attacking application code instead.

3. Financial gain replaces notoriety as the motivating force for hackers
The third event is that the hacker is now motivated by money and more money. Gone are the days when an attacker would break into a system for bragging rights, for the pleasure of showing Bill Gates in a poor light, or for a political cause. The days of mass viruses like ‘I Love You’, which infected a million machines, are gone for good. Cyber crime has become far more organized than ever before and is run by mafia gangs. The focus is now on attacking single companies, and the only motivation behind the crime is money. The attacker today prefers to remain anonymous so that he can enjoy his ill-gotten wealth.

4. The Internet becomes the dominant online transaction platform
The fourth revolution is the execution of online transactions on the net. Nobody had envisaged the Internet as a channel for e-commerce trading. The Internet, which started as a medium for sharing knowledge, has suddenly become the vehicle for commerce all over the world. All transactions today, including banking, are performed online from the comfort of our homes or offices. Today, thanks to the progress and development in technology, one can avail of a bank loan without any physical interaction with any of the bank officers, or, for that matter, buy goods worth a million dollars from different countries. The world, no doubt, has become a global village.

A more disturbing corollary is that today the mobile phone is replacing the computer or laptop as the device through which technology is used. As a result, a much larger technology-illiterate population is using the insecure infrastructure that we call the Internet. It has been forecast that within a year, all code that runs on a computer will work seamlessly on a mobile phone as well, and there will be no difference at all between a mobile phone and a computer. In fact, in a couple of years, the mobile phone will showcase more features than a computer.

5. Programmers are not included in e-security strategy
The fifth trigger for the transition is that programmers have been left out of the e-security ecosystem. We rarely come across a program or lecture series anywhere in the world that actually trains a programmer to write code that can defend itself in cyberspace. There are very few companies in the world that insist that their programmers are suitably trained in what constitutes insecure code. Our premise is that if a programmer does not understand the attack vector, he will never be able to write code that can defend itself.

If a programmer is not able to write secure code, there is no way cyberspace will ever be secure. The coder should be the first and last line of attack in the war against the bad guys. Unfortunately, the programmer is nowhere to be seen in this war. Programmers are simply forgotten, and hence we are in such a sorry state. Companies have huge budgets for acquiring the best e-security hardware and software but allocate nothing towards educating manpower. We honestly believe that unless the programmer is made the general leading the battle in e-space, we can never win the war.

6. Information technology becomes widely diffused among the masses
The last trend is that users of technology gadgets have become more and more unsophisticated. With the advent of the mobile phone especially, this trend has accelerated. Today, every citizen has been or will be a victim of identity theft. Therefore it is not too shocking to see phishing at the top of Internet-related crime lists.

The user is gadget-savvy but technologically illiterate, and spends all his time on the Internet. He is too naïve to understand that surfing the web can be a dangerous experience, as he cannot differentiate right from wrong. The attacker uses this limitation to his advantage and makes money from this unsuspecting user.

The technology world has brought about a massive change in lifestyle, and it is revolutionizing everything at the speed of light, leaving all of us breathless. It’s time to tie our boots, welcome this change and be part of this revolution.

In the next column we look at the existing rules of security which are slowly getting outdated and talk about the newer rules of e-security.
