The fragile Internet
Yesterday's news was that Anonymous and other cracker crews attacked and defaced a large number of corporate websites.
November 5 is a very symbolic date in the Anonymous underworld, and a massive defacement attack was carried out against, at least, PayPal, Symantec and Telecom Italia.
The activities of Anonymous and other crews tell us an old story: the Internet is fragile, your web applications can be attacked anytime, anywhere, and most of them are breakable.
The same old refrain
It was 10pm when I had dinner last night. My wife and my son were sleeping and I checked https://twitter.com/thesp0nge.
Some friends were talking about massive defacement activities carried out by Anonymous hacktivists and other cracker crews not connected to the former.
It wasn't the first time PayPal and Symantec were attacked; the latter suffered a source code leak some months ago.
The news that impressed me most was the attack against Telecom Italia.
The news reports that the attackers found more than 3.000 Cross-site scripting (XSS) vulnerabilities.
Even the OWASP WebGoat web application has fewer XSS flaws.
Of course, XSS was not the only hole they exploited. The report also talks about a poorly written .htaccess file and weak passwords that led to a successful attack.
The power of now
In a post about web agencies and about marketing-driven choices, I talked about the dangers of publishing a web application without a security program.
Marketing departments want to deploy new websites, new features and new dynamic content to promote goods and increase business. This is completely fair, but it can't be done without security awareness. The problem is that they don't have any clue that their websites can be attacked, and sometimes they don't trust the security departments trying to make them aware.
If your web manager says the website has to be online now, or even worse that this brand new feature must be added ASAP, you must make sure the new content can't be exploited in the wild, and you have to run all the necessary security tests before the content goes online.
Off by one
Yesterday's Anonymous attack makes me think about how hard our work is.
Sometimes people say that only banks deserve to be protected. But attacking broadcasting companies or telcos can amplify activism claims many times over.
Don't trust Web Application Firewalls. They will help, but clever attackers may get around their rules.
Force developers to write secure code instead.
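The secure-coding alternative argued for here, applied to the XSS class the post mentions, as an added Python example that is not part of the original post: the encoders, the render functions and the constructed sample input are assumptions of this example, not anything from the attacked sites.

```python
"""Context-aware output encoding, the secure-coding fix for the XSS class above.

Added example, not code from the original post. A WAF tries to recognise
hostile input and can be evaded; encoding every metacharacter at output
time needs no knowledge of what an attack looks like.
"""
import html
import json
from urllib.parse import quote


def encode_html(value: str) -> str:
    """For HTML body text and double-quoted attribute values."""
    # Escapes & < > " and ' so the value is always rendered as text, never as markup.
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a string literal inside an inline <script> block."""
    # JSON escaping covers quotes and backslashes; < > and & are escaped as well
    # so a '</script>' inside the data cannot close the enclosing script block.
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_url_param(value: str) -> str:
    """For a value placed in a URL query string."""
    return quote(value, safe="")


def render_profile_unsafe(name: str) -> str:
    # 'Before': user-controlled input concatenated straight into the page.
    return f"<h1>{name}</h1>"


def render_profile(name: str, city: str) -> str:
    # 'After': each insertion point uses the encoder matching its context.
    link = f'<a href="/search?city={encode_url_param(city)}" title="{encode_html(city)}">'
    return (
        f"<h1>{encode_html(name)}</h1>\n"
        f"{link}{encode_html(city)}</a>\n"
        f"<script>var visitor = {encode_js_string(name)};</script>"
    )


if __name__ == "__main__":
    # Constructed sample input containing every HTML metacharacter a renderer must handle.
    sample = 'Tom & "Jerry" <3'
    print(render_profile_unsafe(sample))
    print(render_profile(sample, "Sant'Agata"))
```

The point is the property, not the payload: the hardened renderer is correct for any input because it never has to decide whether a string is an attack.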
Enjoy it!
*** This is a Security Bloggers Network syndicated blog from armoredcode.com - the application security blog that gets the job done authored by Paolo Perego. Read the original post at: http://armoredcode.com/blog/the-fragile-internet/

