Last Updated: Wednesday, 18 May, 2005, 08:48 GMT 09:48 UK
Online stores come under attack
By Mark Ward
Technology Correspondent, BBC News website

[Image: hands on a computer keyboard. Caption: The right combination of words can unlock web databases]
Cyber criminals are turning their attention to the programs that run many online shops, say experts.

The move to target the databases and programs that power online shops is a significant change in tactics.

In one case, an attacker got hold of a PC maker's entire customer list and sent everyone on it a nasty note.

"It's kind of like an arms race. It's the next logical step to go after the application itself," said Rob Straight from software firm Compuware.

"There are a lot of people that spend their time and energy to think of ways to break into applications maybe for fun and maybe for profit," he said.

Crime spree

Businesses connected to the net, and especially those that run online shops, are used to defeating all kinds of attacks. On a daily basis they have to cope with attempts to exploit known vulnerabilities as well as viruses and worms that try to slip through security software.

Evidence for just how new this is can be seen in the latest list of the Top 20 most vulnerable programs released in early May by the Sans Institute.

For the first time this list included such things as media players, anti-virus programs, web browsers and databases.

Vulnerabilities in browsers and media players are proving popular with the malicious hackers, said Gerhard Eschelbeck, chief technology officer at security firm Qualys and a Sans contributor.

"They typically require some interaction by the victim to get exploited, such as browsing a malicious website, or opening a malicious e-mail or media file," he said.

But, he says, attempts to subvert website shopping systems rather than the basic operating systems on PCs and servers are something new.

Many of the programs or applications that net businesses write to power their online shops include fields in which customers can enter text such as a quantity, wrapping instructions or address.

Basket case

Web shops and online banks were seeing far more attempts to inject working computer code into the databases and applications behind the scenes of many websites, said Donal Casey, spokesman for Diagonal Security.

[Image: online banking webpage, BBC. Caption: Online banks are regularly attacked by computer criminals]
"It can be very difficult to defend against these attacks," he said.

What can make it worse is that once attackers find a vulnerability in one web application, they are likely to try it again and again in all the other places that particular program is used.

Organisations such as the Jericho Forum and the Open Web Application Security Project have sprung up to do a better job of scrutinising these backroom programs and ensuring they are secure.

"You can get unexpected input by users and the application might not be set up to deal with that," said Mr Straight from Compuware. "You could get unpredictable results and/or even the failure of the application."

Some attackers try to enter database commands into such fields just to see what happens. In such cases "unpredictable results" could see those commands executed and a database seriously compromised, said Mr Straight.

Attackers could end up with a store's entire customer list, including credit card numbers and bank account details.

Increasingly, said Mr Straight, developers writing web applications were turning to automated tools that check the programs are proof against the most common attacks.

"We can simulate what a hacker would do by bombarding an application with erroneous text strings," said Mr Straight.

"There are real consequences to all this," he said.
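The two points made above, that text typed into a shop's order form can be executed as database commands when the application pastes it straight into a query, and that developers now run automated tools that bombard an application with erroneous strings to check it copes, can be shown together in a small piece of code. This is an added example, not code from the BBC article or from Compuware, Diagonal Security or any of the firms quoted. It uses Python's built-in sqlite3 module with a constructed in-memory order table; the table, the sample customers and the list of erroneous strings are all invented for the example. The vulnerable handler concatenates the quantity field into the SQL; the hardened handler validates the field as a small whole number and binds it as a query parameter, so the database never interprets it as SQL. The fuzz function plays the part of the automated checker Mr Straight describes.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory "orders" table standing in for a web shop's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, quantity INTEGER)")
    conn.executemany("INSERT INTO orders (customer, quantity) VALUES (?, ?)",
                     [("alice", 1), ("bob", 2), ("carol", 3)])
    conn.commit()
    return conn

def find_orders_vulnerable(conn, quantity_field):
    # The pattern the article warns about: the text a customer typed into the
    # "quantity" box is pasted straight into the SQL statement, so any database
    # syntax in that text is executed along with the query.
    sql = "SELECT customer FROM orders WHERE quantity = " + quantity_field + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def find_orders_hardened(conn, quantity_field):
    # Validate the field as the type the shop actually expects (1-6 ASCII digits),
    # then bind it as a parameter: the value travels separately from the SQL text,
    # so it can never change the meaning of the statement.
    if not re.fullmatch(r"[0-9]{1,6}", quantity_field):
        raise ValueError("quantity must be a whole number")
    quantity = int(quantity_field)
    return [row[0] for row in conn.execute(
        "SELECT customer FROM orders WHERE quantity = ? ORDER BY id", (quantity,))]

# Constructed erroneous strings of the kind an automated checker would feed into a form field.
# "2" is the only valid quantity; every other entry should be cleanly rejected by a sound handler.
FUZZ_INPUTS = ["2", "", "abc", "2 OR 1=1", "'", "-1", "2 --", "99999999999999999999"]

def fuzz(handler):
    """Run each string through the handler and classify what happened.

    Outcomes: 'ok' (valid input, expected rows), 'rejected' (invalid input refused
    before reaching the database), 'accepted_invalid' (invalid input ran as a query,
    the dangerous case) or 'db_error:<type>' (the database choked on the input).
    """
    results = {}
    for field in FUZZ_INPUTS:
        conn = make_db()
        try:
            rows = handler(conn, field)
            if field == "2":
                results[field] = "ok" if rows == ["bob"] else "unexpected_rows"
            else:
                results[field] = "accepted_invalid"
        except ValueError:
            results[field] = "rejected"
        except Exception as exc:  # sqlite3 errors and anything else the input provoked
            results[field] = "db_error:" + type(exc).__name__
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    for name, handler in [("vulnerable", find_orders_vulnerable), ("hardened", find_orders_hardened)]:
        print(name)
        for field, outcome in fuzz(handler).items():
            print(f"  {field!r:>24} -> {outcome}")
```

Running the script shows the difference the article is getting at: with the vulnerable handler the string "2 OR 1=1" is accepted and returns every customer in the table, which is how an attacker could "end up with a store's entire customer list", while most of the other strings simply crash the query. With the hardened handler only "2" reaches the database and everything else is refused with a clear error before any SQL is built.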
