ITP.net’s Cyber Kung Fu Master Class: Website attacks, with Sophos
Chester Wisniewski of Sophos trains us to be aware of our surroundings whether we are site visitors or administrators
Hopefully Cyber Kung Fu (gong!) is beginning to settle into your limbs and skin. You should be more wary about what kind of battleground you are on and your feline reflexes should be coming along nicely.
So far, in the inner sanctum of ITP.net's digital dojo, we have studied DDoS, DNS cache-poisoning and phishing, but this month, rather than get specific about our attacks, we thought our guest master could school students in the art of Internet awareness, as the website can be both a target of, and a staging ground for, cyber-attacks.
So get ready once again to learn the noble art of Cyber Kung Fu (gong!).
Meet this month's Cyber Kung Fu Master: Chester Wisniewski, senior security consultant at Sophos
Chester "Chet" Wisniewski is a senior security advisor at Sophos with more than 15 years' experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more accessible to the public, the media and IT professionals.
Chester frequently writes articles for the award-winning Naked Security blog, produces the weekly podcast "Sophos Security Chet Chat" and is a frequent speaker at conferences and in the press.
The attack: Website attacks
A website can be a treacherous place for both visitors and administrators. The site forms the digital presence of private and public sector organisations, and brands can be tarnished when that Web-based billboard is vandalised.
"Someone attacking the website is usually using stolen credentials from someone with permission to publish the website or uses a flaw in the code of the website, most commonly SQL injection, to insert malicious code into the victim site," says Master Wisniewski.
We shall deal with SQL Injection in a later Cyber Kung Fu class, but for now it is enough to know that the technique gives attackers access to private databases. In the case of a website, content-management systems (CMS) are usually fed by a database. Manipulation of that database can allow defacement of pages.
But a more commonly recognised website attack is one where the administrators are the cyber-villains and visitors to the site become their unwitting victims. Cyber criminals have become more and more sophisticated in their execution of the con, which can lead visitors to believe they are dealing with a trusted source they engage with every day, such as a bank, or even their own employer.
Continues on next page>>