Web plug-in apps let in criminals too, says HP


Web plug-in apps let in criminals too, says HP

Ian Grant

Web exploit toolkits have become the favoured weapons of cyber criminals intent on stealing sensitive data from enterprises and individuals, a report from Hewlett-Packard says.

These easy-to-use "packaged" attack frameworks are traded online, enabling attackers to access enterprise IT systems and steal sensitive data, the HP 2010 Top Cyber Security Risks Report said on Monday.

More than half of vulnerabilities involve web applications, according to the data generated by HP WebInspect, an HP Fortify product.

HP found third-party plug-ins to content management systems were a leading cause of web application vulnerabilities. Blog sites and online discussion forums such as Wordpress, Joomla and Drupal were among the most frequently attacked systems, it said.

HP said there were more attacks recorded in 2010 than in previous years, yet the number of discovered vulnerabilities remained relatively stable, but high. While most attacks were against known and patched security vulnerabilities, many high-profile attacks used new vulnerabilities before suppliers issued fixes.

HP said it had set up its Digital Vaccine Labs' (DVLabs) Zero Day Initiative to research and combat both types of attacks.

"We have discovered that rather than invest resources to uncover new exploits, attackers are focused on current, unpatched vulnerabilities in web applications, social networking sites and Web 2.0 interfaces," said Mike Dausin, manager of advanced security intelligence at HP DVLabs.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy