Web plug-in apps let in criminals too, says HP

Web exploit toolkits have become the favoured weapons of cyber criminals

Web exploit toolkits have become the favoured weapons of cyber criminals intent on stealing sensitive data from enterprises and individuals, a report from Hewlett-Packard says.

These easy-to-use "packaged" attack frameworks are traded online, enabling attackers to access enterprise IT systems and steal sensitive data, the HP 2010 Top Cyber Security Risks Report said on Monday.

More than half of vulnerabilities involve web applications, according to the data generated by HP WebInspect, an HP Fortify product.

HP found third-party plug-ins to content management systems were a leading cause of web application vulnerabilities. Blog and online discussion forum platforms such as WordPress, Joomla and Drupal were among the most frequently attacked systems, it said.

HP said more attacks were recorded in 2010 than in previous years, yet the number of newly discovered vulnerabilities remained relatively stable, although high. While most attacks targeted known and already patched security vulnerabilities, many high-profile attacks used new vulnerabilities before suppliers had issued fixes.

HP said it had set up the Zero Day Initiative within its Digital Vaccine Labs (DVLabs) to research and combat both types of attack.

"We have discovered that rather than invest resources to uncover new exploits, attackers are focused on current, unpatched vulnerabilities in web applications, social networking sites and Web 2.0 interfaces," said Mike Dausin, manager of advanced security intelligence at HP DVLabs.