Filed under Security

Practice Safe XSS

Hacking, cracking, and codejacking have exploited application vulnerabilities from the time the earliest programmers wrote their first “Hello World”. In the past, only application developers were vulnerable to such attacks. The dynamic web brings these attacks into the domain of the common website, as more contemporary sites use a database to drive their content.

In the early 2000s, common websites were composed of several static HTML pages, and only programmers (and wealthy corporations) could enjoy the luxury of a database-driven content management system (CMS). When I wanted a database-driven site, I had to build one myself using PHP and MySQL. Sure, there were bulletin board systems (now referred to as forums), wikis, and web site building applications, but their use was nowhere near as popular as today.

With affordable website hosting came the deluge of database-driven websites. Blogs, forums, wikis, and open-source and commercial CMSs now drive most websites. Every one of these sites can accept user-generated content (UGC), and every one of these sites can be exploited. The web-based forms that interface with the database can open the door for SQL injection or cross-site scripting (XSS) attacks that can do anything from redirecting traffic from your site to an online pharmaceutical company to turning your server into a drone machine that attacks other servers.

At the time of this writing, Google returns over 16,000 results for ‘sql injection’ and 30,000 for ‘cross-site scripting’ OR ‘xss’ from articles indexed within the past 24 hours. Click the links to compare that number with the current articles at the time you read this. There shouldn’t be much difference. If anything, code exploits should become more frequent. After all, it is a numbers game: the number of database-driven sites increases exponentially.

We can’t lay blame on Microsoft vs. *nix-based servers, open-source vs. commercial software, or even specific companies, as all machines connected to a network are at risk. My fellow bloggers have had their WordPress sites hacked through their comment forms. When I explored Moodle on my server a couple of years ago, the landing page was replaced by a “YOU’VE BEEN HACKED” page even though I hadn’t publicized the link to anyone. It was only set up for a week.


While some users are malicious, some are just experimental. I recall a story of one user who hacked MySpace to exploit a hole that bypassed both the captcha and confirmation usually required to add “Friends”, and successfully befriended over a million users in the span of eight hours. Maybe I’m exaggerating, but over two days that script effectively shut down MySpace. The point is that regardless of how secure your site is today, you need to monitor your security, constantly.

Fred Salchli, Duo’s Chief Technical Officer, told me a story of how SQL injected into an unmanaged web application once corrupted a series of websites hosted on the same server. Duo was called in to rescue the data by running a script on each of the websites to determine which fields were affected by this code. Then they proceeded to update the applications to block the holes and prevent any future attacks.

He also gave some tips to reduce the possibility of your site being attacked. First, insulate your database from raw information submitted through web forms by cleaning the input through validation and by encoding and escaping strings. Within your code, enforce strong typing of variables that work with data input. Additionally, incorporate a database abstraction layer to provide a buffer between submitted data and your database.
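The three tips above (validate and type-check input, keep submitted data out of the SQL text, and escape output) side by side, as an added example that is not from the post or from Duo. It uses an in-memory SQLite table as a stand-in for the PHP/MySQL comment store the post describes; the table, rows and function names are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed stand-in for a blog's comment table (not the post's own schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body TEXT)")
    db.execute("INSERT INTO comments (post_id, body) VALUES (1, 'first'), (2, 'second')")
    return db


def comments_unsafe(db, post_id):
    # Raw form input spliced into the query text: the pattern that lets a
    # visitor change what the query means. Shown only to contrast with the
    # hardened version below.
    sql = "SELECT body FROM comments WHERE post_id = " + post_id
    return [row[0] for row in db.execute(sql)]


def comments_safe(db, post_id):
    # Strong typing: a post id arriving from a form is a string and must be
    # all digits; anything else is rejected before it gets near the database.
    if not (isinstance(post_id, str) and post_id.isdigit()):
        raise ValueError("post_id must be a positive integer")
    # Parameterized query: the driver (the abstraction layer) sends the value
    # separately from the SQL, so it can never be interpreted as SQL.
    rows = db.execute("SELECT body FROM comments WHERE post_id = ?", (int(post_id),))
    return [row[0] for row in rows]


def rejects(db, value):
    # True when the hardened query refuses the input outright.
    try:
        comments_safe(db, value)
        return False
    except ValueError:
        return True


def render_comment(body):
    # Output encoding: escape user text before placing it in HTML so stored
    # markup is shown as text rather than executed in visitors' browsers (XSS).
    return "<p>" + html.escape(body, quote=True) + "</p>"
```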

Once your code is secure, keep it secure by keeping abreast of security issues and applying patches and updates as required. And if your database still gets attacked, be sure that you have a current backup to restore your data.

Most attacks use JavaScript in combination with SQL. Some involve more complex code execution from image header information. However, a new threat has made recent news, one that uses neither of these methods. The first report I read about ‘clickjacking’ was so vague it was unclear whether even the author knew the exact nature of the problem.

However, other coders developed sample code exploits based on speculation of how these attacks could happen, and the results were downright scary. One turns your MySpace profile from private to public, and another sends an email to cyberspace using your Gmail account. (Note: if you are not already logged into these systems, these examples won’t work. You can bet the more malicious clickjacking scripts monitor your system, waiting for you to shop or bank online, and then send your keystrokes to remote locations.)

More recently, a quick scan of my server logs found an unusually high number of requests for aedating4CMS.php, as that script contains some apparent vulnerability. I would have been a lot more worried if I actually used that application. Nonetheless, because I treat invalid page requests as directives to search my WordPress database, allowing that request would tie up server resources and pose a security risk. Rather than letting this sort of behavior go through, I hacked my server script to redirect all requests containing ‘aedating’ back to the originator. Problem solved.
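The log scan described above, as an added example that is not the post's own script: it parses Apache-style access log lines, counts requests whose path contains the ‘aedating’ marker per client address, and provides the yes/no check a server rule would apply before the CMS's “not found” handler runs a database search. The log lines and addresses are constructed samples; only the script name aedating4CMS.php comes from the post.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-style access log lines (not the post's real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2008:10:01:02 -0400] "GET /aedating4CMS.php?dir=1 HTTP/1.1" 404 512
203.0.113.5 - - [12/Oct/2008:10:01:03 -0400] "GET /forum/aedating4CMS.php HTTP/1.1" 404 512
198.51.100.7 - - [12/Oct/2008:10:02:10 -0400] "GET /about/ HTTP/1.1" 200 2048
203.0.113.5 - - [12/Oct/2008:10:02:11 -0400] "GET /blog/aedating4CMS.php HTTP/1.0" 404 512
192.0.2.9 - - [12/Oct/2008:10:03:00 -0400] "GET /aedating4CMS.php HTTP/1.1" 404 512
"""

# client - - [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    # Return the named fields of one log line, or None for a line that does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text, needle="aedating"):
    # Count requests whose path contains the marker, grouped by client address.
    # Returns (total_hits, Counter keyed by ip); lines that do not parse are skipped.
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and needle in rec["path"].lower():
            hits[rec["ip"]] += 1
    return sum(hits.values()), hits


def should_block(path, needle="aedating"):
    # The post's mitigation, as a check: refuse any request path carrying the
    # marker so it never reaches the CMS's fallback database search.
    return needle in path.lower()


if __name__ == "__main__":
    total, by_ip = scan(SAMPLE_LOG)
    print(f"{total} matching requests")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n}")
```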

Most users don’t have the interest, the understanding, or the time to manage their server and database security to this extent. In these cases a web services company is your best friend, as their staff will test and troubleshoot your applications, apply upgrade patches, and even maintain backups in the event something happens. Hiring others to manage your hosting services frees you up to work on and build the core of your business.


Google Chrome is Good for Business

Apparently Google is not content with merely taking over the world. From their early beginnings as the ubiquitous little search engine that could, they’ve made a name for themselves through adding innovation on top of their acquisitions and partnerships. Until recently, web browsers were immune to this innovation—Google applications required Firefox, IE, Safari, Opera, and any other modern web browser to run.

But as of September 2, 2008, Google stepped on even their own toes, releasing the Google Chrome browser that is fast, standards-compliant, and above all, looks ready to do business as a shell for Google’s web-based word processor, spreadsheet, e-mail, calendar, and other applications. The fact you can also browse the world wide web through the program is a bonus.

Bigger Better Browser

Life hasn’t been the same since browser technology advanced to where developers could create interactive experiences within a web browser that looked and felt like desktop applications. These rich internet applications (RIA) paved the way for what we refer to as cloud computing: software and data that exist anywhere on the Internet are funneled through an application on a user’s desktop, and the user doesn’t need to know how they work or where they’re stored. So long as the applications behave as expected, and reassure the user that their data is safe, they are happy with not knowing.

Google Chrome seeks to build on everything for which we’ve used a web browser to date, and move us all into territory we have yet to explore. The very nature of the product lends itself to more creative uses, many of which don’t even exist, or may be twirling cartwheels inside developers’ heads.

In most companies the browser is the central application on a user’s desktop. In my previous life as a logistics data analyst, we used our web browser to connect to a software suite to manage our workload, cut purchase orders, pay invoices, write contracts, follow up on back orders, process returns, communicate with our co-workers, track our time… standard business stuff. Looking back, this was a rather limited use for our browser in terms of an application enabler.

In other parts of the Internet world, the web browser has been used to run more complicated web applications like wikis and blogs, content management systems, document control systems, and of course, true desktop-like applications. The developers behind Google Chrome saw this brave new world and designed the product to be invisible. After all, the important part of your day includes everything but the technology.

If Looks Could Kill Other Browsers

The first thing I noticed about Chrome is how it looks. The interface is basic, but sleek. There is no application menu, and no toolbars that take up a lot of space. Everything that could happen happens in the browser, or at least in a browser tab. The tabs appear at the very top of the window, creating the look of a physical filing cabinet. Other browsers’ tabs also point upwards, but still underneath a lot of menus and toolbars that drove me to buy a bigger monitor.

A Browser Without Menus

Google Chrome: A Browser Without Menus

What this means for me is that I can write this article in Google Docs (or Zoho Docs, for the non-partisan) with as much writing room as possible, before posting it into our blog CMS. This is a major plus for me. I use Google Docs to keep track of stuff between my day gig and my home life. I use Docs to record notes, and Spreadsheets to track my cash expenses. All this information is available to me from any computer connected to the Internet. Some may argue that using the free versions makes my information less secure “in the cloud”, but as my information isn’t CIA-level top secret I feel pretty safe.

Of course, I do copy my data from Google’s servers into other formats, and store some of the information on my own hard disks. Adam Pash wrote an article about backing up your data from Google’s servers on Lifehacker.com; the core focus of the article isn’t that Google is evil, but that redundancy is always the best option. I’ve heard it said that digital data doesn’t really exist unless it exists in at least two places.

No More Hurry Up and Wait

Google Chrome takes the browsing experience to new heights, in both web-standards compliance and rendering speed. Based on a recommendation from the Android team, the developers chose WebKit, the same W3C-fascistic rendering engine used by Apple’s Safari browser. I say “fascistic” because I’m still hurting from the experience of Safari breaking one of my web projects. Eventually I’ll come to grips with the understanding that this will teach me to write more standards-compliant code.

I see a noticeable speed improvement when viewing pages through this browser. The speed also improves my experience using browser-based applications. I read that Google uses techniques like DNS pre-fetching and caching, and a separate JavaScript virtual machine (V8) for each tab, but all this means to me is that web pages load more quickly and applications operate invisibly. Period.

For people on the go, on the road, and rarely sitting still, the idea of always-on access to Internet applications and data is a big plus. When the browser steps out of the way, it makes even remote collaboration easier.

The End of the Hourglass

Have you ever been surfing the web with a handful of tabs or a couple of windows open, when suddenly one page hung on the hourglass and your system froze in the process? Then, when you killed the offending tab or window, the entire application shut down, and you were forced to start your browsing experience afresh. Most web browsers run as a single application even when multiple tabs and windows are open. Hang one, you hang ‘em all.

Google Chrome ends the hourglass behavior by isolating the applications running in each tab and window from one another. This way, when an application in one tab hangs, closing that tab shuts down only that application. All the other tabs are left intact. Plus, applications cannot read information across tabs, so your information is more secure than in other web browsers.

The best part of the hype surrounding the browser’s launch was the 38-page comic book by Scott McCloud (aptly chosen, considering the benefits of Google Chrome to cloud computing technology). Page 14 explains in a more technical manner why V8 technology runs JavaScript faster than other browsers.

Google Chrome V8 Technology Processes JavaScript Intelligently


Looking Forward

I don’t think an application exists that doesn’t have faults. Google Chrome is no exception, though its faults are minuscule in comparison to other *cough* commercial applications.

First, Chrome is in perpetual beta. This frees the developers to continue to make tweaks and improvements with no timed release schedule. This also helps Google answer any complaints with, “This is only a beta, so some features are still being worked out.”

Second, at the time of this writing, Chrome can’t access any trusted sites that require a password. I downloaded the browser for the first time at work, and tried to test how well it let me edit the wiki on our corporate Intranet. The program couldn’t save my credentials, and our network locked my account after the fifth failed login attempt.

Finally, Chrome is open source, which really isn’t a fault at all. By licensing the source code for external developers to work with, Google opens the door for improvements and feature adds from the developer community outside Google. I’m sure this will prove to be a big win in the long run.

Links to Google Chrome Stuff
