NTA Monitor warns companies of new security threats.

Internet security tests, conducted by NTA Monitor during 2005, showed that many web servers and web-based applications were vulnerable to cross site scripting attacks. Now a concerning new cross site scripting method is beginning to appear that could allow attackers to monitor visitors' searches, usernames and passwords without their knowledge.

Cross site scripting enables an attacker to execute malicious code on a user's machine via the browser. The flaw arises when information submitted by users is not properly stripped of HTML tags.

Roy Hills, Technical Director at NTA Monitor, explains the emerging trend: "Attackers are creating websites in which they embed malicious code to track a visitor's searches, usernames and passwords. The code can affect a visitor's PC without their knowledge and can quickly spread to other visitors' machines. Interactive social websites, blogs and forums could be affected, as visitors may not necessarily be aware of the legitimacy of the companies or individuals that own the websites that they visit. If the code is embedded in a homepage, it would mean that every visitor landing on the homepage would be affected."

With the popularity of social networking sites such as MySpace and YouTube soaring, consumers and organisations are being warned by NTA of this emerging threat. It is possible that employees could put corporate network security at risk by visiting these types of websites whilst at work.

It can be difficult to identify the malicious code, as browsers do not currently identify malware, and the best way to safeguard against it is to undertake regular security testing. However, there are some precautions that can be taken in order to minimise the threat to organisations and individuals:

* Ensure that employees install, run and update anti-spyware and malware programs such as AdAware
* Undertake regular penetration testing
* Publish an IT policy--employees should not visit non-work-related websites during the working day
* Restrict users' access to social networking sites in line with IT policies

www.nta-monitor.com