14. September 2009 · Comments Off on Two more high profile Web 2.0 exploits – NY Times, RBS Worldpay · Categories: Breaches, IT Security 2.0, Malware, Secure Browsing · Tags: , , , , , , , , ,

Two more high profile organizations have succumbed to Web 2.0 based exploits, New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT Security tools, yet they were still breached by well understood exploit methods for which there are are proven mitigation tools.

I discussed this issue, Web 2.0 requires IT Security 2.0, at some length recently.

The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability of RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million
cardholders and other individuals, and the social security numbers
(SSNs) of 1.1 million people."

The New York Times website itself was not breached. A third party ad network vendor they use was serving "scareware" ads on New York Times site. Martin McKeay points out on his blog:

"it appears that the code wasn’t directly on a NYT server, rather it was
served up by one of the third-party services that provide ads for the
NYT.  Once again, it shows that even if you trust a particular site
you’re visiting, the interaction between that site and the secondary
systems supporting it offer a great attack vector for the bad guys to
gain access through."

On the other hand, the average user coming to the New York Times site is not aware of this detail and will most deservedly hold the New York Times responsible. Web sites that use third party ad networks to make money, must take responsibility for exploits on these ad networks. For now, as usual, end users have to protect themselves.

I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus obviously blocks ads and NoScript by default prevents JavaScript from running.

What's particularly interesting about NoScript is that you can allow JavaScript associated with the site to run but not the JaveScript associated with third party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.