Ironic hack comes as no surprise

Fortify : 11 May, 2009  (Technical Article)
Fortify comments on the recent "ironic" hack of a movie licensing site that inserted a link to an illegal file-sharing site
Fortify Software says that the cross-site scripting (XSS) security flaw reported on the Web sites of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) comes as no surprise.

'The fact that a cracker known as Vektor - a member of the Team Elite group of Web exploit publicists - was able to insert details of the well-known file-sharing site, The Pirate Bay, into the MPAA's recommended list of sites is ironic, given the MPAA's stance on illegal file-sharing,' said Richard Kirk, Fortify's director.

'But the issue that such sites are open to XSS-driven incursions and alterations comes as no surprise, given the fact that so many sites are poorly programmed and therefore open to such attacks,' he added.
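The article does not say what the MPAA page did with attacker-controlled input, only that an XSS flaw let Vektor place a link to The Pirate Bay inside the site's recommended list. The following is an added example, not code from Fortify, the MPAA or anyone quoted on this page, that shows the mechanism behind that kind of alteration on a constructed "recommended sites" page. It assumes a reflected flaw (a `q` search parameter echoed into the page; the parameter name, the `/search` path, the site list and the attacker's host are all invented for the example) and places the vulnerable template beside the hardened one, so the only difference is whether untrusted values are HTML-encoded on output.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data, not the MPAA's real page: a list of sites the page
# recommends, rendered below a line that echoes the visitor's search term.
RECOMMENDED_SITES = ["www.example-studio.test", "www.example-licensing.test"]

# Constructed attacker payload. It closes the list item the search term is
# echoed into and opens a new one carrying a link to a host of the attacker's
# choosing, so the link renders as just another entry in the recommended list.
PAYLOAD = '</li><li><a href="http://example-attacker.test/">Attacker site</a>'
INJECTED_ANCHOR = '<a href="http://example-attacker.test/">'


def render_vulnerable(recommended, search_term):
    """Echo the search term into the HTML without encoding it.

    This is the bug class the article describes: anything the visitor (or a
    link they were tricked into clicking) supplies is parsed as markup.
    """
    items = "".join(f"<li>{site}</li>" for site in recommended)
    return (
        "<h2>Recommended sites</h2><ul>"
        f"<li>Showing sites matching: {search_term}</li>"
        f"{items}</ul>"
    )


def render_hardened(recommended, search_term):
    """Same page, but every untrusted value is HTML-encoded for the element
    context it lands in, so a payload is displayed as text, not parsed as tags.
    """
    items = "".join(f"<li>{html.escape(site)}</li>" for site in recommended)
    return (
        "<h2>Recommended sites</h2><ul>"
        f"<li>Showing sites matching: {html.escape(search_term, quote=True)}</li>"
        f"{items}</ul>"
    )


def attack_url(payload=PAYLOAD):
    """Build the URL an attacker would circulate. The 'q' parameter name and
    the /search path are assumptions made for this example."""
    return "/search?" + urlencode({"q": payload})


def handle_request(url, hardened):
    """Hypothetical request handler: pull 'q' out of the query string and
    render the page with either the vulnerable or the hardened template."""
    params = parse_qs(urlsplit(url).query)
    search_term = params.get("q", [""])[0]
    renderer = render_hardened if hardened else render_vulnerable
    return renderer(RECOMMENDED_SITES, search_term)


def injected(rendered_html):
    """Report whether the attacker's anchor tag survived as live markup."""
    return INJECTED_ANCHOR in rendered_html


if __name__ == "__main__":
    url = attack_url()
    print("Attack URL:", url)
    print("Vulnerable page injected:", injected(handle_request(url, hardened=False)))
    print("Hardened page injected:  ", injected(handle_request(url, hardened=True)))
```

Running the module prints the crafted URL and reports the injection succeeding against the vulnerable template and failing against the hardened one, where the payload appears on the page as the literal text `&lt;a href=&quot;...`. The fix is output encoding at the point where data meets markup; it applies equally to a stored variant, where the same list entry would have arrived from a database rather than from the query string, since the template cannot tell where the value came from.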

According to Kirk, the list of XSS-attacked sites is now quite long and includes eBay, Intel, Eset, Kaspersky, McAfee, Symantec to mention but a few.

The sad reality of a world of poorly audited and poorly programmed site hosting, he says, is that this list is going to get longer.

As companies are pressured by the economic recession, IT security safeguards such as program code auditing and soak testing are either curtailed or axed from the development process. The result is that program code - like the hosting software seen on the above sites - goes live without being fully tested, he explained.

'Until such time as organisations get wise to the fact that they simply cannot afford to remove back-room security such as code auditing and soak testing from their portfolio of IT security defences, these types of attacks will continue,' he said.

'The MPAA is lucky that Vektor's attack was a proof-of-concept one, and intended as something of a joke. The next time they, and other organisations whose sites are vulnerable to XSS-driven attacks, may not be so lucky,' he added.