Are Web Applications a Security Concern?

Over the Fourth of July holiday weekend, a wave of cyber-assaults, or “denial of service” attacks, believed to have originated in North Korea, targeted a number of U.S. and South Korean government agencies and commercial Web sites, causing some to suffer temporary outages. While there were no reported leaks of classified information or serious damage to networks, the organized assault underscored the conclusions of a recent White House cybersecurity review; namely, that the country's digital infrastructure and domestic networks are not secure.

Attacks on the Rise

Indeed, the past six months have been a period of heightened concern about cybersecurity. The U.S. Department of Defense reported that a group of foreign hackers broke into two U.S. Army servers and exploited certain security vulnerabilities. The department also announced the formation of a new military cybercommand. Moreover, President Barack Obama confirmed that hackers had accessed confidential files during his presidential campaign.

In the wake of the growing concern over cybercrime, the government is currently debating its cyberdefense strategy and how it should retaliate to cyber-assaults.

In addition, several high-profile computer hackers have recently been indicted or face prison time as a result of their unlawful activities. For example, a hacker named “Max Vision,” who stole almost two million credit card numbers from financial institutions, merchants and other hackers, recently pleaded guilty to federal wire fraud charges and is awaiting sentencing. In another matter, a 19-year-old blind hacker was sentenced to 135 months in prison for unauthorized access to telecommunication company information, among other crimes. See, Poulsen, “Superhacker Max Butler Pleads Guilty,” Wired (June 29, 2009); Wilonsky, “The 19-Year-Old Blind 'Little Hacker' Gets 135 Months in Federal Prison For 'Swatting',” Dallas Observer Crime and Punishment Blog (June 29, 2009).

Also, in ongoing proceedings, an accused British hacker, who allegedly
accessed data on NASA computers, is seeking judicial review of a prior order
permitting his extradition to the United States, arguing he should not be held criminally responsible because he is a sufferer of Asperger's syndrome. See, Gibb, “Gary McKinnon, Hacker With Asperger Syndrome, Fights Extradition to U.S.,” The Times (June 10, 2009).

Facing similar concerns to operators of government networks, private companies with external Web sites can be susceptible to attackers looking to commit defacement or infiltrate computer networks to steal sensitive information. The increased corporate reliance on complex applications and technologies contribute to the potential for security vulnerabilities and an increased need for computer security.

A growing concern is that legitimate Web sites continue to be targeted by hackers, with a reported 30,000 pages affected every day by malware attacks. (See, Shiels, “Legit Web Sites Face Malware Hits,” BBC News (June 17, 2009).) Successful attacks can compromise confidential resources or consumer data and harm an organization's image. Further, an improperly configured Web server can be attacked directly to obtain unauthorized access to an organization's internal resources.

This article discusses Web application security concerns, common Web application attacks and some of the enforcement actions taken by the Federal Trade Commission against companies that have suffered security breaches allegedly due to inadequate security practices.

Security Concerns

Business Web sites have become an indispensable means to communicate with prospective customers and conduct transactions. Sites have become more dynamic, giving users new capabilities to run applications, query databases and access personal and financial content.

Highly interactive sites boast multiple ways to reach out to users, namely through login and informational fields, electronic shopping carts and data uploading systems that collect, process and electronically transmit potentially sensitive consumer information.

Such interactions are performed by Web applications, which are programs that act as the intermediary between a site's servers and its database servers such that data submitted or requested by users can be transmitted from a company's database to users' browsers.

For example, a database might maintain information related to login credentials, financial information, statistics, pricing or inventory information, or other sensitive data that, when accessed legitimately, gives a site its functionality for users and customers.

When a user's submission requires additions to, or retrieval from, a company's database, whether a simple search, account information request or e-commerce transaction, the application accesses the database servers to run the particular request, with the information displayed on users' screens.

However, as hackers and identity thieves have become more adept at exploiting programming vulnerabilities to gain access to a company's Web and database servers, the use of Web applications raises cybersecurity concerns. The intruders seek unauthorized access for several reasons, such as: to deface a site (i.e., changing information on the server or redirect traffic to embarrass a company or make a political statement); steal sensitive data for illicit gains; plant malicious code to further a phishing scheme or other online scam; or create a distribution point for attack tools, spam, pornography or pirated software. See generally, “Guidelines on Securing Public Web Servers,” U.S. Dep't of Commerce, Nat'l Inst. of Standards and Technology (Sept. 2007).

In addition, sensitive information transmitted unencrypted between the server and a user's browser may be intercepted or malicious entities may attempt to gain unauthorized access to resources elsewhere in the organization's network via a
successful attack on the server.

Such attacks are consistent with a trend in malicious user behavior that focuses on attacking applications accessible via the Internet, as opposed to attacking the operating system of the host platform. (See, e.g., Ackerman, “Dangers Grow on Web From Attacks,” Mercury News (July 6, 2009).) Indeed, the growth of attacks has been fueled by the easy availability of automated programs, or “rootkits,” that can perform a sweep across the Web to detect which sites have known vulnerabilities. Thus, if a site's applications are not secure, then sensitive consumer information could be at risk from one of many common exploits.

Common Attacks

In recent years, as the security of networks and server installations have improved, poorly written software applications and scripts that inadvertently allow attackers to compromise the security of a Web server or collect data from backend databases are the routine targets of attacks.

Common attacks include “structured query language” injection, where a hacker is able to input commands to a database, and “cross-site scripting” (“XSS“), where an attacker manipulates the application to store malicious scripting language commands that are activated when a subsequent user opens the Web page. See, “Guidelines on Securing Public Web Servers,” supra. n.4.

Generally speaking, XSS refers to the act of injecting a malicious code into a Web page, which is then executed in the user's browser, in order to perform some sort of manipulation. XSS exploits the browser's (as well as the user's) trust that the page they are viewing is safe for downloading information and/or clicking on links presented.

XSS often takes advantage of Web servers that return dynamically generated pages. A successful attack potentially allows the hacker to redirect the page to a malicious location, hijack a user's browser, engage in computer network reconnaissance or plant backdoor programs, all while being completely transparent to the end users. (See generally, “CIRCTech08-003: Understanding Cross-Site Scripting (XSS),” U.S. Dep't of Energy Cyber Incident Response Capability (June 3, 2008).) As a result, a hacker can typically gain access to a company's database servers, deface Web pages, spread worms or execute malicious computer script. (See, “Recommended Practice Case Study: Cross-Site Scripting,” U.S. Dep't of Homeland Security, Control Systems Security Program (Feb. 2007).)

Another common attack, SQL injection, allows commands to be executed directly against the database, thereby permitting disclosure and modification of the data within.

SQL is a computer language for querying and modifying data and the management of databases. The most common pathway for an SQL injection attack occurs when a hacker is permitted to enter SQL commands into a certain Web feature (e.g., login form, search query boxes, feedback forms) or directly into the browser address bar and query the database without authorization.

SQL injection usually involves a combination of inappropriate security permissions, unfiltered user input, and software code errors or omissions. Since SQL injection is possible even when no traditional software vulnerabilities exist, mitigation is often more complicated than simply applying a security patch. (See generally, “SQL Injection,” U.S. Computer Emergency Response Team (US-CERT) (2009).)

With more and more Web servers comprising a front end for a database server, there is an ongoing risk that an intruder can compromise the database unless adequate security precautions are taken.

Practical, Legal Protections

Many resources are available for managers, developers and system administrators to guide, write and deploy secure Web applications. Beyond solid programming practices and installation of server software updates and patches, there are a number of major security forums (e.g., the SANS Institute and the Open Web Application Security Project) that publish reports describing the most critical Internet security threats and detailed methods for remediation. (See, “Web Server Security Technical Implementation Guide Version 6, Release 1,” U.S. Dep't of Defense, Defense Information Systems Agency (Dec. 11, 2006).)

Beyond that, site owners can do things like separate the Web and SQL servers, add application firewalls and use security tools called Web vulnerability scanners for auditing an application for potential threats and application server vulnerabilities. (See, “CIRCTech06-001: Protecting Against SQL Injection Attacks,” U.S. Dep't of Energy Cyber Incident Response Capability (Sept. 6, 2006).)

Besides technological and security solutions, database owners may also have certain legal remedies against hackers that compromise a proprietary system and misappropriate sensitive data, including claims under the Computer Fraud and Abuse Act, which punishes any person who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” 18 U.S.C. '1030(a)(5)(A)(i).

For example, in one criminal matter, a departing employee hacked into his employer's computer system and planted a malicious “time bomb” program set to trigger on a particular date that subsequently corrupted the database. An appeals court affirmed the jury's verdict, finding “overwhelming” evidence to support the defendant's conviction, namely, his high-level access to the breached database, his unique ability to program in the computer system, his antagonistic relationship with his employer and the timing of certain edits to the “time bomb” program that corresponded to meetings regarding his termination. See , United States v. Shea , 493 F.3d 1110 (9th Cir. 2007).

FTC Enforcement Actions

Citing authority under '5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices, the FTC has been fairly active in bringing enforcement actions against private entities that have allegedly failed to take reasonable security measures to protect sensitive consumer data from common Web application vulnerabilities, often in contravention to promises made in Web site privacy policies. (Under the Act, deceptive practices include acts that “cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition.” 15 U.S.C. '45(n) (2007). Courts have also stated that the FTC has broad authority to declare trade practices unfair. See , E. I. Du Pont de Nemours & Co. v. FTC , 729 F.2d 128, 136 (2d Cir. 1984). See generally, Joel B. Hanson, “Liability for Consumer Information Security Breaches: Deconstructing FTC Complaints and Settlements,” 4 Shidler J. L. Com. & Tech. 11 (May 23, 2008).)

The practices challenged have included, but are not limited to, storing sensitive information on networks in a vulnerable format, failing to adequately assess the vulnerability of an application and computer network to commonly known or reasonably foreseeable attacks, failing to implement simple, low-cost and readily available defenses to such attacks, and failing to use readily available security measures to limit access between computers on a network and computers and the Internet. See, e.g., In re Guidance Software, Inc., FTC File No. 062 3057 (Complaint issued Mar. 30, 2007).

In one recent enforcement action, an online computer and electronics retailer operated a network that consumers used, in conjunction with their retail Web site and application, to obtain information and to buy products. In re Genica Corp., FTC File No. 082 3113 (Decision and Order Mar. 16, 2009).

According to the FTC complaint, the retailer made certain published promises in its Web site privacy policy, but the FTC alleged that the retailer failed to adequately protect stored consumer personal information such that hackers repeatedly exploited certain security vulnerabilities by using SQL injection attacks on the Web site and application.

As a result of the attacks, the hackers stole the information of hundreds of customers, including sensitive financial information. As part of the settlement, the retailer was prohibited from misrepresenting the extent to which it protects confidential consumer information and was required to establish a comprehensive information security program.

Online Marketer Case

In another enforcement action, the FTC claimed an online marketer, among other privacy related charges, published online privacy policies claiming it encrypted customer information, but either failed to do so or used an insecure form of encryption, with some sites vulnerable to common SQL injection attacks. See , United States v. ValueClick, Inc., No. 08-01711 (C.D. Cal. stipulated final judgment approved Mar. 17, 2008).

As part of the settlement, the marketer agreed to institute a comprehensive security program, and to avoid making deceptive representations concerning: 1) the use of encryption to protect personal information collected from or about consumers; 2) the features and efficacy of any hardware, software or data security solution; and 3) the manner or extent to which the privacy, confidentiality or security of any personal information collected from or about consumers is maintained or protected.

Similarly, two data brokers charged by the FTC for failing to provide appropriate security for sensitive consumer information agreed to enter into consent orders that required the companies to implement comprehensive information security programs and obtain biennial audits by independent third-party security professionals for the next 20 years. In re Reed Elsevier Inc. and Seisint, Inc., FTC File No. 052-3094 (Decision and Order July 29, 2008).

The data brokers were in the business of collecting, maintaining and selling information about consumers to clients who used the information to authenticate identities and verify credentials. According to the FTC's complaint against the data brokers, the FTC alleged that the brokers' security failures allowed customers to use easy-to-guess passwords to access databases containing sensitive consumer information, resulting in instances of identity theft.

The complaint further alleged the data brokers did not properly assess the vulnerability of certain Web applications and computer networks to commonly known cross-site scripting attacks or put into place remedial actions to prevent unauthorized access to sensitive consumer information.

Looking Ahead

Given the FTC's track record over the past decade, it is likely the FTC will continue to be active in seeking to protect the online privacy of sensitive consumer information and investigate companies with misleading Web site privacy policies or deficient site data security protections. (A list of the FTC's privacy-related actions taken over the past decade is available at www.ftc.gov/privacy/privacyinitiatives/promises_enf.html (last visited July 1, 2009).) Moreover, the so-called Red Flag Rules, 16 C.F.R. Part 681.1, that require financial institutions and specifically defined creditors that extend or maintain covered accounts to develop and implement written identity theft prevention programs were slated to go into effect August 1, conceivably adding additional authority for federal agencies to bring enforcement actions against qualifying businesses without proper data security programs.

Given the FTC's apparent authority under '5 of the FTC Act, the new Red Flag Rules requirements, as well as similar state consumer protection and informational privacy laws, it would be prudent for companies with interactive sites and dynamic Web pages to review their comprehensive information security programs to ensure their networks are in compliance with new regulations and protect against the latest exploits used by sophisticated hackers.

Richard Raysman, a partner at Holland & Knight, and Peter Brown, a partner at Baker & Hostetler and a member of this newsletter's Board of Editors, are co-authors of 'Computer Law: Drafting and Negotiating Forms and Agreements' (Law Journal Press).