Want to make sure your computers are safe from attack? Don't go on the Web.
OK, I know that's virtually impossible in today's world. I know I certainly couldn't make it through my work day without it. But a new report from Imperva found that the most vulnerable areas of websites are a serious security hole.
Imperva's Hacker Intelligence Initiative report looked at how local and remote file inclusion (RFI/LFI) attacks enable hackers to execute malicious code and steal data by manipulating a Web server. According to the report:
RFI/LFI has not been taken seriously by the security community. In real-world hacking attacks, RFI/LFI attacks made up 21 percent of all observed application attacks.
For hackers, RFI/LFI attacks are very attractive since they target PHP applications. With more than 77 percent of today's websites running PHP, RFI should be on every security practitioner's radar but isn't.
RFI/LFI attacks are a hacker's playground. These attacks take advantage of the PHP applications by using a URL reference to remotely host arbitrary code. PHP is used in a lot of sites, including some of the most popular sites out there, like Facebook, Wikipedia and Wordpress. The application is an easy door for hackers to enter, and the vulnerability has been used by hacking groups like LulzSec.
Or, as Tal Be'ery, Imperva's senior Web researcher, explained in a release:
LFI and RFI are popular attack vectors for hackers because it is less known and extremely powerful when successful. We observed that hacktivists and for-profit hackers utilized these techniques extensively in 2011, and we believe it is time for the security community to devote more attention to the issue.
The report provides an approach for protecting yourself against RFI attacks, as well as examples of real-world attacks and what they looked like. Imperva just provided a suggestion on how to slam shut one of those entries of easy access.
After every hack, security experts tell me that the vulnerability exploited could have easily been closed, and that groups like Anonymous and LulzSec are looking for those easy little mistakes to exploit. That's why it is important for security personnel to be ahead of the game and lock shut those easily opened security holes.