eBay IT exec warns of application layer attacks

TORONTO – The biggest security concern for your enterprise over the next year should be protecting against application layer attacks, according to a senior security director at eBay Inc.

During his keynote session at Thursday’s Infosecurity Canada 2008 conference in Toronto, Dave Tyson, the online auction giant’s senior director of information security operations and business continuity planning, said that companies which have strong interactions with customers over the Internet will be the most sought-after target for hackers.

“If you’re a product or services-based company and you want to interact with your customers with greater functionality, attacks at the application layer will be an emerging problem for you,” he said. “We’ve found that most companies are prepared at the network level, but they haven’t put the strategies and budget in place for these new threats.”

In an application layer attack, hackers could be looking to hijack user accounts to get passwords and other personal information, gain administrative privileges on client/server machines, gain root access to execute malicious commands, or install Trojans and Backdoors to wipe out or destroy applications.

“The thing that really keeps me up at night is the speed of sophistication of these attacks, where things we saw six months ago still haven’t been taken hold in the general community,” he said.

According to Tyson, application layer attacks can easily hinder the trust relationship your company has with its clients. He cited the example of last year’s Bayrob Trojan horse, which was capable of establishing a proxy server in a victim’s computer and using it to steal sensitive data.

“It was distributed by e-mail, so the user gets a link that looks like it’s coming from your company,” Tyson said. “The trouble is, when you click the link, it downloads Apache Web Server and puts up a copy of your Web site. So, the user thinks they’re conducting business with you, but they are actually working with the bad guys.”

The increasing sophistication of botnets, he said, is another major concern for application layer security.

“You might have 200,000 botnets looking for interactions between your customers,” Tyson said. “They’ll pick up your user IDs, then pound away to do logins with them. If you have a system that locks out users after a few tries, every customer you have could be locked out of your site. If you’re a bank, that’s a problem.”

To protect against the fast moving world of security attacks out there, he said security executives will need to bake security principles right into the infrastructure. Often times, Tyson said, enterprises fail to follow fundamental security principles, like enabling the encryption technology for their Cisco switches or properly coding their Web sites to limit security holes.