Breach Security to Present ‘Latest Hacks and Attacks’ from the Web Application Security Consortium (WASC)’s Distributed Open Proxy Honeypot Project

In October alone, the Honeypot Project logged over two million web attacks

CARLSBAD, Calif., November 7, 2007 – Breach Security, Inc., the leader in web application security, will be presenting ‘Latest Hacks and Attacks’ from the Web Application Security Consortium’s (WASC) Distributed Open Proxy Honeypot Project at next week’s Open Web Application Security Project (OWASP) & WASC AppSec 2007 Conference, in San Jose, CA.

The Distributed Open Proxy Honeypot Project initially began in January 2007 and is led by WASC officer Ryan C. Barnett, director of Application Security Training for Breach Security, Inc. Utilizing globally located open proxy servers and sensors, the Honeypot Project captures live attack data to provide specific examples of targeted web application attacks. Barnett will discuss the new findings on Wednesday, November 14th during the first day of the AppSec conference.

The open proxy honeypots are specially configured vmware hosts used as a medium for gathering attack data. Much of the traffic passing through the open proxies is from hackers or spammers looking to cover their tracks. When the project initially began in January, analysts collected data from seven open proxy servers in countries around the world including Germany, Greece, Russia and the United States.

The project has broadened over the past year, with the number of participating sensors doubling in number to 14. New open proxy servers are now located in Romania, Argentina, and Belgium. By deploying multiple open proxy server honeypots, WASC is able to take a granular look at the types of malicious traffic that are utilizing these systems.

“The evidence from this project demonstrates that web application attacks are increasing at an alarming rate. There are two main contributors to this trend; first, attackers have increased anonymity by looping through numerous open proxies or compromised hosts and are therefore more brazen in their attacks, and second is the increased usage of automation,” said Barnett. “Organizations need to ensure that they have adequate anti-automation mitigations in place to protect their web applications from these forms of attacks. Unfortunately, most web applications are not able to correlate data between transactions to identify when “non-human” interactions are taking place, and thus, it is only a matter of time before an attacker can gain unauthorized access to data.”

Project Scope:

• In October alone, the Honeypot Project logged close to nine million web requests, compared to nearly one million web requests during phase one.
• Over two million of all processed web requests in October exhibited known malicious attacks or anomalous behavior, as identified by the custom ModSecurity rule set.

Top Attacks by Volume:

• The largest amount of traffic was attributed to banner ad/click-through fraud with approximately 2.6 million requests, compared to less than 158,000 in phase one.
• Spammers represent the second highest number of users of the open proxy servers with approximately nearly two million requests, compared to slightly more than 109,600 requests in phase one.
• Continuing to follow the trend from phase one, the majority of web attacks continue to use automated programs, which increase the need for anti-automation defenses.

Top Attacks by Severity:

• Numerous websites are including malicious Javascript code which attempts to exploit unpatched browser flaws and install malware onto client machines.
• Spammers are utilizing an extensive distributed reverse brute force authentication scan against a popular email provider’s accounts. They are considered “stealthy” scans as they are distributing their scan across hundreds of unique email authentication hosts and are using specific “common” passwords and then cycling through different usernames, thus decreasing the likelihood of locking out accounts. Spammers can enumerate information to identify valid email accounts, or worse, to identify valid login credentials and actually hijack user accounts.
• Information leakage continues to be a significant problem as many websites are configured to provide overly detailed error messages which can reveal vulnerabilities to a hacker.

“This research project differs from conventional web attack statistics as we have wide visibility of attack traffic, whereas most organizations only see data destined for their specific sites,” said Barnett. “We present this project to the security and business community to build awareness by offering fresh insight into the multiple forms of web application attacks that are occurring.”

The global net of honeypots run Breach Security’s open source ModSecurity core rules to identify and block attacks and provide research data. The ModSecurity open source web application firewall is the most widely deployed with 10,000 users worldwide. This highly flexible web application firewall can be used for a wide range of functions including web application monitoring, web intrusion detection and prevention, as well as “just in time” virtual patching of known vulnerabilities. The Honeypot Project is also using Breach Security’s commercial ModSecurity Management Appliance (MMA), a network-based tool designed to collect logs and alerts from remote ModSecurity sensors in real-time. The MMA provides security analysts with a single interface for monitoring the security of their web applications.

For more information on the Breach Security, the OWASP & WASC AppSec 2007 Conference, and statistics related to the WASC Distributed Open Proxy Honeypot Project, please visit http://www.breach.com or call +760 444 6150.

WASC maintains a number of projects to generate web application security awareness, classify threats against web applications, and provide evaluation criteria for web application security solutions. Additional information about the WASC Distributed Open Proxy Honeypot Project can be found at http://www.webappsec.org/projects/honeypots/.

WebDefend is available from Breach Security and its resellers. For more information, please visit our website at www.breach.com or contact us at +1 866 393 0907 or +1 760 448 2051.

About Breach Security, Inc.
Breach Security, Inc. is the leading provider of next-generation web application security that protects sensitive web-based information. Breach Security protects web applications from Internet hacking attacks and provides an effective solution for emerging security challenges such as identity theft, information leakage, and insecurely coded applications. Breach Security’s solutions also support regulatory compliance requirements for security. The company’s WebDefend web application firewall is ICSA Labs certified. Founded in 2004, Breach Security is headquartered in Carlsbad, Calif. For more information, please visit: www.breach.com.

About WASC
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best- practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security. Membership and participation in WASC related activities is free and open to all. For more information visit: http://www.webappsec.org.

Breach Security, WebDefend, BreachMarks, and ModSecurity are trademarks of Breach Security, Inc. All other companies’ names and product names are trademarks of their respective organizations