Yahoo Chief Scientist Describes Web Attacks

eLABorations: Even when patches are applied and systems are locked down, security is not complete.

Last week, Udi Manber, Yahoos chief scientist, described the kinds of attacks that any Web site offering Web services or other kinds of dynamic content can expect to face.

Manber presented his talk, "Exploits of Large-Scale Web Services and Counter-measures," at the 2002 IEEE Symposium on Security and Privacy, in Oakland (go to www.ieee-security.org/TC/SP02/sp02prelimprogram.html for more information).

The kinds of attacks that caused Yahoo the most problems werent traditional OS or Web server attacks, but service abuses, according to a report on the Dr. Dobbs Journal Web site (at www.ddj.com/news/fullstory.cgi?id=5887).

Yahoos top Web service security problem is abuse of services by automated software agents. HTML screen-scrapers were a big problem in Yahoos financial section, as some were screen-scraping HTML pages to retrieve real-time stock quotes and then reselling the information.

Denial-of-service attacks are also a problem. One particularly sneaky attack, which has also been a problem for eBay, took advantage of security features to block legitimate use.

Attackers would deliberately submit bad log-on requests using the user IDs of people they were bidding against in an online auction near the end of the auction period. Yahoo would disallow further log-in attempts for a certain period because of the attack and thus shut the real owner of the user ID from competing at the end of the auction.

The company is looking for ways to verify that log-ins supposedly performed by humans actually are done by humans, not software. This is the problem that Alan Turings famous Turing Test aims to solve, as does Carnegie Mellon Universitys CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) project, at www.captcha.net/.

In the B2B space, most of the time, Web services will be called by other computers, not by humans. However, a similar problem exists: how to detect that any particular request is processed once and only once. One solution is to require service users to tag incoming requests with unique message IDs.

Dynamic Web sites have always been vulnerable to abuse, and Web services will be just as open to attack. The issues Yahoo is facing show that security is far from complete even when all patches are applied and all systems are locked down.

West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ziffdavis.com.