Web-based applications and security holes in Microsoft Office are among the biggest threats faced by Internet users today, according to the SANS Institute's annual security report.
Developers aren't using secure coding techniques to create Web applications, giving hackers an opportunity to tap the rich databases of information connected to them, according to SANS, a computer training and security organization.
The report, which will be discussed in depth in London on Wednesday, compiles information on security threats from governments, security companies, and academics.
Web applications exchange data between PCs and servers over the Internet, and hackers can take advantage of vulnerabilities on either side to collect information. In the case of online banking and e-commerce applications, they can try to collect log-ins and passwords or credit card data.
The report also found fault with Microsoft Office. Vulnerabilities in the applications suite jumped almost 300 percent between 2006 and 2007, notably because of new flaws in Excel. The flaws allow hackers to construct documents that, when opened, can infect a computer with malicious software.
The hackers attach those malicious documents to e-mail and use social engineering techniques, such as attaching a file with an enticing name, to trick recipients into believing the document is important or comes from someone they know.
Anti-spam and security software can block e-mail with attachments, but Microsoft's programs and file formats are so widely used that it rarely makes sense to do so.
Gullible users are also to blame, SANS said, since they are often easily tricked, or they install software that they should not put on their machines.
Also on the rise this year was spyware, or programs that surreptitiously collect data on a user's computer. Webroot, one of the security companies that contributed to the SANS report, said the number of Web sites rigged with spyware increased 187 percent this year.
SANS said it takes as little as five minutes to attack an unprotected computer connected to the Internet. Hackers use automated scanners that hunt for unpatched PCs to exploit.
SANS advised developers to use Web application scanners that can find vulnerabilities in programs. They should also use secure coding testing tools, try out a penetration testing service, and codify security policies for application development.
IT administrators should use Web application firewalls as well as maintain an aggressive patching schedule, SANS said.