Hacking Exposed
Authors: McClure S. Scambray J. Kurtz G.
Published year: 2003
Pages: 86-87/127

SUMMARY

As business continues to expand its presence into the online world, web hacking will no doubt become an increasingly more visible and relevant threat to global commerce. Nevertheless, despite its cutting-edge allure, web hacking is based on many of the same techniques for penetrating the confidentiality, integrity, and availability of similar technologies that have gone before, and thus mitigating this risk can be achieved by adhering to some simple principles. As we saw in this chapter, one critical step is to ensure that your web platform (that is, the server) is secure by keeping up with patches and best-practice configurations. We also saw the importance of validating all user input and output: assume it is evil from the start, and you will be miles ahead when a real attacker shows up at your door. Finally, we can't overemphasize the necessity to regularly audit your own web apps. The evolving nature of the field of web hacking demands ongoing diligence against the latest tools and techniques. There is no vendor service pack for custom code!

Chapter 13: Hacking the Internet User

OVERVIEW

Way back in 2000, which, based on Intel co-founder Gordon Moore's postulations, is multiple generations of computer technology ago, we made a decision to include at the end of our second edition of Hacking Exposed an unobtrusive little chapter dedicated to the then unsensational but growing phenomenon of Internet client software exploitation by malicious hackers. At the time, we considered this somewhat of a risk for a book primarily focused on corporate IT security: how would readers react to this detour into the land of the allegedly hapless and uninspiring end user? But based on the potential long-term impact of the issue, we stuck with the theme through two subsequent editions, hoping that someone, somewhere, would recognize the severity of the problems we documented and take steps to head off what was sure to be worldwide calamity.

Unfortunately, it appears no one did.

Today, "hacking the Internet user" has evolved into a veritable industry of its own. Worldwide malware writers (oftentimes in cahoots with certified criminal elements), spammers, and numerous "adware" peddlers of varying degrees of legitimacy have combined the time-tested technique of human trickery with an edgy technological sophistication to perpetrate wave after wave of scams against vast communities of newly minted Netizens, many of whom are barely cognizant that their innocuous-looking web browser, e-mail inbox, or favorite peer-to-peer communications software is in actuality an effective portal through which unsavory entities can enter directly into their homes and offices. Consequently, the public and private sectors have finally stood up and taken notice, with everyone, including traditional antivirus software firms, the U.S. government, nonprofit antifraud task forces, and even Microsoft, admitting the time has come to act.

That's why we've totally rewritten this chapter to bring you the most up-to-date information from the frontlines of the battle against Internet end-user hacking. We started by updating our coverage of key Internet client software vulnerabilities, and we have added totally new sections on hot topics such as phishing, spyware, and Windows rootkits. We've also adapted our style and language to be even more direct and plainspoken than in other chapters, to reach the largest range of technical skill levels. So, whether you're an IT pro trying to shield your infrastructure from pillaging by a worm downloaded by an unsuspecting user, or a tech-savvy soccer mom who likes to swap pictures of her kids with friends and family online, we hope the material in this chapter informs a safer, more productive online experience.
