Chapter 2. The Threat Landscape

Nick Sears, the EMEA Vice-President for FaceTime, says that the Internet ‘threat landscape’ is very different from, and more complex than, that of ten years ago, in 1998.[7]

Ninety per cent of Web traffic in 1998 came from e-mail, HTTP and FTP. In 2008, Internet traffic additionally comprises social networking, blogs, Voice over Internet Protocol (VoIP), video streaming, web conferencing and Instant Messaging (IM). This means that both the outbound threats of data and information leakage and the inbound threats of malware, security vulnerabilities and phishing are different. Many of the collaborative tools also provide file-sharing capabilities, a vector through which confidential information could be exported or malware imported.

The nature of hacking attacks is increasingly moving from exploiting vulnerabilities in the underlying platform to focusing on the application code itself[8]. Websites that accept input from users provide openings for attacks such as SQL injection and cross-site scripting.

SQL injection attacks: A Structured Query Language (SQL) injection attack is a type of exploit in which hackers execute SQL statements of their own choosing through the input fields of a Web application, using nothing more than an Internet browser[9]. SQL is a programming language used for retrieving information from, and updating data in, a relational database. It is based on mathematical set theory.

An example of an SQL injection attack would be a sales website that asks for personal details: where a postcode or zip code should be entered, a hacker instead enters SQL commands, which the application passes to its database and which then return information the hacker should not be able to see.

SQL injections can result in data being corrupted, or enable attackers to retrieve data such as credit card numbers. They can prove to be extremely costly for organisations. It therefore makes sense to prevent SQL injection attacks from occurring.

A well-written application will not allow user input to be executed as SQL commands. There is a need to develop Web applications[10] that are more secure, and to keep them secure.
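The postcode lookup described above, worked through as an added example (this code is not from the book): the same query is built once by splicing the user's text into the SQL string and once as a parameterised query, where the database driver binds the input as a value. The customer table and the rows in it are constructed sample data.

```python
"""Added example (not from the book): string-built SQL versus a parameterised
query, using an in-memory SQLite database with constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a customer table such as a sales site might hold.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (name TEXT, postcode TEXT, card_last4 TEXT);
        INSERT INTO customers VALUES ('Alice', 'SW1A 1AA', '4242');
        INSERT INTO customers VALUES ('Bob',   'EC1A 1BB', '1881');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, postcode: str) -> list:
    # The user's text is spliced straight into the statement, so the database
    # cannot tell where the developer's SQL ends and the user's input begins.
    sql = f"SELECT name, card_last4 FROM customers WHERE postcode = '{postcode}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, postcode: str) -> list:
    # The statement is fixed; the input is bound as a value and can only ever
    # be compared against the postcode column, never interpreted as SQL.
    sql = "SELECT name, card_last4 FROM customers WHERE postcode = ?"
    return conn.execute(sql, (postcode,)).fetchall()


# Constructed input typed where a postcode should be: an SQL fragment that
# turns the WHERE clause into a condition that is always true.
INJECTED = "x' OR '1'='1"


def demo() -> tuple:
    conn = make_db()
    honest = lookup_parameterised(conn, "SW1A 1AA")   # one matching row
    leaked = lookup_vulnerable(conn, INJECTED)        # every row comes back
    safe = lookup_parameterised(conn, INJECTED)       # no postcode equals that string
    return honest, leaked, safe


if __name__ == "__main__":
    honest, leaked, safe = demo()
    print("honest lookup:                  ", honest)
    print("string-built SQL, injected input:", leaked)
    print("parameterised, injected input:   ", safe)
```

The parameterised version is what "not allowing user input to be executed as SQL" means in practice: the application never asks the database to parse text that came from the user.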

Cross-site scripting (XSS)[11]: attacks involve the injection of code such as JavaScript or VBScript into a web page that is returned from a server to a user’s browser. If this code is then executed in the user’s browser, the user is exposed to a variety of threats, including cookie theft, keystroke logging, screen scraping and denial of service.

For example, it was an XSS attack that compromised the Cambridge University Press website[12].

Cookie theft: A cookie is a small data file[13] that a website stores on a user’s computer and which contains information about the user (e.g. user preferences) that is relevant to the user’s experience of the website.

Cookie theft occurs when an attacker uses injected code to obtain the data held in cookies without the user’s knowledge. For example, the attacker can inject code into a page so that the browser displays a link reading ‘Click here!’. When the user clicks on the link, their cookies are sent to the attacker’s server.
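Two controls that address the injection and cookie theft just described, as an added example that is not from the book: HTML-escaping user-supplied text before it is placed in the page, so injected markup is displayed rather than interpreted, and marking the session cookie HttpOnly and Secure, so that script running in the page cannot read it. The submitted comment, the cookie name `session` and the placeholder function name in the comment are constructed for illustration.

```python
"""Added example (not from the book): output encoding against injected markup
and the HttpOnly/Secure cookie attributes against cookie theft."""
from html import escape
from http.cookies import SimpleCookie

# Constructed sample: a "comment" a visitor submits to a page. The onclick
# handler name is a placeholder; no such function exists here.
INJECTED_COMMENT = '<a href="#" onclick="placeholderHandler()">Click here!</a>'


def render_comment_vulnerable(comment: str) -> str:
    # The comment is concatenated straight into the page markup, so any tags
    # it contains become real elements in the user's browser.
    return f"<p class='comment'>{comment}</p>"


def render_comment_escaped(comment: str) -> str:
    # Characters with meaning in HTML are turned into entities; the browser
    # shows the comment's text and creates no new element or handler from it.
    return f"<p class='comment'>{escape(comment, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    # Build the Set-Cookie header for a session cookie. HttpOnly keeps the
    # cookie out of document.cookie, so injected script cannot read and send
    # it; Secure restricts it to HTTPS so it is not exposed in clear text.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_comment_vulnerable(INJECTED_COMMENT))
    print(render_comment_escaped(INJECTED_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```

Escaping on output is the control that stops the injected ‘Click here!’ link from existing at all; HttpOnly is the fallback that limits what such a link could take if an escape were missed somewhere.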

Keystroke logging: occurs when hackers record the keys pressed on a computer keyboard using special software[14]. This software can either be installed on the computer (in which case it could be detected by anti-spyware software) or run inside a concealed hardware device attached to the computer, in which case anti-spyware software will not detect it. Keystroke logging can lead to the theft of user identification and authentication data.

Screen scraping: As the name suggests, screen scraping is a technique in which a computer program extracts data from the display output of another program. Within the context of IT security, screen scraping can reveal further authentication information selected by the user from dropdown lists, etc.[14]

Denial of service: A denial of service (DoS) attack is designed to put an organisation out of business, or to interrupt the activities of an individual or group of individuals, for a time by freezing its systems[15]. This is usually done by flooding a web server (or other device) with e-mail messages or other data so that it is overwhelmed and unable to provide a normal service to authorised users.
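The flooding pattern described above is visible in a web server's own access log as one source making far more requests than any normal visitor in a short time. As an added example (not from the book), the following parses common-log-format lines and flags any address that exceeds a request threshold within a sliding time window. The log lines are constructed here using documentation IP ranges, and the threshold of more than 20 requests in any 10 second window is an illustrative choice, not a value from the text.

```python
"""Added example (not from the book): flagging flood-like request rates in a
web server access log. Sample log lines are constructed below."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds: int = 10, max_requests: int = 20) -> dict:
    """Map each flagged source address to the time it first exceeded the limit."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _log_line(ip: str, ts: datetime, request: str, status: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} 512'


def build_sample_log() -> list:
    """Constructed sample: one ordinary visitor and one flooding source."""
    base = datetime(2008, 6, 11, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary visitor from a documentation address: one request every 30 s.
    for i in range(5):
        lines.append(_log_line("198.51.100.4", base + timedelta(seconds=30 * i),
                               "GET /index.html HTTP/1.1", 200))
    # Flooding source: 30 requests in 3 seconds, ten per second.
    for i in range(30):
        lines.append(_log_line("203.0.113.9", base + timedelta(milliseconds=100 * i),
                               "GET /search?q=a HTTP/1.1", 200))
    lines.append("this line is not in log format and is skipped")
    return lines


if __name__ == "__main__":
    for ip, when in find_flooders(build_sample_log()).items():
        print(f"{ip} exceeded the request threshold at {when.isoformat()}")
```

In a real deployment the threshold is tuned to the site's normal traffic, and the flagged addresses feed a rate limiter or firewall rule rather than a print statement; the detection logic itself does not change.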

Blended attacks can be designed specifically to target Web 2.0 technologies. They include mass-mailing virus-delivery mechanisms used to insert Trojans into target systems, which hackers can then use to bypass firewalls and other defences. For example, in December 2006 the JS.Qspace worm was discovered by Symantec on MySpace[16]. This worm injects code that directs the user to a phishing page, which attempts to steal MySpace credentials by asking users for their e-mail addresses and passwords.

Another example of a blended attack is the Monster.com resume thefts of August 2007[17]:

Hackers used malware (Infostealer.Monstres) to gain unauthorised access to the Monster.com resume database and to steal job seekers’ contact information. Compromised data included the name, address, telephone number, and e-mail address of people who registered with the job seeking service. Neither Social Security numbers nor credit card records are thought to have been exposed. However, the compromised data has been used to craft targeted phishing attacks that sought to trick users into downloading malicious software.

Typically, this sort of software is designed to intercept and pass on the details of financial transactions.



[7] Securely tapping into the business benefits of Web 2.0 technology, Infosecurity webinar (11 June 2008).

[8] Strategies to protect your web applications and your organisation, John Pescatore, Gartner, IT Briefing Centre webcast.

[10] See: Application Security in the ISO27001 Environment, Vinod Vasudevan et al, IT Governance Publishing (2008).

[11] Web 2.0 Security for Dummies, Clearswift (2007).

[12] The word of the day is drive-by, Sophos (11 April 2008). http://www.sophos.com/security/blog/2008/04/1292.html

[13] A Dictionary of Information Security Terms, Abbreviations and Acronyms, Alan Calder and Steve Watkins, IT Governance Publishing (2007).

[15] A Dictionary of Information Security Terms, Abbreviations and Acronyms, Alan Calder and Steve Watkins, IT Governance Publishing (2007).

[17] Internet Risk Management in the Web 2.0 World, Forrester Computing (2007).
