Windows, Linux or Mac — does operating system or platform matter to hackers? Not necessarily, according to research from Fortify Software, an application security provider.
In a new report, the firm said hackers aren’t necessarily targeting operating systems but rather applications themselves, a scenario that Fortify describes as bot “storms” in which applications are targeted.
Over a six-month period, Fortify analyzed nearly three million requests for sites that use its Application Defense product. Fortify’s analysis identified two key tools used by hackers: bots and Google hacks. They represented the majority of attacks they recorded.
Fortify found that, on average 50 to 70 percent of attacks came from bots. Bots and Botnets are large groupings of compromised computers that attack targets at the command of the botnets leader. The bots were apparently searching for known vulnerabilities.
Vulnerabilities were also found by hackers via search engines such as Google. Google Hacking is a term used to describe hackers using sophisticated search queries to locate vulnerable sites and applications. According to Fortify, 20 to 30 percent of the attacks it recorded as part of its six-month study came as a result of some form of search engine hacking.
Fortify’s study did not find that any particular operating system was more targeted than any other.
“With respect to platforms, it’s not necessarily an operating system game,” Brian Chess, chief scientist at Fortify Software, told internetnews.com. “We most frequently saw attempts to attack known PHP vulnerabilities. We certainly also observed our fair share of attempts to stuff dll’s onto Web servers with the anticipation that they were Windows machines, but the ‘application layer’ was more of the target.”
Chess noted that Fortify found many buffer overflow, SQL injection and command injection techniques used by hackers; the study didn’t focus on the vulnerability so much as the attack techniques.
“That said, the techniques implied that the most common way attackers think they can exploit an application is by probing it for known vulnerabilities or getting the application to reveal additional information so a more sophisticated attack can be launched,” Chess said. “This kind of vulnerability could be classified as ‘information disclosure.'”
Of course, Fortify sells tools to protect against the very threats it is warning about in its own research results. But even those tools can only serve a purpose so far.
“Clearly, we can’t stop social engineering exploits,” Chess admitted.”However, often the social engineering technique is used to gain access to a system, which is then exploited with an attack that leverages a software vulnerability. In other words, they are used in combination.”