Cybercrooks add Ajax coding to bag of hacking tricks
Updated 8/4/2006 3:33 AM ET
By Byron Acohido and Jon Swartz, USA TODAY
LAS VEGAS - The hot new technology behind slick Web pages has suddenly become the hot new tool for cybercriminals.
The technology, Ajax coding and Web tools, enables popular websites such as Google Maps (GOOG) and MySpace.com (NWS) to come alive. It is also the technology behind Windows Live, the slate of cutting edge online services Microsoft has begun testing.
But hackers and cybercrooks have discovered that Ajax can be tweaked in myriad ways. By corrupting one of the dozens of data exchanges Ajax handles while loading a Web page, a hacker can take over control of the PC.
At the giant Black Hat cybersecurity conference here, talks on what kind of Ajax attacks to expect and how to defend against them drew large audiences.
"Ajax has introduced a huge attack surface," says Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "Ajax works under the covers to make websites really responsive, but criminals can just as easily use it under the covers to do some bad stuff."
Recent high-profile attacks include June's Yamanner computer worm, designed to harvest e-mail addresses from Yahoo mail users and send them to spammers in Europe; and Spaceflash, which installed adware (advertisements and tracking programs implanted surreptitiously) on the hard drives of more than a million MySpace users.
Those for-profit intrusions were foreshadowed by last October's milestone Samy worm. Created by a youthful hacker, Samy used an Ajax attack to infect a million MySpace users for the express purpose of adding them to the hacker's friends list - to make him seem popular. MySpace had to shut down for a day to clean up Samy.
"We've gone from kids screwing around to criminals looking for ways to make money in less than eight months," says Hoffman.
Dave Cole, director of Symantec Security Response (SYMC), says social networking sites suggest a false sense of security: "You don't expect to be attacked when you go to Joe Bob's page."
Hemanshu Nigam, MySpace's chief security officer, said in a statement that the company uses strong security measures and works with law enforcement in the event of a breach. Since Ajax is well on its way to becoming a standard for the way interactive Web pages operate, security experts expect attacks to escalate.
"Imagine when the same flaws are used to steal money from financial institutions," says Alex Stamos, principal partner at security researcher iSEC Partners.
Security researchers are trying to help corporations stay a step ahead. At Black Hat, SPI Dynamics' Hoffman showed how Ajax attacks could be designed to break into and manipulate online stock trading accounts.
Jeremiah Grossman, CTO of WhiteHat Security, gave a well-attended demonstration showing how hackers could spread an Ajax attack through MySpace as a means to release an invasive program deep inside a corporation's internal network.
"This is just a natural extension of where things are headed," says Grossman. "We know these kinds of attacks always get better and better."
There are already so many possible threats for a PC, I don't really care if there's another one. Also, I don't have anything worth stealing on my PC...
Those for-profit intrusions were foreshadowed by last October's milestone Samy worm. Created by a youthful hacker, Samy used an Ajax attack to infect a million MySpace users for the express purpose of adding them to the hacker's friends list - to make him seem popular. MySpace had to shut down for a day to clean up Samy.
I think AJAX bypasses the server with use of JavaScript, maybe bypassing security or firewalls... back to the old days of JavaScript!