Web Security

The Problem

 

Experts estimate that, at any given time, about two-thirds of the sites on the web are potentially vulnerable to attack. This includes many commercial as well as government sites. Of course, potential hackers will not be interested in most non-commercial or low-traffic sites.

 

Generally there are two kinds of hackers: those who hack for money, for example to manipulate bank accounts or to obtain credit-card information, and those who hack for ego or for fun, who just want to prove their skills or get attention. In most cases, the latter will attempt important sites, especially government ones.

 

Since the internet was meant to be very open and flexible, its inter-connectivity means that there is more than one way to do just about anything. Attacks may also come from within the organisation, for example from disgruntled employees, which makes them even harder to trace.

Web security may be easier said than done, as there is simply no such thing as perfect security. Unless the system is completely isolated and shut off, chances are that there is a hole somewhere that lets the bug in.

 

If we study the core components of a system (its design, tools, procedures, environment, operators and the knowledge of its users), we find that they interact in many expected and unexpected ways, and all it takes is one faulty interaction among them to breach the security of the system.

 

To make things worse, expertise or experience in hacking is no longer a prerequisite, since information and tools are easily available on the web. A good example is 2600.com, an interest group that exchanges skills and tips on hacking and even circulates a newsletter for its members!