Researchers show how corporate intranets are ripe for emerging attacks

According to two leading security researchers presenting at the ongoing Black Hat 2007 security conference in Las Vegas on Wednesday, many companies are unintentionally leaving the door to their IT operations unlocked by failing to adequately protect their internal Web sites.

Based on advancements in security research that will allow hackers to use Web browsers and the flaws the programs carry to infiltrate and attack intranets with greater ease, including the use of newer hacking techniques such as CSRF (cross-site request forgery), businesses should begin actively reviewing and re-architecting the internal URLs to prevent major issues down the line, said researchers Jeremiah Grossman and Robert "RSnake" Hansen.

"This is a problem that is essentially as widespread as anything out there. Over the next eighteen months I believe that we'll see black hats catching up with the research community and beginning to adopt these tactics," said Grossman, who is the founder and CTO of vulnerability testing firm WhiteHat Security. "Basically with these types of attacks it's as if firewalls don't even exist."

Companies typically don't consider the fact that hackers could find a way to get into their intranets, the Web application testing expert said, but savvy attackers can find links to the sites by carrying out emerging attacks such as CRSF threats, which allow them to break into seemingly secure Internet sessions to secretly lift password and browser history data.