GEOG5870/1M: Web-based GIS A course on web-based mapping

General: Attacks on Humans

Social engineering can be surprisingly successful. As sociologist Stanley Milgram notoriously showed in the 1960s, people will generally defer to those who look (or sound) like they are in authority or are experts. Social engineering generally attempts either to get access to systems through passwords etc., or, more usually, to gain direct physical access to hardware within a trusted internal network. This kind of intrusion is a common part of penetration testing by ethical hackers.

Even if social engineering isn't something you might come up against, human error is responsible for a great many of the holes in computer systems. People classically don't use many different passwords, and the ones they use tend to be common words, opening themselves up to brute-force/dictionary attacks in which attackers run standard lists of words against password-protected systems. Programmers are just as bad. It is quite common to find passwords in plain text on web systems, not least hardwired into JavaScript for anyone to see, and some client software records passwords in plain text on a user's hard drive, relying on the PC's own protection rather than encrypting them. It's also fairly common to find web pages that pass arbitrary user-supplied code to a server to run. This kind of thing is just a result of taking one's eye off the ball and thinking "this is a simple solution, I'll fix it later", and then not fixing it. The most egregious example is to hardwire a username, password, or encryption key into some code (for example, code using a database, or a cloud storage facility) and then forget to remove it before posting the code on a repository site. This is surprisingly easy to do, and surprisingly easy to regret.
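A check a developer can run over their own source before pushing it, as an added example (not part of the course material): it flags the hardwired passwords, credential-bearing URLs and pasted keys the paragraph above warns about. The pattern list, the entropy threshold and the sample snippet are constructed for illustration, not taken from any real project.

```javascript
// Added example (not from the course): a pre-commit style scanner that flags
// hardcoded credentials before source is pushed to a repository.
// Patterns, thresholds and the sample snippet below are constructed.
const SECRET_PATTERNS = [
  { name: 'assigned password', re: /(pass(word|wd)?|pwd)\s*[:=]\s*["'][^"']{4,}["']/i },
  { name: 'api key or token', re: /(api[_-]?key|secret|token)\s*[:=]\s*["'][^"']{8,}["']/i },
  { name: 'connection string with credentials', re: /\b\w+:\/\/[^\s:/@"']+:[^\s@"']+@[^\s"']+/ },
  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Shannon entropy in bits per character: a long, high-entropy string literal
// is a typical sign of a pasted key even when no telltale keyword is nearby.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns one finding per (line, rule) hit, as { line, kind } objects.
function scanSource(text, opts = {}) {
  const minLen = opts.minLiteralLength ?? 20;
  const minEntropy = opts.minEntropy ?? 4.0;
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ line: i + 1, kind: name });
    }
    // Quoted literals with no keyword nearby: judge them by length and entropy.
    for (const m of line.matchAll(/["']([A-Za-z0-9+\/=_-]{20,})["']/g)) {
      if (m[1].length >= minLen && shannonEntropy(m[1]) >= minEntropy) {
        findings.push({ line: i + 1, kind: 'high-entropy literal' });
      }
    }
  });
  return findings;
}

// Constructed sample of client-side map code with the mistakes described above.
const SAMPLE = `const map = new Map({ target: 'map' });
const dbPassword = "letmein123";                 // plaintext credential in JS
fetch("https://user:s3cret@tiles.example.invalid/layer"); // credentials in a URL
const apiKey = 'Qz8vP3kL2mXn9RtYb6Wc4Hd7Jf1Gs5Ue'; // pasted key
console.log("rendering layer");`;

for (const f of scanSource(SAMPLE)) console.log(`line ${f.line}: ${f.kind}`);
```

The regex rules catch the obvious keyword cases; the entropy rule is what catches a key pasted under an innocuous variable name, at the cost of occasional false positives on long identifiers such as tile-server tokens that are meant to be public.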

It's also true that most coding loopholes are left by developers who aren't aware of specific issues. This isn't entirely surprising, as staying on top of everything you need to know to write secure code is an extensive and skilled job. Nevertheless, it is one that you ultimately have to engage with if you're writing for the web. We'll come to some resources at the end that will get you started.

Finally, it is worth noting that web pages should avoid so-called "Dark Patterns", that is, GUI and interaction design intended to trick users into behaviour they wouldn't otherwise agree to. Indeed, many are now illegal.
