Friday, May 31, 2002

DDJ Full Story
"The kind of attacks that we're seeing are not a traditional security attack," Manber warned. The threat to web services is not root access to a server; it is repeated violation and exploitation of the service itself: small cheats and hacks that are individually insignificant but a huge problem in the aggregate.

Spam is an example of this kind of hack. A web-based e-mail service does not suffer if one of its accounts is used for mass-mailing. When tens of thousands of accounts are abused in this way, the service can be brought to its knees. Manber calls this the "penny jar" effect, likening it to a thief who comes to a cash register and empties the penny dish every five minutes. The pennies are meant to be given away, and each instance of the loss is trivial; but if the theft continues unchecked, the service will be destroyed.

And money is far from the only target of attack. Buyer and seller ratings in auction sites are often forged, and so are rankings on game sites. "If you have any kind of rating, people go to all kinds of trouble to get that rating in an illegitimate way," Manber reported.

The more services are offered, the more vulnerable the provider becomes. "Someone can steal some money over here, go to Shopping and buy something, then go to Auction and sell it," said Manber. "This really happened."

Internationalization is a further weakness, because patches must be distributed to systems in many countries, and a single overlooked server leaves the provider exposed. But in a world of web services, the hardware matters far less than the time and effort that skilled employees spend combating abuse. "I'm not even worried sometimes about the machines I buy," Manber clarified. "I'm worried about the time...There are more of them [attackers] than there are of me. They have a lot more time."

Interactivity poses a new set of risks. "Whenever we get content from users, it's a problem," said Manber. Advertisers will attempt to sneak their content into forums like the Personals, or go to the trouble of creating an informative site, only to change the content to advertising after the site is accepted into Yahoo's directory. Or they may route links to their own sites through Yahoo's redirector so that the URLs appear to come from Yahoo, borrowing its legitimacy.
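The redirect abuse just described is what is now called an open redirect: a redirector that forwards to whatever URL its parameter names lets a third party publish links that look like they come from the portal. The following is an added example, not code from the DDJ article or from Yahoo, showing the trusting form beside a hardened one that accepts only local paths or absolute URLs to allowlisted hosts. The host names in ALLOWED_HOSTS, the fallback path, and the function names are assumptions for illustration.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the redirector may send a browser to.
# Exact matches only: a suffix check would let
# "www.example-portal.com.evil.example" through.
ALLOWED_HOSTS = {"www.example-portal.com", "finance.example-portal.com"}


def unsafe_redirect_target(requested: str) -> str:
    """Vulnerable form: trusts the 'url' parameter as given, so
    https://portal/redir?url=https://evil.example/ becomes a portal-branded
    link to an arbitrary site."""
    return requested


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Hardened form: return the requested target only if it is a local
    path or an absolute http(s) URL to an allowlisted host; otherwise
    return the fallback path."""
    # Drop whitespace and control characters that browsers ignore
    # (e.g. "java\tscript:"), and treat backslash as slash the way browsers
    # do, so "/\evil.example" is seen as the scheme-relative "//evil.example".
    candidate = "".join(ch for ch in requested if ch.isprintable()).strip()
    candidate = candidate.replace("\\", "/")
    parsed = urlparse(candidate)

    # Only web schemes may leave the page; javascript:, data:, etc. are refused.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return fallback

    if not parsed.netloc:
        # No authority part: accept a plain local path, but refuse "//host"
        # (scheme-relative) and "http:evil.example" style inputs.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    # Refuse credentials in the authority: the hostname of
    # "https://www.example-portal.com@evil.example/" is evil.example, but the
    # visible prefix fools readers and naive string checks.
    if parsed.username is not None or parsed.password is not None:
        return fallback

    if (parsed.hostname or "") not in ALLOWED_HOSTS:
        return fallback
    return candidate


if __name__ == "__main__":
    for target in ("/account/settings", "https://finance.example-portal.com/q?s=ABC",
                   "//evil.example/", "https://www.example-portal.com@evil.example/",
                   "javascript:alert(1)"):
        print(f"{target!r:55} -> {safe_redirect_target(target)!r}")
```

The hardened version decides on the parsed host, never on a string prefix, and canonicalises the input (control characters, backslashes) before parsing so that the check sees what the browser will see. Exact host matching is deliberate; a suffix or substring test is the classic way such filters are bypassed.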

Services can also be stolen and resold. Yahoo found that its finance sites were plagued by screen scrapers that ran every few seconds to grab real-time stock quotes. Manber says that traffic on the finance sites dropped by 80% after the screen scrapers were blocked. "You provide a premium service, people will sign up for it maybe once, put a proxy server up, steal the information, and bang! Now they provide the service."
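The scrapers described above, like the "penny jar" abuse earlier in the piece, are invisible in any single request and show up only when requests are aggregated per client. The following is an added example, not code from the DDJ article or from Yahoo, that parses Common Log Format lines, groups hits on a quote endpoint by client address, and flags clients whose polling is both frequent and regular. The log format, the /q endpoint, the thresholds, and the log lines themselves are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from itertools import accumulate
from statistics import mean, median, pstdev

# Common Log Format line (assumed format for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
QUOTE_PATH = "/q"  # hypothetical real-time quote endpoint


def parse_line(line):
    """Return {'ip', 'ts', 'path'} for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"].split("?", 1)[0]}


def quote_hits_by_client(lines):
    """Group request timestamps to the quote endpoint by client address."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == QUOTE_PATH:
            hits[rec["ip"]].append(rec["ts"])
    return hits


def classify_client(timestamps, min_requests=10, max_median_gap=10.0, max_jitter=0.25):
    """Decide whether one client's timing looks machine-driven.

    A scraper polls often (short median gap) and on a schedule (low jitter,
    measured as stdev/mean of the gaps). Each request on its own is a normal
    quote lookup; only the aggregate pattern gives it away. The thresholds
    are assumptions to be tuned against real traffic.
    """
    ts = sorted(timestamps)
    if len(ts) < min_requests:
        return False, f"only {len(ts)} requests"
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med > max_median_gap:
        return False, f"median gap {med:.0f}s is human-paced"
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg > 0 else 0.0
    if jitter > max_jitter:
        return False, f"irregular timing (jitter {jitter:.2f})"
    return True, f"{len(ts)} polls, median gap {med:.0f}s, jitter {jitter:.2f}"


def find_scrapers(lines, **thresholds):
    """Map each flagged client address to the reason it was flagged."""
    flagged = {}
    for ip, stamps in quote_hits_by_client(lines).items():
        is_scraper, reason = classify_client(stamps, **thresholds)
        if is_scraper:
            flagged[ip] = reason
    return flagged


# --- constructed sample log (not real traffic) --------------------------------
_T0 = datetime(2002, 5, 31, 9, 30, tzinfo=timezone.utc)


def _line(ip, offset, path):
    ts = (_T0 + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 512'


def _series(ip, gaps, path):
    """One request at t=0, then one after each gap in seconds."""
    return [_line(ip, s, path) for s in [0, *accumulate(gaps)]]


SAMPLE_LOG = (
    _series("198.51.100.7", [5] * 11, "/q?s=YHOO")                 # polls every 5 s exactly
    + _series("198.51.100.8", [4, 6, 5, 5, 4, 6, 5, 5, 4, 6, 5], "/q?s=YHOO")  # polls with slight jitter
    + _series("203.0.113.22", [47, 263, 35, 600, 120, 90, 410, 30, 250, 75, 180], "/q?s=YHOO")  # a person
    + _series("192.0.2.9", [5] * 11, "/news/")                     # regular, but not the quote endpoint
)

if __name__ == "__main__":
    for ip, why in find_scrapers(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")
```

Two caveats for anyone running this against real logs: many users share one address behind a NAT or corporate proxy, so a flagged address is better rate-limited or challenged than hard-blocked; and a scraper that randomises its interval will raise the jitter score, so the cadence test should sit beside a plain per-client volume threshold rather than replace it.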
http://www.ddj.com/news/fullstory.cgi?id=5887

