HTML 5 new target for cybercriminals

By Jane Wakefield, Technology reporter

Published 8 March 2012

Image caption: The UK government plans "unprecedented co-operation" with businesses to improve cybersecurity

An increasingly popular web language will be the next big target for cybercriminals, according to a security firm.

HTML 5 is being developed to improve the look of websites, remove the need for plug-ins such as Java and Flash, and bring the storage capacity of the cloud to the browser.

It is still in development but some applications already support it.

Because it is new, it is attractive to cybercriminals, said Sophos.

Super cookies

"This is potentially going to be quite painful," said James Lyne, director of technology strategy at the security firm.

"It is more than a web language. Much more data can be stored in the browser which means that criminals can now attack the browser to steal data."

Traditionally browsers have stored relatively small amounts of "sticky" data, limited mainly to cookies which track the websites that people have visited.

The fact that HTML 5 allows more data to be stored in the browser means firms and cybercriminals could create super-cookies to track people's web behaviour.

Some malware techniques have faded out of fashion because patches have been found for them.

HTML 5 makes some ripe for renewed exploitation, thinks Mr Lyne.

Chief among them is clickjacking, a relatively simple malware technique used to persuade users to click on a link, often via a pop-up box.

With previous web standards, developers could create code which questioned where click instructions came from in order to prevent clickjacking.

Tracking people

HTML 5 hides a lot of this detail from software writers making it harder to distinguish between good and bad sites.

"By building this wall it is hampering developers' ability to write secure code," said Mr Lyne.

The other major security flaw for HTML 5, identified by Sophos, is the fact that it is built to integrate with mobile features such as GPS.

It means that a mobile phone browser will be able to identify a person's location, as long as it is given permission, straight out of the box.

But, said Mr Lyne, the permissions for who had access to this were currently "poorly defined".

"Some sites, such as Google Maps, you might be happy to know where you are while others you wouldn't want to know your location."

Adobe Flash

HTML 5 is already being widely adopted, particularly in the mobile world.

Software developer Adobe Systems recently announced it was ending development of its Flash Player plug-in for mobile devices.

Flash has traditionally been used to run movies, games and other applications but Adobe said it now believed that HTML 5 technology offered the "best solution" because it was "universally supported".

Google is also a fan, and uses it in its Gmail service to allow users to drag and drop files into messages. This functionality is currently only supported by the latest Chrome and Firefox browsers.

While the web standard brings new security issues, it will also solve others, thinks Mr Lyne.

"It eliminates the need for Flash and other external products that have been littered with vulnerabilities," he said.

Efforts must now be made to finish the design as soon as possible, he added.

"It is critical to get a full spec for HTML 5 and there needs to be a serious focus on making sure the browser is secure."

HTML 5 is being developed by the World Wide Web Consortium (W3C).

QR pornography

Sophos said other targets for cybercriminals in 2012 would include the use of near-field communication (NFC), which allowed users to wave a mobile phone at an NFC-enabled reader in order to make small purchases.

"The mobile phone becomes a digital credit card which makes it really worth hacking," said Mr Lyne.

Some of the threats for the coming year are lower-tech - such as malware stickers placed over the QR codes used by firms to allow smartphone owners access to content.

QR codes typically appear on posters. Once scanned with a mobile phone and opened with a QR reader app, users can get access to a range of content.

Train stations, for example, use QR codes to allow passengers to download timetables.

But cybercriminals are exploiting their popularity by placing their own stickers on top of the QR codes to take people to more nefarious sites.

"I used one on a train station and it took me to a Russian porn site," said Mr Lyne.

Crime packs

2011 has been a bumper year for malware. Sophos said it received an average of 150,000 pieces of malicious code each day - a 60% increase on this time last year according to the firm.

Global cybersecurity spending is on track to exceed $60bn (£38bn) according to a study by consultancy firm PricewaterhouseCoopers.

The greater use of mobile devices and cloud computing were fuelling the growth, it said.

Increasingly security companies are working with the police to crack some of the most notorious cybergangs.

Sophos, for example, feeds bundles of malware generated by the same criminal gangs to the security services.

It has, according to Mr Lyne, never been easier for cybercriminals to set up in business, with crime packs offering a library of malware, readily available online.

"I found 27 such packs within an hour of searching on the public internet," he said.

Such crime packs also offer tips on how to avoid anti-virus software, as well as a dashboard to allow cybercriminals to see how well their malware is performing.