Web 2.0 Threats Loom Large for IT

With the seemingly exponential growth of Web 2.0 technologies, IT professionals in education -- and all other sectors, for that matter -- face new challenges as control over technology slips away and moves into the hands of users. The very technologies that make Web 2.0 a reality (AJAX, in large part) seem to be considerably vulnerable to security breaches that can lead to data loss, theft and other malicious activities. And the growth of converged devices taking advantage of these technologies adds further to the problems.

Last week, security firm Websense released a report that showed for the first time in history that Web sites compromised by "attackers" (phishers, etc.) now exceed those created specifically by attackers. In other words, more previously legitimate sites have been turned to malicious purposes than sites created for malicious purposes in the first place.

And the tool of choice in this new development? The Web 2.0 technologies used on those legitimate sites, which offer vulnerabilities attackers can take advantage of.

According to the Websense Security Labs report, which looked at security trends in the latter half of 2007, Web 2.0- and event-based attacks are on the rise, including spoofing search engine results to "drive traffic to infected sites."

Said Dan Hubbard, vice president of research for Websense, "We believe that attackers will continue to be creative and leverage Web 2.0 applications and user-generated content to create even bigger security concerns for organizations. With this in mind, organizations need to ensure their Web, messaging and data security solutions can protect the avenues hackers seek to exploit for financial gain."

But Websense is only the most recent organization raising red flags on the vulnerabilities of Web 2.0 technologies.

In higher ed, Georgia Tech's Information Security Center released a report entitled "GTISC Emerging Cyber Threats Report for 2008" (PDF) in which Web 2.0 was cited first as one of the threats to watch in 2008, topping botnets, directed messaging attacks and RFID attacks. (It also cited related mobile convergence threats -- devices built to take advantage of Web 2.0 technologies -- in its top 5.)

Commenting on the report, GTISC Director Mustaque Ahamad said, "As newer and more powerful applications enabled by technologies like Web 2.0 continue to grow, and converged communications applications increasingly rely on IP-based platforms, new challenges will arise in safeguarding these applications and the services they rely on. The GTISC Emerging Cyber Threats Report for 2008 highlights those areas of greatest risk and concern, particularly as continued convergence of enterprise and consumer technologies is expected over the coming year."

In that report, Web 2.0 was cited for potential client-side attacks on social networking technologies, aimed at "stealing private data, hijacking Web transactions, executing phishing scams, and perpetrating corporate espionage." Mobile convergence threats included "vishing," "smishing" and voice spam, plus denial of service attacks targeting voice infrastructure, according to the report.

Earlier this month, KPMG, a UK-based consultancy, released a report entitled "Risk concerns stall uptake of Web 2.0 technology in the workplace." The report focused on the adoption of Web 2.0 technologies in the business sector, citing slow adoption owing to security concerns. Of 472 executives from around the world surveyed for the report, more than half said that security is a principal barrier to adoption.

Said Crispin O'Brien, chairman of technology for KPMG, "Web 2.0 is not just about novel consumer technology, there are real business benefits to be derived from enabling more effective knowledge sharing and collaboration among employees. The challenge for the technology industry is to communicate these benefits to customers effectively and address the concerns that remain around security and relevance to different industries."

Furthermore, just last week, the SANS Institute came out with its own report -- "Top Ten Cyber Security Menaces for 2008" -- naming Web application exploits, including Web 2.0, at No. 8.

Said the report:

Large percentages of Web sites have cross-site scripting, SQL injection, and other vulnerabilities resulting from programming errors. Until 2007, few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access. Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from Web programming errors as new ways of penetrating important organizations. Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes "user supplied data." In 2008, Web 2.0 vulnerabilities will be added to more traditional programming flaws and Web application attacks will grow substantially.

And related technologies didn't get off the hook either. Exploits against converged devices, such as smart phones and iPhones, were named the No. 4 threat. And Web-based digital media technologies were actually listed as the No. 1 threat category for the ways in which they create vulnerabilities within Web browsers.

About the Author

Dave Nagel is the executive editor for 1105 Media's educational technology online publications and electronic newsletters.
