The Security Time Bomb

DQI Bureau

In late 2005, MySpace went offline thanks to the Samy cross-site scripting (XSS) virus. Samy, created by teenage hacker Samy Kamkar, consisted of malicious Ajax code placed in the hacker's MySpace profile. Anyone viewing Samy's profile would unknowingly execute the code, automatically adding the user to Samy's friend list and vice versa, bypassing the need for the user's approval. The virus resulted in over one million infections in less than a day, making it one of the fastest-spreading pieces of malware. What's deadlier is the fact that aspiring criminals can duplicate his attack and apply it elsewhere, and for that they need only examine Samy's code, which is posted on the Web.

MySpace, Orkut and Facebook apart, there is a plethora of ever-growing social networking sites (with even local counterparts like www.bigadda.com coming up), wikis, and blogs, all trying to give users never-before freedom in what they can post, access and do.

The Web's second generation promises to tread newer and uncharted territories. And the quest to discover the unexplored characteristics of the Web has brought to light a whole new era of collaboration, sharing, interactivity, user-generated content, and enhanced user control on the World Wide Web. However, in the rush to add features, security has become an afterthought in Web 2.0. According to Iqbal Gandham, chief business strategist, Nivio, "Web 2.0 has allowed two-man startups to develop an application overnight, and this kind of process will never include security. Web 2.0 apps are about speed to market, and security checks just slow you down." Bhaskar Bakthavatsalu, country manager, India & SAARC, Check Point Software Technologies, says, "We definitely are putting security last while adopting Web 2.0 technologies."

Now, as Web 2.0 increasingly straddles the enterprise domain and grows beyond being a consumer phenomenon, its impact is extending into more dimensions than initially comprehended. Security will need to become a forethought and be architected into the network as well as the applications.

More Vulnerable



Unlike Web 1.0 malware, Web 2.0 threats like Samy and Yamanner no longer require victims to deviate from security best practices by opening unknown attachments, emailing financial details to strangers, among others. Web 2.0 also offers novel opportunities for traditional viruses to proliferate. For example, the Storm Trojan that infected many users earlier this year spread itself through bulletin board messages, Google links, instant messages (IMs), and the blog comments of infected users. Storm successfully leveraged the multiple vectors offered by Web 2.0 to better proliferate itself.

Web 2.0 is inherently more prone to security breaches and hazards as compared to the first generation of the Web. As Tarun Gulati, general manager, developer and platform evangelism at Microsoft India, points out, "Though security is a horizontal that needs to be thought out irrespective of the kind of application being built, in a Web 2.0 scenario it becomes even more important due to its viral, social nature." According to Mahesh Gupta, manager, Business Development, Cisco India & SAARC, the difference between Web 2.0 and HTML is that Web 2.0 applications are going to be more interactive. "These Web applications and portals, based on the new programming techniques, provide a larger scope for attacks as there is greater interaction with the browser that enables JavaScript to run on a client PC, whereas old-fashioned websites accept information only through forms," adds Bakthavatsalu.

"The manifestations of Web 2.0 technologies like blogs, wikis and social networks run against the traditional IT security practice. These Web 2.0 applications facilitate collaboration and sharing between users, hence, the popularity of these applications has driven hackers to target users and businesses," says Pranay Jhaveri, sales director, F5 Networks, India. If your website content is dependent on users adding content, and hence, allowing users a closer interaction with your software, then, inherently, you are allowing for more holes. Having said this, security is and always will be a problem in an open system. "Since Web 2.0 platforms enable anyone to upload content, these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, visitors to these sites can also be infected, and the site owners could be potentially responsible for damages incurred," says Niraj Kaushik, country manager, SAARC, Trend Micro.

"Web 2.0, or the social application of Web 2.0, has convinced us that it's okay to upload personal data to various websites. This is where the problem is," says Gandham. He concurs that the security issue is there, but the problem in today's era is the sheer volume of personal user data stored online.

The Aspect



Another aspect to the security risks in Web 2.0 is the fact that the Web 2.0 technologies have security vulnerabilities. From a technical standpoint also, Web 2.0 sites are more prone to attack since they have more interactions with the browser and require running complex JavaScript code on user machines. As Munish Gupta, AVP, Business Development, GlobalLogic India, points out, "A website based on the new programming techniques has a greater attack surface because it has many more interactions with the browser and may run JavaScript on the client PC." In fact, there is little awareness of the fact that the information placed by users on websites such as MySpace and Bebo could be traceable to them in the future and could be permanently linked to them. According to Vishak Raman of Fortinet, the need for collaboration brings in the use of technologies like AJAX and XML, which in effect bring in the vulnerabilities.

However, Jhaveri provides yet another perspective to it as he maintains that Web services and Ajax applications have not given rise to new classes of security vulnerabilities, but rather new ways to attack applications and a larger attack surface, creating challenges for both developers and testers. What makes matters worse is that a number of these sites are considered trusted by URL filtering and categorization products. Most enterprises do not normally block users from visiting Web 2.0 sites, which could become an IT security risk.

Data Leakage over Social Networking

As the technology helps extend the social circle and business contacts, it also invites unwanted parties. On many social networking sites, people sign up and then put in all their personal information simply because there's a field there for it. These profiles are public by default, rather than private, and they're open to search engines as well. So, people think their information is private and later discover it isn't. In many cases, what's good for the site owners isn't necessarily good for the users. Other problems with the plethora of new Web 2.0 social networking sites are that they often don't understand what privacy and user consent mean.

Because of the ease of information access and the lack of control, hackers can have a field day on social networking sites. All one needs to do is to access the publicly available personal information that people are posting on these sites. False, untraceable identities can be created easily and used to connect with new social circles. Studies have shown that many people do accept invitations without properly ascertaining the invitee's background or intention.

Haunting Ajax Milieu



Understanding the challenges inbuilt in Web 2.0 technologies like Asynchronous JavaScript and XML, or simply Ajax, can help avoid security pitfalls that may crop up along the way. Ajax comprises a set of Web technologies that are combined to enable Web browsers to refresh content (like stock quotes) in real time without requiring pages to reload or refresh. As these requests for content are hidden from the user's view, Ajax provides for a delay-free user experience and enables rich Web services.

In the security context, researchers have discovered that Ajax can query back-end Web services automatically or, in other words, query the hidden Web. This provides an opening for hackers to create invisible attacks using Ajax queries, since the code is never revealed on the site and, more specifically, can be encrypted in transit using SSL. A URL filtering solution will most likely be unaware that a given site is malicious, because it does not know which parameter will activate the malicious Ajax script.

Jhaveri says that Ajax-based applications are particularly susceptible to a number of traditional and new Web-based attacks such as man-in-the-middle as well as unauthorized access to the scripts and processes that handle Ajax requests. This is not because it makes this type of attack any easier to perpetrate, but is due to the technology's reliance on JavaScript and its under-the-covers nature. Many toolkits do not provide a mechanism for passing credentials, so data must be somehow embedded in requests or ACLs placed on each script that take advantage of the HTTP basic authentication mechanisms automatically.

"Web applications based on new programming techniques provide a larger scope for attacks"
Mahesh Gupta, manager, Business Development, Cisco

"The manifestations of Web 2.0 technologies run against the traditional IT security practice"
Pranay Jhaveri, sales director, F5 Networks, India

"The battleground for security is no longer just the device or infrastructure"
Vishal Dhupar, MD, Symantec India

Ajax increases the possibility of the so-called cross-site scripting flaws, which occur when the site developer does not properly code pages. An attacker can exploit this vulnerability to hijack user accounts, launch information-stealing phishing scams, or even download malicious code onto users' computers, experts say. Web companies such as Microsoft, eBay, Yahoo, and Google have all experienced cross-site scripting flaws on their websites. Ajax applications are also vulnerable to JavaScript hijacking, a form of cross-site request forgery (CSRF).
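
The cross-site scripting flaw described above comes down to user-supplied text reaching the page without being encoded for the place it lands in. As an added example (not code from the article or from any site it names), the sketch below renders a profile both ways; the field names, helper names and sample values are constructed for illustration.

```javascript
// Added example: rendering user-supplied profile fields into HTML.
// Field names and sample values are constructed for illustration.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Accept only absolute http(s) links; any other scheme or malformed
// input is replaced with a harmless placeholder.
function safeLink(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch (_) {
    return '#';
  }
}

// Weak form: user text is concatenated straight into the page.
function renderProfileUnsafe(p) {
  return `<div class="profile"><h2>${p.name}</h2>` +
         `<a href="${p.homepage}">homepage</a><p>${p.about}</p></div>`;
}

// Hardened form: every field is encoded for the context it lands in,
// and the link is checked against a scheme allowlist before encoding.
function renderProfileSafe(p) {
  return `<div class="profile"><h2>${escapeHtml(p.name)}</h2>` +
         `<a href="${escapeHtml(safeLink(p.homepage))}">homepage</a>` +
         `<p>${escapeHtml(p.about)}</p></div>`;
}

// Constructed sample profile carrying markup in each field.
const sampleProfile = {
  name: 'Alice "A" <b>',
  homepage: 'javascript:void(0)',
  about: '<script>/* marker */</script>',
};

console.log(renderProfileUnsafe(sampleProfile)); // markup passes through intact
console.log(renderProfileSafe(sampleProfile));   // markup arrives as inert text
```

Escaping alone would not stop the link field, since a script-scheme URL contains none of the five encoded characters; that is why the scheme allowlist runs before encoding.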

The transfer of Web 2.0 ideas to B2B applications, known as Enterprise 2.0 or Enterprise Web 2.0, is currently taking place with rich Web applications (RWA) and browser-based rich Internet applications, many of which use Ajax. According to Gupta of GlobalLogic, "Security is a weak area in Ajax and there needs to be a concerted effort to improve awareness and understanding of the vulnerabilities and how to deal with them, if Enterprise Web 2.0 is to succeed." But the cross-site scripting issue is only one of the risks. Other potential problems in Ajax code include race conditions, code correctness issues, object model violations, insecure randomness, and poor error handling.

Security Nirvana



Vishal Dhupar, MD, Symantec India, terms Security 2.0 as the enhanced version of security needed to protect the Web 2.0 era. "The battleground for security is no longer just the device or infrastructure, as it used to be in Security 1.0, rather it's shifted to the information and interactions," he adds. Protecting this information and securing these interactions takes more than bolted-on security. It takes integrated products and services that provide a holistic view into an organization's security posture. It also takes solutions that identify risks early, so that steps can be taken to mitigate them and prevent an attack. And, it entails enabling customers to manage their security events, no matter what products they may have already installed.

Web application firewalls have evolved and now include the ability to protect against Ajax and other XML-based attacks. A Web application firewall or XML firewall prevents existing and emerging attacks from reaching the application server, thus eliminating the majority of Ajax and XML-borne attacks from adversely affecting internal application infrastructure. These solutions are certainly not all-inclusive, nor are they meant to replace existing secure development practices, but they can augment the existing security policies by putting in place a first line of defense that will prevent a majority of malicious traffic from reaching the application.

Considering the fundamental difference between Web 2.0 and HTML, that Web 2.0 applications are going to be more interactive with users, there is an increased requirement for a strong architectural approach, from planning to design to development and implementation, keeping security in mind at each stage. According to Gupta of Cisco, Web 2.0 is not a single software or a device; rather it's a growing platform. As mentioned earlier, security can be compromised at multiple levels of the platform, i.e., application, database, network and end device. For secure communication and data sharing, an integrated, adaptive, and collaborative security approach is essential.

Shipra Malhotra



shipram@cybermedia.co.in
