The Security Time Bomb



In late 2005, MySpace went offline thanks to the Samy cross-site scripting (XSS)
virus. Samy, created by teenage hacker Samy Kamkar, consisted of malicious Ajax
code placed in the hacker's MySpace profile. Anyone viewing Samy's profile would
unknowingly execute the code, automatically adding the user to Samy's friend
list and vice versa, bypassing the need for the user's approval. The virus
resulted in over one million infections in less than a day, making it one of the
fastest-spreading pieces of malware. What's deadlier is the fact that aspiring
criminals can duplicate his attack and apply it elsewhere, and for that they
need only examine Samy's code, which is posted on the Web.

MySpace, Orkut and Facebook apart, there is a plethora of ever-growing social
networking sites (with even local counterparts like www.bigadda.com coming
up), wikis, and blogs, all trying to give users never-before freedom in what
they can post, access and do.

The Web's second generation promises to tread newer, uncharted territories. The
quest to discover the unexplored characteristics of the Web has brought to light
a whole new era of collaboration, sharing, interactivity, user-generated
content, and enhanced user control on the World Wide Web. However, in the rush
to add features, security has become an afterthought in Web 2.0. According to
Iqbal Gandham, chief business strategist, Nivio, Web 2.0 has allowed two-man
startups to develop an application overnight, and this kind of process will
never include security. Web 2.0 apps are about speed to market, and security
checks just slow you down. Bhaskar Bakthavatsalu, country manager, India &
SAARC, Check Point Software Technologies, says, "We definitely are putting
security last while adopting Web 2.0 technologies."

Now, as Web 2.0 increasingly moves into the enterprise domain and grows beyond
being a consumer phenomenon, its impact is spreading across more dimensions
than initially comprehended. Security will need to become a forethought and be
architected into the network as well as the applications.

More Vulnerable
Unlike Web 1.0 malware, Web 2.0 threats like Samy and Yamanner no longer
require victims to deviate from security best practices by, for example, opening
unknown attachments or emailing financial details to strangers. Web 2.0 also
offers novel opportunities for traditional viruses to proliferate. For example,
the Storm Trojan that infected many users earlier this year spread itself
through bulletin board messages, Google links, instant messages (IMs), and the
blog comments of infected users. Storm successfully leveraged the multiple
vectors offered by Web 2.0 to better proliferate itself.

Web 2.0 is inherently more prone to security breaches and hazards than the
first generation of the Web. As Tarun Gulati, general manager, developer and
platform evangelism at Microsoft India, points out, "Though security is a
horizontal that needs to be thought out irrespective of the kind of application
being built, in a Web 2.0 scenario it becomes even more important due to its
viral, social nature." According to Mahesh Gupta, manager, Business Development,
Cisco India & SAARC, the difference between Web 2.0 and HTML is that Web 2.0
applications are going to be more interactive. "These Web applications and
portals, based on the new programming techniques, provide a larger scope for
attacks as there is greater interaction with the browser that enables
JavaScript to run on a client PC, whereas old-fashioned websites accept
information only through forms," adds Bakthavatsalu.

"The manifestations of Web 2.0 technologies like blogs, wikis and social
networks run against the traditional IT security practice. These Web 2.0
applications facilitate collaboration and sharing between users, hence, the
popularity of these applications has driven hackers to target users and
businesses," says Pranay Jhaveri, sales director, F5 Networks, India. If your
website content is dependent on users adding content, and hence, allowing users
a closer interaction with your software, then, inherently, you are allowing
for more holes. Having said this, security is and always will be a problem in an
open system. Since Web 2.0 platforms enable anyone to upload content, these
sites are easily susceptible to hackers wishing to upload malicious content.
"Once the malicious content has been uploaded, visitors to these sites can also
be infected, and the site owners could be potentially responsible for damages
incurred," says Niraj Kaushik, country manager, SAARC, Trend Micro.

"Web 2.0, or the social application of Web 2.0, has convinced us that it's
okay to upload personal data to various websites. This is where the problem is,"
says Gandham. He concurs that the security issue is there, but the problem in
today's era is the sheer volume of personal user data stored online.

The Aspect
Another aspect of the security risks in Web 2.0 is the fact that Web 2.0
technologies themselves have security vulnerabilities. From a technical
standpoint too, Web 2.0 sites are more prone to attack since they have more
interactions with the browser and require running complex JavaScript code on
user machines. As Munish Gupta, AVP, Business Development, GlobalLogic India,
points out, "A website based on the new programming techniques has a greater
attack surface because it has many more interactions with the browser and may
run JavaScript on the client PC." In fact, there is little awareness of the fact
that the information placed by users on websites such as MySpace and Bebo could
be traceable to them in the future and could be permanently linked to them.
According to Vishak Raman of Fortinet, the need for collaboration brings in the
use of technologies like AJAX and XML, which in effect bring in the
vulnerabilities.

However, Jhaveri provides yet another perspective, maintaining that Web
services and Ajax applications have not given rise to new classes of security
vulnerabilities, but rather to new ways to attack applications and a larger
attack surface, creating challenges for both developers and testers. What
makes matters worse is that a number of these sites are considered trusted by
URL filtering and categorization products. Most enterprises do not normally
block users from visiting Web 2.0 sites, which could become an IT security risk.

Data Leakage over Social Networking
As the technology helps extend the social circle and business contacts, it also
invites unwanted parties. On many social networking sites, people sign up and
then put in all their personal information simply because there's a field there
for it. These profiles are public by default, rather than private, and they're
open to search engines as well. So, people think their information is private
and later discover it isn't. In many cases, what's good for the site owners
isn't necessarily good for the users. Another problem with the plethora of new
Web 2.0 social networking sites is that they often don't understand what privacy
and user consent mean.

Because of the ease of information access and the lack of control, hackers can
have a field day on social networking sites. All one needs to do is access the
publicly available personal information that people post on these sites. False,
untraceable identities can be created easily and used to connect with new social
circles. Studies have shown that many people accept invitations without properly
ascertaining the inviter's background or intention.

Haunting Ajax Milieu
Understanding the challenges inherent in Web 2.0 technologies like
Asynchronous JavaScript and XML, or simply Ajax, can help avoid security
pitfalls that may crop up along the way. Ajax comprises a set of Web
technologies that are combined to enable Web browsers to refresh content (like
stock quotes) in real time without requiring pages to reload or refresh. As
these requests for content are hidden from the user's view, Ajax provides for a
delay-free user experience and enables rich Web services.

In the security context, researchers have discovered that Ajax can query
back-end Web services automatically or, in other words, query the hidden Web.
This provides an opening for hackers to create invisible attacks using Ajax
queries, since the code is never revealed on the site and, more specifically,
can be encrypted in transit using SSL. A URL filtering solution will most likely
be unaware that a given site is malicious, because it does not know which
parameter will activate the malicious Ajax script.

Jhaveri says that Ajax-based applications are particularly susceptible to a
number of traditional and new Web-based attacks, such as man-in-the-middle, as
well as unauthorized access to the scripts and processes that handle Ajax
requests. This is not because Ajax makes this type of attack any easier to
perpetrate, but because of the technology's reliance on JavaScript and its
under-the-covers nature. Many toolkits do not provide a mechanism for passing
credentials, so data must be somehow embedded in requests, or ACLs that take
advantage of the HTTP basic authentication mechanisms automatically must be
placed on each script.

"Web applications based on new programming techniques provide a larger scope
for attacks"
Mahesh Gupta, manager, Business Development, Cisco

"The manifestations of Web 2.0 technologies run against the traditional IT
security practice"
Pranay Jhaveri, sales director, F5 Networks, India

"The battleground for security is no longer just the device or infrastructure"
Vishal Dhupar, MD, Symantec India

Ajax increases the possibility of so-called cross-site scripting flaws, which
occur when the site developer does not properly code pages. An attacker can
exploit this vulnerability to hijack user accounts, launch information-stealing
phishing scams, or even download malicious code onto users' computers, experts
say. Web companies such as Microsoft, eBay, Yahoo, and Google have all
experienced cross-site scripting flaws on their websites. Ajax applications are
also vulnerable to JavaScript hijacking, a form of cross-site request forgery
(CSRF).
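
The two controls that address the flaws described above, output encoding of user-supplied profile text and a per-session token on a state-changing Ajax request such as the friend-list change in the Samy incident, are sketched below as an added example that is not code from the article. The function names, the session shape and the `X-CSRF-Token` header name are assumptions.

```javascript
// Added example, not from the article. renderProfile, newSession,
// handleAddFriend and the x-csrf-token header name are hypothetical.
const { randomBytes, timingSafeEqual } = require('node:crypto');

// HTML-encode the five markup-significant characters so profile text is
// displayed as text. Suitable for element content and quoted attributes only.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderProfile(profile) {
  return `<div class="profile"><h1>${escapeHtml(profile.name)}</h1>` +
    `<p>${escapeHtml(profile.about)}</p></div>`;
}

// Issue an unpredictable per-session token when the user logs in.
function newSession(userId) {
  return { userId, csrfToken: randomBytes(32).toString('hex'), friends: new Set() };
}

// Constant-time comparison so the check does not leak how many bytes matched.
function tokensMatch(expected, supplied) {
  const a = Buffer.from(String(expected));
  const b = Buffer.from(String(supplied ?? ''));
  return a.length === b.length && timingSafeEqual(a, b);
}

// State-changing Ajax endpoint. The session cookie alone is not proof of
// intent, because the browser attaches it to forged cross-site requests too;
// the request must also carry the token the page was given.
function handleAddFriend(session, req) {
  if (!session) return { status: 401, body: 'login required' };
  if (req.method !== 'POST') return { status: 405, body: 'POST only' };
  if (!tokensMatch(session.csrfToken, req.headers['x-csrf-token'])) {
    return { status: 403, body: 'bad or missing CSRF token' };
  }
  session.friends.add(req.body.friendId);
  return { status: 200, body: 'friend added' };
}

// Constructed sample input: profile text containing markup.
const sampleProfile = { name: 'Alice', about: '<script>alert(1)</script>' };
```

A token check does not stop script that is already running inside the site's own pages from reading the token, so output encoding remains the primary control against code injected through profiles.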

The transfer of Web 2.0 ideas to B2B applications, known as Enterprise 2.0 or
Enterprise Web 2.0, is currently taking place with rich Web applications (RWA)
and browser-based rich Internet applications, many of which use Ajax. According
to Gupta of GlobalLogic, "Security is a weak area in Ajax and there needs to be
a concerted effort to improve awareness and understanding of the vulnerabilities
and how to deal with them, if Enterprise Web 2.0 is to succeed." But the
cross-site scripting issue is only one of the risks. Other potential problems in
Ajax code include race conditions, code correctness issues, object model
violations, insecure randomness, and poor error handling.

Security Nirvana
Vishal Dhupar, MD, Symantec India, terms Security 2.0 the enhanced version of
security needed to protect the Web 2.0 era. "The battleground for security is no
longer just the device or infrastructure, as it used to be in Security 1.0,
rather it's shifted to the information and interactions," he adds. Protecting
this information and securing these interactions takes more than bolted-on
security. It takes integrated products and services that provide a holistic view
into an organization's security posture. It also takes solutions that identify
risks early, so that steps can be taken to mitigate them and prevent an attack.
And, it entails enabling customers to manage their security events, no matter
what products they may have already installed.

Web application firewalls have evolved and now include the ability to prevent
Ajax and other XML-based attacks. A Web application firewall or XML firewall
prevents existing and emerging attacks from reaching the application server,
thus keeping the majority of Ajax and XML-borne attacks from adversely
affecting internal application infrastructure. These solutions are certainly
not all-inclusive, nor are they meant to replace existing secure development
practices, but they can augment the existing security policies by putting in
place a first line of defense that will prevent a majority of malicious traffic
from reaching the application.

Considering the fundamental difference between Web 2.0 and HTML, namely that
Web 2.0 applications are going to be more interactive with users, there is an
increased requirement for a strong architectural approach, from planning to
design to development and implementation, keeping security in mind at each
stage. According to Gupta of Cisco, Web 2.0 is not a single piece of software or
a device; rather, it's a growing platform. As mentioned earlier, security can be
compromised at multiple levels of the platform, i.e., application, database,
network and end device. For secure communication and data sharing, an
integrated, adaptive, and collaborative security approach is essential.

Shipra Malhotra
shipram@cybermedia.co.in
