Web 2.0 Threats Loom Large for IT
- By David Nagel
- January 29, 2008
With the seemingly exponential growth of Web 2.0 technologies, IT professionals
in education -- and all other sectors, for that matter -- face new challenges
as control over technology slips away and moves into the hands of users. The
very technologies that make Web 2.0 a reality (AJAX, in large part) seem to
be considerably vulnerable to security breaches that can lead to data loss,
theft and other malicious activities. And the growth of converged devices taking
advantage of these technologies adds further to the problems.
Last week, security firm Websense released a report that showed for the first time in history that Web sites compromised by "attackers" (phishers, etc.) now exceed those created specifically by attackers. In other words, more previously legitimate sites have been turned to malicious purposes than sites created for malicious purposes in the first place.
And the tool of choice in this new development? The Web 2.0 technologies used on those legitimate sites, which offer vulnerabilities attackers can take advantage of.
According to the Websense Security Labs report, which looked at security trends in the latter half of 2007, Web 2.0- and event-based attacks are on the rise, including spoofing search engine results to "drive traffic to infected sites."
Said Dan Hubbard, vice president of research for Websense, "We believe that attackers will continue to be creative and leverage Web 2.0 applications and user-generated content to create even bigger security concerns for organizations. With this in mind, organizations need to ensure their Web, messaging and data security solutions can protect the avenues hackers seek to exploit for financial gain."
But Websense is only the most recent organization raising red flags on the
vulnerabilities of Web 2.0 technologies.
In higher ed, Georgia Tech's Information Security Center released a report
entitled "GTISC Emerging Cyber Threats Report for 2008" (PDF)
in which Web 2.0 was cited first as one of the threats to watch in 2008, topping
botnets, directed messaging attacks and RFID attacks. (It also cited related
mobile convergence threats -- devices built to take advantage of Web 2.0 technologies
-- in its top 5.)
Commenting on the report, GTISC Director Mustaque Ahamad said, "As newer and more powerful applications enabled by technologies like Web 2.0 continue to grow, and converged communications applications increasingly rely on IP-based platforms, new challenges will arise in safeguarding these applications and the services they rely on. The GTISC Emerging Cyber Threats Report for 2008 highlights those areas of greatest risk and concern, particularly as continued convergence of enterprise and consumer technologies is expected over the coming year."
In that report, Web 2.0 was cited for potential client-side attacks on social
networking technologies, aimed at "stealing private data, hijacking Web
transactions, executing phishing scams, and perpetrating corporate espionage."
Mobile convergence threats included "vishing," "smishing"
and voice spam, plus denial of service attacks targeting voice infrastructure,
according to the report.
Earlier this month, the KPMG, a UK-based consultancy, released a report entitled "Risk concerns stall uptake of Web 2.0 technology in the workplace." The report focused on the adoption of Web 2.0 technologies in the business sector, citing slow adoption owing to security concerns. Of 472 executives from around the world surveyed for the report, more than half said that security is a principal barrier to adoption.
Said Crispin O'Brien, chairman of technology for KPMG, "Web 2.0 is not
just about novel consumer technology, there are real business benefits to be
derived from enabling more effective knowledge sharing and collaboration among
employees. The challenge for the technology industry is to communicate these
benefits to customers effectively and address the concerns that remain around
security and relevance to different industries."
Furthermore, just last week, the SANS
Institute came out with its own
report -- "Top Ten Cyber Security Menaces for 2008" -- naming
Web application exploits, including Web 2.0, at No. 8.
Said the report:
Large percentages of Web sites have cross site scripting, SQL injection, and other vulnerabilities resulting from programming errors. Until 2007, few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access. Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from Web programming errors as new ways of penetrating important organizations. Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes "user supplied data." In 2008, Web 2.0 vulnerabilities will be added to more traditional programming flaws and Web application attacks will grow substantially.
And related technologies didn't get off the hook either. Exploits against converged devices, such as smart phones and iPhones, were named the No. 4 threat. And Web-based digital media technologies were actually listed as the No. 1 threat category for the ways in which they create vulnerabilities within Web browsers.
Dave Nagel is the executive editor for 1105 Media's educational technology online publications and electronic newsletters.