Web 2.0: An issue of trust
Amid warnings of hackers using sites such as Facebook to harvest personal details, how can we make Web 2.0 safer?
Facebook, MySpace and other so-called Web 2.0 sites have rarely been out of the headlines in the past year or so. The media loves the term "Web 2.0" because it suggests something futuristic and is far easier than writing "social networking sites, blogs, web-based communities and the like".
However, for the information security professional, it does not matter what definition is used. What is important is that there is an ever growing range of ways for users to endanger a network.
But many of Web 2.0's threats are as old as the computer security profession. CSOs looking for a new range of dazzlingly clever and nefarious ways in which criminals are trying to attack their systems will encounter the usual mix of viruses, Trojans, social engineering and users seemingly willing to put a system at risk in the pursuit of whimsy.
"Although Web 2.0 sites include exciting content, that material can also be malicious and misleading," says Yuval Ben-Itzhak, chief technology officer at web-security appliances vendor Finjan. "We should worry about Web 2.0 sites in the same way we should worry about the entire web - as it includes financially motivated malicious content we do not want in our networks, servers or PCs."
If, as many predict, Web 2.0 is the beginning of a move away from relying on an operating system to a browser-based interface, getting on top of the possible pitfalls now is a good way of future-proofing a system. People are interacting with a deafening cacophony of other users, websites and widgets. Managing usage while making the most of the rapidly changing web could be the information security professional's biggest challenge.
"You must manage this information and protect the identity of the individual and company where it can cause most damage - and this can mean lots of different things to different people," says Garry Sidaway, principal consultant at authentication specialist TriCipher. "It could be a monetary loss, reputation damage or even loss of information that can affect friends or family."
The problem is that Web 2.0 is trusted. It is the reason marketers and PR people like to use it as a means to promote their wares. Because users assume the content they are getting from these sites is genuine, and it is often recommended by peers, they are more likely to leave themselves open to attack or infection.
"Web 2.0 sites enable anyone, including criminals, to host any type of content, including malicious code, on trusted web servers," says Ben-Itzhak. "Attackers already realise that they can use these sites as a hosting platform for their criminal activity."
More importantly, criminals are well aware that simple URL filtering alone will not recognise these websites as malicious. "Technically, it is very different from five to ten years ago, when security issues predominantly concerned spam or virus attacks," says Mark Murtagh, technical director at Websense. "Systems are more open, with browsers configured to run rich-media applications, leaving gaps in a company's IT infrastructure."
The most obvious, and widely propagated, example of this is the MySpace Samy worm. A combination of cross-site scripting, gaping holes within MySpace and browsers allowing the problem to persist, meant it spread its "but most of all Samy is my hero" message efficiently across user profiles. In the end, its creator garnered more than a million MySpace contacts and the site had to be shut down to prevent further attacks.
The same applies to the amount of information about individuals stored online. In fact, with the proliferation of Web 2.0 it is growing exponentially. Sidaway points to sites such as Bebo, Facebook and MySpace, which hold the personal information of millions of people. "Any information can be - and is - being used against you," he warns. "Where appropriate, strong authentication and identification should be used to confirm identity. Too often, it is protected by information that can easily be obtained through the public domain."
He refers to the sort of detail that can be used to access online banking sites or similar, which can often be found with a simple hunt through social networking sites. Facebook, for example, offers a privacy option that hides some personal information from anyone who is not a "friend". Staff should be encouraged to switch to this setting as a default.
The threat is not just personal, either. Web 2.0 has increased the threat of company-sensitive information being linked to disreputable organisations. "Sites such as LinkedIn are designed to be used as professional networks," explains Nazario. "But they can be used to build an attack map for a hacker to find the weakest social links into a site. When mapped across multiple social networking sites, detailed information about users can be gathered, facilitating social engineering attacks."
Of course, some institutions have taken the bold step of blocking use of Facebook altogether. Many publishing companies with sales operations or advertising firms with similar setups have blocked access purely for productivity reasons. Not only that, sites such as YouTube can haemorrhage bandwidth. Two of the easiest ways to stop people using these sites are to block by DNS and by netblock.
But it is not only sales teams that are banned from Facebook. Some top financial institutions, notably JP Morgan Chase, have banned elements of Web 2.0 from their organisations. "It is because of the risks of data loss, whether intentional or otherwise," says Nick Lowe, regional director for Northern Europe at Check Point. "Banning is one option, although there are granular approaches."
Murtagh at Websense argues the technology should be embraced rather than banned, especially with the increase in flexible working, where using social networking facilities can be an enabler.
Finjan's Ben-Itzhak agrees: "Businesses looking to attract the young generation of employees will find themselves blocking key applications if they ban Web 2.0," he points out. "This is exactly the same issue businesses faced when the internet was first introduced. Experience indicates that if a security executive blocks new technology completely, this is usually an indication of a lack of knowledge on how to mitigate risk."
So management is key. It is the very issue information security professionals have been struggling with since the birth of their profession: how do you make sure the business is enabled with the tools to help it grow and compete while keeping it safe from the hordes of scammers waiting to attack?
There are products to help with this problem, although whether any of them offer the complete security answer will depend on the company. It is advisable to upgrade to technologies that can inspect Web 2.0 content in real time. For this new surface of attack, simple anti-virus and URL filtering probably will not suffice.
Web 2.0 is here to stay. Many would argue it is the beginning of a sea change in the way we operate networks as a whole, with much more work occurring on the browser. With broadband moving at lightening speed and even the most computer-illiterate employees getting the handle on Bebo and Facebook, Web 2.0 will put increasing pressure on the information security professional. But the general consensus is you cannot fight it. It would be like fighting the internet, and we all know where that got us ...
WHAT IS WEB 2.0 ANYWAY?
Web 2.0 is no longer a beta version. Walk into the classroom, bedroom or library of your offspring or younger siblings and you can see it in action. In fact, fire up your own browser and check out your bookmarks - there is a good chance at least a dozen of them are straight out of the rapidly evolving world that is Web 2.0.
Facebook, blogs, Wikipedia, Britney Spears acting drunk on YouTube - it all falls inside the sexy new cauldron of second generation, web-based interactive communities and hosted services that your PR and marketing departments think are the best thing since direct mail, and your HR departments think drain productivity and should be banned from the office, if not the world.
Mike Schema, a security research engineer at Qualys, describes Web 2.0 as a "schizophrenic relationship between technology, marketing and business models". For many, Web 2.0 is a bit of a nonsense term. It was coined during a conference in 2004 by publishing company O'Reilly Media. Even the internet's creator, Tim Berners-Lee, has questioned whether the clumping together of a lot of things people have been doing for years actually constitutes anything new. In fact, using the definition "Web 2.0" is unhelpful as it implies some sort of new-fangled internet that will replace the old one.
But it is a term information security professionals are inevitably getting used to as every employee in their organisation with access to a computer is getting on the second-generation bandwagon. So understanding what constitutes Web 2.0 is important.
"An important characteristic of Web 2.0 applications is an Ajax-based interface that performs more like a desktop application than a collection of pages that need to be continuously refreshed by mouse clicks," explains Schema. "Yet the technology behind Ajax predates the emergence of the Web 2.0 buzz and its mere use doesn't place a site into the Web 2.0 pantheon."
So, technologically, definition can be tricky. But Web 2.0 has been an enabler for thousands of businesses. "For the individual user, Web 2.0 is something that has allowed people to create and share content and collaborate online on a much wider and more intimate scale than before," says Mark Murtagh, technical director at Websense. "At a business level, it means staff have an opportunity to be creative, share, collaborate and plug information from other users within the company, as well as externally. Businesses could also tap into the opportunities offered by online communities for activities such as team or department communications, idea sharing and brainstorming."
What this will develop into is anyone's guess, although Schema has some ideas: "The post-Web 2.0 era may simply be a natural growth towards consolidating the way we create, manage, and share information into a device-agnostic, network-centric platform - the web browser." And that could mean even more security issues ...
THE WIDGET PHENOMENON
In the 1990s, gloomy stand-up comedian Jack Dee told television viewers that a "widget" was the thing that gave John Smith' Bitter its edge. The term was used as a marketing tool because "widget" literally means a device no one knows the actual name of, and it helped make the alcoholic beverage appear appealingly mysterious.
Now the term is used to describe something equally mysterious: the phenomenon of platforms on top of platforms, designed to run on websites such as social networking leviathan Facebook. The problem is, this widget is causing an information security nightmare.
"Just like on the web, widgets take possibly untrusted input and execute it locally," says Jose Nazario, senior security researcher at Arbor Networks. "However, unlike the web browser, the security model for widgets isn't well defined. Microsoft has already had to address security issues in Vista widgets, and we should expect more problems in the future."
The answer is to refrain from using non-trusted third-party widgets. That may prompt glum faces among your company's workforce, widgets are usually not business-critical and unlikely to increase productivity. So a gateway-blocking of widget file types would make sense.
"The problem is that plug-ins add more attack surface to the web browser," says Mike Schema, a security research engineer at Qualys. "When a buffer overflow or similar vulnerability is discovered in a plug-in, attackers have a new avenue to distribute Trojans, viruses etc. Combine a bug in Flash with the popularity of a site such as YouTube and you have the potential for a huge number of browsers to be compromised."
If you don't want to ban widgets, education is important. Your staff may be well-versed in the issues surrounding 419 scams, or downloading content from P2P networks. But they will idly throw caution to the wind when using YouTube or Facebook. As Schema puts it: "The sites carry an assumption of trust. Trust is an area where browser security starts to weaken."
And, he warns, browser security will not necessarily protect you. "A fundamental control in browsers prevents scripts from manipulating the content of a page loaded from one domain by scripts from another domain. Yet not all attacks are inhibited by this cross-domain restriction," he says. "Vulnerabilities such as cross-site scripting can inject malicious code into a page that steals passwords or credit-card information.
"These infected pages are served by the website and work within the expected security parameters of the browser. In other words, complex web applications are bringing us back to the point where untrusted code is executed. The only difference is that the point of execution has moved from the desktop into the browser."
It means security teams at Microsoft, Mozilla and co will have to work overtime to make sure they are coping with emerging threats. And information security professionals will have to make sure their staff are not bypassing security systems by having some fun in their lunch break.