Meet Web 2.0's evil twin

Web 2.0-enabled social networking sites present another attack vector for the bad guys, as well

The move towards Web 2.0 technologies may well be another race between functionality and security, and for now at least, security seems to be at the tail end.

Security professionals are raising the red flag on the increasing pervasiveness of Web 2.0 technologies in the enterprise, saying that while it offers the benefit of rich applications, the risks associated with Web 2.0 can no longer be overlooked.

In the enterprise, for instance, a Web 2.0-enabled architecture involves applications built as Web services that provide cross-platform access and functionalities for users. "Like submitting a record to a database or changing a piece of data (for example)," says Oliver Lavery, a consultant with Toronto-based IT security firm Security Compass.

"The problem is that what's being exposed there are very detailed, technical procedure calls -- Web service calls -- using all these new technologies that haven't really been tested and [the industry doesn't] have a lot of experience securing them," Lavery says of the inherent risks with the use of Web 2.0 technologies.

The increasing use of these new tools, without proper understanding of the security issues that may arise as a result, is giving attackers new avenues to explore, says Lavery.

Web 2.0-enabled social networking sites present another attack vector for the bad guys, as well. Web sites such as MySpace and Facebook have allowed people to actively interact and connect in real-time in ways they have never been able to before.

About 80 percent of the top 20 most-visited Web sites are Web 2.0-enabled, according to Dan Hubbard, vice-president of security research for Internet security provider Websense.

On the surface, the Web 2.0 craze may seem like a consumer phenomenon. But many security experts agree that its pervasiveness is going beyond people's homes and into the workplace, as employees access these sites from their office computer.

"The most dangerous part of any computer system are the people who run it," says University of Calgary professor Tom Keenan.

The use of mobile devices, like laptops that typically travel back and forth between the home and office, is not helping the situation either, added Keenan, who is also the IT security spokesperson for the Canadian Information Processing Society.

"Users who connect and go to Web sites (at work) that are potentially Web 2.0-enabled could get infected...and compromise your internal network," Hubbard says. A case in point was the Sammy worm that infected more than a million users of social networking site MySpace in 2005. The perpetrator, who was a MySpace user, took advantage of a cross-site scripting (XSS) vulnerability in the MySpace domain and installed a self-propagating worm that infected every system it came across. "[The Sammy worm] was a fairly benign worm that could have been a huge risk in an enterprise where you have confidential information on your users' computers," says Security Compass' Lavery.

The MySpace worm also highlighted vulnerabilities associated with the use of Ajax (Asynchronous JavaScript and XML), says Lavery. Ajax is a popular programming language for developing Web 2.0 applications. Ajax uses an engine called Jason (JavaScript Object Notation) that sends data back and forth in JavaScript, between client and server, as a simple alternative to XML. However, JavaScript is not designed to be a medium for transmitting data back and forth, says Rohit Sethi, manager at Security Compass.

"[JavaScript is] supposed to help the client experience and help make decisions on the client side, but people are using it in a manner where they are actually transmitting data via JavaScript, and it doesn't have the same controls as you have in place for your Web browser," Sethi says.

CIPS' Keenan says the use of Ajax as Web 2.0 development tool in the enterprise requires a deep understanding of all aspects of the technology, not just the rich functionality it offers but its inherent flaws as well.

"Don't pick up a power tool unless you really know how to use it and Ajax is very much a power tool," he says. By understanding the inherent flaws that exist within Ajax and other Web services tools, developers can build Web 2.0 applications that have better security built around them, notes Lavery.

The Web 2.0 sprawl is, for the most part, a largely consumer phenomenon today. But it's inevitable that the direction the technology is taking points to the enterprise, says Lavery.

"Enterprises should ask themselves, 'Is that kind of user experience necessary in our environment or can we wait a while for this technology to mature and for some of the security risks to be better understood before we start rolling out these new features?'" he said. Whatever the timeline may be, experts agree that Web 2.0 is here to stay and that it would be wise for enterprises to start getting acquainted with this beast's bad side.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mari-Len De Guzman

ComputerWorld Canada
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?