By: Vince Hwang, Global Director of Product Management, BitDefender.
The emergence of Web 2.0 has opened up unparalleled opportunities for the IT industry and its professionals, but the security issues and vulnerabilities of Web 2.0 have yet to receive the attention they deserve. Let us look at the current state of Web 2.0 security and the worldwide activity around it.
With the proliferation of high-speed Internet access in the last decade, communication media have taken various forms, such as e-mail, instant and mobile messaging, online Web conferences, etc., that became the standard of day-to-day business interaction in the 2000s. The advent of Web 2.0 sites based on new technologies, and their rapid development during the past 5 years, opened the way to a new type of connection between individuals while also creating another bridge from companies to their customers.
But in addition to bringing together, in a virtual environment, people from different continents with common interests and activities, the online communities nested around various platforms also have to face the dangers and risks that revolve around the very open principles Web 2.0 advocates.
The stakes of open and collaborative design patterns and business models
The major difference between the old Web 1.0 (or Web 1.5, if we consider the .com blast in early 2000) and its successor is, in effect, a paradigm shift.
More than just a hollow marketing buzzword, Web 2.0 draws its origin from the scrutiny of the apparently loose principles that govern the Internet and our daily e-behavior. Rethinking the architecture and concepts behind the World Wide Web led, in the second half of this decade, to the emergence of a new series of solutions, services and options based on significantly different design patterns and models than those previously employed.
Whether we refer to adding the appropriate missing citation to a Wikipedia™ article about WWI, creating a video channel on YouTube™ for broadcasting the latest webinar, a group on LinkedIn® to easily share knowledge with subject matter experts in a particular area, or a personal Blogger™ page, all these Web endeavors ultimately revolve around the three most important keywords related to Web 2.0: participation, openness and reuse.
Or, as the father of this term, Tim O’Reilly, summarized it two years ago, “Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better the more people use them.”
This joint effort of building a Web space (rather than an isolated desktop), where continuously updated data and databases are the most precious commodity (through their user-added value) of an on-line community that permanently supports the sharing and dissemination of its knowledge and assets, also places its bet on honesty, good faith and trust.
The security factor—more than just vulnerabilities and risks
Individual users and companies are not the only beneficiaries of the Web 2.0 revolution. Attackers, hackers, harvesters, phishers and spammers get their share too—true, by violating the previously mentioned principles: their participation is mimicked, the network's gains are steered toward one-way turnover and, eventually, there is no good faith or honesty implied.
For instance, the five-step action plan for embedding Web 2.0 business models that Amy Shuen advocates in her latest book, Web 2.0: A Strategy Guide, is as feasible as it gets, not only for the honest and legitimate entrepreneurs, but also for any cybercrime business seeking to take advantage of the new technologies:
- Build on Collective User Value
- Activate Network Effects
- Work Through Social Networks
- Dynamically Syndicate Competence
- Recombine Innovations
Building on Collective User Value
One of the main components of many Web 2.0 projects is their ability to collect information from users and then share it in a form that people are willing to pay for. The implications are to some extent larger than the simple user-added value of knowledge to the system.
For instance, some third-party applications can harvest details about a user’s blog or channel, such as the other bloggers or channel owners that visited his or her page, the information they accessed from the entire published content, etc. Other applications can provide details about the specific information an individual or a business posts on-line, such as affiliations to specific groups, on-line communities or social networks, but also any other type of content available on the Internet, such as résumés, photos or videos. All these services, quite similar to those of an e-private investigator, usually require in exchange some log-in credentials, such as user names and passwords to at least some of the Web 2.0 resources the user employs (of course, in addition to a subscription and sometimes money).
In his whitepaper, What is Web 2.0, Tim O’Reilly already stressed some of the consequences that derive from manipulating data that could, to some extent, be considered private. This is actually one of the major controversies spun around Web 2.0.
On one hand, once a user (a company or person) decides to go on-line, chances are that he or she will eventually end up disclosing at least some information, in order to interrelate with other users. On the other hand, there are various ways to control the degree of information that a user chooses to disclose online.
However, problems occur when the previously mentioned third-party services and tools are involved. These add-ons or services could collect some data that under normal circumstances a user would never reveal or make public—this was the case with several widgets deployed on a social networking Web site—Facebook—that tracked, matched and advertised the connections a user had, together with details about his or her on-line purchases.
Reading the Terms and Conditions and the Privacy Policy, as well as constantly checking the “Privacy Settings” available on most Web sites, could prevent revealing facts the user wants to keep undisclosed (i.e. data that is not collective or public knowledge, but private or confidential). Yet these measures do not cover the hazardous situations in which the user’s page is hacked and data are stolen.
A user might also reveal his credentials, and his entire list of friends or connections could become public knowledge or even be used in spam or phishing-related activities.
This could also apply to other types of content: say, the draft of an article that was never posted on the company’s blog because the user wanted to review the use of commercial trademarks in order to avoid legal implications, or some pictures from the summer vacation he or she uploaded to an on-line gallery but decided not to make public because they showed him or her in a swimsuit.
Activating Network Effects
As every coin has two sides, the creation/joining and maintenance of a network, as a direct articulation of the key concepts “Web is the platform” (rather than the isolated desktop) and “Hyperlinking is the foundation of the Web”, has its own drawbacks in terms of security.
Most of them derive from the building pattern or algorithm. Although there are apparently several hundred billion pages, channels or profiles, they can be reduced, in effect, to a single template that is multiplied and (in some way, slightly) customized. For instance, behind every blog on a blogging platform there is actually the same unique architecture (and its security flaws). Remember the lesson the (in)famous Samy worm taught the users of MySpace™ exactly 3 years ago: that was less a network effect than a domino effect.
The script behind the Samy worm infected millions of subscribers by copying itself into the users’ browser and then linking them to its author. The same malicious code could very easily be improved into the secret stealth weapon of tomorrow, one which silently steals user names and passwords each time it recognizes the names of log-in Web pages belonging to Fortune 500 companies.
Working Through Social Networks
Many social networking Web sites could provide an ideal platform for the distribution of viruses, worms and bots, Trojans, rootkits, spyware, adware, grayware, rogue security software as well as other malware varieties.
For instance, unauthorized access to a professional on-line community offers an attacker the opportunity to steal thousands of perfectly valid and active e-mail addresses. He or she can later employ them to distribute infected files via e-mail attachments.
As part of a phishing campaign, the unsolicited messages might trick users into revealing their log-in credentials; when users follow typosquatted links, the fake Web sites behind them send user names and passwords to PHP scripts, as illustrated in Screenshot 1.
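As an added example (not from the article), a small Python check of the kind a mail gateway could run to flag the typosquatted links described above: it extracts the URLs in a message and compares each host against an allowlist of legitimate domains, catching both near-miss spellings and brand names buried in foreign domains. The allowlist, the sample message and the distance thresholds are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse
# Constructed allowlist: brands a mail gateway expects messages to link to.
LEGIT_DOMAINS = ["linkedin.com", "facebook.com", "myspace.com", "paypal.com"]
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def edit_distance(a, b):
    # Damerau-Levenshtein (optimal string alignment) distance
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # transposed adjacent letters cost 1 (e.g. "linkdein")
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_host(host):
    # Returns ('legit' | 'lookalike' | 'unknown', matched legit domain)
    host = host.lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # crude: no public-suffix list
    if registrable in LEGIT_DOMAINS:
        return "legit", registrable
    sld = labels[-2] if len(labels) >= 2 else host
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in host:  # brand buried in a foreign domain
            return "lookalike", legit
        # near-miss spelling (linkedln, facebok, paypa1); tighter for short brands
        if edit_distance(sld, brand) <= (1 if len(brand) < 6 else 2):
            return "lookalike", legit
    return "unknown", None

def scan_message(text):
    # List (url, impersonated domain) for every lookalike link in the text
    hits = []
    for url in URL_RE.findall(text):
        verdict, legit = classify_host(urlparse(url).hostname or "")
        if verdict == "lookalike":
            hits.append((url, legit))
    return hits

# Constructed phishing lure of the kind the article describes.
SAMPLE = """Your LinkedIn password expires today. Confirm at http://www.linkedln.com/login.php
(help: https://www.linkedin.com/help). Offer: http://secure-paypal.example-update.net/verify.php"""
```

Running scan_message(SAMPLE) flags the linkedln.com and secure-paypal links and leaves the genuine linkedin.com link alone; a production version would use a public-suffix list and an allowlist of known partner domains to limit false positives.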
Dynamically Syndicate Competence
“Online content syndication is a viral engine for the blogosphere. RSS feeds, hyperlinks, and ubiquitous news aggregators—such as MyYahoo! and Google—enable web syndication to accelerate the transfer of previously inaccessible personal and tacit knowledge and competences into publicly shared, extensively archived, and searchable web documents, images, podcasts, and video,” asserts Amy Shuen in her book.
Whether it comes to individual or business users, the data that goes on-line is, in effect, the result of a person’s work. Concepts like “Non-Disclosure Agreement”, “Classified Information”, “Sarbanes-Oxley” or “Governance, Risk and Compliance” might not apply to the channel one uses to broadcast his summer vacation movies or the blog where another comments on the latest book he or she has read. But firms should be aware of the implications that arise from the data their employees post on Web sites—either on their own or on the company’s behalf. Although “Data is the Next Intel Inside”, in the absence of a strong policy that clearly sets the border between personal and corporate content and how much of it (or of both content types) can be revealed, legal implications are likely.
Also, blog posts and comments, as well as video responses can be turned into unwanted adware or spyware, as displayed in Screenshot 2.
Without constant efforts to preserve the integrity of the displayed content, and in the absence of reinforced security measures, blogs, channels, groups and profiles might be spoofed or hijacked. Likewise, a career opportunity community that hosts members’ résumés and details their past and current working experience, as well as job duties, can be an ideal tool for blackmail and extortion if information normally available only to a small group of known people gets into the wrong hands. Since employers routinely check their candidates’ backgrounds on this type of Web site, the professional reputation of the ideal employee could easily be overlooked just because an attacker distorted the facts and figures.
Recombine Innovations
Making the big on-line step was a challenge for e-criminals as well. And they adapted and innovated too. A quick look at BitDefender’s latest E-Threat Chart reveals that in September the first 10 positions are occupied by Trojans, rogue software, adware and spyware meant to tackle the new on-line platforms. It seems that web-based e-threats are the new mass mailers, in terms of prevalence and the infection strategies used.
For instance, a spam campaign advertising nude photos of the Swedish athlete Sara Boberg did not lead to the Free Celebrity Movie Archive depicted in an arousing flashy banner, but to a malicious Web site that attempted to install a combination of malicious payloads.
Screenshot 3
While preparing the download of an alleged movie (which was, in effect, the disguised executable file name.avi.exe), Trojan.FakeAlert.AAH slipped two more files onto the system, corrupting the current wallpaper and displaying a window that informed the user about a virus detection, as depicted in Screenshot 4.
To eliminate the (fake) threats, the user was advised to install the “Best Antivirus for Windows XP or Vista”. This rogue software claimed to scan for and detect malware or other problems on the computer, while in effect attempting to dupe users into purchasing a program that does not keep threats away, but opens the door for other malware.
The rogue this e-mail spam wave introduced via malicious or compromised Web sites had already been used in previous spamming campaigns relying on different ‘hooks’, like Angelina Jolie’s nude movies, Barack Obama’s presidential campaign or U.S. troops’ attacks in Iran. As BitDefender’s latest E-Threats Chart demonstrates, this Trojan and its variants are most likely here to stay and will continue spreading.
Innovations are also recombined when it comes to using automated tools to create fake channels or profiles on social networking Web sites, for advertising goods or services or for stealing credentials. For instance, Screenshot 5 is one of the many landing pages behind a link displayed in an unsolicited message from a larger spam campaign promoting the “legal removal of your credit card and other unsecured debts” in the current context of the world economic crisis.
Screenshot 5
Web 3.0: The chance for a better World Wide Web?
Web 2.0 is, ultimately, just another step in the evolution of the World Wide Web. To put it differently, the way Web 2.0 looks and feels today is, in effect, the sum of the current Web sites and services we employ in our daily routine, with their gaps and flaws, which differ to some extent from those of their predecessors in terms of security, safety and confidentiality.
When the need arises to reengineer and redraw some of the existing architecture and principles in order to provide better services and options (including security), chances are that we will also move to the so-called Web 3.0.
However, what we should keep in mind from now on are the ethical values at the foundation of Web 2.0, such as honesty, good faith and trust.
Since the future equation of Web 3.0 necessarily includes the human factor and the way people understand and articulate these values, chances are that security breaches and system vulnerabilities will stay, probably in even darker and more perverse shades.
Probably, for the moment, the only suitable response for the near future must again rely on a silent and cost-efficient security solution that automatically detects and annihilates threats before they compromise “the long tail” of systems.