The internet threat landscape has changed significantly in the past ten years. Over 90% of web traffic in 1998 came from email, http and ftp activity. In 2008, internet traffic is additionally made up of file sharing, social networking sites, blogs, voice over internet protocol (VoIP) traffic, videostreaming, webconferencing and instant messaging (IM). Software as a service has also developed, with web-based email and data hosting now ubiquitous.
This complex scenario, described as web 2.0 and highlighted in the February 2008 issue of Best Practice, is one in which the outbound threats of data and information leakage and the inbound ones from malware, security vulnerabilities and phishing are both different and more complex than ever before.
Outbound threats
Apart from their high bandwidth requirements, applications such as webmail, internet messaging and blogs make it far easier to share confidential information. The porous security perimeter, which originally described the corporate security vulnerabilities resulting from the proliferation of notebook computers, PDAs and mobile phones, has become even more porous. Any type of data and any form of content can pass out of an organisation through any one of today’s web 2.0 applications. It is possible, for instance, to download or export files using IM without leaving any trace or record of having done so. Such leakage of company data can have a very damaging effect on an organisation.
Inbound threats
Web 2.0 applications are no less susceptible to malware than earlier technologies. Blogs, social networks, wikis and mashups are all open to attack.
Web 2.0 tools, for instance, enable users to upload files and documents. This increases the risk of malware being spread. For example, there are now more than 25,000 applications available for users of popular social networking site Facebook to share. Many of these applications are written by users and are made freely available in an open source manner. It is not always possible to know whether files which are downloaded from friends within social networking sites, or from applications within these sites, are malware and spyware free and, unless access from corporate environments to social networking sites is blocked, they could find their way onto corporate networks.
There are also ‘blended attacks’ that specifically target web 2.0 technologies.
Blended attacks are those in which mass-mailing virus-delivery mechanisms are used to insert trojans into target systems, which hackers can then use to bypass firewalls and other defences. For example, in December 2006, the JS.Qspace worm was discovered by Symantec on MySpace. This worm injects code which directs the user to a phishing page. The phishing page attempts to steal MySpace credentials by asking users for email addresses and passwords. Another example of a blended attack is the Monster.com resume thefts of August 2007. Typically, this sort of software is designed to intercept and pass on the details of financial transactions.
Security vulnerabilities
Insecure web 2.0 applications can create security vulnerabilities in a user’s operating system or other application. When the original security weakness is patched, the derived vulnerabilities are not necessarily also fixed and web 2.0 companies do not necessarily communicate sufficiently with users who may have compromised systems.
For example, security vulnerabilities in Gmail have caused emails to be transferred and stolen, with consequent potential data disclosure. Although Google patched the vulnerability, users of Gmail were not necessarily made aware of the need to repair the derived vulnerability in their own systems. The fact that web 2.0 companies apparently prefer to downplay such issues might lead to them becoming a preferred attack target for hackers and malware.
Ajax security
In contrast to typical web 1.0 applications, Ajax applications (which are an increasingly widespread web 2.0 technology) send a greater number of smaller requests to the server. This increased number of requests to the server, sometimes called Ajax endpoints, provides a greater number of opportunities for that traffic to be attacked. Ajax bridges also create a security risk. These enable connections between Ajax and third-party websites. An attack can occur through malicious requests from one site to another through an Ajax bridge. In addition, the traffic from one site to another may not be checked because it is thought to be trusted.
Another security issue is that of cross-site scripting, which has been defined as ‘the injection of code (such as JavaScript or VBScript) into a page that is returned to the browser’. The code is then executed by the browser, exposing the user to threats such as cookie theft, session hijacking, information leakage, keystroke logging, screen scraping and denial of service.
Privacy and information security
The personal and sensitive information that is provided on social networking sites enables people to create targeted phishing attacks. The inclusion of such personal and sensitive data creates a level of plausibility, which means that the attacks are far more likely to be successful. This highly targeted attack is called ‘spear phishing’. In addition, fake profiles are used to create false friendships for misuse at a later stage.
Some phishers are emailing invitations to associates, creating login screens that falsely represent the social site registration page and using this opportunity to acquire genuine usernames and passwords.
Many people use just one password for all of their online activity and will repeat it on the false social networking site. Acquiring knowledge of this password can be incredibly valuable to an attacker.
Information and data contained within web 2.0 sites, particularly social networking sites, are likely to be subject to privacy legislation, but the whole area is extremely complex.
Privacy is a difficult concept to define. It is also a concept about which it is difficult to identify an international legal consensus. In the UK, there is no doubt that information held by social networking sites is personal data as defined by the Data Protection Act 1998.
However, as social networking sites have been created in many jurisdictions, and as users of those sites are drawn from anywhere in the world, it is not clear what privacy laws should apply in each case. What is clear is that few social networking sites are taking significant steps to deal with the issues and this is consequently an area of new legislation - initially for the protection of children.
The understanding of web 2.0 threats is still in its infancy, but organisations are going to have a significant challenge finding a balance between deriving the real benefits that can be gained from deployment of web 2.0 technologies and ensuring that all the related threats are identified and effectively dealt with.
Techie terminology
- Ajax A set of technologies that enables greater processing to be carried out on the client computer, rather than on the server. In the traditional web application, the user clicked and then waited a while for the server to respond and refresh the page. In contrast, Ajax-enabled web pages are far more reactive, giving the user the impression that pages are updating instantly.
- Ajax endpoints In contrast to typical web 1.0 applications, Ajax applications send a greater number of smaller requests to the server which create many more points of input. The inputs are also referred to as Ajax endpoints, which provide a greater number of opportunities for that traffic to be attacked.
- Cookie A small data file that a website stores on a surfer’s computer and which contains information about the user.
- Cookie theft This occurs when an attacker uses an injection of code to obtain data held in cookies without the user’s knowledge.
- FTP A method of transferring files over the internet.
- Gmail Google Mail, or Gmail, is a free, search-based webmail service available from Google.
- Instant messaging A communication method that is analogous to a private chat room, enabling you to communicate over the internet in real time.
- JavaScript Programming language used for web applications.
- Keystroke logging Where hackers record keystrokes on a computer keyboard using special software.
- Malware Software designed for a malicious purpose.
- Mashup Multiple sources of information combined to create a single application.
- Phishing Sending emails that falsely claim to come from a legitimate company in an attempt to scam users.
- Screen scraping Where a computer program extracts data from the display output of another program.
- Trojan Hostile code concealed within bona fide code. Designed to be executed stealthily and inadvertently.
- VoIP/VOB A technology that enables voice communication across the internet.
- Wiki Web pages that enable users to collectively add and edit content. Wikipedia describes a wiki as ‘software that allows registered users or anyone to collaboratively create, edit, link and organise the content of a website’.
- XSS Cross-site scripting, which involves the injection of code such as JavaScript or VBScript onto a web page which is returned from a server to a user’s browser.
Croak and Dagger
Users of social networking sites appear to have a very weak understanding of their potential exposures. Sophos, an IT security and control company, conducted research in which it created a fake profile for ‘Freddi Staur’, a small green plastic frog who divulged minimal information about himself. Sophos then sent out 200 friend requests to observe how people would respond and how much personal information would be revealed.
The findings were as follows:
- 87 of the 200 Facebook users contacted responded to Freddi; 82 (41% of those approached) provided personal information.
- 72% of respondents divulged one or more email address.
- 84% of respondents listed their full date of birth.
- 87% of respondents gave details about their education or workplace.
- 78% of respondents listed their current address or location.
- 23% of respondents listed their current phone number.
- 26% of respondents provided their Instant Messaging screen name.
Any of this information can be used as part of a targeted identity theft, or to carry out social engineering attacks on corporate IT networks and information assets.
Alan Calder is chief executive of IT Governance Limited and author of IT Governance Best Practice Report, Web 2.0: Trends, Benefits & Risks