Owners made the decision to filter content because they wanted to take extra steps to ensure their employees were not wasting time surfing the internet while at work. But for Jerry Maze, well versed in the security implications of the modern web, the decision to filter content is about protecting the network.

“These [user-driven] sites are constantly evolving,” says Maze, the CIO at the 200-employee company that supplies fruits and vegetables to such restaurants as Red Lobster. “You almost need some kind of gatekeeper. At least when you put a lock on the door, it keeps the honest people honest. But when you leave your front door open and a crook is driving down the street, he’s more apt to come in.”

Welcome to Web 2.0, where never before has the internet been so full of life — and never before has it been so deceptively dangerous. While no standard definition exists, Web 2.0 describes the new wave of interactive, user-as-publisher sites dotting the landscape, such sites as MySpace, YouTube, Wikipedia and Blogger, in addition to so-called mash-up sites employing programs like Google Maps. Web 2.0 contains a dynamic, responsive element traditionally reserved for desktop applications.

But with this richer client experience and newfound end-user influence come a slew of ways to abuse the web, such as AJAX-enabled (Asynchronous JavaScript and XML) cross-site scripting attacks that anti-virus software, intrusion prevention systems and firewalls likely will not protect against. Webmasters often lose control of their content in a tradeoff to create a more attractive web destination.

Attackers also can exploit these vectors’ massive user bases to quickly spread malware. “We’re at the forefront of this [Web 2.0],” says Hemanshu “Hemu” Nigam, the Los Angeles-based MySpace’s newly charged CSO and a former Microsoft executive. “When you’re at the forefront of something grand, unique and amazingly popular, the bad guys pay attention. As a bad guy you now have an attack vector that has increased from not just the company, but to the people who are coming to use the services of that company. When you empower users to do things, you’re going to have users who will inadvertently or on purpose do things to abuse the site.”

In December, the popular social networking site hosted a patch for Apple after MySpace was hit by a cross-site scripting worm, which took advantage of JavaScript functionality in the QuickTime player used by many users to run videos on their profile pages. The goal of the attack was to steal login credentials and lure users to a pornographic site hosting spyware.

Developers, meanwhile, in a rush to push out the trendiest Web 2.0 application, often overlook security and fail to properly code pages and validate input. If anything highlights the growing need to build security in, Web 2.0 might be it.

“From a security perspective, this sounds like déjà vu all over again,” Gartner analyst John Pescatore says in a November report that compares current internet practices to the early days of the web. “If enterprises don’t demand basic security capabilities in Web 2.0 applications and don’t adapt existing security processes and controls to the new concepts, waves of security incidents and business interruption will wipe out any increase in productivity or customer value.”

Web 2.0 and cross-site scripting
The web nowadays is all about the user. As if this so-called revolution needed more validation, Time magazine named “You” its 2006 Person of the Year. The current internet taps into the collective intelligence of crowds — think Digg.com, where a community of users posts tech news — to draw the most pertinent information to the top, say experts.

“A lot of the really successful websites have been able to tap into mass customer decision-making or behavior,” says author Gerry McGovern, whose latest book, Killer Web Content, teaches readers how to create web content that will get people to act. “[The internet] is customer empowered in a way it wasn’t before. The success of the web is built around networking, and these sites have become places where people hang out.”

Many of the security concerns plaguing Web 2.0 are no different than issues that have affected the internet since its inception. “JavaScript was a security disaster when it was invented, and it’s been a security disaster ever since,” says Brian Chess, chief scientist at Palo Alto, Calif.-based Fortify Software.

What makes these security concerns more pronounced now is that Web 2.0 promotes user involvement more than ever before, so, theoretically, today’s profit-driven cybercriminal can exploit certain sites to unleash malware. Most common are cross-site scripting (XSS) attacks, in which attackers exploit poorly designed code to run script in a victim’s web browser, which could allow them to steal cookies or launch a phishing attack.

XSS attacks can be activated either by a user unwittingly clicking on a fraudulent link or by simply visiting a webpage embedded with malicious code. Nowadays, many websites that permit users to manipulate code are inherently flawed. “Just about every website in the world is vulnerable to cross-site scripting,” says Jeremiah Grossman, founder and CTO of Santa Clara, Calif.-based WhiteHat Security.

Researchers say websites that employ AJAX applications are even more susceptible to silent attacks because the technology reduces the time between the client’s HTTP request and the server’s answer. The result is a more responsive application that does not require a page reload (Gmail is an example). But the lightweight technique adds complexity, making it harder to test, thus opening the door to holes and the behind-the-scenes XSS and SQL injection attacks that result, says Dan Cornell, principal of the Denim Group, a software development and security consulting firm based in San Antonio.

“What AJAX has done is taken logic in server-side language and moved it to the client side in HTML and JavaScript,” says Cornell, whose company has donated Sprajax, an AJAX vulnerability scanner, to the Open Web Application Security Project. “Attackers can run JavaScript on another user’s screen and make requests as that user. Developers are still trying to understand how this AJAX stuff works.”

Some security experts predict doom for Web 2.0, unless designers get their act together. “They’re all highly customizable, letting you include an incredible amount of your own content,” says Allysa Myers, a virus research engineer at McAfee Avert Labs. “On the one hand, this is a brilliant idea and has made the internet a much more compelling place. On the other hand, no one has given much thought to security as these places were being built up. Without this change of direction, it could be that within a couple of years, these sites may become functionally unusable — they’ll be crushed by the very thing that made them revolutionary.”

MySpace, the fifth most trafficked website in the world, according to Alexa, a web information company, and the most popular U.S. site, according to Hitwise, an online competitive intelligence service, is certain to never forget Oct. 4, 2005. That was the day it was forced offline to clean up from one of the first (and worst) worms to exploit an XSS condition.

The Samy worm, named after its creator, produced JavaScript code embedded in HTML that was able to circumvent MySpace’s filters and be executed in web browsers. The infection spread like wildfire, adding one million “friends” to Samy’s profile in fewer than 24 hours. While the scheme was the brainchild of a 19-year-old software developer wishing to be funny while exposing MySpace’s flaws, many experts predicted a financially motivated XSS attack on the site would not be far off.

At the time, MySpace had a little more than 30 million members. Now the site boasts more than 130 million profiles, with 80 million unique visitors, says CSO Nigam, who joined MySpace on May 1 and also heads security at Fox Interactive Media’s approximately dozen other properties. (Rupert Murdoch’s News Corp. purchased MySpace for $580 million in July 2005, and it is now reportedly worth as much as $6 billion.)

Nigam, 42, is MySpace’s first-ever CSO. His hiring was largely heralded as a move to increase the online safety of millions of MySpace underage members from the perils of child exploitation. And for good reason — Nigam’s résumé includes stints as a federal prosecutor, a Los Angeles district attorney and, most recently, director of consumer security outreach and child-safe computing at Microsoft.

But Nigam, who also spent some time investigating computer crimes while at the Department of Justice, says his goal is to keep MySpace members safe and secure. He currently is overseeing an initiative to hire more code writers. “At the end of the day, our job is to protect our member base,” he says. “They don’t come to our site because they want to be approached by a predator, or phished.”

Information security incidents plaguing MySpace are becoming more frequent as attackers realize the sheer size of the social networking site’s user set. Aside from the QuickTime issue, MySpace also has suffered from a Flash vulnerability that redirected users to a blog discussing Sept. 11, 2001 conspiracy theories, and flawed banner advertisements — hosting the months-old Windows metafile bug — that permitted drive-by downloads.

In both cases, though, Nigam places some of the blame and responsibility on third-party contributors and end-users. In order to fix the Flash problem, MySpace asked users to upgrade to the latest player. And the banner advertisement incident forced MySpace to reassert that its partners run their own security checks. It also exemplified the importance of a responsible end-user. “If you don’t install the patch and there’s a new vulnerability going out, it’s easy to blame the website, but the reality is if you were patched, it wouldn’t have happened,” Nigam says.

MySpace has also shut down phishing websites attempting to mimic MySpace, including the crafty rnyspace.com and myspaceplus.com. One user even customized the URL of his real MySpace profile to appear like the legitimate MySpace login page.

MySpace has not stood silent, Nigam says. The company, with the help of the FBI and the Secret Service, is actively pursuing offenders through lawsuits and criminal charges.

But MySpace is not passing off all the blame. Aside from forming an incident response team, MySpace is in the process of creating a dedicated in-house team of engineers whose goal is to write secure code, Nigam says. He would not say how big the team will be, other than that he is actively hiring — currently about 350 to 400 people are employed by MySpace.

“We’re ramping up [the engineering team] to create a stronger groundwork,” Nigam says. “We know web application security is going to be critical. That’s where hackers are going to focus their attention. When engineers create something, I say, ‘Tell me the cool thing you’re creating, and then tell me how the bad guys are going to misuse it.'”

Corporations and developers
For the enterprise, the double-edged sword that is Web 2.0 becomes especially problematic. Network administrators have an easy decision when it comes to blocking access to pornographic and casino websites — popular carriers of viruses, spyware and other malicious content — but limiting access to well-regarded Web 2.0 sites is not such an easy sell. Wikipedia, after all, can have real informational value for an employee.

But organizations must be aware that social engineering tactics through Web 2.0 should only increase, say experts. This is not to mention the additional risk organizations face over employees posting sensitive company information to blogs. Gartner estimates the peak number of bloggers will reach around 100 million at some point in the first half of this year.

In 2006, industry observers saw a trend among attackers to target Web 2.0 for profit. The days of annoying but innocuous Web 2.0 worms appear to be over. “Ultimately there’s an end game here to install adware and spyware on the user’s computer,” says Tim Erlin, vulnerability and exposure manager at nCircle, based in San Francisco.

Chess of Fortify says the key to securing Web 2.0 is for application developers to perform comprehensive input validation, particularly on the server side.
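The XSS condition described earlier and the remedy Chess prescribes, as an added example that is not from the article or from any of the companies it quotes: a JavaScript (Node.js) snippet that renders a user-supplied profile field the unsafe way, concatenated straight into HTML, and the hardened way, HTML-encoded at output time and checked against an allow-list on the server. The field name, the test payload and the name pattern are constructed for the example.

```javascript
// Added example, not from the article or the companies quoted in it:
// server-side allow-list validation plus HTML output encoding for a
// user-supplied profile field.  Field name and payload are constructed.

// Constructed test input: markup that a browser would execute if it reached
// the page unencoded.
const UNTRUSTED_NAME = '<script>alert("xss")</script>';

// The pattern the article warns about: user data concatenated straight into HTML.
function renderProfileVulnerable(displayName) {
  return '<h1>' + displayName + '</h1>';
}

// Encode the characters that change HTML parsing state in text and attribute
// values.  Done at output time, for the HTML body/attribute context only;
// JavaScript, URL and CSS contexts each need their own encoding.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened form: same markup, but the untrusted value is encoded first.
function renderProfileSafe(displayName) {
  return '<h1>' + encodeHtml(displayName) + '</h1>';
}

// Server-side validation: accept only what a display name can plausibly contain
// (letters, digits, space, period, apostrophe, hyphen; 1 to 40 characters).
// This is defence in depth, not a replacement for encoding: "Mary O'Brien" is
// a legitimate name that must still be encoded before it is written into HTML.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} .'\-]{1,40}$/u;

function validateDisplayName(value) {
  return typeof value === 'string' && DISPLAY_NAME_RE.test(value);
}

// Check used below to show the difference between the two renderings.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderProfileVulnerable(UNTRUSTED_NAME));
console.log('hardened:  ', renderProfileSafe(UNTRUSTED_NAME));
console.log('validation rejects payload:', !validateDisplayName(UNTRUSTED_NAME));
console.log("validation accepts Mary O'Brien:", validateDisplayName("Mary O'Brien"));
```

Validation rejects input that cannot be a name at all; encoding is what neutralises markup in anything that does pass, so the two controls complement each other rather than substitute for one another. The rejected payload never reaches storage, and a value such as O'Brien is stored as typed and rendered as text.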

Organizations, meanwhile, must ensure their browsers have received the latest security updates and are configured to restrict the running of certain scripts. Options also include deploying software that scans for malicious web content, analyzes website code and restricts access to certain domains, say experts.

Companies should enact policies governing access to their LAN, too, says Tom Newton, product manager at SmoothWall, a U.K.-based open-source firewall provider. “If they get infected with something from Web 2.0, you’ll have infections everywhere instead of just in one place,” he says.

Web security vendor ScanSafe has reported that one in 600 social networking pages hosts malware. Maze, Royal Food’s CIO and a ScanSafe customer, says employees have difficulty avoiding trouble on the new web.

Still, educating the end-user will also be crucial in the fight to secure Web 2.0. MySpace’s Nigam says he understands the enormous reach of his website and is dedicated to using that power to secure the new age of digital communication. MySpace plans to increase the amount of cybersecurity awareness resources posted to its site.

“We want to be the global leaders in this area,” Nigam says. “We have an opportunity to create greater awareness around an area that is important to how you operate anywhere around the internet.”


FIGHTING BACK:
MySpace attracts hackers

The mass user base of MySpace provides the malicious community with an unprecedented vector to spread spam and other malware.

Since Hemanshu “Hemu” Nigam took over as the site’s CSO last spring, MySpace has instituted a slew of new controls and measures to keep the malicious community at bay.

  • The site has limited the number of emails one member can send per day.
  • Only a member’s “friends” can receive group requests.
  • Every video uploaded to the site is re-coded, and the site reviews the 13 million images uploaded to it each day.
  • An “automated alert system” was introduced that signals to engineers when a user’s account is being used for unnatural purposes.

A CA/National Cyber Security Alliance survey revealed that 57 percent of people who use social networking sites admit to worrying about becoming a victim of cybercrime.

“Those sites aren’t really websites,” says Tom Newton, product manager at U.K.-based SmoothWall. “They aren’t anything without their participants, without the public. The problem with a lot of things with Web 2.0 is you have public contributors. Every time you visit a site like MySpace or Wikipedia, you’re trusting the hundreds of thousands of third-party contributors.”

Nigam wants users to feel secure. “We’re a responsible company,” he says, “and people with bad intentions are just not welcome here.”
— Dan Kaplan


WEB 2.0:
Tips for securing

Gartner analyst John Pescatore offers the following advice to Web 2.0 application developers in a research report:

  • Designers should create a threat model at the start of the development process.
  • All Web 2.0 code should be tested for vulnerabilities prior to production.
  • All Web 2.0 interactions, particularly query strings, should undergo filtering and validation to prevent attack insertion.
  • The product should be tested against known threats and coding best practices.

— Dan Kaplan


ANOTHER WEB 2.0 RISK:
RSS feeds, caching servers

Rich Site Summary (RSS) has become a staple of the dynamic Web 2.0 phenomenon, yet subscribers should be wary of malicious JavaScript being embedded in the feeds or vulnerable feeders, security experts say.

RSS is a useful XML-based method to syndicate content, such as news stories or blog posts. But attackers can embed malicious code in the feeds and vulnerable feed readers — applications that were not designed with security in mind — could allow the JavaScript to run.

In addition, users who are now accepting feeds into their mailboxes are not applying proper security controls, says Dan Nadir, vice president of product strategy at San Mateo, Calif.-based ScanSafe.

“Users are putting readers in their Outlook and downloading web content that ends up in their mailbox,” he says.

Microsoft has chimed in on the issue. In its Windows RSS Platform and Internet Explorer 7, the software giant has implemented a “sanitation” feature that removes script from the HTML fields of a feed.

— Dan Kaplan
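The article describes Microsoft's feature only as removing script from a feed's HTML fields. What follows is an added example of how a feed reader can do that with an allow-list, written for this page in JavaScript (Node.js); it is not based on the Windows RSS Platform code or on anything else from the article. The sample description field, the allowed tag and attribute sets, and the function names are all constructed for the demonstration.

```javascript
// Added example, not the Windows RSS Platform code or anything from the article:
// an allow-list sanitizer for the HTML fields (title, description) of an RSS
// item, as a feed reader might apply before rendering.  The tag/attribute
// allow-lists, function names and sample text are all constructed here.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = { a: new Set(['href']) };   // no event handlers, no style, anywhere
const VOID_TAGS = new Set(['br']);

// Constructed sample: the description field of one <item>, carrying the kinds
// of script the article warns about alongside legitimate markup.
const FEED_DESCRIPTION =
  '<p>Quarterly <b onmouseover="alert(1)">results</b> are out. ' +
  '<a href="javascript:alert(1)">Read more</a> or see ' +
  '<a href="https://example.com/report?a=1&amp;b=2" target="_blank">the report</a>.</p>' +
  '<script>alert(1)</script>' +
  '<img src="x" onerror="alert(1)">Trailing &copy; 2007';

// Decode entities so attribute values are inspected as the browser would see them.
function decodeEntities(s) {
  const named = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (whole, hex, dec, name) =>
    hex ? cp(parseInt(hex, 16)) : dec ? cp(parseInt(dec, 10)) : (named.get(name.toLowerCase()) ?? whole));
}

function encodeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Text nodes: escape bare '&' and '>' but leave well-formed entities alone.
function encodeText(text) {
  return text
    .replace(/&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#x[0-9a-fA-F]+);)/g, '&amp;')
    .replace(/>/g, '&gt;');
}

// Links survive only with an http(s) scheme; javascript:, data: and anything
// obfuscated with entities or control characters fails the allow-list.
function safeHref(rawValue) {
  const url = decodeEntities(rawValue).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  return /^https?:\/\/\S+$/i.test(url) ? url : null;
}

const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttributes(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let result = '';
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(raw)) !== null) {
    const attr = a[1].toLowerCase();
    if (!allowed.has(attr)) continue;                 // onclick, style, target... dropped
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (attr === 'href') {
      const href = safeHref(value);
      if (href) result += ' href="' + encodeAttr(href) + '"';
    }
  }
  return result;
}

function sanitizeFeedHtml(html) {
  const out = [];
  const open = [];   // allowed elements currently open, so output stays balanced
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const tok = m[0];
    if (tok.startsWith('<!--')) continue;                       // comments dropped
    if (tok === '<') { out.push('&lt;'); continue; }            // stray '<' is text
    if (!tok.startsWith('<')) { out.push(encodeText(tok)); continue; }
    const name = m[1].toLowerCase();
    const isClose = tok[1] === '/';
    if (name === 'script' || name === 'style') {                // drop element and its body
      if (isClose) continue;
      const close = html.toLowerCase().indexOf('</' + name, tokenRe.lastIndex);
      if (close === -1) break;                                  // unterminated: drop the rest
      const end = html.indexOf('>', close);
      tokenRe.lastIndex = end === -1 ? html.length : end + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;                      // unknown tag dropped, its text kept
    if (isClose) {
      if (open.includes(name)) {
        let top;
        do { top = open.pop(); out.push('</' + top + '>'); } while (top !== name);
      }
      continue;
    }
    out.push('<' + name + sanitizeAttributes(name, m[2]) + '>');
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push('</' + open.pop() + '>');
  return out.join('');
}

console.log(sanitizeFeedHtml(FEED_DESCRIPTION));
```

The design choice worth noting is the direction of the list: the sanitizer names what may pass and drops everything else, so a new event-handler attribute or an unfamiliar element needs no update to stay blocked. A deny-list that tried to enumerate dangerous constructs would have to be revised every time one was found. In a reader, this function would run on each item's HTML fields after the feed is parsed and before the result is handed to the rendering control.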