RealTime IT News

Web 2.0 in Enterprise Needs a Lock

SAN FRANCISCO -- The culture of participation fostered by Web 2.0 applications like blogs, wikis and widgets has turned end-users into content creators and developers. But when consumers come to the office, they need to leave their open mindset at the door.

A peer-to-peer discussion led by Charles Renert, senior director of advanced content research at Websense, showed how easily collaboration tools can insert malicious code into trusted sites.

Collaboration and social networking tools have already made strong inroads into the enterprise, both through sanctioned channels and through unauthorized downloads. Earlier this week, IBM introduced the IBM Mashup Center, a bundle of tools for non-technical users and developers. And Gartner predicts that the market for enterprise social software will more than double in the next three years, reaching $707.7 million by 2011.

Businesses realize that to attract younger customers, they need to provide the kind of open online environment they're used to from MySpace and Facebook. But how do you explain to the guy who posted shots of his naked self guzzling a margarita on a consumer photo-sharing site that putting his account data into a comment on your financial services company's blog is a no-no?

"Any technology that allows the end user to write script is dangerous. If I can get you to come to my wiki or blog, and I have JavaScript there, I can do all kinds of nefarious things," an IT administrator for a financial institution pointed out.

Sans security controls, company-hosted blogs and wikis make it all too easy to post malware. Then, the trusting, sharing culture of Web 2.0 encourages others to click on the link. Even reading blog comments could activate malicious JavaScript.

The "Samy Is My Hero" MySpace Worm was an early example of how this could work, Renert said. In October 2005, Samy Kamkar wrote a script that not only added anyone who came to his page as a friend, but propagated itself so that anyone who came in contact with them also got automatically added. The perpetrator ended up with a million friends -- and three years' probation.

This isn't a new threat, of course. But in the pre-blog days, most Internet traffic went to a few trusted sites. Now, search or a blog post can send users directly to obscure blogs with unknown provenance.

"In the old days, you'd distribute malware via e-mail," Renert said. "Now, a lot of the traffic on the largest sites is user-contributed information. The concept of trust in the content is kind of lost. Anyone can insert anything into extraordinarily high-traffic sites."

Phishing has also become easier thanks to social media. "Bad guys can install links or other things anywhere in the content stream," Renert said. "A comment might say, 'I read about this great travel deal, go to my page on eBay.' Instead, it will take you to a complete hacker site."

Data leakage has found a new channel, as well. In addition to hackers breaking into databases, employees may naively transfer sensitive corporate information into collaboration tools. The information may then be copied and shared outside the company.

IT departments will continue to try to keep the reins on applications used in the enterprise, but most Web 2.0 applications reside on the Internet, accessed through a browser. Websense's solution to these problems is a service that scans every piece of content received by or sent from corporate computers and servers. Even comments on a blog post made from a work computer can be inspected for words, numbers or strings indicating the information might be proprietary.