Red alert on Web 2.0 security

Security experts in Korea warn that local portals that upgrade their sites are at risk of facing the same Web 2.0 security issues as and Yahoo.

Even as Internet sites and major portals continue to upgrade their sites in line with the Web 2.0 revolution, experts warn of security vulnerabilities associated with the phenomenon.

In September, Daum Communications--Korea's second largest Internet services provider after NHN--introduced its AJAX (Asynchronous JavaScript and XML) based new homepage with an improved user interface, personalized oriented services. Once the users are logged in, the newly designed start page enables checking e-mail and Web log (blog) updates without having to go to different pages.

Yahoo! Korea also came out with its latest Web 2.0/AJAX based homepage last August. The beta version of the homepage which started in earlier May now offers more personalized services to users.

Also recently, SK communications, another major player after Daum, introduced a new search engine service through its Nate and Cyworld Web sites.

According to industry experts however, these sites should not forget about security vulnerabilities that exist in Web 2.0. and Yahoo incidents could be duplicated in Korea too
The use of new interactive programming techniques such AJAX opens up opportunities for hackers to hit a Web server, exploit sites and attack visitors. It also increases the possibility of malicious attacks through cross-site scripting flaws (XSS), experts said.

Worm attacks on or Yamanner targeting all reveal security vulnerabilities with Web 2.0.

"Sites like or Google heavily use JavaScripts to write their interactive driven Web 2.0 service programs," said AhnLab Coconut Inc. consultant Soomin Hong. "But we know attacks on Yahoo and surfaced through security flaws in JavaScripts.

"These incidents are indication of security flaws within Web 2.0 that need to be addressed. The domestic portals too are vulnerable and there is no guarantee that they will not get victimized like Yahoo or," he added.

To defend against these kinds of malicious attacks, the security experts recommend usage of Internet firewalls. Firewalls alone won’t solve all security issues but trying to rewrite Web code (long hours with higher cost), especially when it lacks the ability to defend using existing firewall, intrusion detection or prevention systems, is just as ineffective.

Implementation is another matter
The larger portals acknowledge the need to beef up Web 2.0 security using firewalls but due to their enormous traffic are unable to come up with required equipments that can handle the job. The equipment that can digest chatting, cafe blogs and all other contents are not available.

In addition, with all traffic generated from the web there is huge cost involved with setting up Internet firewall infrastructure. To defend against hundreds of different domains, huge expenses will be incurred.

"Portals realize the need for firewalls but are presently unable to implement them. Better management of parameters, prescreening for attacks, and searching for weaknesses in source code are all they can do for now. However, even with all these extra measures, the whole process is ultimately handled by a person so the error of margin always exists," noted AnhLab's Hong.

In response to current market circumstances, SK’s Infosec, an information security outsourcer and Piolink recently launched a 4GB Web firewall equipment to attract ISPs in need of better Web security.

"Up to now, portals were reluctant to purchase the lower level security hardware and wanted something that can handle more than 4 giga-levels," head of SK Inforsec’s business division Sungik Hwang said. "To meet the need we plan to introduce 10 giga-level Web firewall equipment too."

Added the head of Piolink’s marketing division Jangno Lee: "We are centering our business on larger portals and e-shopping malls. In a relatively short period, we should be able to build up a list of clients."

Yoonjung Yoo of ZDNet Korea reported from Seoul.