Web 2.0: A doorway to crime

Empowering users to contribute content will make Web realm an ideal breeding ground for malicious attacks, says Trend Micro security expert.

The notion of Web 2.0, where users share information and contribute content in a vibrant fashion, makes it "a natural for cybercrime", according to a security expert.

David Perry, global director of education at Trend Micro, told ZDNet Asia in an interview that in a Web 2.0 environment, users can contribute text, Web links, MP3 files and other media files, but what the world has learnt about these "files" in the last 10 years is that "they're all 'infectable'".

"Here we are, we're going to change the Web--we're going to make it welcome for everybody everywhere to post [infectious] code to [a] Web site and the whole world can see it immediately," he pointed out.

"Web 2.0 is a natural for cybercrime," Perry added. "[It] is one of the big reasons we're seeing such a rapid spread in Web-based threats today."

Joseph Telafici, vice president of McAfee's Avert Research, noted in a separate interview that there have been "attacks against a lot of Web 2.0 properties to date".

"In all cases you're looking at some kind of centralized database of info that users are allowed to modify arbitrarily on which there is essentially little to no security checks," said Telafici. "It's a fairly common story in IT security that we usually think about security after we've designed the [system] and shipped it.

"Because that data is usually centrally controlled, there are options that are not available in other sorts of attacks. For example, if someone finds a vulnerability in IIS (Internet Information Services) or Apache, then somebody's got to hack individual Web servers one by one in order to get [to] more than one server, but if you can exploit a database entry on some Web 2.0 site then everyone who uses it sees it regardless of where they are coming from," he added.

According to Trend Micro's Perry, organizations that embrace Web 2.0 applications can take certain precautions to mitigate the risks. For example, those that use the Web 2.0 applications internally should "restrict access and privileges to a group of users". Trend Micro, he added, is currently building a wiki for internal education purposes, where only Trend employees can view it and only Trend Labs members can post on it.

It is also "vital" to install Web server protection software that constantly scan for malicious threats and restrict certain ports such as file sharing ones, said Perry. Organizations should also follow generally accepted best practices and security procedures.

Organizations that run Web 2.0 applications for external audiences should avoid hosting the applications on their own networks, noted Perry. His advice: "Send off to a hosted network that belongs to somebody else…don't have it inside your firewall."

McAfee's Telafici added that new or existing Web 2.0 developers should "run over the content" before inserting it into the database would serve as a good "sanity-check".

Beware zero-day Web app threats
With the rise in attacks on Web applications, zero-day threats on Web applications are also increasing, said Rohit Dhamankar, senior manager of security research at TippingPoint, during a teleconference Wednesday with analysts and media.

Dhamankar, who is also the editor of SANS Top 20, an annual tracker of the 20 most serious security threats, noted that on some weeks, hackers post as many as hundreds of flaws in Web applications on public security mailing lists. "In many cases, there are no patches available at the time of posting…many of these flaws are very easy to exploit," he added.

More needs to be done to raise the level of awareness of zero-day flaws in Web applications. People are aware of zero-day flaws in, for example, Microsoft Office applications, but they tend to forget that there are cybercriminals who try to exploit vulnerabilities in even content management systems, Dhamankar pointed out.

"These zero-days do not get publicity like Microsoft's [software] because the deployment base for a particular Web application may not be as great as a Microsoft Office application," said Dhamankar. "But we have through our intrusion prevention system monitors frequently seen that within days of a hacker's posting to the security mailing list, these attacks get added to the 'Web hacking toolkits' and hackers start attacking these Web applications."