Ah, Web 2.0. Its endless possibilities for composing heterogeneous sources (aka "mash-ups"), its social-networking-oriented nature, its user-provided content... A Web adapted to today's powerful machines, linking people together in a world without borders, where information, pictures, videos, music, news and thoughts travel from mind to mind in a blink. That is the true agenda of Web 2.0: making human minds the nodes of the new Internet. For the best -- and for the worst.
Indeed, this savory cocktail raises some rather worrying security issues. What if a chunk of malicious user-provided content gets propagated along the social network at the dazzling speed of a so-called YouTube viral video, crossing application borders via mashed-up pages faster than it takes Miss Teen South Carolina to spell South Africa?
The very recent malware incident involving a mix of Facebook, Google Reader, Google Picasa, YouTube and fake video codecs illustrates some of the security issues implied by Web 2.0, with a bold leitmotiv: trust abuse. The trust that the victim has in major sites, and the trust that major sites have in each other.
Walking in the victim's shoes, the scenario is pretty straightforward:
My Facebook friend Tom sent me a video link, cool. Oh wait, he says this is a video of me, he sounds alarmed and he's sent it to all our common friends as well. Oh no, what could that be?!
Wait, couldn't it be one of those traps to compromise my computer? Nah, it can't be: the video is hosted on Google.com.
Now it appears to send me to YouTube but the video doesn't play. Argh, again a codec issue... I have to see it! Whew, my system found the codecs, ok, let's install them.
Clearly, the social engineering strategy employed here to lure the user into installing a Trojan horse, although refined, relies on a simple principle: get the victim to do what he/she is used to doing, using the tools that he/she trusts. Using Google, YouTube, viewing videos, installing codecs... Dredge it with a very well adapted fear factor (having an embarrassing video revealed to one's social network) and you get a pretty lethal recipe.
While this is probably one of the reasons that pushed cyber criminals to have their targets hop through Google services before meeting their dreadful fake codecs, it is certainly not the only one. Indeed, this "trusted-first-click" strategy renders the attack stealthier, more resilient and harder to cope with, for a simple reason: Facebook is not going to blacklist Google.
Just about everything here has to do with reputation: the targeted user fears having his reputation harmed, and follows a link to a reputed site, which is not filtered out precisely because it is a reputed site.
Of course, message filtering could go up one level of granularity and blacklist specific user accounts on a given site, rather than the whole site. But then the culprits just have to create another account on the same site to keep emitting filter-proof, malicious messages.
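To make the granularity argument concrete, here is an added example (not code from the original column or from Fortinet) of a link filter that checks a URL first against a domain blacklist and then against an account-level blacklist for known Web 2.0 hosts. All host names, account names and list contents are constructed placeholders; the point it shows is that a domain-level block would have to cover an entire reputed service, while an account-level block is bypassed the moment the sender registers a fresh account.

```python
from urllib.parse import urlparse

# Constructed sample reputation data (hypothetical hosts and accounts, not real services).
BLOCKED_DOMAINS = {"evil-codecs.example"}
# Account-level blacklist: (host, account) pairs seen sending malicious messages.
BLOCKED_ACCOUNTS = {("video-host.example", "malicious_user_01")}
# Reputed hosts where the first path segment identifies the user account that published the content.
ACCOUNT_PATH_HOSTS = {"video-host.example", "reader.example"}


def extract_host_and_account(url):
    """Return (host, account) for a URL; account is None when the host is not a known account-scoped service."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    account = None
    if host in ACCOUNT_PATH_HOSTS:
        segments = [s for s in parsed.path.split("/") if s]
        if segments:
            account = segments[0].lower()
    return host, account


def filter_link(url):
    """Decide whether a link is allowed, and which rule (domain or account) blocked it."""
    host, account = extract_host_and_account(url)
    if host in BLOCKED_DOMAINS:
        return ("block", "domain")
    if account is not None and (host, account) in BLOCKED_ACCOUNTS:
        return ("block", "account")
    return ("allow", None)


def evaluate_links(urls):
    """Run the filter over a batch of links and return the decision per URL."""
    return {url: filter_link(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample links: a direct malware host, a blacklisted account on a reputed
    # service, and the same content republished from a freshly created account.
    sample = [
        "http://evil-codecs.example/setup.exe",
        "http://video-host.example/malicious_user_01/video",
        "http://video-host.example/malicious_user_02/video",
        "http://reader.example/legit_user/shared",
    ]
    for link, decision in evaluate_links(sample).items():
        print(link, "->", decision)
```

The third sample link is the case the column describes: the reputed host is not blacklisted, the new account is not yet known, so the link sails through. Any filter built this way is reactive by construction, which is why the text argues for combining it with other signals rather than relying on reputation alone.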
In the end, for the attackers, it really boils down to the following question: is it easier to create accounts on a reputed Web 2.0 service than to register new domain names and set up new hosts? At the very least, it's cheaper, since it's free -- unlike domain name registration -- and faster. Can it be automated? The CAPTCHA tests required for account creation should prevent it from being, but haven't those been broken? And even if they haven't, isn't it cheaper to have someone solve them for you than to register a domain name?
At this point, it has to be noted that in an era where a lot of filters, including spam filters, work by sender reputation, cyber criminals might have an advantage if they continue to leverage reputed services, which also makes the case for combining multiple security services to address Web 2.0 threats. For attackers, the user-content-enabled, mashed-up model of Web 2.0 certainly provides numerous rounds of ammunition.
* Guillaume Lovet is a senior manager of security research for Fortinet, a network security appliance vendor. More of his research can be found in the company's FortiGuard Center.