Web 2.0promises a banquet of tasty
features, rich experience and sizzling socialising. But will the
dash to gorge bring its own problems?
Given the hyperbole surrounding
rich
internet applications (RIA), Web 2.0 and social networking, you
would not be surprised to hear a Microsoft program manager, Joe
Stagner, say, "It is a perfect storm for RIAs right now. Companies
developing web applications cannot wait any longer to solidify
their RIA strategy."
The implication is clear: if your company delays building rich,
responsive, socially-networked web applications - with tools such
as
Ajax, Flex, Appcelerator and Silverlight - you could be left
behind by the competition. Your competitors are forging ahead, you
must rush to adopt.
Yet according to Ken Munro, managing director at penetration
testing specialist Secure
Test, rushing into Web 2.0 is the last thing you should be
doing, because the consequences of getting your security wrong are
severe.
"You can get a vulnerability in a web application that is
exploited one day and infects a million users the next. The
potential impact is so big, it is enough to take a brand down," he
says.
And his remarks are not fantasy. Two years ago the
Samy worm
exponentially infected over a million users of social networking
site Myspace, within 24 hours. Samy smashed a previous propagation
record, for an internet worm, set by Code Red, July 2001, which
managed only a paltry 350,000 victims after four days. Luckily for
Myspace, Samy also gained some "cool" status for its benign effect:
the payload amounted only to making the victim a "friend" of the
worm's writer.
Jonathan Armstrong, technology law partner at Eversheds, agrees
with Munro's pessimism, particularly with regard to social
networking sites. He says that reputation risk is much more
important to companies than risk from litigation or legislation.
"If you get it wrong, then you are dead. A lot of the business
models are just chasing visitor numbers, but if they compromise the
visitor, then they are worthless. The community ethos is the value
behind it, and if you destroy the ethos, then you destroy the
brand."
The desire for visitors causes experimentation with new
technologies, but the security issues these technologies bring are
not always immediately apparent. And because RIA necessarily
increases the amount of computer code downloaded to the browser, in
order to produce the desired richness, there is more for a hacker
to examine and exploit. Hackers read the source code, or perhaps
re-engineer it, and look for areas of weakness.
Ajax, a development scripting language based on
Java script, is singled
out by Munro as potentially dangerous because it operates
asynchronously, in the background, without the user's explicit
knowledge. "A lot of the processing is happening in the Ajax
engine. It is hiding some of the actual processing from you. Stuff
is going on in the background of your browser, being processed in
real time, that you are not directly controlling," he says.
Asynchronous code can help avoid the clunky reloading of web
pages. For example, instead of an entire page being refreshed when
the user completes typing into a search box, smaller incremental
data exchanges can occur, continually updating the page while the
user types.
This innovation improves a surfing experience, but it also
increases vulnerability and the amount a hacker can achieve if a
system is compromised.
Munro believes
Cross
Site Scripting (XSS) is the largest threat to Web 2.0.
Malicious XSS subverts a user's browser to run instructions from
somewhere other than the site visited, and although this attack has
been known of for many years, the introduction of RIA and
asynchronous techniques increase its potency. All a victim needs to
do is click one fraudulent link and code can be running in the
background, logging keystrokes, stealing cookies or sending
spam.
Andrew Kellet, security analyst at Butler Group, sees all this
as just a tired re-running of technological roll-outs without
proper thought. "The business IT industry is going through another
one of those head scratching exercises. When new approaches to
delivery and usage have come along, security has tended to lag
behind. There is no excuse for not putting security facilities into
products, and that goes right back to the build and
development."
To make matters worse, Kellet says many users of Web 2.0 tend to
be a self-selecting group of high-income, technology-rich
twenty-somethings. Ideal targets for fraudsters. "They are probably
employed in an industry that pays well, will have credit cards and
online account facilities," he says.
Rich pickings attract attention, but many companies are fighting
back and stipulating the security measures developers must build.
"It depends on the requirements for the particular project," says
Mike Jones, an independent RIA developer. "If you are dealing with
transactional information, especially of a commerce nature, then
you are going to use all of the tools and methods that are inbuilt
into the browser."
However, he says, "A client may say, 'we want it to be secure',
but that is just a buzzword they have heard because security is
very big at the moment. They may not have a concept of what they
are asking for."
It must not be forgotten that security issues are often deeply
technical and there can be a mismatch between business knowledge
and developer experience.
This is one reason why
Badoo, a social networking
and picture-sharing website boasting nearly 13 million users, tries
to employ only top development staff. It is a critical policy for
the company says program manager Mike Greer. "Our computer
engineers have at least ten years experience - each of them. We
hire only the people that have shown themselves to be pretty
amazing in their field," he says.
But Badoo does not rely on hope that its developers will write
secure code. Given the complex mixture of open source products
including MySQL, PHP, Nginx, plus a lot of our own in-house
developed C++ and C software, it was essential the company
established safe-site practices and policies. These included
filtering all user input for active HTML or script content,
forbidding users from adding off-site links and installing smart
captchas that brake overly active users who might turn out to be
bots.
"We have also introduced, and believe it should become an
industry standard, extended validation SSL certificates (EVSSL).
This will work with the user's browser to allow them to know when
they are on a validated site, by showing them a green URL bar,"
says Greer.
The EVSSL initiative has been driven by Verisign since a 2006
Harvard/UC Berkley study showed that 90% of consumers could not
tell the difference between a website and its fraudulent
counterpart.
Such knowledge is essential to prevent phishing, which remains a
constant threat. But Web 2.0 with asynchronous coding can make
phishing much harder to detect. "By just browsing to a website you
have got something running. We started shouting warnings about
phishing and cross site scripting being used together, and, lo and
behold, a bank was phished with an XSS attack," said Munro.
Munro is referring to January's
Banca Fideuram attack, which was the first XSS-phishing attack
to run on a bank's own website, using a genuine SSL certificate,
making it very difficult for the user to know the login screen was
fraudulent.
"Sadly, I think EVSSL is an irrelevance, and will probably just
accelerate the use of XSS in phishing attacks, as conventional
phishing attacks become less effective as a result of EVSSL," says
Munro.
This is no reason, of course, not to make it difficult for
standard, non-XSS, phishers. "Research indicates that EV is
definitely effective as a deterrent against phishing, and companies
have every reason to take advantage of EV to combat phishing," says
Tim Callan, vice-president of product marketing at Verisign.
"Companies can also take steps to protect their sites against
XSS, and they should go ahead and do that as well," says
Callan.
XSS cannot work without a vulnerability in the target site's
coding, which is why it is so important to consider security from
the outset of a website project, to ensure that security is part of
the build methodology, says Butler Group's Kellet.
And software developer, Jones, agrees saying, "Although it is
really cool to build an application and get it out there, when you
start having real people using your system you have to be very
conscious you are dealing with their data. Do not build a prototype
and then launch it. Build a prototype, do the test, learn from what
you have developed, and take that learning and build the actual
system."
Jones says he has been frustrated when he has seen clients not
taking security seriously, rushing into cool developments beguiled
by the technology, often due to time and budget constraints. "A lot
of them were start-ups rather than established businesses, but if
development's not done with due diligence, you can end up in a
pickle," he says.
Web 2.0 and rich internet vulnerabilities
Cross-site scripting (XSS): The user's browser is subverted to
run instructions from somewhere other than the site visited.
Sessions may be stolen, cookies read or keystrokes logged. Defence
includes input validation and input filtering.
Client side validation: To save network time users' input can be
checked by the browser. Hackers can inspect the validation and
either circumvent or change the checks. Validation should be
performed server-side, or checked on the server.
Thick client binary manipulation: Applications running partially
on the client can be reengineered back to source code, changed then
recompiled. Defence includes server-side programming and code
obfuscation.
Prototype theft: Object orientated programming allows code and
data to be overridden. Any XSS vulnerability may enable hackers to
"wrap" genuine code with a malicious program.
SQL injection: Database queries formulated from unchecked user
input can be vulnerable to the insertion of additional SQL syntax,
revealing data structure and security measures.