http://www.zdnet.co.kr/etc/eyeon/internet/0,39036962,39151447,00.htm
By Yoonjung Yoo
September 25th, 2006

One by one, internet sites and major portals continue to upgrade their sites with the latest trend, Web 2.0. But according to experts, Web 2.0 carries many security vulnerabilities.

On the 18th, Daum Communications (Korea's second largest Internet firm after NHN) introduced its new AJAX-based homepage, with an improved user interface (UI) and more personalized services. Once users are logged in, the redesigned start page lets them check e-mail and updates from their blogs and cafes without having to visit separate pages.

Yahoo! Korea also came out with its latest Web 2.0/AJAX-based homepage on August 1. The beta version of the homepage, which started in early May, now offers more personalized service to users. Recently, SK Communications (third behind Daum) also introduced a new Web 2.0 search service through its Nate and Cyworld websites.

As the trend indicates, Web 2.0 is moving toward user-centered services. However, most of these Web 2.0-based websites should not forget the security vulnerabilities that exist in Web 2.0, according to industry experts.

MySpace.com and Yahoo incidents could be duplicated in Korea too

As more and more websites build interactive Web 2.0 features in JavaScript, techniques such as AJAX (Asynchronous JavaScript and XML) also give attackers new ways to hit a web server, exploit the site and attack its visitors, and increase the likelihood of malicious attacks through cross-site scripting (XSS) flaws, experts said. The worm attacks on MySpace.com in the US (a counterpart to Korea's Cyworld) and the Yamanner worm targeting Yahoo.com both exposed security vulnerabilities in Web 2.0.

"Sites like MySpace.com or Google make heavy use of JavaScript to write their interactive Web 2.0 services. But we know the attacks on Yahoo and MySpace.com surfaced through security flaws in JavaScript," said AhnLab Coconut Inc. consultant Soomin Hong. "These incidents are an indication of security flaws within Web 2.0 that need to be addressed. The domestic portals are vulnerable too, and there is no guarantee that they will not be victimized like Yahoo or MySpace.com," he added.

To defend against these kinds of attacks, security experts recommend deploying web firewalls. A firewall alone will not solve every security issue, but rewriting the web code takes long hours at higher cost, and existing network firewalls, IDS and IPS are simply ineffective at defending against these attacks.

Portals agree on the need for firewalls, but implementation is another matter

The larger portals acknowledge the need to beef up Web 2.0 security with firewalls, but because of their enormous traffic they are unable to find equipment that can handle the job. Equipment that can digest chat, cafe blogs and all the other content simply is not available. In addition, with all the traffic the web generates, setting up a web firewall infrastructure involves huge cost; defending hundreds of different domains is a major expense.

"Portals realize the need for firewalls but are unable to implement it at present. Better management of parameters, prescreening for attacks and finding weaknesses in source code are all they can do for now. However, even with all these extra measures, in the end the whole process is handled by a person, so a margin of error always exists."

Aware of this market situation, SK Infosec, an information security outsourcer, and Piolink recently put out 4-gigabit web firewall equipment aimed at internet firms in need of better web security.
Sungik Hwang, head of SK Infosec's business division, said, "Up to now, portals have been reluctant to purchase lower-level security hardware and wanted something that can handle more than the 4-gigabit level. To meet that need, we plan to introduce 10-gigabit web firewall equipment too."

"We are centering our business on larger portals and e-shopping malls. In a relatively short period, we should build up a list of clients," said Jangno Lee, head of Piolink's marketing division.
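The kind of XSS exposure the experts above attribute to AJAX-driven pages, as an added example that is not from the article or from any of the portals it names: a start page renders a fetched list of blog and cafe updates, first by splicing the response straight into HTML and then with escaping, plus a check a portal could run over rendered output to flag inline event handlers. The update list is constructed sample data, and the function and field names are assumptions.

```javascript
// Added example (not from the article): how an AJAX-driven start page can
// introduce a cross-site scripting flaw, and the hardened alternative.
// Runs without a browser; the "response" below is constructed sample data.

// Constructed stand-in for an AJAX response listing blog/cafe updates.
// The last entry stands in for content a malicious user posted, which a
// worm of the MySpace/Yamanner kind relies on being rendered as markup.
const sampleUpdates = [
  { author: "alice", title: "New photos from the weekend" },
  { author: "bob", title: "Cafe meetup <3" },
  { author: "mallory", title: '<img src=x onerror="alert(1)">' },
];

// Vulnerable renderer: splices untrusted fields straight into HTML, so any
// tag or event-handler attribute in the data runs in every viewer's browser.
function renderUpdatesUnsafe(updates) {
  return "<ul>" + updates.map(u =>
    "<li><b>" + u.author + "</b>: " + u.title + "</li>").join("") + "</ul>";
}

// Minimal HTML entity escaping for text placed inside an element body.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: every untrusted field is escaped before it reaches the
// markup. In a real page, prefer textContent/createTextNode over innerHTML.
function renderUpdatesSafe(updates) {
  return "<ul>" + updates.map(u =>
    "<li><b>" + escapeHtml(u.author) + "</b>: " + escapeHtml(u.title) + "</li>").join("") + "</ul>";
}

// Regression check over rendered output: true if any tag still carries an
// inline event-handler attribute (on...=), i.e. untrusted markup survived.
function hasInlineHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

console.log("unsafe renderer leaks handler:", hasInlineHandler(renderUpdatesUnsafe(sampleUpdates)));
console.log("safe renderer leaks handler:  ", hasInlineHandler(renderUpdatesSafe(sampleUpdates)));
```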