[ISN] Red alert on Web 2.0 Security

From: InfoSec News (alerts@private)
Date: Mon Oct 16 2006 - 23:26:25 PDT


http://www.zdnetasia.com/news/security/0,39044215,61960166,00.htm

By Yoonjung Yoo
Special to ZDNet Asia
October 17 2006 

Even as Internet sites and major portals continue to upgrade their sites 
in line with the Web 2.0 revolution, experts warn of security 
vulnerabilities associated with the phenomenon.

In September, Daum Communications--Korea's second largest Internet 
services provider after NHN--introduced its AJAX (Asynchronous 
JavaScript and XML) based new homepage with an improved user interface, 
personalized oriented services. Once the users are logged in, the newly 
designed start page enables checking e-mail and Web log (blog) updates 
without having to go to different pages.

Yahoo! Korea also came out with its latest Web 2.0/AJAX based homepage 
last August. The beta version of the homepage which started in earlier 
May now offers more personalized services to users.

Also recently, SK communications, another major player after Daum, 
introduced a new search engine service through its Nate and Cyworld Web 
sites.

According to industry experts however, these sites should not forget 
about security vulnerabilities that exist in Web 2.0.

Myspace.com and Yahoo incidents could be duplicated in Korea too The use 
of new interactive programming techniques such AJAX opens up 
opportunities for hackers to hit a Web server, exploit sites and attack 
visitors. It also increases the possibility of malicious attacks through 
cross-site scripting flaws (XSS), experts said.

Worm attacks on Myspace.com or Yamanner targeting Yahoo.com all reveal 
security vulnerabilities with Web 2.0.

"Sites like Myspace.com or Google heavily use JavaScripts to write their 
interactive driven Web 2.0 service programs," said AhnLab Coconut Inc. 
consultant Soomin Hong. "But we know attacks on Yahoo and Myspace.com 
surfaced through security flaws in JavaScripts.

"These incidents are indication of security flaws within Web 2.0 that 
need to be addressed. The domestic portals too are vulnerable and there 
is no guarantee that they will not get victimized like Yahoo or 
Myspace.com," he added.

To defend against these kinds of malicious attacks, the security experts 
recommend usage of Internet firewalls. Firewalls alone wont solve all 
security issues but trying to rewrite Web code (long hours with higher 
cost), especially when it lacks the ability to defend using existing 
firewall, intrusion detection or prevention systems, is just as 
ineffective.


Implementation is another matter

The larger portals acknowledge the need to beef up Web 2.0 security 
using firewalls but due to their enormous traffic are unable to come up 
with required equipments that can handle the job. The equipment that can 
digest chatting, cafe blogs and all other contents are not available.

In addition, with all traffic generated from the web there is huge cost 
involved with setting up Internet firewall infrastructure. To defend 
against hundreds of different domains, huge expenses will be incurred.

"Portals realize the need for firewalls but are presently unable to 
implement them. Better management of parameters, prescreening for 
attacks, and searching for weaknesses in source code are all they can do 
for now. However, even with all these extra measures, the whole process 
is ultimately handled by a person so the error of margin always exists," 
noted AnhLab's Hong.

In response to current market circumstances, SKs Infosec, an information 
security outsourcer and Piolink recently launched a 4GB Web firewall 
equipment to attract ISPs in need of better Web security.

"Up to now, portals were reluctant to purchase the lower level security 
hardware and wanted something that can handle more than 4 giga-levels," 
head of SK Inforsecs business division Sungik Hwang said. "To meet the 
need we plan to introduce 10 giga-level Web firewall equipment too."

Added the head of Piolinks marketing division Jangno Lee: "We are 
centering our business on larger portals and e-shopping malls. In a 
relatively short period, we should be able to build up a list of 
clients."

Yoonjung Yoo of ZDNet Korea reported from Seoul.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Mon Oct 16 2006 - 23:32:21 PDT