[ISN] Justice, Commerce warn of Web 2.0 - and 3.0 - security risks

From: InfoSec News (alerts@private)
Date: Fri Apr 04 2008 - 01:03:01 PST


http://www.gcn.com/online/vol1_no1/46063-1.html

By Dan Campbell
Special to GCN
04/03/08 

Defense-in-depth protection for agency Web sites is the recommendation 
from Justice and Commerce department representatives who spoke during 
the FOSE 2008 Conference and Exposition about the dangers of targeted 
attacks.

"[The] Web is a collaboration method, but the benefits of collaboration 
will not be realized unless that collaboration is done securely," said 
Michael Castagna, Commerce's chief information security officer.

"We must understand the promise and peril of technology," he added. 
"Criminal syndicates are targeting intellectual assets such as credit 
card data and personal information and then are selling that 
information."

Castagna also spoke about Web 2.0 risks. He described the three 
components of Web 2.0 as service-oriented architecture, application 
program interfaces, and rich Internet applications that use technologies 
such as Flash, Really Simple Syndication, and Asynchronous JavaScript 
and Extensible Markup Language.

Web 2.0 is about the user experience, with an emphasis on 
user-contributed content. In Web 2.0, the Web has become the 
application, but in Web 3.0, the Web becomes a database. Castagna 
asserted that although Web 2.0 presents its own security risks, he is 
also looking ahead to Web 3.0 and the risks it might present. "Web 3.0 
will consist of a database of machine-to-machine content," he said. 
"Search moves from contextual to semantic where it is interactive and 
powerful and must be secured."

Mischel Kwon, deputy director of IT security at Justice, spoke about the 
danger of the relatively new IFrame attacks.

An IFrame (short for inline frame) is an HTML element that makes it 
possible to embed another HTML source inside the main document. In an 
IFrame attack, malicious code is injected into Web pages that redirect 
visitors to third-party malware sites.

Despite the persistence of such attacks, Kwon acknowledged the power of 
Web applications. "To be effectively used, Web applications require ease 
of access, connectivity to other applications and rich functionality," 
she said. "The last thing you want to do is inhibit it via security. You 
must balance security with mission necessity and do risk analysis to 
decide what risks we are willing to take to allow that rich 
functionality."




