AOH :: ISN-3053.HTM

Red alert on Web 2.0 Security




Red alert on Web 2.0 Security
Red alert on Web 2.0 Security



http://www.zdnet.co.kr/etc/eyeon/internet/0,39036962,39151447,00.htm 

By Yoonjung Yoo
September 25th, 2006 	

One by one internet sites and major portals continue to upgrade their 
sites with latest trend, web 2.0. But according to the experts, web 2.0 
has many security vulnerabilities.

On the 18th, Daum Communications (Korea's second largest Internet firm 
after NHN) introduced its AJAX based new homepage with improved UI (User 
Interface), personalized oriented services. Once the users are logged 
in, the newly designed start page enables checking e-mails, updates from 
blog and cafe a breeze, all without having to go to different pages.

Yahoo! Korea also came out with its latest web 2.0/AJAX based homepage 
last August 1. The beta version of the homepage which started in earlier 
May now offers more personalized service to users.

Also in recent, SK communications (3rd behind Daum) introduced new (web 
2.0) search engine service through its Nate and Cyworld websites. As the 
trend indicates, web 2.0 is on the move toward user based service.

However, most of these web 2.0 based websites should not forget about 
security vulnerabilities that exists in web 2.0, according to industry 
experts.

Myspace.com & Yahoo incidents could be duplicated in Korea too With more 
and more websites writing user interactive new programming techniques 
(web 2.0) with Javascripts, something like AJAX (Asynchronous JavaScript 
and XML) also provides ways for hackers to hit a Web server and to 
exploit sites, attack on visitors and increases the possibility of 
malicious attacks through cross-site scripting flaws (XSS), experts 
said.

Counterparts to domestically running Cyworld, worm attacks on US' 
myspace.com or Yamanner targeting Yahoo.com all reveal security 
vulnerabilities with the web 2.0.

"Sites like myspace.com or Google heavily use JavaScripts to write their 
interactive driven web 2.0 service programs. But we know attacks on 
Yahoo and myspace.com surfaced through security flaws in 
JavaScripts"said AhnLab Coconut Inc. consultant Soomin Hong. "These 
incidents are indication of security flaws within the Web 2.0 that needs 
to be addressed. The domestic portals too are vulnerable and there is no 
guarantee that they will not get victimized like Yahoo or myspace.com." 
to address his concerns.

To defend against these kinds of malicious attacks, the security experts 
are recommending usage of internet firewalls. Of course the firewall 
alone won't solve all of security issues but trying to rewrite web code 
(long hours with higher cost), especially with lack of its ability to 
defend using existing firewall. IDS, IPS is just ineffective.

Portals agree need for Firewall but implementation is another matter The 
larger portals acknowledge the need to beef up web 2.0 security using 
firewalls but due to their enormous traffic are unable to come up with 
required equipments that can handle the job. The equipment that can 
digest chatting, cafe blogs and all other contents simply are not 
available.

In addition, with all traffic generated from the web there is huge cost 
involved with setting up internet firewall infrastructure. To defend 
against hundreds of different domain will take huge expenses.

"Portals realize the need for firewalls but are unable to embody it 
presently. And better managing parameters, prescreening for attacks, 
finding weaknesses in source code are all they can do for now. However, 
even with all these extra measures, in the end the whole process is 
handled by a person so the error of margin always exists."

Knowing current market situation, recently SK's Infosec, an information 
security outsourcer and Piolink putout 4 gig web firewall equipment to 
attract those internet firms in need of better web security.

Head of SK Inforsec's business division Sungik Hwang said, "Up to now, 
portals were reluctant to purchase the lower level security hardware and 
wanted something that can handle more than 4 giga level. To meet the 
need we plan to introduce 10 giga level web firewall equipment too."

"We are centering our business on larger portals and e-shopping malls. 
In relatively short period, we should build up list of clients." head of 
Piolink's marketing division Jangno Lee pointed out.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods