Attackers are now focused on compromising Web sites with good reputations. Of all the malicious Web sites out there, 77 per cent are legitimate Web sites that have been compromised, says Stephan Chenette, senior security researcher with Websense Security Labs, whose ThreatSeeker Network scans two million Web sites every 24 hours. CNN.com was compromised, for example, when attackers bought third-party ad space and used a malicious Flash banner.
Many of these sites rely on user-generated content. “A lot of these media files that make social networking sites so interactive have actually played a part in making social networking sites so vulnerable to attack,” says Chenette.
Companies are using blogs to communicate with customers and YouTube to show videos of product usage, so there’s much more potential for uploading malicious content. Twitter has also become hugely popular, and some news correspondents have already had their Twitter accounts hijacked. Facebook continues to be plagued by outbreaks of the Koobface worm; PCs are getting infected and data is being stolen from users’ machines.
“Organizations should still allow users to visit Web 2.0 sites, but they have to do it in such a way that they’re protected from that malicious content,” says Chenette. Websense has created something called HoneyJax, a honeypot for the Web 2.0 network: particular nodes are set up to attract malicious behaviour so that it can be actively analyzed.
One of its products is a Web security gateway that helps users surf Web 2.0 sites in a more secure manner. “In the past, Web filtering was an on or off feature, so Facebook was good or bad,” says Fiaaz Walji, Canadian country manager with Websense. “We’re trying to shift that paradigm.” The gateway is offered both as an on-premises product and as a hosted solution.
But not everyone agrees that security is ready for Web 2.0. “I’m not a big proponent of the use of social networking at work, even business-related social networking like LinkedIn,” says Info-Tech’s Quin. “I appreciate it can have value, but it’s the wild, wild west of the Internet.”
When you look at the security tools we have today, they really exist for a Web 1.0 world. In a Web 2.0 world where there’s a message-delivery capability within the social network itself, those regular established controls on the Internet can’t see what’s going on. “Our tools are not in a position where they can adequately protect us from Web 2.0 threats,” he says, “so just don’t do it.”