Security Response

Security and privacy in a Web 2.0 world: take 2

Created: 06 Sep 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:19 GMT
By Dave Cole

Last month, I blogged on the security and privacy implications surrounding Web 2.0, but left a little for another day. Following up after this year’s Black Hat, where Web 2.0 issues were cast into the spotlight, I’m here to finish what I started and provide an update on some interesting happenings.

Since my last post
To begin with, the potential for AJAX to empower sophisticated JavaScript malware and a host of invasive Web applications was demonstrated at Black Hat in Las Vegas. From port scanning to fingerprinting and basic network mapping, all done using the AJAX group of technologies, it’s clear that we’ve only begun to see what’s possible via malicious Web sites. While they may not have the immediate impact of a WMF-style vulnerability (i.e. remote admin-level control), they leave no trace once the browser is closed and don’t rely on a researcher uncovering a Godzilla-style hole in a popular Web browser.

It’s worth noting that most high-impact attacks may be performed on popular sites where someone has embedded an attack in an otherwise benign location for user-created content, advertisements, or comments. Sure, there will be enticements to bring people to outright nasty sites loaded with exploits, but a more successful and insidious attack would leverage a person’s trust of an already known, popular site. Although I mentioned this in my last post, one thing I think is worth calling out is the fact that these types of attacks can impact many people quickly, but they can also be halted in short order because they have a central chokepoint: the organization hosting the Web site or Web service in question. Take a look at the image below; the graph shows what happened to the Web site that JS.Yamanner@m redirected to while the worm continued to infect. Starting on the 11th, you can see a massive spike in hits on the site, due to the spread of Yamanner. The spike peaks on the 12th, and then drops off precipitously when Yahoo! pulled the plug on the threat by patching the flaw it leveraged. The point is that this type of attack will not have the staying power of old threats, such as Slammer, Nimda, or other worms that rely on unpatched machines and a decentralized Internet—they may burn brightly, but should extinguish quickly as well.

[Figure: WebStats4U record of hits to Yamanner worm Web sites]

Beta is not a four-letter word
Beta has long been known as a dirty word when it comes to software quality. Any manner of flaw or bug could be forgiven if an application was labeled “beta”, and all bets were off if it was deemed “alpha”. While this still may be the case in many instances, take a look at Gmail and other popular Web services out there today. Gmail is proudly emblazoned “beta” and Flickr considers itself “gamma”. If only all betas worked as well as my Gmail account! What this signals is that the development cycles for Web services are likely to be much, much shorter and decidedly more experimental than in the past. Flickr’s lead developer indicated that they deploy builds as often as every half hour. While this certainly allows for quick delivery of new features and functionality, moving this fast with code changes is bound to occasionally introduce a flaw that previously did not exist. Again, attacks on Web services such as these will likely be opportunistic and could affect thousands of people quickly; however, the attacks will also be short lived, as fixes can be deployed rapidly and patches applied centrally at the server level, with no need for them to be sent out to thousands (let alone millions) of systems.

Violation by accumulation
I’ll finish up with a topic that is not entirely new, but bears revisiting in light of the new style of user-as-publisher Web services. Take a moment and think about the following questions:
• Do you have a blog or publicly visible page on a social networking service?
• Have you posted any content to a site like YouTube or Flickr? Do you have a visible profile on these sites?
• Are there pictures or stories that include your name on a friend or colleague’s Web site or blog?
• Are you listed as a member of groups or clubs on any Web sites?
• Have you posted any comments on a forum or bulletin board?
• Do you have any registered domain names?
• (And, the list goes on.)

Now, think about all the public record information that is available (or just check out this list). Indulge me for a moment in a series of “what ifs”:
• What if there was enough info out there to associate your Internet handle(s) with your “real” name? (This assumes you take pains to disassociate the two by using a somewhat anonymous handle; some people don’t.)
• What if you reused the same handle across all or most online services/sites?
• Now, what if there was a service that could couple your offline identity through public records with your online identity and assemble them all into a single picture of who you are?

While there are certainly some barriers to bringing together a person’s entire identity (online + offline), I’d argue that it could be done with an adequate investment of resources and an acceptable margin of error (at the very least, basic methods are available today). This process is aided by the fact that many people do not do what is needed to make themselves anonymous online, or reuse the same handle across many services. What they post, publish, and disclose online could be associated with “official” info, including where they live, phone numbers, legal judgments, bankruptcies and criminal records, to name only a few. Any one piece of information does not in and of itself violate someone’s privacy, but as the information fragments accumulate, they could combine to form a very detailed view of what kind of a person you are, from your interests and hobbies to your physical location and background.

The real difference now is how much information we offer up through user-based publishing and how pervasive these services have become, especially for the younger, tech-savvy generation. Following years of blogging, social networking, and other activities online, how much information might be available about them by the time they are ready to join the workforce—available to their potential employer as part of a background service?

The new breed of Web services, development, and publishing models that are taking center stage have breathed life into an industry that was suffering from a serious hangover following the bursting of the dotcom bubble. At this point, we’ve seen just enough of Web 2.0 to know that it’s different, but how much impact it will have on us socially and technically remains to be seen. As for the security and privacy implications, the early lessons have unfolded, but the long-term crystal ball is far from crystal clear. I’m all for a little change; for some reason, the splog that recently landed on my personal blog site was more interesting than irritating (wish I could say the same for the spam in my Inbox). While the curiosity will no doubt fade, the current wave of Web 2.0 services and trends has at least put a fresh face on many old issues.