June 29, 2008


By Lawlor, Maryann

Raise the firewalls and batten down the gateways: security risks are rising. Web 2.0 users beware: Social networking technologies may be fun and useful, but the one thing they are not is secure. For all the benefits it offers, the Web 2.0 world is still pretty rowdy, and the risk to enterprises is very serious. Experts warn that capabilities such as social networking and collaborative content sites are a wide-open window to hackers who are using their mega- networking appeal to spread malware and crack into systems. Unless organizations take precautions, not only do they put themselves at risk, but they also may inadvertently become members of a ring of thieves whose goal is to get their virtual hands on information, which equals riches.

Information systems security companies see a whole new world of business opportunities opening up to them with the ever-widening use of Web 2.0 offerings. A study conducted by Forrester Research Incorporated, Cambridge, Massachusetts, reveals that Web 2.0 technologies are already in use or prevalent within organizations but with little regard for the security implications. Commissioned by secure Computing Corporation, Ocala, Florida, the survey showed that while 96 percent of respondents reported finding value from the use of Web 2.0 applications, only 5 percent actually implemented comprehensive protection mechanisms.

Paul A. Henry, vice president of technology evangelism, secure Computing, finds it appalling that 97 percent of organizations are still using packet filters as their firewalls when the threat vector switched five years ago to the application layer. "So essentially everybody is out there today living in the Web 2.0 world using Web 1.0 risk mitigation," Henry states. "Seventy percent of these people are reporting breaches and they wonder why. It escapes me completely."

The bi-directional interaction that is the essence of Web 2.0 makes it a prime venue for hackers. Web sites such as Wikipedia thrive on people adding content; however, organizations that host these and other social media sites are not policing the content. This has led to what is known as Web-borne malware, a phenomenon that, during the last two years, has been effectively replacing the traditional delivery method for viruses: e-mail attachments. This new way of breaking into systems can catch users off guard. "Today the spam you receive is going to have a URL [uniform resource locator] in it. You click on the URL and automatically become part of a bot-net, sending spam yourself or you've had key loggers installed on your PC," Henry explains.

This approach to disseminating malware also is seeping into Web sites that rely on user input. For example, malevolent contributors to Wikipedia have offered a security update for Windows that turned out to be "a rather ruthless piece of malware that people were downloading by clicking on the link," Henry shares.

Mean-spirited activity also is taking place on blogs. Malicious URLs, and in some cases ActiveX or JavaScript, are being added to blogs, and the hypertext markup language is appended with malicious code.

Henry says his company is observing an increase in Web-borne malware. One primary objective today is the installation of key loggers; however, hackers' goals have shifted from stealing banking information to obtaining online gaming credentials because so many online games now involve real currency.

Virtual worlds such as second Life feature an underground economy that also has become fertile ground for eburglars. Hackers take control of accounts and resell property, Henry says. "It used to be that just credit card numbers were the primary currency. Not anymore. Now, it's your online game accounts," he states.

Late last year, the e-greeting card industry became the venue for malware delivery. Large numbers of people received e-greeting card notices based on a socially engineered database so receivers were addressed by name. The spam messages told users that a friend had sent them an e-card and instructed them to click on the URL to view it. "I did a lot of analysis on the malware that was downloaded, and I was amazed. Over 12 different exploits were fired at your browser instantly, looking for a hole to download the malware," Henry shares.

The quest to be the organization with the next hot Web 2.0 portal is one reason malicious Web 2.0 activity is booming. Organizations are rolling out these capabilities with very little consideration for security, Henry states. "So essentially, that puts all of the security requirements in your lap. It just appalls me when I talk to large audiences about Web 2.0. I'll always get a good number of people who tell me that they're not concerned with Web 2.0 because they're not running any Web 2.0-related content on their Web servers. My first question then is, 'Great. So what do you do about your internal users?' " Many companies are oblivious to the fact that their employees are visiting Web 2.0 sites on a daily basis and company officials are doing nothing to manage the activity, he relates.

One of the largest issues for Henry with Web 2.0 technology today is that virtually everyone provides some form of protection for their Web server facing the public Internet, but they do nothing to inspect the traffic that is being returned from publicly accessible servers on the Internet to their internal users. "That's where the big risk comes in. You hit a Web site; it downloads a Trojan; they've backdoored your network; you got a basic packet filter rule that opens up port 80, and you're not inspecting any of that content. Then it becomes trivial to do a targeted attack or even a broad-based attack to gain access to internal networks," Henry explains.

Really Simple Syndication, or RSS, is one of Henry's other concerns. While many people are using RSS feeds today, no one is inspecting them. As a result, this application has become a great methodology for deploying malware because once again, no one is inspecting it, he says. "It truly is a problem today, and it's one that's being missed. Virtually everyone out there is simply turning on RSS feeds into their browser to get news in real time, we'll say, yet nobody's considering the consequence of ActiveX or JavaScript being injected into the RSS feed. You have no protection. It's the age-old problem on the Internet: Everybody thinks the other guy's handling security," Henry says.

Companies hosting Web 2.0 sites may be well aware of the security problem they pose but have chosen to do little about it. "If you read the disclaimers or policies on their sites, they're accepting responsibility for nothing. In fact, read about your rights on Facebook. You have none. The bottom line there is that they go as far as to say that if you're using any third-party software at all, it's your responsibility," he says.

The havoc Web 2.0 capabilities can wreak seeps deeper than malware dispersion; hackers also have designed ways to create data leakage. Many companies believe that simply analyzing all Microsoft Exchange Server outbound traffic for information such as credit card numbers as it leaves networks is enough to prevent data leakage. But when Henry asks members of an audience what their organization is doing to prevent employees from connecting to Yahoo Mail, Microsoft Mail or Gmail, "Most say that they have a policy that employees should not do that," he shares.

"The bottom line is if anybody wants to move information out of the network, and they know you're scanning Exchange, they're simply going to log in to Yahoo and set it up that way. Web-based e-mail becomes a major leaking point, we'll say, in this whole SarbanesOxley-regulated world we live in with public companies. It's a very trivial matter to simply walk into one of the services and get the information out, and it becomes completely untraceable," he says.

Secure Computing recommends that organizations look across all protocols to prevent this data leakage from happening. The company's products address data leakage by scanning all outbound traffic looking for specific keywords that are designated by the client and providing full lexical and clustering image analysis to build the rule base for the customer automatically.

The company also has been offering a URL filtering product for some time. It categorizes URLs, and then an organization's systems administrator can choose which categories staff members will be allowed to visit. "We have augmented that dramatically in the past year. We've added what's referred to as reputation defenses. Networks, Internet protocol addresses, domains, et cetera, across the Internet are scored based on their reputations. Have they been sending spam? Have they been hosting malware, spyware and so on? It's really quite easy to build reputation databases; they just have to have a lot of breadth and depth to be of value.

"We've applied those reputation databases that originally came out of a spam-detecting product that we had from CipherTrust Incorporated, a company we acquired in 2006, and we've added that to our URL filtering products so you no longer have to wait for URLs to be categorized. If that URL is found to be hosting malware, it's updated dynamically, in real time, and you're afforded protection," Henry explains. Reputation-based defenses in a Web 2.0 world can be the primary layer of defense, but it should be backed up with anti- rnalware scanning, he recommends. This second layer of defense analyzes the scripts that are returned over hypertext transfer protocol or hypertext transfer protocol secure and scales them in an analog manner for malicious intent "I'm not saying that we need to replace everybody's antivirus with anti-malware. Anti-malware scanning is a great complement to your traditional antivirus scanning, but it certainly would not be a replacement yet," he states.

Another line of defense comes from Finjan Incorporated of San Jose, California. Yuval Ben-Itzak, chief technology officer for the company, explains that his firm's products deal with malicious codes that do not have signatures. Traditional products require frequent updates, and they can only block the signatures they can identify "Today, hackers are familiar with that, and they're developing attacks that break all of the signatures. Or they will come up from Web 2.0 sites with high reputations, the sites that you don't want to block. This is exactly where today's hackers are putting their malicious code and manage basically to infiltrate a malicious code into the corporate data network," Ben-Itzak says.

Finjan offers products that address this issue and provide security with realtime scanning or real-time content inspection. The technology can inspect the code in the wire just before it is about to appear in a browser. "We really understand what the code intends to do: It's about to delete a file or to change a setting in your machine. If it's trying to do that, the appliance will block that communication and prevent it from reaching your desktop. It doesn't matter if the content came from a trusted site like Yahoo, Google, MySpace or Facebook or from other sites in Europe or in China. As long as the content is not going to do something bad, we will allow it to go in," he explains.

Ben-Itzak compares this methodology to the airport security system. Screening personnel do not have a list of all the people who should be prevented from boarding the aircraft, so they conduct real- time scanning to determine if customers are carrying any metal devices.

About two years ago, Finjan began improving its products to address the Web 2.0 world by including the additional protocols Web 2.0 uses. In addition to providing protection to its corporate clients through its products, Finjan offers secureBrowsing on its Web site as a free download for individual users. The software provides safety ratings of URLs that show up in a browser.

Ben-Itzak agrees with Henry that hackers are taking advantage of trusted companies such as MySpace and Yahoo, in many ways because organizations are loath to block access to these sites. "Enterprises that would like to attract a younger generation, and that would like them to stay in the company, cannot afford to block the sites. These sites are exciting. It's part of the day-today life of the younger generation. This is a problem, and hackers are including or adding them [the sites] to improve their attack techniques and [to] benefit from these types of platforms," he says.

Like secure Computing, Finjan turns to surveys to access trends, and its data confirms what the Forrester study found. In fact, the company's 2007 fourth-quarter trends report revealed a new type of threat in the Web 2.0 world that Finjan calls Trojan 2.0, after the malicious software made famous in the Web 1.0 era.

Ben-Itzak says that this new version of an old weapon works like this: Once a Trojan horse is installed on a machine, it needs to call back to its creator for commands about what action to take next and where to send the stolen data. Many security vendors are trying to locate these command-and-control servers so they can block them, rendering the malware useless. "However, hackers realize that and understand that these are the techniques being used to block them. So, instead of sending the command from their own servers, they are just uploading it to an RSS feed or to a blog service and the blog will include commands for the Trojan. When the Trojan is trying to get its command let's say at midnight, it will connect to a blog service that no one has blocked because it is popular. If this Trojan collected data, it now needs to send it back out to the attacker, and it doesn't need to communicate with the attacker directly. It can be posted as content on the Web 2.0 site-in my MySpace profile or in a blog-and the hacker will connect to the blog, grab the data and then delete that from the blog. So Web 2.0 becomes a hosting platform that the hacker can use to either send commands to the Trojan or get the content out," Ben-Itzak explains.

Although he agrees that risk has increased as a result of Web 2.0 technologies, Ben-Itzak will not quantify the assessment He will admit, however, that the problem is no longer the 15year-old hacker just trying to have some fun. "We're talking about professionals who are very smart and cooperating across the world to get these ideas. This is why they [the attacks] are so sophisticated. And we truly see different types of attacks when we're doing our research. Sometimes we're really impressed with the sophistication that just indicates the talent on the other side," he says.

International collaboration also makes hackers more difficult to track, he adds. As with all Internet technologies, crimes can be committed thousands of miles away from a hacker's home base. Underground multinational cooperation compounds the problem, and Web 2.0 has complicated it even further. For example, in the beginning of 2007, Finjan observed that many of the attacks originated in the United States. However, by summer, the attacks started in Europe, specifically Italy and Germany. By the end of 2007, Chinese hackers dominated the scene. "These police departments need to use all their diplomatic relations to take any action. It's not a static thing. They're moving the servers all around. So it's a very dynamic space, this cyber crowd," he states.

The Trojan 2.0 command and control scheme features attackers using a private server to relay commands to Trojan-infected PCs. The command and control platform then formats the data for the Trojan- infected PCs into a legitimate post to a public blog server. Independently, a Web-based Really Simple Syndication (RSS) aggregator service, such as Google Mash-up Editor, notices the new post on the blog that it monitors and updates itself. Trojan- infected PCs are configured to grab the headlines of the public RSS feed the aggregator generates as customized by the attacker. Once the Trojans "see" the new post, they parse the data in it and execute according to an attacker's commands. The collected data is then posted back on Web 2.0 sites, such as MySpace, as legitimate content.

"It's a very trivial matter to simply walk into one of the services and get the information out, and it becomes completely untraceable."

-Paul A. Henry, vice president of technology evangelism, Secure Computing Corporation


Secure Computing Corporation: www.securecomputing.com

Finjan Incorporated: www.finjan.com

Forrester Research Incorporated: www.forrester.com/rb/research

Copyright Armed Forces Communications and Electronics Association Jun 2008

(c) 2008 Signal. Provided by ProQuest Information and Learning. All rights Reserved.