I'm always looking for good articles describing real security issues on Web 2.0 sites. Web 2.0: Communication, Collaboration -- and Danger is a really good read. Good quotes below if you don’t have the time to read through the article.
Application layer technology can be expensive and hard to implement, however:
…finds it appalling that 97 percent of organizations are still using packet filters as their firewalls when the threat vector switched five years ago to the application layer. "So essentially everybody is out there today living in the Web 2.0 world using Web 1.0 risk mitigation,
Better protect your content!
virtually everyone out there is simply turning on RSS feeds into their browser to get news in real time, we'll say, yet nobody's considering the consequence of ActiveX or JavaScript being injected into the RSS feed.
Hopefully products that address these issues are inexpensive and easy to implement:
...products that address this issue and provide security with real-time scanning or real-time content inspection. The technology can inspect the code in the wire just before it is about to appear in a browser
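The two quotes above describe the risk (script or ActiveX carried inside an RSS item) and the countermeasure (inspecting the content just before it reaches the browser). The following is an added example, not code from the article or from any product it mentions: a small inspector that parses a feed, flags active content in each item's HTML description and returns a stripped copy that keeps the harmless markup. The feed, the list of "active" tags and the findings format are my own assumptions.

```python
"""Inspect RSS item content for active code before it reaches a browser.

Feed readers commonly render each item's <description> as HTML, so a
poisoned feed can carry script, plugin objects (how ActiveX is loaded)
or event handlers into the reader's browser. This scanner flags that
content and returns a cleaned version of the item.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Tags that execute code or embed plugins (assumed list for this example).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# Attributes that carry URLs; javascript:/vbscript: schemes run code.
URL_ATTRS = {"href", "src", "data", "action"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFilter(HTMLParser):
    """Rebuilds the HTML while dropping active tags, on* handlers and script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # cleaned HTML fragments
        self.findings = []     # what was removed, for logging or alerting
        self._skip_depth = 0   # >0 while inside a dropped tag's subtree

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname} on <{tag}>")
                continue
            if lname in URL_ATTRS and value is not None:
                # Strip all whitespace so obfuscated schemes like "java\nscript:" match.
                scheme = "".join(html.unescape(value).split()).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"script URL in {lname} on <{tag}>")
                    continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def inspect_item_html(fragment):
    """Returns (cleaned_html, findings) for one item's HTML description."""
    p = ActiveContentFilter()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.findings


def inspect_feed(rss_xml):
    """Returns one dict per <item>: title, cleaned HTML and the list of findings."""
    # ElementTree does not fetch external entities, but for feeds pulled from
    # the open Internet a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(rss_xml)
    results = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        cleaned, findings = inspect_item_html(desc)
        results.append({"title": title, "cleaned": cleaned, "findings": findings})
    return results


# Constructed sample feed: one clean item and one carrying injected content.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Plain news</title>
<description><![CDATA[<p>Quarterly results are <b>up</b>.</p>]]></description></item>
<item><title>Poisoned item</title>
<description><![CDATA[<p>Click <a href="javascript:alert(1)">here</a></p>
<script>alert('injected')</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<img src="x.png" onerror="alert(2)">]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for r in inspect_feed(SAMPLE_FEED):
        print(r["title"], "->", r["findings"] or "clean")
```

Running the block reports the plain item as clean and lists four findings for the poisoned one (a script URL, a script tag, an object tag and an onerror handler) while the cleaned HTML still contains the paragraph, the link text and the image. In a real reader the findings would feed an alert and the cleaned copy would be what gets rendered.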
Here's a real world example. Read the full article to see more.
When the Trojan is trying to get its command, let's say at midnight, it will connect to a blog service that no one has blocked because it is popular. If this Trojan collected data, it now needs to send it back out to the attacker, and it doesn't need to communicate with the attacker directly. It can be posted as content on the Web 2.0 site, in my MySpace profile or in a blog, and the hacker will connect to the blog, grab the data and then delete that from the blog. So Web 2.0 becomes a hosting platform that the hacker can use to either send commands to the Trojan or get the content out,"
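The pattern in that quote (a scheduled connection to a popular, unblocked content site, with the stolen data going out as a post) is hard to spot at the host level but visible in a web proxy log. As an added example that is not from the article, the detector below groups proxy records by client and destination, and flags pairs that talk to a user-content platform on a fixed daily schedule or where the client mostly uploads. The log format, the platform list and the thresholds are assumptions for the example, not any product's output.

```python
"""Flag scheduled or upload-heavy traffic to public content platforms.

A Trojan that fetches commands from, or posts stolen data to, a popular
blog or profile site looks like ordinary browsing by destination alone.
What gives it away is the schedule (same time every day, little jitter)
and the direction of the traffic (a client that mostly sends bytes).
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Hosts serving user-generated content: rarely blocked, hence useful as a relay.
# Assumed list for this example.
CONTENT_PLATFORMS = {"blog.example.invalid", "profiles.example.invalid"}

# Constructed proxy log: timestamp client method host bytes_sent bytes_received
SAMPLE_LOG = """\
2007-03-01T00:00:03 10.0.0.5 POST blog.example.invalid 20480 512
2007-03-01T09:15:41 10.0.0.7 GET blog.example.invalid 300 45120
2007-03-02T00:00:02 10.0.0.5 POST blog.example.invalid 19870 480
2007-03-02T11:02:10 10.0.0.7 GET profiles.example.invalid 280 60200
2007-03-03T00:00:04 10.0.0.5 POST blog.example.invalid 21010 500
2007-03-03T00:00:31 10.0.0.5 GET blog.example.invalid 250 900
2007-03-04T00:00:03 10.0.0.5 POST blog.example.invalid 20100 520
2007-03-04T14:30:00 10.0.0.7 POST blog.example.invalid 4096 800
2007-03-05T23:59:58 10.0.0.5 POST blog.example.invalid 20300 490
"""


def parse_log(text):
    """Parses the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, sent, recv = line.split()
        records.append({"time": datetime.fromisoformat(ts), "client": client,
                        "method": method, "host": host,
                        "sent": int(sent), "recv": int(recv)})
    return records


def seconds_of_day(dt):
    return dt.hour * 3600 + dt.minute * 60 + dt.second


def time_of_day_jitter(times):
    """Population std dev of time-of-day in seconds, measured as an offset from
    the first observation and wrapped around midnight, so that 23:59:58 and
    00:00:03 count as 5 seconds apart rather than almost a full day."""
    t0 = seconds_of_day(times[0])
    offsets = [(seconds_of_day(t) - t0 + 43200) % 86400 - 43200 for t in times]
    return pstdev(offsets)


def find_relay_candidates(records, min_connections=3, max_jitter=60.0,
                          upload_ratio=0.8):
    """Returns alerts for (client, platform) pairs that look like a relay.

    Two independent signals, either of which raises an alert:
      - scheduled: at least min_connections on as many distinct days, all at
        nearly the same time of day (jitter <= max_jitter seconds);
      - upload-heavy: the client sends at least upload_ratio of all bytes.
    """
    groups = defaultdict(list)
    for r in records:
        if r["host"] in CONTENT_PLATFORMS:
            groups[(r["client"], r["host"])].append(r)

    alerts = []
    for (client, host), recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        reasons = []
        days = {r["time"].date() for r in recs}
        if len(recs) >= min_connections and len(days) >= min_connections:
            jitter = time_of_day_jitter([r["time"] for r in recs])
            if jitter <= max_jitter:
                reasons.append(f"scheduled: same time of day on {len(days)} days "
                               f"(jitter {jitter:.0f}s)")
        sent = sum(r["sent"] for r in recs)
        recv = sum(r["recv"] for r in recs)
        ratio = sent / (sent + recv) if sent + recv else 0.0
        if ratio >= upload_ratio:
            reasons.append(f"upload-heavy: {ratio:.0%} of bytes sent to the platform")
        if reasons:
            alerts.append({"client": client, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_relay_candidates(parse_log(SAMPLE_LOG)):
        print(a["client"], "->", a["host"], "|", "; ".join(a["reasons"]))
```

On the sample log only 10.0.0.5 is flagged: it reaches the blog within seconds of midnight on five days and sends roughly 97% of the bytes, while 10.0.0.7's two visits at unrelated times, mostly downloading, pass. The wrap-around in `time_of_day_jitter` matters precisely for the midnight case the quote describes; without it a 23:59:58 connection would look nothing like a 00:00:03 one.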