Thursday, December 9, 2010

WEB 2.0 - The new playground for hackers.

We all have viewed so many alpha and beta versions of popular websites like yahoo , gmail , orkut etc. But the crux of the development of these websites lies in the advanced version of the web which we now call as the WEB 2.0
The web 2.0 demonstrates  web applications that facilitate interactive information sharing  and collaboration of the world wide web. This term associates with it are  various new technologies that are a major part of today’s web that we see .Client-side/web browser technologies typically used in Web 2.0 development are Asynchronous JavaScript and XML (ajax), Adobe Flash  and the Adobe Flex framework, and JavaScript /Ajax frameworks such as Yahoo UI, Dojo Toolkit, and JQuery .Ajax programming uses JavaScript to upload and download new data from the web server without undergoing a full page reload.
With the advancement comes the challanges and challanges are much different from those of the previous version of the web . Certainly web 2.0 has much more to provide to the hackers than it was before. They have a much bigger , sophisticated and advanced playground now . They need to rebuild there tools and infrastructure .

Modern hacks of web 2.0

The growing complexity of browser-based applications creates new targets for hackers to exploit. Most of these applications are centered on the Internet browser, which is where a rapidly increasing number of software vulnerabilities are being discovered (no matter what browser is being used). Additionally, the proliferation of social networking sites, on which users are sharing ever more content, likes and links, poses a much greater risk than those caused by Web-based and mass-emailer attacks.
 Combine that with the spread of small, smart Internet-enabled devices, MP3 players, smart phones, PDAs and Internet tablets that all provide “always-on”  access to these applications and information, and organizations face severe security challenges. Enterprises should waste no time in their. In fact, attacks in these areas
already are well underway. Consider this: in August 2005, a major manufacturer of MP3 players reportedly shipped 3,700 virus-infected devices. Toward the end of February 2006, news reports surfaced from several security companies about a Trojan-horse, dubbed RedBrowser, which is capable of infecting virtually any PDA or mobile phone driven by Java 2 Micro Edition (J2ME). Then, there is the growing amount of proof of concept viruses is  one example and now  it has crossed over from wired PCs to wireless pocket PCs– that are targeting mobile platforms. It is only a matter of time before truly malicious software writers begin targeting mobile devices  to steal, snoop and spread their sewage, and a large-scale security event occurs. Eventually, these types of events will become commonplace; enterprises must put in security measures to combat them.

The new hacks include the Cross site scripting (XSS) which allows the attacker to inject malicious client side scripts into webpages viewed by other users. The “bom sabado” attack on google’s social networking website Orkut is the recent example.
Web Servers have become very sophisticated now and are the core of the coolest web applications we see on the internet today. They have become the new “hackers-paradise” to test there skills. Every now and then the popular web servers have been put down to shame by the hackers. Consider the example of the website of US Army got hacked through the IIS hole , and Digg was also brought down in 2009 because of vunability in IIS Server. Several such flaws of popular web servers made many headlines.
Ajax which has now become the backbone of most of the websites today has also been targeted by hackers successfully. While most downloads from legitimate sites are perfectly safe, the openness of the underlying Internet infrastructure most certainly is not. Consider how display ads and other readily available content such as mashups are used. For instance, Trojan-laced banner ads have been displayed on high-profile Web 2.0 sites such as MySpace and PhotoBucket, and what’s more is that these attacks often require no user interaction to activate infection. Additionally, caching systems themselves can become infected, and when shared cache gets compromised, every user will be fed malware continuously until the service manages to clean its system. These, and similar types of attacks, gained attention after the widespread Download.ject attacks, which started June 23,
2004, and were the  noted cases in which users of Internet Explorer for Windows could infect their computers with malware (a backdoor and key logger) merely by viewing a Web page.

Web browser vulnerability announcements, many of them true “zero-day” vulnerabilities, have been rising steadily for years.  And they are afecting nearly every browser on the market, including Internet Explorer, Mozilla, Safari and Opera. Attackers are improving their Web browser vulnerability discovery and exploitation tactics greatly, whether to display pop-up advertisements, install spyware to spy on users’ Web browsing habits, or insert Trojans designed to steal passwords and account information.
It is not just browser vulnerabilities that are a problem. Malware continues to increase so rapidly that the anti-malware vendor signature model (that is, creating fingerprints to identify known threats) no longer is sustainable. By some accounts, there are as many as 22,000 new malware threats unleashed per day. The "big bang" attacks such as Code Red, Blaster and SQL Slammer have become events of the past as attackers move to make a profit and create crimeware that cannot be detected readily. The complexity of Web 2.0 makes it a perfect place to distribute malware clandestinely in user-generated content, display ads, Trojan applications, flash files, and more. Every day, more than 100,000 Web sites are running with the singular goal of spreading crimeware. These trends, plus vulnerable browsers, can cripple the effectiveness of information security efforts, as end points are comprised and the security of systems and information is placed in jeopardy. 

Is web 2.0 becoming the wild list?

There is a growing risk that as organizations rush to add Web 2.0 and AJAX (the combination of XML and JavaScript) functionality to their Web applications, they leave good security development practices behind. There is no doubt that Rich Internet Applications (RIAs) have changed the way we interact with the Web, and certainly how it interacts with us. When visiting Web pages, visitors are greeted by a vibrant, desktop-like computing experience, and not by boring stagnant Web pages. Unfortunately, AJAX and similar development approaches are new to many programmers. And, for the sake of speed and convenience, powerful business logic routines no longer are performed on the server, but within the browser of the end user. The result is significant increased risk because developers often do not understand, or even consider, the security consequences of their actions, creating even more potential points for attackers to insert malicious code.

The trends have changed both in the web and in the hackers .  The new playground is obviously more challenging , exciting and fun for the hackers. Not to forget that the development of the web as a hole is a big contribution of various bright minded ethical hackers around hte world . The web would not have been so happening without them . The pace of change in web makes me think of Moore’s law(the rate of change of numbr of chips on a transistor in one and half  year is same as that of the web) , which is very much applicable in the web scenario as well. But one thing that has really changed from previous web to this one is that hackers are no more considered as the real bad guys. Its  just  there counterpart (crackers) who are troublesome.  Every organization now understands the need of real hackers to make  Web2.0 a more secure and interactive place. We hope that the next version may eliminate their counterparts as well.