From: InfoSec News (alertsinfosecnews.org)
Date: Tue Oct 17 2006 - 01:26:25 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.zdnetasia.com/news/security/0,39044215,61960166,00.htm

By Yoonjung Yoo
Special to ZDNet Asia
October 17 2006

Even as Internet sites and major portals continue to upgrade their sites
in line with the Web 2.0 revolution, experts warn of security
vulnerabilities associated with the phenomenon.

In September, Daum Communications--Korea's second largest Internet
services provider after NHN--introduced its AJAX (Asynchronous
JavaScript and XML) based new homepage with an improved user interface,
personalized oriented services. Once the users are logged in, the newly
designed start page enables checking e-mail and Web log (blog) updates
without having to go to different pages.

Yahoo! Korea also came out with its latest Web 2.0/AJAX based homepage
last August. The beta version of the homepage which started in earlier
May now offers more personalized services to users.

Also recently, SK communications, another major player after Daum,
introduced a new search engine service through its Nate and Cyworld Web
sites.

According to industry experts however, these sites should not forget
about security vulnerabilities that exist in Web 2.0.

Myspace.com and Yahoo incidents could be duplicated in Korea too The use
of new interactive programming techniques such AJAX opens up
opportunities for hackers to hit a Web server, exploit sites and attack
visitors. It also increases the possibility of malicious attacks through
cross-site scripting flaws (XSS), experts said.

Worm attacks on Myspace.com or Yamanner targeting Yahoo.com all reveal
security vulnerabilities with Web 2.0.

"Sites like Myspace.com or Google heavily use JavaScripts to write their
interactive driven Web 2.0 service programs," said AhnLab Coconut Inc.
consultant Soomin Hong. "But we know attacks on Yahoo and Myspace.com
surfaced through security flaws in JavaScripts.

"These incidents are indication of security flaws within Web 2.0 that
need to be addressed. The domestic portals too are vulnerable and there
is no guarantee that they will not get victimized like Yahoo or
Myspace.com," he added.

To defend against these kinds of malicious attacks, the security experts
recommend usage of Internet firewalls. Firewalls alone wont solve all
security issues but trying to rewrite Web code (long hours with higher
cost), especially when it lacks the ability to defend using existing
firewall, intrusion detection or prevention systems, is just as
ineffective.

Implementation is another matter

The larger portals acknowledge the need to beef up Web 2.0 security
using firewalls but due to their enormous traffic are unable to come up
with required equipments that can handle the job. The equipment that can
digest chatting, cafe blogs and all other contents are not available.

In addition, with all traffic generated from the web there is huge cost
involved with setting up Internet firewall infrastructure. To defend
against hundreds of different domains, huge expenses will be incurred.

"Portals realize the need for firewalls but are presently unable to
implement them. Better management of parameters, prescreening for
attacks, and searching for weaknesses in source code are all they can do
for now. However, even with all these extra measures, the whole process
is ultimately handled by a person so the error of margin always exists,"
noted AnhLab's Hong.

In response to current market circumstances, SKs Infosec, an information
security outsourcer and Piolink recently launched a 4GB Web firewall
equipment to attract ISPs in need of better Web security.

"Up to now, portals were reluctant to purchase the lower level security
hardware and wanted something that can handle more than 4 giga-levels,"
head of SK Inforsecs business division Sungik Hwang said. "To meet the
need we plan to introduce 10 giga-level Web firewall equipment too."

Added the head of Piolinks marketing division Jangno Lee: "We are
centering our business on larger portals and e-shopping malls. In a
relatively short period, we should be able to build up a list of
clients."

Yoonjung Yoo of ZDNet Korea reported from Seoul.

_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]