 |
To print: Select File and then Print from your browser's menu
-------------------------------------------------------------- This story was printed from ZDNet Asia. --------------------------------------------------------------
|
Red alert on Web 2.0 security
By Yoonjung Yoo
Tuesday, October 17 2006 11:06 AM URL: http://www.zdnetasia.com/news/security/0,39044215,61960166,00.htm Even as Internet sites and major portals continue to upgrade their sites in line with the Web 2.0 revolution, experts warn of security vulnerabilities associated with the phenomenon. In September, Daum Communications--Korea's second largest Internet services provider after NHN--introduced its AJAX (Asynchronous JavaScript and XML) based new homepage with an improved user interface, personalized oriented services. Once the users are logged in, the newly designed start page enables checking e-mail and Web log (blog) updates without having to go to different pages. Yahoo! Korea also came out with its latest Web 2.0/AJAX based homepage last August. The beta version of the homepage which started in earlier May now offers more personalized services to users. Also recently, SK communications, another major player after Daum, introduced a new search engine service through its Nate and Cyworld Web sites. According to industry experts however, these sites should not forget about security vulnerabilities that exist in Web 2.0. Myspace.com and Yahoo incidents could be
duplicated in Korea too Worm attacks on Myspace.com or Yamanner targeting Yahoo.com all reveal security vulnerabilities with Web 2.0. "Sites like Myspace.com or Google heavily use JavaScripts to write their interactive driven Web 2.0 service programs," said AhnLab Coconut Inc. consultant Soomin Hong. "But we know attacks on Yahoo and Myspace.com surfaced through security flaws in JavaScripts. "These incidents are indication of security flaws within Web 2.0 that need to be addressed. The domestic portals too are vulnerable and there is no guarantee that they will not get victimized like Yahoo or Myspace.com," he added. To defend against these kinds of malicious attacks, the security experts recommend usage of Internet firewalls. Firewalls alone won’t solve all security issues but trying to rewrite Web code (long hours with higher cost), especially when it lacks the ability to defend using existing firewall, intrusion detection or prevention systems, is just as ineffective. Implementation is another matter In addition, with all traffic generated from the web there is huge cost involved with setting up Internet firewall infrastructure. To defend against hundreds of different domains, huge expenses will be incurred. "Portals realize the need for firewalls but are presently unable to implement them. Better management of parameters, prescreening for attacks, and searching for weaknesses in source code are all they can do for now. However, even with all these extra measures, the whole process is ultimately handled by a person so the error of margin always exists," noted AnhLab's Hong. In response to current market circumstances, SK’s Infosec, an information security outsourcer and Piolink recently launched a 4GB Web firewall equipment to attract ISPs in need of better Web security. "Up to now, portals were reluctant to purchase the lower level security hardware and wanted something that can handle more than 4 giga-levels," head of SK Inforsec’s business division Sungik Hwang said. "To meet the need we plan to introduce 10 giga-level Web firewall equipment too." Added the head of Piolink’s marketing division Jangno Lee: "We are centering our business on larger portals and e-shopping malls. In a relatively short period, we should be able to build up a list of clients." Yoonjung Yoo of ZDNet Korea reported from Seoul. |