The menace in the cloud

The report of a vulnerability in Facebook applications is just the latest sign that threats to the average web user’s security are moving off into the clouds.

The proof-of-concept JavaScript exploit (reported at The Register) takes advantage of a failure by Facebook’s systems to sanitise user-supplied content before rendering it, so that script supplied by an attacker is served to other users as part of the page.

What is significant about this new breed of vulnerability is that it makes no difference how good your firewall is, how up to date your patching, how many anti-virus packages you’re running or even what operating system you’re using (so OS X and Linux users can take that smug smile off their faces). In the much-hyped world of Web 2.0 and cloud computing, the applications that contain the flaws come nowhere near your own machine.

That’s bad enough. It means you have no means of fixing the vulnerability other than waiting for the system’s owner to admit there’s a problem (which, so far, Facebook has refused to do) and get around to sorting it. You have no control over your own level of risk and exposure other than to stop using the system.

In that sense, it’s not much different to using proprietary, closed-source software. But there is a difference. Even if you do stop using the system, it probably won’t be enough. And that’s because the real danger lies in the exposure or misuse of your private information. The dangers posed by the Facebook flaw, for example, range from letting everyone see your private photos through to ID theft. And this is because it’s not just the application that lives in the clouds: your personal information is there too. And unlike the sensitive data residing on your hard disk, you can’t personally take any steps to protect it. It’s out of your hands.

As social networking becomes a social norm, people are putting more and more of their lives on to the servers of Facebook, MySpace and who knows how many other Web 2.0 sites. Their documents, address books and spreadsheets now exist in Google’s cloud. Leaving these sites - shutting down an account and having all your personal information wiped from the servers - is notoriously difficult, with no guarantee that it has been competently accomplished. So even if you learn of a vulnerability, the options open to you to mitigate any potential damage are … well, essentially none.

So, in the Web 2.0 world, we are no longer capable of managing our personal security. Perhaps it’s time for the service providers to accept more stringent requirements and greater legal responsibility. Given that they have such total control over our security, it’s time for them to accept the risk.

A new report details the current generation of threats to web security.

Finjan, which describes itself as a pro-active Web security and anti-spam specialist, has released its Q2 2007 IT security trends report.

The report details some interesting types of attacks designed to bypass signature-based and database-reliant IT security technology.

The report also details the proliferation of affiliation networks based on a ‘hosted model’ for malicious code, which use off-the-shelf malicious code packages to compromise popular web sites.

The last major discovery on the malware and hacker attack front from Finjan was last year, when the company revealed hackers were starting to use code obfuscation (hiding) techniques to prevent their malware being discovered.

These techniques even stretched to storing the malware and/or infected code on a cached server, such as Google’s Webcache, meaning that URL filters keyed on the malicious site’s address could not spot the malware, because the page was fetched from the cache’s domain instead, and hapless web users loaded up the infected pages without question.

But now it gets worse, as Finjan has discovered that hackers are keeping track of the actual IP addresses of visitors to a particular site or web page.

Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address.

Put simply, this means that the second time an IP address tries to access the malicious page, a benign page is served in its place. Anyone who re-fetches the page from the same address, whether a victim checking what happened or an analyst investigating, sees only the clean version, so all traces of the original infected page appear to have vanished.

According to the report, hackers are also being motivated by commercial greed, locating infected pages on a dedicated malicious code server and then offering affiliate codes - which are added to the web site URL - to third-party hackers.

These third-party hackers are then paid commissions according to the number of infected visitors to the main site.

Basically hackers are being rewarded for driving traffic by fair means or foul (and usually the latter) to a malware-laden web site.
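
The two pieces of serving logic described above, one exploit view per IP address and per-affiliate crediting via a URL parameter, can be modelled in a few lines. This is an added reconstruction for illustration, not Finjan’s or any real server’s code; the `aff` query parameter, the `lure.example` and `bad.example` hosts and the page bodies are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed page bodies standing in for what such a server would return;
# the exploit page is a placeholder reference, not a real loader.
BENIGN_PAGE = "<html><body><p>Welcome to our site.</p></body></html>"
EXPLOIT_PAGE = '<html><body><script src="http://bad.example/loader.js"></script></body></html>'


class OneShotExploitServer:
    """Model of the serving logic the report describes: the exploit page is
    shown once per client address, and each first view is credited to the
    affiliate whose code (assumed here to be the 'aff' parameter) is in the URL."""

    def __init__(self):
        self.seen_ips = set()
        self.credits = {}  # affiliate id -> number of infected visitors

    def serve(self, client_ip, url):
        affiliate = parse_qs(urlsplit(url).query).get("aff", ["direct"])[0]
        if client_ip in self.seen_ips:
            return BENIGN_PAGE  # second look from the same address: play innocent
        self.seen_ips.add(client_ip)
        self.credits[affiliate] = self.credits.get(affiliate, 0) + 1
        return EXPLOIT_PAGE


def analyst_refetch_sees_exploit(server, victim_ip, analyst_ip, url):
    """Replay a victim's visit, then re-fetch from the victim's own address and
    from a fresh one; report which of the three fetches received the exploit."""
    victim = server.serve(victim_ip, url)
    same_ip = server.serve(victim_ip, url)
    fresh_ip = server.serve(analyst_ip, url)
    return {
        "victim": victim == EXPLOIT_PAGE,
        "same_ip": same_ip == EXPLOIT_PAGE,
        "fresh_ip": fresh_ip == EXPLOIT_PAGE,
    }


if __name__ == "__main__":
    srv = OneShotExploitServer()
    print(analyst_refetch_sees_exploit(
        srv, "203.0.113.7", "198.51.100.20", "http://lure.example/page.php?aff=1234"))
    print(srv.credits)
```

Two consequences follow from the model. An investigator behind the same NAT as the victim gets the benign page and may wrongly close the case, so the first capture (proxy log, browser cache, packet capture) is the evidence to preserve, and any re-fetch should come from an address the server has not seen. And because every first view from a new address is credited, each fresh-address fetch an analyst makes also pads the affiliate’s payout.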

For the master hackers involved in these types of scams, the rewards are potentially quite high, as the infected pages load key logging and other activity logging programs on to the victim’s PC.

The victim’s PC then drip feeds personal data such as bank account log-in details and credit card details back to a web storage site, from which the hackers harvest the data for fraudulent use.

According to Yuval Ben-Itzhak, Finjan’s CTO, the problem with these types of attacks is that a growing number of legitimate sites are being hit by compromises that are hard to spot.

These attacks, he says, leave no visible damage and simply insert a line of HTML code that points to malicious code on an external server.

“The upshot is that any visitor to such a site may be jeopardising his/her personal identity, bank account details and credit card numbers to the criminals behind these operations,” he explained.
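
Because the compromise described above amounts to one injected line pointing at an external server, a site owner can look for exactly that: script and iframe references whose host is neither the site’s own nor an expected third party, with extra suspicion for invisible iframes. The scanner below is an added example, not Finjan’s product or any tool the article mentions; the sample page, the `www.victim.example` host and the allow-listed CDN are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the site's own script, an expected third-party CDN,
# and two injected references of the kind the report describes.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.legit-cdn.example/lib.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://bad.example/in.php" width="0" height="0"></iframe>
<script src="http://other.example/x.js"></script>
</body></html>"""

OWN_HOST = "www.victim.example"
ALLOWED_HOSTS = {"www.legit-cdn.example"}  # third parties the site is known to use


def _is_hidden(attrs):
    """An iframe made invisible through size or style is a common sign of injection."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (
        attrs.get("width") == "0"
        or attrs.get("height") == "0"
        or "display:none" in style
        or "visibility:hidden" in style
    )


class ExternalReferenceFinder(HTMLParser):
    """Record <script src> and <iframe src> whose host is neither the page's
    own host nor on the allow-list (scheme-relative //host/... counts too)."""

    def __init__(self, own_host, allowed_hosts):
        super().__init__()
        self.own_host = own_host.lower()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        host = urlsplit(src).netloc.lower()
        if not host or host == self.own_host or host in self.allowed_hosts:
            return  # relative, same-origin or expected third-party reference
        self.findings.append({
            "line": self.getpos()[0],  # line of the tag, for the cleanup ticket
            "tag": tag,
            "src": src,
            "hidden": tag == "iframe" and _is_hidden(attrs),
        })


def find_injected_references(page_html, own_host, allowed_hosts=()):
    """Return the suspicious external references found in one page."""
    parser = ExternalReferenceFinder(own_host, allowed_hosts)
    parser.feed(page_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_injected_references(SAMPLE_PAGE, OWN_HOST, ALLOWED_HOSTS):
        print(finding)
```

Run over a crawl of your own site and diffed against a known-good baseline, this catches the injected line itself rather than the payload it loads, which is the part signature scanners miss. It also flags the cached-copy trick mentioned earlier, since a cache host is still off-site. The allow-list needs maintenance, and a parser-based scan says nothing about script injected at runtime by code already on the page, so treat it as one check among several, not a verdict.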

As you might expect, Ben-Itzhak is keen to promote Finjan’s IT security technology, but he does note - quite correctly - that businesses that rely solely on signature-based anti-virus or URL filtering technology may be left vulnerable to these types of attacks.

Against this backdrop, Finjan offers the following advice for business users of IT security technology:

1. Make sure that real-time inspection and protection is added to your web security solution. Chasing the attack vectors after the event is always ‘too little, too late’, particularly if you get hit by a zero-day attack that your security solution does not recognise.

2. Make sure that your IT security technology is updated to handle new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.

3. Check your vendor’s research capabilities and its ability to provide up-to-date information which is immediately translated into actionable security measures.

4. Examine your egress data policy to make sure that you cover all known and suspicious sites.