As everyone would have expected, a group of companies has finally started a security forum. These include Credit Suisse, Reuters and Standard Chartered.
Here is the article.
Security is a very important component of Web 2.0, considering the amount of data that is shared and the number of users participating in creating that data. It is a promising step by these companies that can only help the growth of Web 2.0 users and applications.
Though I am not sure if it is going to be significantly different than OWASP.
Saturday, February 09, 2008
Issues with Social Graph API usage
One of the common spamming techniques on social networking sites is the use of specialized spamming software such as FriendBot/BuddyBot, which are in fact automated friend adders, or tools that post comments/notes to multiple users. Such tools use the sites' search features to reach a certain section of the users and communicate with them from a fake account. Now, with social graphs, it becomes easier for such bot tools to retrieve a large number of related users.
Further, the Social Graph API can be used as a tool by social-engineering hackers to earn undeserved trust by creating and exposing a network of weak social connections. This can be exploited further to carry out phishing attacks.
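As an added defender-side illustration (not from the post and not tied to any real site), the following Python flags the access pattern just described: an account that, within a minute, sends friend requests to a set of users who are all one-hop neighbours of the same account, which is what a bot walking a social graph produces. The graph, the request log, the names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed one-hop social graph (who is connected to whom).
GRAPH = {
    "alice": {"bob", "carol", "dave", "erin", "frank"},
    "bob": {"alice", "carol"},
    "carol": {"alice", "bob"},
    "dave": {"alice"}, "erin": {"alice"}, "frank": {"alice"},
}

# Constructed friend-request log as (unix_ts, sender, target).
# "spambot" walks alice's contact list; "heidi" is busy but picks unrelated people;
# "grace" is an ordinary user adding one contact now and then.
REQUESTS = [
    (0, "spambot", "bob"), (5, "spambot", "carol"), (9, "spambot", "dave"),
    (14, "spambot", "erin"), (20, "spambot", "frank"),
    (100, "heidi", "bob"), (105, "heidi", "zed"), (110, "heidi", "yuri"), (115, "heidi", "xena"),
    (0, "grace", "bob"), (3600, "grace", "carol"), (7200, "grace", "dave"),
]

def best_hub(targets, graph, exclude):
    """Account whose one-hop neighbours cover the largest share of `targets`."""
    best = (None, 0.0)
    for hub, friends in graph.items():
        if hub == exclude:
            continue
        share = len(targets & friends) / len(targets)
        if share > best[1]:
            best = (hub, share)
    return best

def flag_friend_adders(requests, graph, window=60, min_targets=4, min_share=0.75):
    """Return {sender: (distinct_targets, hub, share)} for senders that fan out
    to >= min_targets users within `window` seconds AND whose targets are mostly
    neighbours of one account: fan-out plus graph concentration, not fan-out alone."""
    by_sender = defaultdict(list)
    for ts, sender, target in sorted(requests):
        by_sender[sender].append((ts, target))
    flagged = {}
    for sender, events in by_sender.items():
        for i, (start, _) in enumerate(events):  # sliding window over the sender's requests
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) < min_targets:
                continue
            hub, share = best_hub(targets, graph, exclude=sender)
            if share >= min_share:
                flagged[sender] = (len(targets), hub, round(share, 2))
                break
    return flagged

if __name__ == "__main__":
    print(flag_friend_adders(REQUESTS, GRAPH))  # {'spambot': (5, 'alice', 1.0)}
```

"heidi" is not flagged even though she sends four requests in a minute, because her targets share no common contact; the graph concentration is what separates a harvesting bot from a merely active user.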
Thursday, February 07, 2008
Security? We'll get to that later.
There have been a couple of posts about security here, and we have seen an example of a website getting hacked in - what was it? minutes? - in yesterday's lecture.
So why do we see security and privacy problems popping up in the Web 2.0 world?
One possible explanation is that if you want to share things with others (and Web 2.0 is all about sharing), then you must sacrifice a certain degree of privacy. Also, if your code is open-source, then hackers will find exploits by merely looking at your code.
But there's another explanation: this article suggests that developers are just too eager to implement new features, and security gets neglected. This phenomenon is not new: the same thing was going on when new and exciting desktop apps were coming up, the philosophy being that the priority is shiny new features for the user, and a stable and secure back-end is merely an afterthought: something that would be nice to have, but no one will notice if it's not there.
Friday, February 01, 2008
Privacy Issues In Social Web. A Good Real Example is Us!

A few days ago, Dr. Chen sent me an invitation to the Weekly Blogging Assignment spreadsheet. It looked kind of strange to me, because it contained UMBC Campus IDs instead of just the email IDs. Later I was told that it was done for privacy reasons.
Well, it was a good decision to go this way. But maybe he should not have trusted the app he chose to host this file. Yes, Google Docs could reveal some information anyway.
There is more than one way to know which ID belongs to which user. First, when you open the document and open the "Discuss" pane on the right, it shows a color box in front of the user(s) who are currently editing the document. And the area of the document that this user is editing is also shown with the same color. Assuming that users work only in their respective rows, one can know which Campus ID belongs to which user.
Another, easier way to reveal this is by viewing the "Revisions" of the document. This is self-explanatory.
That's why I say we need security first.
Another minor issue: I am able to see unpublished drafts some people have saved on blogger. Beware, others might steal your posts/ideas :)
Note:
If someone's IDs got revealed because of the picture above, or there are any serious implications please let me know and I will delete this post.
Wednesday, January 30, 2008
We need to secure gnizr
Since I have a little bit of web security background, I thought I would assess the security incorporated in this application. Turns out that it failed even the basic XSS test.
Web 2.0 involves combined efforts from all users of the internet. But this makes it even more necessary that we respect their privacy and ensure security of their accounts.
Demo
This is the simplest possible form of XSS.
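As an added illustration (not from the post and not the gnizr project's own code), here is the stored-XSS pattern a basic test like the one above exercises, in Python: a user-supplied bookmark title rendered raw into the page, beside the same rendering with escaping for each output context plus a scheme check on the link. The bookmark records and the probe string are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed bookmark records of the kind a social bookmarking app stores:
# the title is supplied by the user who saved the bookmark and is later shown
# to everyone who views the list. The second title is a basic XSS probe.
BOOKMARKS = [
    {"url": "http://example.com/", "title": "Plain title"},
    {"url": "http://example.com/x", "title": "<script>alert(1)</script>"},
]

def render_bookmark_vulnerable(bm):
    """Interpolates stored fields straight into HTML.
    Whoever saved the bookmark controls markup seen by every viewer."""
    return '<li><a href="%s">%s</a></li>' % (bm["url"], bm["title"])

def safe_href(url):
    """Only http(s) links may go into href; anything else (javascript:, data:)
    is replaced, because attribute escaping alone does not block those."""
    scheme = urlsplit(url).scheme.lower()
    return html.escape(url, quote=True) if scheme in ("http", "https") else "#"

def render_bookmark_safe(bm):
    """Escapes each field for the context it lands in: URL for an attribute,
    title for a text node."""
    return '<li><a href="%s">%s</a></li>' % (safe_href(bm["url"]), html.escape(bm["title"]))

def contains_script_tag(rendered):
    """Crude check used only to contrast the two renderers."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    for bm in BOOKMARKS:
        print("vulnerable:", render_bookmark_vulnerable(bm))
        print("safe:      ", render_bookmark_safe(bm))
```

The point of the scheme check is that escaping is context-specific: a title needs text-node escaping, an href needs attribute escaping and a scheme allowlist, and a single generic "sanitize" call does not cover both.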