Web 2.0 is all the rage nowadays. Sites like Facebook and MySpace continue to show incredible registered user and web traffic gains, and that gets everyone excited about the future of computing and how user-generated content is going to impact it. The success of these new web properties is actually pretty easy to see in hindsight. It's about community. Folks want a place to belong and Web 2.0 sites provide that.

The good news is that Web 2.0 can bring you closer to people, many of who are good folks. But not all are, and that leads us to the bad news about Web 2.0. It brings you closer to people -- maybe the wrong people. But is this a lot different that the application attacks we've been facing for the past two to three years?

The answer is no. Web 2.0 makes everything happen a bit faster and the issues are a bit more acute because users can add content to web sites they don't control. That's right; a simple comment field could be turned upside down and be used to do the evil biddings of attackers.

But let's not get too far into the discussion before we do a little laundry list of the different Web 2.0 attack vectors. The list is reasonably long, but in terms of categories, it breaks down like this:

• Malware - Yes, malicious code can be inserted into comment fields and blog posts. That means anyone else that renders the page would execute the malicious code and be compromised. This is the attack behind all the MySpace and Facebook hacks, as well as blog attacks. This is relatively straightforward to fix, if you know what to do.
• Spam - Yup, spam is still alive and well and making most of us miserable in some way, shape or form. The spammers have figured out how to attack your social networking accounts and force you to spend time cleaning out the crap. Be wary that many of these spammy invites to "friend" also hide malicious code. So the bad guys are trying to kill two birds with one stone.
• Application attacks - Web 2.0 sites are just as vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) as other web apps. So you have more talented attackers trying to insert these types of attacks into the web sites.
• Targeted attacks - High profile targets (like high net worth individuals) are also being attacked through customized, very specific attacks. For example, an attacker will try to "friend" a target with a legitimate-looking request. The request uses a social engineering attack to dupe the target into accepting the request or clicking on a link, and then it's game over.

-1-

Explore Our Topics

• BPM & Enterprise Architecture
• BPM Standards
• BPM Implementation
• BPM Best Practices
• Cloud BPM
• Continuous Process Improvement
• BPM Governance
• Service Governance

• Business to Business (B2B)
• BPM for Supply Chain
• BPM for Customer Management
• BPM for Financial Services
• BPM for Healthcare & Insurance
• BPM for Government

• Business Activity Monitoring
• Event Processing
• Process Intelligence
• Business Rules Management
• Decision Management
• Operational Intelligence

• Workflow Automation
• BPM & Enterprise 2.0
• BPM & Web 2.0
• BPM & ECM
• Case Management
• Collaboration
• Enterprise Portals
• Social BPM

• BPM & Cloud Integration
• BPM Analysis & Optimization
• Business Process Simulation
• Process Visibility & Monitoring
• Process Orchestration
• Process Discovery
• Process Modeling

Home
Webinars
Blogs
ebizQ Forum
All Topics
Subscriptions
White Papers
Analyst Corner
Follow us on Twitter
Fan us on Facebook

Explore Our Topics

BPM Strategy
BPM Solutions
Event Processing Strategy
Content-Centric & Collaborative BPM
Process-Centric BPM

About Us
Editorial Submissions
Feedback
FAQ
Advertise With Us
Site Map
Privacy Policy
Unsubscribe