The Next Line of Defence: Web2.0! You must read this!

Do you remember my words from my Web2.0 hacking talk: Data in the Cloud, Applications on demand, but for malware! Well it is happening! And I know that a lot of security (sort of) guys out there will simply ignore many of the things we (GNUCITIZEN and others) have to say but the simple fact is that Web2.0 is the most significant development milestone of the Internet, which will bring the next generation of computing to reality and with that, the next generation of problems. With this post I would like to show you an examples of the so called Applications on Demand and dive a bit into what security implications we face when dealing with this type of technologies today and in the future.

Let me bring you up to speed with some concepts first. As I mentioned before, the phrase Data in the Cloud, Applications on Demand symbolizes a new approach to computing, where the data is freely stored on the Web while applications are delivered when demanded, to consume that very same data in order to perform a given task. Traditionally, applications are either on the server or the client. However, with the introduction of AJAX and other client-side technologies, we start to see more of the hybrid type: both servers and clients are seamlessly glued together to produce the desired effect.

Why is this interesting? Let’s put it this way: malware is software, software is moving to the cloud, therefore, malware is moving to the cloud.

The rules of the game change with every single day. I’ve mentioned how Web2.0 technologies can be used/abused in order to gain a technological benefit. This is very, very, very serious. Mashup services, for example, allow you to build applications for the cloud in a few simple steps. It doesn’t take much of creativity to realize that these platforms can be easy turned into war machines. Blogs, feeds, aggregation platforms are the perfect way to distribute content of whatever kind. XSS on a massive scale has never been easer without the social bookmarking infrastructures build to support our ever-curious Web community. And now, cloud applications has become even more easer to deploy. Do you remember mario’s post on the security implications of the nopaste websites? Well, appjet.com is the same but for online applications. Get there. Paste your Server-side/Client-side JavaScript and publish the app. How is that for simple?

Do you want to write a shell script? Well, you can do it at Appjet but the only difference is that while your shell script runs on the top of your system and cannot be easy shared, Appjet apps are available 24/7 online. Or how about writing the next exploit as an Appjet app? There is no such kind of thing as Web anti-virus/malware. These defence technologies simply does not work over the Web’s medium. Here is an example for an Appjet script:

g = wget("google.com");
page.setMode("plain");
print(g);

Yes, it is JavaScript. JavaScript on the top of SpiderMonkey in fact. It is simple, fast, intuitive and more then powerful. And it is not one of a kind. It is just one of the many to come. Web2.0 is pushing the limits of our technology and for good or bad we have to deal with the outcome. Btw, I’ve said it before and I will say it again:

Web2.0 security is not only about input validation of your apps as many of you believe. It is bigger then that. Web2.0 security is mostly about the implications that arise from building loosely connected components. Input validation on its own is so Web1.0 (play with words). It is time to start thinking a bit more globally about the world, the technology, and us. This is what Web2.0 security is all about.

I hope that you can see it as clearly as I can see it today. Meanwhile, give appjet.com a go. The experience you will gain really worth the amount of time invested and you may realize a few thing along the way.

Comments

shmel responds:

Funny toy, indeed. Poor my vacation…
http://foreva.appjet.com/

Jim Manico responds:

I will not shoot my critical data up into the cloud until I can encrypt and project my data no matter where it is with I having the only key.

application.secure responds:

Good stuff… (I saw your presentation about web2.0 at OWASP.) Full agree with you… Input validation is not “the” challenge about security in web2.0… of course, it will continue to be an attention point when developing web 2.0 applications.

As you say, the challenge of 2.0 is more about integration and sharing information and services.

Do never trust external information and services? Is it the golden rule of 2.0?

But(fe) is it not the responsability of service(app) providers like (appjet.com) to deliver trusted services?

pdp responds:

Jim, of course, but at some point in time you will have to.

application.secure, the reason why I mentioned appjet.com is because their service allows you to build tiny applications very rapidly. Also the service gives you the ability to connect to stuff. In the past you will need a compromised system in order to launch an attack. Today, all you need is an account with one of these services. This is what makes it scary.

application.secure responds:

yes, you have the same service with “google mashup”…
Do you think that google or appjet have (or must have) a kind of “antivir” to scan all services and detect malicious services?

rdivilbiss responds:

“Do you think that google or appjet have (or must have) a kind of “antivir” to scan all services and detect malicious services?”

Sounds like the argument Wall Street made before 1929. ergo the SEC, et. al.

Some responsibility for security certainly rests with the service providers, though I can not specifically say how much. It would however be in the best interests of the service providers to intervene before EU or US regulators decide to get involved legislatively.

Shoaib Yousuf responds:

pdp,

I always see you are always pointing out upcoming security threats and warning about security threats in Web 2.0. I totally agree with your posts (no doubt) but it will be great if you start telling us what can be done?

Okay, I agree there are security threats and risks but as security professionals and with so many websites telling us that; we already know what’s going on in WEB 2.0. As your regular user and reader I would like to read your thoughts on how to save defend from WEB 2.0 Security risks and threats in your point of view.

Cheers

Shoaib
Australia

pdp responds:

Shoaib, you are absolutely right. The thing is that GNUCITIZEN research is primary attack oriented. We are mostly interested in the offensive side rather then the defensive side. Though, I will put some defensive techniques with the next post.

thanks for the comment.

GNUCITIZEN Products

Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.

Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.

Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.

Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

Visit the GNUCITIZEN Network for a complete listing of all GNUCITIZEN initiatives, products and partnering organizations.

GNUCITIZEN

Navigation