bling bling blog

Wednesday, August 09, 2006

WEB 2.0: be careful using it

Did you know that Web 2.0 is a trademark coined by the American publisher O'Reilly?
...so be careful using it, you could be sued!
For those who want to know more:
http://www.tomrafteryit.net/oreilly-trademarks-web-20-and-sets-lawyers-on-itcork/
http://radar.oreilly.com/archives/2006/05/controversy_about_our_web_20_s.html
http://www.crunchnotes.com/?p=216

3 comments:

Massimo Cavazzini said...

Perhaps there is also a second reason not to use it... "The hidden flaws in Web 2.0" by Chris Nuttall, in the Financial Times of August 7 :-)

layla pavone said...

The hidden flaws in Web 2.0
By Chris Nuttall

FT.com
Published: August 7 2006 18:36 | Last updated: August 7 2006 18:36

A dark side to the shiny new world of Web 2.0 is being exposed by virus writers and the internet security companies that counter them.

The linked-up, sharing, live-updating melting pot of web technologies that has been dubbed the second version of the web is proving fertile ground for infiltrators seeking to inject malicious code into the mix.


Massimo, first of all thank you for pointing this out. If you were able to post the whole article it would be very useful. Do you have it?

Ivan Marino said...

Hoping this is welcome:

The hidden flaw in Web 2.0
by Chris Nuttall

New-generation web-driven applications make it easy for users to build sites - but also for virus writers to attack. While the technology and tools may bring new freedoms, they also represent virgin territory for virus writers and identity thieves.
A dark side to the shiny new world of Web 2.0 is being exposed by virus writers and the internet security companies that counter them. The linked-up, sharing, live-updating melting pot of web technologies that has been dubbed the second version of the web is proving fertile ground for infiltrators seeking to inject malicious code into the mix.

While Microsoft was once the prime target, with vulnerabilities exploited in its word-processing application, browser and operating system, Google, Yahoo and MySpace are now as likely to be hit by attacks as the focus moves from computer desktop applications to web-driven ones.

In Web 2.0, the action is inside the browser. Google users, for example, can fill out spreadsheets, do word processing and see their calendars and e-mail inboxes being updated in the same manner as when they use Microsoft's hard disk-based Office suite of programs. The difference is the information is being embedded in web pages delivered from Google's servers to the user's browser, most commonly Internet Explorer or Firefox.

Web 2.0 also stands for the social software of wikis, blogs, really simple syndication (RSS) news feeds, tagging and community sites. It is a permissive society where users borrow, append and mix their data freely with one another. However, while the technology and tools may bring new freedoms, they also represent virgin territory for virus writers and identity thieves.

Part of Web 2.0's appeal to the developers of "malware" - malicious software - is the complexity of processes going on in the background to enable it. Ajax (short for asynchronous JavaScript and XML) is the umbrella name given to a wide range of technologies used to make web pages more interactive. They come alive as small amounts of data are exchanged with the server to refresh part of a web page, such as a changing stock price or sports score.

"There are about 100 different ways to encode JavaScript. Firefox and Explorer have 50 ways each," says HD Moore, security research director at BreakingPoint Systems. "Bad code" struck Yahoo's web mail service in June when a virus writer sent out an e-mail with some JavaScript code embedded invisibly inside it. Yahoo Mail was vulnerable to what became known as the Yamanner worm as it allowed JavaScript to be executed.

Anyone opening the e-mail triggered the script, which made requests for the user's address book and sent the worm on to everyone listed. The aim was probably to collect addresses for spam lists.

"The Yamanner worm couldn't have happened without Ajax," says Billy Hoffman, security researcher at SPI Dynamics.

"This is the frightening thing - from Yahoo's point of view, nothing dangerous happened, the user just composed and sent an e-mail. It's the same for the browser - it saw some Java and it just ran it, and the end user couldn't do anything about it either." A similar flaw in Google's RSS reader was spotted last month. Google uses JavaScript to allow users to add news feeds to their reader, and a security expert was able to append data to the news feed address and redirect the browser to another site.

These weaknesses of coding in Web 2.0 sites are known in the security industry as cross-site scripting, or XSS vulnerabilities. The best known exploitation of an XSS hole in recent times was a relatively benign attack last October on MySpace, now the biggest social networking site with 54m users.

"Samy", a 19-year-old software developer from Los Angeles, wrote a worm that gained him more than 1m online "friends" before MySpace was able to disable it. He placed JavaScript code in his MySpace profile so that anyone viewing it would unknowingly execute the code. The code added him as one of the user's friends, which normally requires the user's approval, but his worm granted this in the background using Ajax.

It then opened the user's own profile, copied the malicious code and appended Samy to any list of heroes there, with the words "but most of all, samy is my hero". Anyone viewing the user's profile would be similarly infected and so Samy's fame and popularity quickly spread to 1m MySpace members.

By this time, the site's administrators were aware of the mass activity and were forced to take MySpace down for several hours to remove the worm. "What is biting MySpace, Google and Yahoo on the butt is XSS," says Alex Stamos, principal partner at the iSEC Partners security company. "You can prevent it with input and output filtering of scripts and in the traditional Web 1.0 world, there was just one big web page in standard HTML, so the job to keep these scripts out was not hard." With Web 2.0, however, there are so many ways to get scripts in that preventing it is much more difficult, he says, and the person who writes the web application cannot just use off-the-shelf filters any more.

"The whole idea of using the Ajax framework is you don't have to understand how it works. But our contention is that if you don't know how it works, you don't know how to use it securely," says Mr Stamos. His company has explored vulnerabilities where users have multiple browser windows open and visiting a malicious site in one window can lead to information being grabbed and scripts executed in another.

It demonstrated to an online stockbroker how malware assumed the identity of a member, bought and sold their shares and emptied their bank account. Yet many Web 2.0 start-ups are too small to be able to dedicate much time to security. "With Web 1.0, security came later, and it always lags [behind], which is natural," says Mr Stamos.

"You can't go to a venture capitalist and say you're going to have the most secure mash-up site and get $20m. You can say you're going to have the coolest way that people can interact with each other. That will get you the money.
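
An added example, not part of the article or of the comments above: it illustrates the point quoted from Alex Stamos about input and output filtering by comparing a one-pass script-tag blocklist with HTML output encoding. The function names and the sample inputs are constructed for illustration.

```javascript
// Constructed sample inputs: text a user might submit to a profile field.
const SAMPLES = [
  'but most of all, samy is my hero',            // plain text
  '<script>alert(1)</script>',                   // plain script tag
  '<scr<script>ipt>alert(1)</scr</script>ipt>',  // tag reassembled after one-pass stripping
  '<img src=x onerror=alert(1)>',                // script runs without any script tag
];

// Input filtering by blocklist: remove script tags in a single pass.
// This is the fragile approach; it only knows one way scripts get in.
function stripScriptTags(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// Output encoding for HTML element content and quoted attribute values:
// every metacharacter becomes an entity, so the browser renders the value
// as text however the markup was written. (Other contexts, such as inline
// JavaScript or URLs, need their own encoders.)
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Crude detector for markup a browser would still parse as a tag.
function containsMarkup(html) {
  return /<[a-z\/!]/i.test(html);
}

// Run both defences over every sample and report what survives.
function compare(samples) {
  return samples.map((s) => ({
    input: s,
    blocklistLeavesMarkup: containsMarkup(stripScriptTags(s)),
    encodedLeavesMarkup: containsMarkup(encodeForHtml(s)),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(row.blocklistLeavesMarkup ? 'BLOCKLIST BYPASSED' : 'blocklist ok      ',
              row.encodedLeavesMarkup ? 'ENCODING BYPASSED' : 'encoding ok',
              JSON.stringify(row.input));
}
```

The blocklist handles only the plain script tag; the encoder neutralises all four inputs because it does not need to recognise which markup is dangerous.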