Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web 2.0 Threats and Risks for Financial Services

Posted by CmdrTaco on from the where-is-my-foil-hat dept.

An anonymous reader writes "Companies are tuning into Web 2.0 but are simultaneously exposing their systems to next generation threats such as Cross site Scripting, Cross Site Request Forgery and Application interconnection issues due to SOA. With regard to security, two dimensions are very critical for financial systems — Identity and Data privacy. Adopting the Web 2.0 framework may involve risks and threats against these two dimensions along with other security concerns. Ajax, Flash (RIA) and Web Services deployment is critical for Web 2.0 applications. Financial services are putting these technologies in place; most without adequate threat assessment exercises."

56 comments

  1. Who cares? by kadat · · Score: 0, Flamebait

    Who cares about security? AJAX is so slick and it looks so good and you know, customers are so happy. Oh well, maybe they're not but the CEO is because we're so ahead of others in the market with our brand new 3.5MB javascript file.

    Or am I missing something?

    1. Re:Who cares? by Anonymous Coward · · Score: 0

      Web 2.0 is profitable for consumers:

      1. Find a bank using Web 2.0 on their consumer portal.
      2. Open an account and deposit a hundred dollars.
      3. Wait 6-12 months for the inevitable privacy breach and concommitant class action
      4. Profit!

      Or just turn off javascript and give a big finger to Web 2.0

    2. Re:Who cares? by PPH · · Score: 1

      Or am I missing something?

      Yeah. A big animated Flash logo. How can you possibly deploy a usable web service without a dancing logo?

      (Obligatory) Nothing to see here. Move along.

      --
      Have gnu, will travel.
  2. honestly... by cosmocain · · Score: 4, Insightful

    ...i don't need some flashy looking online-banking. i just want to transfer money from account a to account b, wonder, where my money has gone, etc. sometimes this little sentence just makes sense:

    keep it simple. for such ordinary tasks there does not have to be great interaction schemes or whatever comes to your mind. it just has to freaking work. and - it's even more secure the simple way? well, then don't tamper with it.

    1. Re:honestly... by SatanicPuppy · · Score: 2, Insightful

      With complexity comes insecurity. Nothing makes me happier than an old atm with a limited feature set...You know it's not running windows in the background, you know it doesn't have code interpretation vulnerabilities...It's simple, clean, and elegant.

      Likewise the web presence. Whenever I see data change without a page load it creeps me out. It may be sexy looking, but for every piece of flashy 2.0 Ajax, there is a cost in terms of security.

      Sad to say though, there are people out there who are so conditioned to the "new is better" mentality that applies to consumer goods, that they think the same applies to computer code. They view a flashy "new" site as being more secure, rather than less secure, because newer is better, right?

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:honestly... by goombah99 · · Score: 2, Insightful

      You'd think some bank could turn this into a marketing ploy. put up a banner saying "please excuse the sluggishness and old fashion style of our web site, unlike our comeptitors we use a transactional accounting system and everything you see on your screen is generated right on our servers. It's safer even if it isn't sexy. But you don't really want your bank to be sexy do you?".

      Now could someone please explain to me what cross site scripting is and why it is so hard to stamp it out.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re:honestly... by sarathmenon · · Score: 1

      Nothing makes me happier than an old atm with a limited feature set...You know it's not running windows in the background


      Sadly, my bank's ATM comes from Diebold, the famous company that we all know, and yes, there's no points for guessing that it runs on windows. I've seen it crash atleast a dozen times with BSODs and funny looking dialogs. I am farely sure that these machines can be reverse engineered, and I prefer using their web interface, which from the headers run on iplanet/solaris. Still I guess I count as the exception and not the majority.
      --
      Microsoft: "You've got questions. We've got dancing paperclips."
    4. Re:honestly... by mobby_6kl · · Score: 2, Informative

      > Nothing makes me happier than an old atm with a limited feature set...You know it's not running windows in the background, you know it doesn't have code interpretation vulnerabilities...It's simple, clean, and elegant.

      Depending on your exact meaning of "old", you might be very, very wrong. Many ATMs do, in fact, run Windows.

    5. Re:honestly... by Anonymous Coward · · Score: 0

      Exactly. I first used online banking in 1999 and I believe in those days pages were plain HTML3.2 and they worked just fine.

    6. Re:honestly... by Anonymous Coward · · Score: 0

      Come on, don't you like an interface with a progress bar, and the amount you send is counted upward, and on finish "Transfer completed!" bling bling. Ever watched it in movies? it really cool, would make you feel like transfering millions.

    7. Re:honestly... by Cap'nPedro · · Score: 1

      A simple example of x-site scripting would be where a black-hat cunningly crafts a URL that points to a location on the bank's site. A user of the bank visits this location, and an interesting piece of JavaScript that's been injected into the URL causes the user's details (cookies, login details etc.) to be sent to another site, so the cracker can get them.

    8. Re:honestly... by goombah99 · · Score: 1

      how? if the URL is going to the bank then my browser is "on" the bank's site. How is their latent access to the cookies, and form fields, being retained by the intial site.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    9. Re:honestly... by Cap'nPedro · · Score: 1
      That was a very simple, very quick example. The Wikipedia article explains it in more detail, but essentially it's possible to create a phishing email which will be very convincing (it's pointing to the bank's own site after all).

      For example, if an attacker hosts a malicious website, which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system

      1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
            2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
            3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (ie. the email is spoofed).
            4. Alice visits the URL provided by Mallory while logged into Bob's website.
            5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script steals sensitive information (authentication credentials, billing info, etc) and sends this to Mallory's web server without Alice's knowledge.
    10. Re:honestly... by SatanicPuppy · · Score: 1

      Oh I know they do...I saw a photo of one where it had bluescreened, then rebooted to a windows desktop. Some joker had started Windows Media Player, and had left it playing whatever track was included with the OS.

      In my mind, that's just obscene. When I talk about old, I mean super simple code, plain text on a black background, push this for your money, the end. Very simple. Practically unhackable. But build it on Windows, even tossing aside all the known problems with Windows, is HUGELY stupid. You're adding layers and layers of unnecessary code.

      When I put together a Unix server that's going to be in a risky environment, I build it very carefully. It has the services it's going to need, and that's it. Nothing extra. NOTHING. Because every piece of code that's not being used is a possible vulnerability. Every single one. Building an ATM on Windows is taking all the possible flaws in your code, and then ADDING all the flaws of code you can't even check.

      Seriously. Scary.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    11. Re:honestly... by Josef+Meixner · · Score: 1

      Now could someone please explain to me what cross site scripting is and why it is so hard to stamp it out.

      One of the limits on active content (mostly Javascript, but it also applies to some others) is, that a script can only access pages originating from the same server. So a script from server A can change a picture or hide parts of a page which is also from server A, but it is not allowed to do that to stuff comming from server B.

      A cross site scripting vulnerability now enables an attacker to do exactly that, add some script not from server A which is presented in a way, that your browser believes it is from server A and allows it therefore manipulations which are unsafe. That basically means, someone is able to inject arbitrary code into pages and do operations in their context.

      There is a way to not have cross site scription (shorthand for that is XSS) vulnerabilities, white listing. White listing means, you only accept known good data in anything which reaches the server. That includes uploads and forms, URLs and cookies. The problem is, that most sites don't do white listing, but the opposite, black listing. Black listing means, you try to find the things which will break your site and remove them. The problem is, that you will never know all ways which will break your site.

      So why isn't white listing used exclusively? It is much harder, you have to specify what is acceptable, so you are less flexible, whenever you add something as acceptable you have to be sure it won't break something. Black listing is much easier to implement and things you didn't think of work, with the downside that also bad things you didn't think about sometimes work.

    12. Re:honestly... by Anonymous Coward · · Score: 0

      I guess that's why the OP said "old ATM" not just "ATM". Some of us remember ATMs not running Windows :Y

  3. Banks using "Web 2.0"? by Anonymous Coward · · Score: 0

    I can only imagine what a bank's web site would look like...

    Recent Tags:
    laundering, DEPOSIT, WITHDRAWAL, mortgage, phishing, PORN, XXX, savings account, cd, federal reserve

  4. The real problem by CastrTroy · · Score: 4, Insightful

    The real problem is outlined right in the blurb. That problem is: "without adequate threat assessment exercises". I don't think any of these technologies are inherently any worse than any other method, but the problem is that they don't understand the technologies well enough, and aren't testing for vulnerabilities. It's just like with PHP. Sure you can code your pages with really insecure SQL injection technologies, but there's solutions like prepared statements that make it a non-issue. What I want to know is, why are all these financial institutions jumping on the Web 2.0 bandwagon before they fully understand what they are doing? From my point of view, web 1.0 is good enough, and I don't see why everyone wants to switch so fast.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:The real problem by Hal_Porter · · Score: 2, Interesting

      There's an argument that you should do some kind of benefit analysis before you adopt technology I think. Each new thing you add increases the attack surface of the application, so there's no point doing things for purely aesthetic or coolness reasons. Plus most Web 2.0 applications seem to cope very badly with slow or unreliable network connections, and that in itself is a good reason to not use them in critical environments like online banking.

      Fuck it, I'm an old fart and I know it. I'm sure next time I connect to my bank via a flakey VPN connection, it will look like fucking del.ic.io.us or whatever and will either not let me log in in the first place or freeze up when I'm trying to actually use it the way gmail does. There's no point trying to explain this stuff. Next time I go to Starbucks and it's full of goateed Mac users writing PHP code, I'm gonna put strychnine in cinnamon shakers.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:The real problem by NickFitz · · Score: 4, Insightful

      The real problem with TFA becomes apparent at the start of the second page:

      RSS feeds exist in Web 2.0 data format.

      That sentence alone confirmed what I'd been beginning to suspect by the end of the first paragraph: TFA is a mishmash of ill-informed technobabble penned for the purpose of allowing underqualified CTOs to give the impression that they are fully buzzword-compliant.

      --
      Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
    3. Re:The real problem by dkf · · Score: 3, Informative

      All this "Web 2.0" stuff adds one important attack vector, and that is scripts downloaded from a malicious website that manipulates the user's experience of the real site (e.g. to make extra transfers and yet hide the details of those from your view of the log). The proper solution to this is to only allow scripted control of a site (other than from scripts downloaded from the same site) if the controlled site specifically declares that it is OK for scripts from the other site to do so, a policy which would need to be enforced by everyone's browsers. (Yeah, I know. Good luck with getting IE to adopt a sensible default-deny policy on anything.) Of course, this measure completely stuffs most mashups, but is that such a bad thing? :-)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    4. Re:The real problem by brunascle · · Score: 1

      scripts, i believe, dont have access to pages from another domain, so that's not necessary. any web developer worth his weight should not have any sql-injection or XSS vulnerabilities, lest he wish to be stoned, and that only really leaves XSRF, which is much more difficult.

      the only way to really prevent XSRF, that i can see, is having browsers disallow inter-domain POST requests, and making sure all important transactions must be initiated via a POST and not GET request.

    5. Re:The real problem by freezin+fat+guy · · Score: 1

      I've said it before, I'll say it again: we went through the same thing with Windows 95+ and Outlook.

      Masses: "Ooooo look at the shiny features!"
      tiny voice in the distance: "But it's a security nightmare!"
      Masses (louder): "Ooooo look at the shiny features!"

      I don't think any of these technologies are inherently any worse than any other method, but the problem is that they don't understand the technologies well enough, and aren't testing for vulnerabilities.

      Unfortunately They are only part of the problem. It is currently impossible to secure Javascript for reasons that exist well beyond the individual web site.

      The great hazard of client side scripting support (Javascript, Flash, Java, et. al.) is that a breach of the sandbox in one domain can potentially hazard your interactions in other domains. So even if your site is 100% secured Javascript ensures your users can still be at risk. The only solution right now is for 100% of websites to be 100% invulnerable. Is that likely?

      Personally I use Firefox with NoScript but while there may be instances where I can be reasonably sure a site I am visiting is not going to intentionally compromise me, there is no way to know that any site is 100% XSS proof. I know full well that every time I enable a site to use Javascript or Flash I increase my risk.

      Make no mistake, there is a point at which things boil down to features vs. security. We all have a different threshold at which we are comfortable with the compromise.

    6. Re:The real problem by Trails · · Score: 1

      More than that. It's written by the "Director and Founder" of Net Square, "a technology-based security services organization", responsible for such wonderful innovations as "httprint, a web server fingerprinting tool." which looks at response headers and figures out what webserver it is, and "datapipe_http - Raw/HTTP TCP Tunneling", "software based on datapipe port redirector originally written by Todd Vierling in 1995, , opens up a connection with the HTTP proxy server, and uses the CONNECT server:port HTTP/1.0 technique to open a plain bi-directional TCP connection to the destination server." (wow, an HTTP Proxy Client!!! How innovative!!!)

      The article is bloody mess, both editorially and factually. It mixes a restating of the obvious("client-side checks must be backed up by server-side checks as well") with a healthy dose of sensationalism: "All these sources can have different point of origin(supposition) and are totally untrusted(wild blanket statement of purported fact)." (parenthetical stuff added by me)

      This is simply an attempt to drum up business folks, which states absolutely nothing new. Not sure how it made it on to /., but I wish the mods would at least glance over this stuff before posting it.

  5. set up a separate account by nanosquid · · Score: 1

    I think it's foolish to use your usual account and browser for online banking. Just create a separate account, keep the browser clean, don't browse around with that account, and set up good security. That's good for many reasons, not just XSS.

    1. Re:set up a separate account by brunascle · · Score: 1

      that will only help if it's the client's browser that's vulnerable, not the site itself. it wont help with XSS (since, as i just now learned, XSS is just another word for javascript-injection. it's a vulnerability in the server, not the client.)

    2. Re:set up a separate account by nanosquid · · Score: 1

      that will only help if it's the client's browser that's vulnerable

      Yes, that's the case you need to be concerned about.

      not the site itself.

      How would the banking sites be vulnerable? They don't allow any kind of user content to be uploaded.

    3. Re:set up a separate account by brunascle · · Score: 1

      Yes, that's the case you need to be concerned about.
      i disagree. i'm fairly confident my browser is secure, and if it isnt and there's an exploit in the wild, i'll probably hear about it in less than a day and there's a good chance a patch will be released by then.

      what i'm not confident about is the competency of the developers that put together the site i'm browsing.
    4. Re:set up a separate account by nanosquid · · Score: 1

      what i'm not confident about is the competency of the developers that put together the site i'm browsing.

      It doesn't matter how competent/incompetent the banking developers may be, banking sites just don't have uploadable content.

      Therefore, the XSS attacks you have to worry about (and the only ones you can control anyway) are the ones that use your browser. Those are real and often go undetected for a while before a patch becomes available.

    5. Re:set up a separate account by brunascle · · Score: 1

      banking sites just don't have uploadable content
      pretty much every web-app has uploadable content. any time you fill out a form you're uploading content. every just by modifying the GET params, you could be uploading content that will display on the web page.

      the XSS attacks you have to worry about... are the ones that use your browser
      but that's not XSS, that's just a browser vulnerability. they do exist but i cant think of any cases i've heard of in the past that have had a chance at affecting me. XSS, on the other hand, is all over the place, though, granted not so much on a banking website since content you upload is unlikely to be seen by anyone but yourself.
    6. Re:set up a separate account by nanosquid · · Score: 1

      pretty much every web-app has uploadable content. any time you fill out a form you're uploading content. every just by modifying the GET params, you could be uploading content that will display on the web page.

      Yup, but banking apps only show you what you have uploaded.

      but that's not XSS, that's just a browser vulnerability.

      Well, if a bug in your browser permits third party to be uploaded onto your bank's site (something fairly harmless in itself), then you may have a dangerous XSS. Using a separate account also protects you against some forms of social engineering.

  6. The great web 2.0 by enven · · Score: 1

    "Many Web entrepreneurs and established software providers are hoping that AJAX can reinvigorate the PC software business by marrying the graphical user interface of desktop computers with the benefits of the Web."
    http://news.com.com/AJAX+gives+software+a+fresh+lo ok/2100-1007_3-5886709.html

    This is a little over two years ago, on the subject of Ajax...and Web 2.0/ other buzzwords/works seem to be plugged more on technological forums/media...Who wouldn't want to be hip..Especially when your information's reputation is on the line.

    -

    IMO: Online Banking/money transfer/any sort of transaction/communique' that needs security should be held in the highest regards, with the most minimal in looks! Give us the information, not the bells and whistles!

  7. The biggest threat is not the web 2.0 itself by holywarrior21c · · Score: 0, Offtopic
    but the biggest threat is prolonging existence of active x. in Korea every bank website must use verification system made for asp servers and the client must install active x in order to be verfified to the websites and use of the credit cards online. that means that in order to log into any of the bank website to check your account or to buy anything from online with credit card means that you need to have windows in your machine. Hope this situation change soon with the already came vista. in fact Korean government is one of the few gov in the world to fine microsoft for monopolistic practices. (300million) hope our gov start building up some damn good infra out of that.

    Microsoft vows to fight South Korean antitrust rulinghttp://www.theregister.co.uk/2005/12/07/micr osoft_south_korea_antitrust//

    --

  8. Web 2.0 not necessary for banks by adrenalinerush · · Score: 2, Insightful

    Hmmm... my bank's website is still quite web 1.0, and I don't have any problem with that. I don't really see where the '2.0' technologies would improve my online banking experience enough to outweigh the potential security holes. I foresee my bank sticking with 1.0.

    Why is this even being considered?

  9. please buy my security solution .. by rs232 · · Score: 3, Insightful

    Shouldn't security be built into these Web 2.0 application from the ground up and not added on as an afterthought.

    --
    davecb5620@gmail.com
    1. Re:please buy my security solution .. by Opportunist · · Score: 4, Insightful

      Has it ever been that way?

      I was there when a certain bank that better remains anonymous (not because of being innocent, but because they got more & better lawyers than me) jumped the train for online business. All the managers saw how much work could be put onto the customers and how much we can save by not having people come in and actually talk to the teller or drop transfer orders in our boxes. They'd do all themselves! And we can charge them for that! Good God, we need that! No matter the cost! Security? Aw heck, ignore that, who'd dare to attack a bank here (Seriously, that was actually the attitude towards it)? And even, what could go wrong? We got https, we got security certificates, our servers are kept tight by the best people money can buy...

      The average annual damage for actual physical bank robberies is a tiny fraction by now of what online frauds cause. Especially since you get about 90-95% of the guys that come with a gun to your bank, while 90-95% of those coming online slip past you.

      And now everyone's all over security and everyone wants it secure damn right now or else.... But you can't secure something that is inherently insecure. It was designed insecurely, it was created insecurely, it's run insecurely. Yes, the key attack point is the customer, not the bank, but all in all, the damage rests on the banks. Either they pay the damage, or they don't and word gets out, and everyone will stop using online banking. THAT damage, though, would be even higher!

      So take my word for it, nobody will give a rat's rear about security until it's too late. Why should it be different this time?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:please buy my security solution .. by Intron · · Score: 1

      It's already too late. In-person bank robberies typically net only $10,000 or so, online robbery is doing far more.

      --
      Intron: the portion of DNA which expresses nothing useful.
  10. This just in ... by boyfaceddog · · Score: 1

    New technologies may present unseen risks. Use with caution.

    --
    Here will be an old abusing of God's patience and the king's English.
  11. Different meanings ... by ThirdPrize · · Score: 1

    Most programs on telly that mention Web 2.0 think it means "Social Networking". I think that's because the main sites that jumped on the AJAX bandwaggon were the social ones. Security wise, I would think that the more you shift the application to the browser the more you make it open to hacking. Talk about public APIs.

    --
    I have excellent Karma and I am not afraid to Troll it.
  12. CSRF and XSS FAQ's by mrkitty · · Score: 3, Informative


    The Cross Site Request Forgery FAQ
    The Cross Site Scripting FAQ

    --
    Believe me, if I started murdering people, there would be none of you left.
  13. How critical? by tygerstripes · · Score: 1

    two dimensions are very critical for financial systems

    Urgently, pivotally critical, even.

    --
    Meta will eat itself
  14. even witn Web 1.0 by Anonymous Coward · · Score: 0

    They are vulnerable to crsf, xss, and all sorts of other potential problems. Using web 2.0 can increase the attack surface, but its really the same problems you need to prevent. Its really the web 2.0 features built into our web browsers that make us vulnerable. Some one should really just slap the makers of Flock upside the head. Of course firefox and just about every modern browser is vunrable as well. But advertising a "better web 2.0 broswer" should earn them a special spot in hades.

  15. An article without proof by ThoreauHD · · Score: 1

    First, I don't know wtf web 2.0 is. Is this something people just made up- or am I not cool enough to know what that means for present day 1 mbit connections. Second, banks aren't using ajax and activex. SSL and certificates, and all the rest is low footprint. Banks are more apt to run into Duke Nukem Forever before web 2.0. This article is pulled out of somebodys ass. I've worked all kinds of banks security and that BS just doesn't fly.

    1. Re:An article without proof by Intron · · Score: 1

      web 2.0 doesn't refer to a particular technology. It just means using the web for two-way applications, interaction and sharing instead of one-way presenting static pages. Web as application platform instead of billboard.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:An article without proof by Knara · · Score: 1

      Er, so web 2.0 started in like, 1995 when you could submit forms?

    3. Re:An article without proof by Anonymous Coward · · Score: 0

      Nope. Forms are static pages, and the returned page is a static page. All web 1.0.

    4. Re:An article without proof by Knara · · Score: 1

      Your demarcation boundary for considering what is "interactive" seems arbitrary, AC.

  16. XSS = new??? by Anonymous Coward · · Score: 0

    Sorry to tell you bud... XSS is not new, nor is XSF. People are just now realizing how deep the rabbitt hole goes with exploitation. See Billy Rios's paper from blackhat amsterdam.

  17. XSS is a next generation threat? by Neumann · · Score: 1

    That's what I love about computing. A problem that has been around for years and years becomes a new dangerous threat simply because the developers of new technology didnt know about it before.

  18. Intranet by Tablizer · · Score: 1

    The Ajax stuff seems best suited to intranet and perhaps B-to-B. Public stuff should probably not use Ajax, especially if it involves money transfer. If you expose your site to a million potential hackers you are at a much greater risk than exposing it to one or two. Or at least don't use Ajax for final verification pages. Maybe use it for proposed transactions.

    --
    Table-ized A.I.
  19. Summary by giafly · · Score: 1

    When writing Web 2.0, don't trust anything from the browser because it's not secure and it will be modified by tards and script kiddies.

    The rest is to fill 4 pages so there's somewhere for the adverts.

    --
    Reduce, reuse, cycle
  20. Lessons from the past - Nobody really cares by Anonymous Coward · · Score: 1, Interesting

    Web 2.0 is strikingly like the state of Microsoft Windows about 10 years ago, as far as security goes. Back then, Windows was well known to be vulnerable to Internet attacks. Which has led to tons of zombies, spyware, and other crap installed on people's computers.

    The lesson learned from that is that NOBODY cares. Even after they've been bitten (and sometimes bitten badly, with identify theft, and serious banking repercussions), they still want to use Windows. They prefer the Devil that they know, over something that they aren't familiar with.

    In short, people want their "Oooo - shiny!" widgets. They simply don't care enough about anything else to switch to a more secure system, or even implement proper security measures. And there are enough technically clueless button-pushers who call themselves developers that will provide the Shiny languages and widgets to propagate this crap.

    The proper solution is to start by redesigning Javascript with security in mind. But that will never happen.

    In short, Web 2.0 is the MS Windows of today. We can expect lots of exploits. But people will adopt it, the heck with the ramifications. Sorry to be pessimistic here. But I see nothing to contradict this lesson from the past.

  21. next generation threats debunked. by EddyPearson · · Score: 1

    "exposing their systems to next generation threats such as Cross site Scripting, Cross Site Request Forgery"

    New? New how? All this scaremongering is making me feel like partying like its 1999 (obscure millenium bug reference)...again.

    "Web 2.0" (I really can't stand the term), IMHO is largly considered to be the "next generation" sites using AJAX. AJAX is nothing new, its Javascript, XML and DHTML. The principal is EXACTLY the same as a webservice request (its just from a Javascript client).

    So:
    Write secure webservices (We've been doing this for years, its not a problem)
    Write secure javascript (We've been doing this for years, its not a problem)

    How do you write secure javascript with the advent of XMLHTTP Components? Excatly the same way you'd write secure server side code,
    Don't output unvalidated user controlled data (Cross Site Scripting)
    Dont do anything stupid like entering a user controlled, unvalidated data into a DB (SQL Injections)

    With regards to Cross Site Request Forgery, its been around for years, now the requests are being made silenty (i.e With no refresh) rather than just redirecting the Victim elsewhere. It's a clever kind of Cross Site Scripting.

    Please feel free to correct, or enlighten me of any unique security issues associated with "Web 2.0", but as far as I can tell, nothings really changed.

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
  22. Buzz-words might be biggest threat for financials by AllanVanHulst · · Score: 1

    I'm going to become rich and famous after I invent this ACME buzzword-detection-device. No seriously, I think the biggest Web 2.0 threat for 'financial services' might be the paychecks from the fried-air department.

  23. Customer privacy vs. great user experience by Anonymous Coward · · Score: 0

    There seems to be a fine balance between the need for companies to gather customer data, so they better understand their needs and tailor the user experience, and the possible risks with collecting and managing all of that information. It can be pretty tricky for organizations to convince customers that the collection of data is ultimately a mutually beneficial exercise. I just saw a cool VOD of the CIO of Circuit City and Tom Ridge (ex-Secretary of Homeland Security) talk about how the government and the corporate world deal with thee issues. Check it out at www.cioleadershipforum.com