WHILE computer security firms here have not seen any major security compromises arising from the use of Web 2.0 platforms among local users, they are now warning companies and individuals to be alert to new possible security compromises that could come with the use of these new technologies.
Web 2.0, dubbed the next generation of the Internet, is best exemplified in social computing websites like Facebook, MySpace, Friendster and LinkedIn. It is also embodied in blogs and wikis, and a key characteristic of these new platforms is that they almost always encourage user participation.
Christopher Low, chief technology officer of homegrown security firm ThinkSecure, noted that with the range of Web 2.0 platforms available, it has become a lot harder to stop information leakage from an organisation.
Graham Cluley, senior technology consultant at Sophos, said: "Employees are acting irresponsibly on Web 2.0 websites, posting personal information about themselves, embarrassing photographs and confidential data about their company onto sites where the entire world can find it.
"Determining whether information which is published on an interactive site is true or not is also going to be more difficult, because of various exploits that can affect Web applications, which would in turn affect the information feeds these applications pump out."
Mr Low cited the example of a recent defacing of the United Nations website by a hacker.
"The UN site carried information which most people would presume to be legitimate facts. If the attacker had simply modified some information on the site which was being subsequently fed to 100 other sources - typical for many Web 2.0 sites providing RSS feeds, and these 100 other sources in turn fed it on to 1,000 other news sources who would pick it up as a routine news feed, then the fraudulent information would have been disseminated worldwide."
An RSS, or Really Simple Syndication, feed enables users to read automated summaries of frequently updated content from websites.
With data spreading rapidly across such platforms, Mr Low also pointed out that his industry peers have highlighted the threat of a cross-domain, cross-platform attack.
Darric Hor, general manager of Symantec Singapore, said: "The borderless and viral nature of the Internet means that online threats are not confined to one specific location or geography. There are numerous Web 2.0 security threats out there, and regardless of where they originate, they have a way of propagating and finding their way across the world."
Mr Cluley said: "Web 2.0 is a marvellous way for people to connect with each other, and share knowledge. But it also provides an ideal framework for identity thieves and hackers to find a way to break into your company."
In a recent Sophos release, the company highlighted that a large number of users on social computing website Facebook were happy to divulge personal information to strangers.
Sophos had set up a fictitious profile on Facebook, and sent out requests to 200 strangers on the site.
It managed to solicit a response from 41 per cent of these 200 "friends", some of whom divulged details such as their e-mail addresses, date of birth, details about their education or workplace, current address, current phone number and their instant messaging names.
Identity theft was also a concern shared by Mr Low. "From a social perspective, more information about an individual is being exposed and archived on the Web than ever before. This increases the likelihood of identity theft for any given individual.
"Social or networking sites are a prime target for information harvesting or competitive intelligence gathering because people tend to boast about their work in an online setting."
While Web 2.0 platforms offer a rich, interactive user interface, Mr Low warned that the same technologies which enhance interactivity, such as JavaScript, Java and Flash used in Web browsers, could open up more doors to possible attacks.
Willie Low, a senior analyst with research firm IDC, said: "The danger really lies in the increased interactivity with the end-user made possible by the technology.
"This presents new opportunities for attackers, which were not available in static websites, if developers of these Web 2.0 applications have not considered security implications carefully."
Mr Cluley also claimed that "Web 2.0 has made it easier for hackers to break into sites and post Trojan horses and drive-by browser exploits".
However, Mr Hor noted that at the end of the day, technology is just part of the equation in many security breaches, and that the "human factor" is often still the weakest link.