Web 2.0 Leaves Browsers Under Constant Siege
The emergence of social media, online multimedia and other user driven content is placing an ever-increasing level of pressure on browser security issues as attackers continue to cook up a seemingly endless array of techniques for assailing the applications using everything from malware to social engineering ploys, experts contend.
In a new white paper that addresses the browser security crisis, hosted security services provider Purewire takes a closer look at the multi-faceted nature of the range of current attacks aimed at somehow compromising the vital applications that allow computer users to view and interact with the Web.
A litany of dangerous "people, places and things" are combining to use browser-based capabilities and vulnerabilities against the people on whose machines they run, the report maintains.
More malware distributors than ever have abandoned e-mail-based campaigns in favor of tactics that seek to compromise the vulnerabilities commonly found in this software found on virtually every Internet-connected PC in the world, specifically targeting Web 2.0 channels over which to deliver their threats, Purewire experts point out.
From the pervasive existence of software flaws to opportunities for social engineering, Web 2.0 presents a host of hard-to-address browser security risks.
"The emergence of Web 2.0 has created a fertile threat environment for malware writers and distributors to spread their wares [and] social networks, blogs, wikis and other collaborative sites pose an ongoing risk of employees discussing proprietary corporate information or posting inappropriate information," the researchers said.
In terms of dangerous locales, over 100,000 Web sites created with the sole purpose of distributing malware are online at any given time these days, Purewire contends. And of course, an even larger number of legitimate URLs that have been hacked and carry out the same function are operating at the same time.
Then you have popular social networking sites like Twitter and Facebook, which attackers are using to trick people into visiting their sites via various methods of technical and social engineering.
As far as dangerous things go, over 17,000 new malware threats are appearing per day and some 5.5 million pieces of malware were identified last year alone, the report claims.
"The stealth of malware in the age of Web 2.0 is precisely what makes it so dangerous; while users remain blissfully unaware of its presence, the malware can install key loggers, steal passwords, and send critical information directly from the end-user PC to a remote host," Purewire researchers said.
Phishing and different forms of cross-site scripting continue to proliferate at a rapid and exponential rate of growth as well.
Then you have the people, with trust relationships, particularly those maintained over Web 2.0 platforms, making it easier for the bad guys to find their prey and target the right content at them.
"Web 2.0 is centered on user-generated content and user-based commerce. There are unknown people posting and sending the content and unknown people behind the transactions. That said, the more you know about a user, the better decisions you can make around interacting in this environment," the experts point out.
With the continued spread of the cyber-crime and malware epidemic using techniques that target browsers, organizations need to reconsider the types of security tools that they use, Purewire submits in making its points.
However, if the company's answer to many of these current problems lies in the use of hosted online security services, one has to stop and question how issues of browser security must certainly impact that model as well.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch. Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.