The Web's security seams set to burst

19/02/2008 11:58:21

When you're burgled, one of the first things you do is upgrade your security. It's the same with data attacks.

The 2007 poster child for corporate computer attacks was US-based company TJX, which owns a series of fashion outlets. In the US, companies must report attacks where customer information may have been compromised, and last year TJX announced that its database containing details of 45 million credit cards had been attacked, with some of the information sold over the Internet.

Later in the year it admitted the driver's licence details of some customers who had returned goods to shops had also been compromised. By August TJX was saying the attack had cost it at least $US256 million - 10 times its initial estimate.

As its Web site explains: "Since discovering the problem, we have strengthened the security of our computer systems." Be mad not to.

The Australian Institute of Criminology is surveying 10,000 Australian organisations about their experience of computer crime. The results (which, according to the AIC's principal criminologist Dr Russell Smith, will be available in the middle of the year) should provide the clearest picture yet of the extent of the problem in Australia.

Reporting computer crime isn't mandatory in Australia, so determining how rife computer crime really is can be a challenge.

But according to analyst IDC Australia it's significant enough that around $USbn was spent last year on security solutions in Australia and New Zealand, signalling that the threat, though hard to quantify, is taken seriously.

Throughout 2008 individuals and corporates will have to continue to invest in new and updated security solutions in order to keep their systems secure from new threats as they emerge.

Suppliers of security tools and services meanwhile are constantly having to sniff out potential problems and offer patches, antiviral updates and site blocks on the fly.

Websense, for example, claims to data-mine over 90 million Web sites looking for malicious and damaging code. When it finds some, it applies real-time blocks so that users of its security systems are prevented from accessing the potentially damaging Web site.

Such is the rising demand for these tools and services that IDC predicts that by 2011 we'll be spending $US1.6 billion a year on data security tools.

Security tools are important - but so is common sense. And it's worth asking just how sensible it is to upload vast amounts of personal information onto social networking sites such as Facebook, MySpace and YouTube.

Many social networkers were alarmed last year to find that images and information posted on such sites quickly found their way into the newspapers, and that some recruiters were routinely checking social networking sites for additional information about potential hires. It made many people think twice about what they loaded up.

While there's little doubt that social networking will stay, the degree to which people open their online kimono may change. A survey released in December by Unisys found that 83 per cent of respondents were uncomfortable providing personal information to a social networking site.

Younger people were more comfortable than older folks, but even so only 40 per cent of 18-34-year-olds were entirely happy providing their full name to an online social networking site - not that much greater than the 25 per cent of people aged 50-64 who were happy to provide their name.

In its 2007 security report, released late last year, MessageLabs gave a clue as to why there may be a growing reluctance to reveal all online. That report noted that "Web sites such as Facebook, LinkedIn and Plaxo present rich pickings to cyber criminals looking to gather personal information for use in identity theft or targeted attacks".

In addition, "Web 2.0 has spawned a proliferation of Web users that visit chat rooms, social networking sites and special interest Web sites...these sites provide attackers with potential victims that fall within a certain age group, wealth bracket or people with particular purchasing habits".

Just as individuals have bought antivirus tools and installed firewalls on their home PCs to prevent unauthorised access to systems, they might in 2008 reconsider hanging up so much of their online laundry out for everyone to see.

The so-called digital natives are among the most enthusiastic users of Web 2.0 tools; the CIOs who have to deal with more digital natives than most are university CIOs. Confirming social networks' popularity with students, Gulcin Cribb, director of information services at Bond University, said that last year Bond University had 2600 Facebook users.

The CIO of another university, who did not want to be named in case talking about security "made us a target", said that at present most online interactions between the university and its students were over a secure university portal "which is not quite as open as the Web 2.0 blogging wiki model" making security a little easier to manage.

However, he predicted that ultimately students would interact with universities using a virtual reality paradigm - a little like Second Life - and with that would come new security challenges.

Again though, he suggested the university might create its own internal virtual reality environment in order to get better control, with the university taking a layered approach to security and closely monitoring who had access to what, and where information was held.

Individuals, universities, corporations and the public sector are potentially all at risk from new Web 2.0 style attacks. According to Websense: "The Web is an entanglement of links and content."

The advent of Web 2.0 additions such as Google Adsense, mash-ups, widgets, and social networks along with the massive amounts of Web advertisements linked to Web pages have increased the likelihood of "weak links" - or Web sites and content that are vulnerable to compromise.

Websense predicts that attackers will increasingly exploit the weakest links within the Web infrastructure in order to target the greatest number of Internet users.

Most vulnerable to these attacks are search engines and large user networks such as MySpace, Facebook or other social networking sites.

Joel Camissar, Australia and NZ country manager for Websense, said that larger organisations, such as banks and government departments, had already identified both the security and productivity risks associated with social networking.

While some had attempted to introduce blanket bans on use of such sites, employees often resisted the bans. "There was one consultant who was approached by one of the big banks, but when she learned that that was part of their Internet access policy she refused to work for them," he said.

More sensible was a policy which permitted social network access, but with specified guidelines and limits, he said.

In general, however, Camissar believes employee education regarding security risks is the missing link in most enterprises' security plans. While they installed the technology and tools to protect themselves, they did not always invest in education programs to back that up.

And in the future the need for improved education would increase just as the range of threats was likely to increase, especially as converged devices such as PDAs or iPhones become more widely deployed and used for both business and consumer applications.

"We have seen hackers attack Skype this year, and hackers will target other platforms. We are starting to see a real risk for those devices," said Camissar.

A retreat to luddism is unlikely and unwarranted. A dose of caution and common sense, however, would be wise.
