Securing the Web 2.0

‘The only constant is change’ was a favourite maxim of a former employer. It’s certainly true of technology, where a bewildering array of new products and versions follow one another in quick succession and the period between a product’s launch and its demise seems to get shorter and shorter. Technology, of course, is only one half of the equation. The other is the human factor. On the one hand, technology enables people to do more, better, and faster. On the other hand, people drive technological change.

This applies to the Internet as well. Since its humble beginnings in 1990, the web has come to play more and more of a role in everyday life, both business and personal, and the technologies that power it have continued to evolve. Some argue that this evolution has resulted in a second generation of web services, often referred to as Web 2.0.

Although ‘2.0’ suggests a technical release, or updated standard, there’s no clear definition of Web 2.0. Tim O’Reilly, who is credited with first using the term, defines it as a ‘business revolution in the computer industry caused by the move to the Internet as platform, and an attempt to understand the rules for success on that new platform.’ Chief among those rules, according to O’Reilly is: ‘Build applications that harness network effects to get better the more people use them.’

That said, there are technological changes too. These include AJAX (Asynchronous Java Script and XML) and other technologies that support web-based applications and the content creation and sharing characteristic of Web 2.0.

Even if Web 2.0 is dismissed as a marketing buzz-word/phrase, the changes it denotes are real enough. We’ve seen a transition from a web of static information stores and one-to-one relationships between sellers and buyers, to a highly interactive web in which almost anyone can post anything anywhere. In particular, there has been a massive growth in the popularity of social networking websites, such as Bebo, Friends Reunited, MySpace, etc.

The security implications of these changes are twofold. For one thing, the use of exploits to launch code or steal confidential data is likely to increase. We also face the prospect of malicious code that spreads from online profile to online profile, rather than seeking a home on the victim’s computer.

There’s also a heightened risk of identity theft. Many social networking sites have a very large number of users. Moreover, the nature of these sites means that users are predisposed to share a lot of personal information – data which is attractive to cyber criminals.

This problem is exacerbated by password issues. Users who have accounts on social networking sites are likely to be active on other sites. Many use weak passwords that reference personal information such as spouse’s name, date of birth, etc. Unfortunately, few of these users have a unique password for each site.

Some people dismiss attempts to change the behaviour of employees and home users as futile. However, I believe that if the human factor is such a significant part of the problem, then it must also form part of the solution.

I’m not suggesting that there are any quick fixes. However, evidence suggests that behaviour can be reshaped over time: campaigns designed to encourage seat belt usage in cars and to discourage drink-driving have borne fruit. And this makes me wonder if we’re using the wrong means to reach the people we want to educate. There is plenty of good information online, but you have to know where (and how) to find it – not easy for an inexperienced user.

Maybe now it’s time to shift the online security message into the offline world: a series of TV ads, like those used in anti drink-driving and anti-drug campaigns, or maybe print ads; as IT security experts, we sometimes forget that people still read newspapers. I believe that advertising safe computing practices offline could have a significant impact on the security of Web 2.0.

Latest articles:

Bulletin Archive