
'Remove the risks associated with new technologies'


29 December 2009


Both designers and users need to be aware of the risks posed by the combination of new technologies and free participation in the web, says Avinash Kadam, Director, MIEL e-Security Technologies. If Web 2.0 has helped in improving connectivity, it has also unfolded many risks, he adds.

The Web is a constantly evolving phenomenon. To assign discrete numbers like 1.0 or 2.0 appears difficult. But there has been a distinct change in the usage of the web, which merited coining the term Web 2.0.

Image credits: Network Computing/ Avinash Kadam

Web 1.0 was like an orderly publishing house. Almost everything was tightly controlled by someone, who reviewed and edited the content, before putting it on the web. A good example of Web 1.0 is Encyclopedia Britannica Online.

In stark contrast to this approach is Wikipedia. The entire content of Wikipedia is contributed, reviewed and edited by individual volunteers.

This is a participative way of developing content on the web, where the user is also the creator of the content.

The power of the web is used to harness ‘collective intelligence’ or the ‘wisdom of crowds.’ This approach is now so well accepted that Web 2.0 sites like Wikipedia, Facebook, Myspace, Orkut, YouTube, Twitter and various other social networking and blogging sites are the most heavily-trafficked websites today.

Participative yes, but what are the risks?

The main anchor of Web 2.0 also constitutes its main risk – namely trusting the user to generate the content. User participation is facilitated by various technologies, which are not necessarily entirely new.

They are better packaged to assist the architecture of participation. Technologies like AJAX (Asynchronous JavaScript and XML) can refresh only a portion of the screen, rather than the entire screen.

This is done automatically rather than through user request. RSS (Really Simple Syndication) notifies the user each time there is a website update. While these technologies help to create an enhanced user experience and interactivity, they may change over time.

Web 2.0 vulnerabilities are not necessarily related only to the technologies, but are also due to the novel use of technology:

  • Information leakage constitutes a major risk which emanates from information-sharing among multiple users and multiple systems through web services. The borderline between personal and enterprise information is getting blurred on Web 2.0 sites.
  • Given the dependence on user-contributed data, integrity of information can be a major concern since malicious users can publish erroneous or misleading information and spread false information.
  • Insufficient authentication control is another issue since multiple users can change information – however, not all of them may use stringent security measures like strong and frequently updated passwords. Cracking the admin password may lead to a compromise of the entire system. This was demonstrated by the infamous Twitter hack.
  • Among the technological risks which get accentuated due to the participative nature of Web 2.0 sites is the risk of Cross Site Scripting (XSS), where malicious input can be inserted by an attacker, stored on the system and displayed to other users. There are numerous examples of XSS worms affecting social networks, blogs and wikis.
  • Cross Site Request Forgery (CSRF) is another risk. Visiting a malicious website may trigger a request to a different website, which the user is authorised to access, perhaps through a persistent cookie. Such a request may perform an operation on behalf of the user – such as transferring money to a hacker’s bank account.
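The CSRF risk in the last point comes from the browser attaching the persistent cookie to any request, whatever site triggered it. The following is an added example, not code from the original article: a server-side check that refuses state-changing requests unless they also carry a token bound to the session. The function names, the key handling and the session identifier are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key for this example; a real site loads it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session, embedded only in forms the site itself serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, session_cookie: Optional[str],
                       submitted_token: Optional[str]) -> bool:
    """Server-side decision for one request (hypothetical helper)."""
    if not session_cookie:
        return False                      # not logged in
    if method.upper() in SAFE_METHODS:
        return True                       # reads only; must never change state
    if not submitted_token:
        return False                      # cookie arrived alone: treat as forged
    expected = issue_csrf_token(session_cookie)
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def demo() -> dict:
    session = "sess-4f2a-constructed"     # constructed session identifier
    token = issue_csrf_token(session)
    return {
        "own_form": is_request_allowed("POST", session, token),
        "cross_site_no_token": is_request_allowed("POST", session, None),
        "cross_site_wrong_token": is_request_allowed("POST", session, "0" * 64),
        "plain_read": is_request_allowed("GET", session, None),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24} -> {'allowed' if allowed else 'rejected'}")
```

The check only helps if read-only methods really have no side effects; a money transfer reachable through GET would bypass it.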

The use of AJAX will not leave a visual track, and as such, the user will not notice the action.

Both the key technologies of Web 2.0, web services and AJAX, use XML. Web 2.0 applications are expected to perform client-side validation, which an attacker can bypass. Input could be inserted into XML records without sufficient validation, leading to an XML injection attack, thus modifying the XML record structure.
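The XML injection described above, shown as an added example that is not part of the original article: a record built by pasting input into markup beside one built through an XML API, plus a server-side allow-list that does not depend on client-side validation. The record layout (`user`, `name`, `role`), the function names and the sample input are constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: closes the <name> element early and supplies its own <role>.
CONSTRUCTED_INPUT = "eve</name><role>admin</role><name>x"


def build_record_unsafe(display_name: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into markup."""
    return "<user><name>" + display_name + "</name><role>member</role></user>"


def build_record_safe(display_name: str) -> str:
    """Hardened pattern: the XML library escapes input, so it stays text."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = display_name
    ET.SubElement(user, "role").text = "member"
    return ET.tostring(user, encoding="unicode")


def roles_in(record: str) -> list:
    """Every <role> value a consumer of the record would see, in document order."""
    return [role.text for role in ET.fromstring(record).iter("role")]


def is_valid_display_name(display_name: str) -> bool:
    """Server-side allow-list, enforced regardless of what the browser checked."""
    return re.fullmatch(r"[A-Za-z0-9 _.\-]{1,32}", display_name) is not None


if __name__ == "__main__":
    print("unsafe roles:", roles_in(build_record_unsafe(CONSTRUCTED_INPUT)))
    print("safe roles:  ", roles_in(build_record_safe(CONSTRUCTED_INPUT)))
    print("passes allow-list:", is_valid_display_name(CONSTRUCTED_INPUT))
```

In the unsafe record the injected `<role>` appears before the genuine one, so a consumer that reads the first match sees the attacker's value.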

An XPATH injection could be used to alter a query to reveal more information than intended, the way SQL injection alters a database query.

Web 2.0 is the new, accepted way of the web. But, we have to be aware of the risks posed by this combination – new technologies, freedom of use – both as designers, and as users.

 