Some Thoughts on Web 2.0 Security

Earlier today, I attended a Web 2.0 Security conference sponsored by AOL Developer Network, which focused on the array of threats and solutions to hacking in today's age of Web 2.0. Naturally, I'm very interested in Information Technology (IT) Security so I decided to learn more about it.

The slides opened up with an overview of the history of security on the Internet, as well as statistics on how the "underground" is shifting away from traditional worms and viruses towards botnets, rootkits, and professional phishing.

Our IT Security folks also informed the audience that they thwart attacks against our servers every minute by leveraging different technologies to prevent security risks to AOL (and Time Warner, collectively).

Then came the geeky stuff like preventing Cross Site Scripting (XSS) and SQL Injection attacks against a Web server. One of the proven methods discussed was how to secure Web servers from attacks with a free Web application firewall known as ModSecurity. This can be an invaluable component for system administrators to analyze and prevent common attacks against Web servers and generate informative log files for later review. It's free and works with Apache.

On a more relevant note for you, a Web user, it's important to understand that many security exploits aren't technical, but prey on human error. For instance, take Phishing (when scammers try to trick private info out of you): We tend to trust something if it looks official (such as e-mails that carry a company's logo), and may neglect to check the URL or look for other signs that an e-mail is a fake (such as e-mail headers).

You don't need to be a security expert to protect yourself -- there are plenty of easy ways to spot risky e-mails. We have tips on how to spot phishing scams, and so do Microsoft, eBay and PayPal. You can put your phish-finding skills to the test with this fun phishing game [link via PC World].

Besides reporting spam on phishy e-mails, you can volunteer that information to Phishtank [link via Security Fix] to report phishing Web sites. There you can also track and verify them and check out some interesting phishing statistics collected from users. Yesterday, they published a report on ISPs that host the most phishing sites: Right now, SBC, Comcast and Road Runner are the top three.

Maybe now is a good time to plug the free McAfee VirusScan Plus provided by AOL, which includes a firewall and McAfee SiteAdvisor as a helpful tool to detect phishing sites as you browse the Web.

Other tips (for all users and system administrators) include keeping your computer up to date with updates from the vendor. This includes Windows Updates, Mac OS updates, and software updates (like AOL 9.0 VR or AIM 6.5), so that many vulnerabilities are closed off to online criminals.

These are my thoughts on security in a Web 2.0 world. What questions or tips do you have on staying safe and secure on today's Web? Post your thoughts in the comments below.

~ Joseph

About This Blog


Just a group blog for AOL and AIM employees who work on social media, online messaging and online community