SlideShare a Scribd company logo

Insecure Trends in Web 2.0

Download as PPS, PDF
Ferruh Mavituna, profile picture
Ferruh Mavituna

The document discusses insecure trends in web 2.0 applications, noting that while usability and simplicity are important, security ("keep it simple, stupid, and secure") has been overlooked. Several specific insecure practices are outlined, such as not requiring current passwords when changing them, excessive personal information sharing online, weak password policies, and overuse of external components, APIs, and widgets. The document argues these issues stem from a lack of security best practices and prioritization of speed and money over security in web 2.0 development.

TechnologyDesign
1 of 20
Downloaded 35 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Insecure Trends in Web 2.0 Applications
It’s all about Web 2.0 It’s in everywhere This is the new way Second dot com craziness, and it’s not going to burst this time ...
Web 2.0 Trends Usability Simplicity Sociability Integration Outsourcing
Usability & Simplicity Instead of KISS - Keep It Simple & Stupid it should be KISSS - Keep It Simple, Stupid & Secure
Just “Stupid” Changing password without requiring the current one Guilty : Twitter Impact: Permanent account hijacking
Just “Stupid” – Password pls . “ Give me your hotmail password so I can send spam to your contact list ” Guilty : Bebo, Facebook, Diigo ve tüm diğer sosyal hoppalık içeren Web 2.0 uygulamaları What’s next? Websites will request password of our online bank? ( Wait ! It’s already done ! – mint.com )
Just “Stupid” – remember me “ Remember Me” functionality Guilty : Everyone ! Impact: Increasing the success possibility of Cross-site Scripting and similar session hijacking attacks .
Just “Stupid” – send it away Resetting passwords without requiring an extra information other than an e-mail Guilty : Everyone ! Impact: If victim’s e-mail compromised than all of his or her identity will be gone within minutes .
Just “Stupid” – password1 Limiting password length, not allowing user to choose secure passwords. Guilty: A Lot ! Impact: Forcing user to be insecure ! Really poor interpretation of KISS .
Sociability Kevin Mitnick gotta love Web 2.0 !
Social Attractions – Where were you last night? Too much personal information online. Guilty : Linkedin, youtube, twitter, facebook, blog s , the crazy guy who shot your photo and posted to flickr , “ transparent ” company blogs etc . Impact: Easier social engineering attacks ...
Integration – Get this API and hack me Overpowered API s , Facebook widgets , RSS madness ! Guilty : Facebook, Feedburner. Impact: Using API functionality to hack the website who provides the API .
Outsourcing Too much external component usage Guilty : Blogosphere, video embedding, flash embedding, widgets, stats, external javascripts ... All new websites . Impact: Increased attack surface , To able to make one website secure you have to secure 10 websites .
SSL ? What happened to SSL? Guilty : Gmail ( after 4 years they fixed ), and lots, lots of other Web 2.0 applications . Impact: Isn’t it obvious?
Did you say “Best Practice”? Agile Programming , Shorter Dead-line s , Fast development means more money , Lack of defined best practices about new technologies
Security doesn’t sell MS Vista proved it! Unfortunately, Web 2.0 is not an exception
Web 2.0 Followers Every single day new Web 2.0 startups are launching all over the world and they do follow all these bad practices, because big guys are doing them.
Security ... First make it secure , then make it Web 2.0
Questions and Discussion @fmavituna finished his talk, and waiting some question from the audience. (*) *not so obscure twitter joke
Thanks ...

More Related Content

KEY
Privacy security
hanjunxian
 
PDF
Passwords and Botnets and Zombies (oh my!)
jessepollak
 
PPTX
Border crossing mobile social media life-saving security tips
Ernest Staats
 
PPT
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
Bruce Johnson
 
PPTX
What The Fuck Is Web Squared - Web²
Salah Benzakour
 
PPTX
Digital safety
psusmith
 
PPTX
Lkw Security Part 1_MVPs Azra & Sanjay
Quek Lilian
 
PPT
Internet for everyone
Ashesh R
 
Privacy security
hanjunxian
 
Passwords and Botnets and Zombies (oh my!)
jessepollak
 
Border crossing mobile social media life-saving security tips
Ernest Staats
 
Joe CFO for CiscoLive Berlin 2016 Email and Web Security Presentation
Bruce Johnson
 
What The Fuck Is Web Squared - Web²
Salah Benzakour
 
Digital safety
psusmith
 
Lkw Security Part 1_MVPs Azra & Sanjay
Quek Lilian
 
Internet for everyone
Ashesh R
 

What's hot (20)

PPT
When web 2.0 sneezes, everyone gets sick
Stefan Tanase
 
PPT
Computer And Internet Security
JFashant
 
PPT
Security for javascript
Hữu Đại
 
PPTX
Web security
ekostyuk
 
PDF
Hacker halted2
samsniderheld
 
PPT
Douglas Crockford - Ajax Security
Web Directions
 
DOCX
Punto 16
Laura Gálvez
 
DOCX
Punto 16
Laura Gálvez
 
PDF
Session hijacking by rahul tyagi
amansyal
 
PPTX
Where To Start When Your Environment is Fucked
Amanda Berlin
 
PPT
2011 Social Media Malware Trends
Lumension
 
PDF
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
EC-Council
 
PPTX
Navigating Online Threats - Website Security for Everyday Website Owners
Tony Perez
 
PPTX
Year 7 - Week 5 esafety
teachesict
 
PPTX
The Enemy On The Web
Bishan Singh
 
PDF
Passwords, Attacks, and Security oh my!
Michele Butcher-Jones
 
PPTX
Content Management System Security
Samvel Gevorgyan
 
PPTX
Mastering windows 10 (English version)
Takae Sakushima
 
PDF
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
PPT
Sept 2014 cloud security presentation
Joan Dembowski
 
When web 2.0 sneezes, everyone gets sick
Stefan Tanase
 
Computer And Internet Security
JFashant
 
Security for javascript
Hữu Đại
 
Web security
ekostyuk
 
Hacker halted2
samsniderheld
 
Douglas Crockford - Ajax Security
Web Directions
 
Punto 16
Laura Gálvez
 
Punto 16
Laura Gálvez
 
Session hijacking by rahul tyagi
amansyal
 
Where To Start When Your Environment is Fucked
Amanda Berlin
 
2011 Social Media Malware Trends
Lumension
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
EC-Council
 
Navigating Online Threats - Website Security for Everyday Website Owners
Tony Perez
 
Year 7 - Week 5 esafety
teachesict
 
The Enemy On The Web
Bishan Singh
 
Passwords, Attacks, and Security oh my!
Michele Butcher-Jones
 
Content Management System Security
Samvel Gevorgyan
 
Mastering windows 10 (English version)
Takae Sakushima
 
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
Sept 2014 cloud security presentation
Joan Dembowski
 
Ad

Viewers also liked (9)

PDF
One Click Ownage
Ferruh Mavituna
 
PPT
Web 2.0 Guvenlik Trendleri
Ferruh Mavituna
 
PDF
One Click Ownage
Ferruh Mavituna
 
PPT
Guvenli Flash Uygulamalari
Ferruh Mavituna
 
PPTX
5 Dakkada Beşiktaş
Ferruh Mavituna
 
PPS
Flash Security
Ferruh Mavituna
 
PPTX
Beşiktaş çarşi grubu
efiliz
 
PDF
One Click Ownage Ferruh Mavituna (3)
Ferruh Mavituna
 
PPTX
Beşi̇ktaş sunumu
seydacagan
 
One Click Ownage
Ferruh Mavituna
 
Web 2.0 Guvenlik Trendleri
Ferruh Mavituna
 
One Click Ownage
Ferruh Mavituna
 
Guvenli Flash Uygulamalari
Ferruh Mavituna
 
5 Dakkada Beşiktaş
Ferruh Mavituna
 
Flash Security
Ferruh Mavituna
 
Beşiktaş çarşi grubu
efiliz
 
One Click Ownage Ferruh Mavituna (3)
Ferruh Mavituna
 
Beşi̇ktaş sunumu
seydacagan
 
Ad

Similar to Insecure Trends in Web 2.0 (20)

PPTX
Social networks security risks
osuhaibany
 
PDF
Protecting Against Web Threats
Kim Jensen
 
PPTX
Web 2.0 security woes
SensePost
 
PPTX
Corp Web Risks and Concerns
PINT Inc
 
PDF
Mitigating Web 2.0 Threats
Kim Jensen
 
PDF
Managing and Securing Web 2.0
Jason Edelstein
 
PPTX
You are the weakest link
Sergio Dutra
 
PPTX
Web 2.0 Presentation
xia_bofa
 
PDF
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
PDF
Luis Grangeia IBWAS
Luis Grangeia
 
PDF
The Thing That Should Not Be
morisson
 
PDF
Addressing Security Challenges of Mobility and Web 2.0 2009
Jason Edelstein
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
PDF
Web security 2012
Mohamed Elabnody
 
PDF
Web 20 Security Defending Ajax Ria And Soa Shreeraj Shah
gqkbolrijy636
 
PDF
What every product manager needs to know about security
AIPMM Administration
 
PPTX
SecTor '09 - When Web 2.0 Attacks!
Rafal Los
 
PDF
IDC Report : Web Security
Kim Jensen
 
PDF
Things that go bump on the web - Web Application Security
Christian Heilmann
 
PDF
What every product manager needs to know about security
Silicon Valley ProductCamp
 
Social networks security risks
osuhaibany
 
Protecting Against Web Threats
Kim Jensen
 
Web 2.0 security woes
SensePost
 
Corp Web Risks and Concerns
PINT Inc
 
Mitigating Web 2.0 Threats
Kim Jensen
 
Managing and Securing Web 2.0
Jason Edelstein
 
You are the weakest link
Sergio Dutra
 
Web 2.0 Presentation
xia_bofa
 
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
Luis Grangeia IBWAS
Luis Grangeia
 
The Thing That Should Not Be
morisson
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Jason Edelstein
 
OWASP Top Ten in Practice
Security Innovation
 
Web security 2012
Mohamed Elabnody
 
Web 20 Security Defending Ajax Ria And Soa Shreeraj Shah
gqkbolrijy636
 
What every product manager needs to know about security
AIPMM Administration
 
SecTor '09 - When Web 2.0 Attacks!
Rafal Los
 
IDC Report : Web Security
Kim Jensen
 
Things that go bump on the web - Web Application Security
Christian Heilmann
 
What every product manager needs to know about security
Silicon Valley ProductCamp
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Approach and Philosophy of On baking technology
30anthuong17
 
Teaching material agriculture food technology
LiaRayya
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

Insecure Trends in Web 2.0

  • 1. Insecure Trends in Web 2.0 Applications
  • 2. It’s all about Web 2.0 It’s in everywhere This is the new way Second dot com craziness, and it’s not going to burst this time ...
  • 3. Web 2.0 Trends Usability Simplicity Sociability Integration Outsourcing
  • 4. Usability & Simplicity Instead of KISS - Keep It Simple & Stupid it should be KISSS - Keep It Simple, Stupid & Secure
  • 5. Just “Stupid” Changing password without requiring the current one Guilty : Twitter Impact: Permanent account hijacking
  • 6. Just “Stupid” – Password pls . “ Give me your hotmail password so I can send spam to your contact list ” Guilty : Bebo, Facebook, Diigo ve tüm diğer sosyal hoppalık içeren Web 2.0 uygulamaları What’s next? Websites will request password of our online bank? ( Wait ! It’s already done ! – mint.com )
  • 7. Just “Stupid” – remember me “ Remember Me” functionality Guilty : Everyone ! Impact: Increasing the success possibility of Cross-site Scripting and similar session hijacking attacks .
  • 8. Just “Stupid” – send it away Resetting passwords without requiring an extra information other than an e-mail Guilty : Everyone ! Impact: If victim’s e-mail compromised than all of his or her identity will be gone within minutes .
  • 9. Just “Stupid” – password1 Limiting password length, not allowing user to choose secure passwords. Guilty: A Lot ! Impact: Forcing user to be insecure ! Really poor interpretation of KISS .
  • 10. Sociability Kevin Mitnick gotta love Web 2.0 !
  • 11. Social Attractions – Where were you last night? Too much personal information online. Guilty : Linkedin, youtube, twitter, facebook, blog s , the crazy guy who shot your photo and posted to flickr , “ transparent ” company blogs etc . Impact: Easier social engineering attacks ...
  • 12. Integration – Get this API and hack me Overpowered API s , Facebook widgets , RSS madness ! Guilty : Facebook, Feedburner. Impact: Using API functionality to hack the website who provides the API .
  • 13. Outsourcing Too much external component usage Guilty : Blogosphere, video embedding, flash embedding, widgets, stats, external javascripts ... All new websites . Impact: Increased attack surface , To able to make one website secure you have to secure 10 websites .
  • 14. SSL ? What happened to SSL? Guilty : Gmail ( after 4 years they fixed ), and lots, lots of other Web 2.0 applications . Impact: Isn’t it obvious?
  • 15. Did you say “Best Practice”? Agile Programming , Shorter Dead-line s , Fast development means more money , Lack of defined best practices about new technologies
  • 16. Security doesn’t sell MS Vista proved it! Unfortunately, Web 2.0 is not an exception
  • 17. Web 2.0 Followers Every single day new Web 2.0 startups are launching all over the world and they do follow all these bad practices, because big guys are doing them.
  • 18. Security ... First make it secure , then make it Web 2.0
  • 19. Questions and Discussion @fmavituna finished his talk, and waiting some question from the audience. (*) *not so obscure twitter joke