It is a lot more difficult for even discerning computer enthusiasts and really advanced users to guard themselves against these kinds of threats. When you have messaging and browsing being the two most ubiquitous functional activities that happen at a computer, it becomes difficult to discern between what is a valid e-mail and non-valid e-mail or what is a valid Web site and non-valid Web site. Those binary black and white terms are no longer easy distinctions to make. You reach a whole gray area in which you can't easily determine a secure Web site.
Is there a perception of security that perhaps is unwarranted with some Web sites?
If you were to interview 100 people, and say, "List the top five trusted legitimate Web sites," a majority would say MySpace or YouTube and ironically enough those are two of the riskier Web sites that could be leveraged for attacks with MySpace worms and MySpace spam as well as embedded QuickTime malware and other media format malware hitting specific to YouTube.
Are these types of community sites creating a bigger threat on the Internet than users realize?
The explosion of Web 2.0 convergence and the democratization of content and opening up of traditional content barriers on the Internet have made it so that, at least from the browser perspective, making the distinction of what is safe and what is not safe isn't an easy proposition. You can't just assume that because the source is trusted that the Web site is safe.
What is it about Web 2.0 that poses such a risk?
A year ago the risk was much greater because there were about 120 different Web 2.0 APIs and a various number of application frameworks that represent different areas that would need to be protected. Now as the market as matured, the APIs and technologies and Web 2.0 platforms are becoming more standard and can be more easily protected. Last year Web 2.0 was a very precarious area to secure because there were not a lot of standards or a whole lot of consolidation in the industry. Now security vendors can focus on a handful of mainstream technologies now that we see which are being adopted most.
Can you give some examples?
There are a bunch of XML-related threats that are similar to traditional SQL attacks, but targeted at the XML data layer. Because XML is seen as ubiquitous in transferring data from site to site and Web service to Web service, attackers can target that, but vendors can also better secure it. As XML as become more of a standard, security vendors are able to deliver solutions that ensure integrity of XML data and ensure XML can't be manipulated. Also as AJAX becomes more mainstream as the client side data messaging system powering a lot of Web 2.0 frameworks, vendors can focus on protecting the Java script and XML again in those environments. Even today certain network solutions are very effective in securing Web 2.0 infrastructures if they are stateful, protocol-based IPS products.