Thursday, September 17, 2009

Web Security - A Report by Websense for first half of 2009

Websense is a leading web-security research company. They have released a report on web security covering the first two quarters of 2009. It's worth reading. Here is the summary:

Web Security
• Websense Security Labs identified a 233 percent growth in the number of malicious Web sites in the last six months and a 671 percent growth during the last year.
• 77 percent of Web sites with malicious code are legitimate sites that have been compromised. This remains unchanged from the last six-month period.
• 61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
• 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious.
• 50 percent of Web pages linked to Web sites categorized as “Sex” also served malicious content.
• 69 percent of all Web pages with any objectionable content (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link.
• 78 percent of new Web pages discovered in the first half of 2009 with any objectionable content had at least one malicious link.

Email Security
• 87.7 percent of email messages were spam. This represents a three percent increase over the last six months.
• 85.6 percent of all unwanted emails in circulation during this period contained links to spam sites and/or malicious Web sites.
• Shopping remained the leading topic of spam (28 percent), followed closely by cosmetics (18.4 percent), medical (11.9 percent) and education (9.5 percent). Education-themed spam has nearly doubled over the previous period and may be related to the recession, as spammers seek to exploit people looking to gain new skills or obtain fake qualifications to help their job prospects.

Data Security
• 37 percent of malicious Web/HTTP attacks included data-stealing code. This remains unchanged from the last six-month period.
• 57 percent of data-stealing attacks are conducted over the Web. This number has stayed consistent over the six-month period.

Read more here:

A few interesting facts:

• More than 47 percent of the top 100 sites support user-generated content.
• Not surprisingly, sites that allow user-generated content comprise the majority of the top 50 most active distributors of malicious content. Blog hosting sites that offer free hosting and good reputations provide malware authors with the perfect combination to compromise unsuspecting users.
• 61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites. In many cases these redirects appeared as the actual Web site, when in fact the content served on that page was being hosted
• Websense Defensio technology enabled Websense Security Labs to identify a significant and alarming trend regarding the ease with which Web 2.0 sites can be compromised: 95 percent of user generated comments

Microformats- the buzz word

Microformats are simple, open design patterns based on existing standards that you use to describe and add meaning to common web content, such as that about people, places, events and links. These structured data patterns allow machines like computers, user agents and applications to extract that content for a wide range of uses.

Sites already using microformats include Google, Yahoo!, Facebook, Twitter, Flickr, and LinkedIn. But these are just some of the more well-known names.

...how pervasive microformats are. For example, according to Yahoo! SearchMonkey, there are 1,450,000,000 web pages that publish hCard and 36,200,000 pages marked up with hCalendar.
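As an added illustration of the "machines extract that content" point (example code written for this post, not from microformats.org or any of the sites named above): a small hCard extractor built on Python's standard-library HTML parser. It reads `fn` and `org` from element text and `url`/`email` from `href`, only inside a `class="vcard"` container, and tolerates void elements such as `<br>` that never close. The sample markup is constructed.

```python
from html.parser import HTMLParser
# Constructed page fragment marked up with hCard (not from the original post).
SAMPLE_HTML = """
<div class="vcard">
  <a class="url fn" href="https://example.org/alice">Alice <b>Example</b></a><br>
  <span class="org">Example Corp</span>
  <a class="email" href="mailto:alice@example.org">alice@example.org</a>
</div>
"""
PROPERTIES = ("fn", "org", "email", "url")          # hCard properties handled here
VOID = {"br", "img", "hr", "input", "meta", "link"}  # elements that have no end tag
class HCardParser(HTMLParser):
    """Extract fn/org (element text) and url/email (href) from each class="vcard" element."""
    def __init__(self):
        super().__init__()
        self.cards, self._card, self._depth, self._open = [], None, 0, []  # done; current; nesting; text-capture stack
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = attrs.get("class", "").split()
        if self._card is None:
            if "vcard" in classes:
                self._card, self._depth = {}, 1
        elif tag not in VOID:
            self._depth += 1
            props = [p for p in classes if p in PROPERTIES]
            for p in props:
                if p in ("url", "email") and "href" in attrs:
                    self._card[p] = attrs["href"].removeprefix("mailto:")
            text_props = [p for p in props if p not in self._card]
            if text_props:
                self._open.append((self._depth, text_props))
    def handle_data(self, data):
        if self._card is not None and self._open:
            for p in self._open[-1][1]:
                self._card[p] = self._card.get(p, "") + data
    def handle_endtag(self, tag):
        if self._card is None or tag in VOID:
            return
        if self._open and self._open[-1][0] == self._depth:
            for p in self._open.pop()[1]:
                self._card[p] = " ".join(self._card[p].split())  # normalise whitespace
        self._depth -= 1
        if self._depth == 0:
            self.cards.append(self._card)
            self._card = None

def parse_hcards(html):
    (parser := HCardParser()).feed(html)
    return parser.cards
```

Nested inline tags (the `<b>` inside `fn`) are folded into the enclosing property's text, and a `class="fn"` element outside any `vcard` is ignored.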

A few good links to get started:

Privacy guidance from Microsoft


This document provides basic criteria to consider when building privacy into software releases.

Ten Things You Must Do to Protect Privacy

  • Collect user data only if you have a compelling business and user value proposition. Collect data only if you can clearly explain the net benefit to the user. If you are hesitant to tell users what you plan to do, then don’t collect their data.

  • Collect the smallest amount of data for the shortest period of time. Collect personal data only if you absolutely must, and delete it as soon as possible. If there exists a need to retain personal data, ensure that there is business justification for the added cost and risk. Do not collect data for undefined future use.

  • Collect the least sensitive form of data. If you must collect data, collect it anonymously if possible. Collect personal data only if you are absolutely certain you need it. If you must include an ID, use one that has a short life span (for example, lasting a single session). Use less sensitive forms of data (for example, telephone area code rather than full phone number). Whenever possible, aggregate personal data from many individuals.

  • Provide a prominent notice and obtain explicit consent before transferring personal data from the user's computer. Before you transfer any personal data, you must tell the user what data will be transferred, how it will be used, and who will have access to it. Important aspects of the transfer must be visible to the user in the user interface.

  • Prevent unauthorized access to personal data. If you store or transfer personal data you must help protect it from unauthorized access, including blocking access to other users on the same system, using technologies that help protect data sent over the Internet, and limiting access to stored data.

  • Get parental consent before collecting and transferring a child's personal data. Special rules for interacting with children apply any time you know the user is a child (because you know the child’s age) or when the content is targeted at or attractive to a child.

  • Provide administrators with a way to prevent transfers. In an organization, the administrator must have the authority to say whether any data is transferred outside the organization's firewall. You must identify or provide a mechanism that allows the administrator to suppress such transfers. This control must supersede any user preferences.

  • Honor the terms that were in place when the data was originally collected. If your team decides to use data, its use must be subject to the disclosure terms that were presented to the user when it was collected.

  • Provide users access to their stored personal data. Users have a right to inspect the personal data you collect from them and correct it if it is inaccurate—especially contact information and preferences. You also need to ensure that the user is authenticated before he or she is allowed to inspect or change the information.

  • Respond promptly to user questions about privacy. Inevitably, some users will have questions about your practices. It is essential that you respond quickly to such concerns. Unanswered questions cause a loss of trust. Be sure a member of your staff is ready to respond whenever a user asks about a privacy issue.
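The items above on minimal data, short-lived identifiers and administrator override translate directly into intake code. The following is an added example (written for this post, not Microsoft's code); the signup payload, the `PURPOSE` table and the 30-minute session TTL are constructed assumptions.

```python
import secrets
import time

# Constructed signup payload (not from the guidance): more than the feature needs.
RAW_SIGNUP = {
    "name": "Alice Example",
    "phone": "+1 425 555 0100",
    "email": "alice@example.org",
    "birth_year": 1990,
    "favourite_colour": "blue",   # no stated purpose, so it must not be collected at all
}
# Only fields with a documented purpose may be collected; everything else is dropped at intake.
PURPOSE = {"phone": "regional support routing", "email": "account recovery"}
SESSION_TTL_SECONDS = 30 * 60   # the ID lives for a single session, not a lifetime

def area_code(phone):
    """Reduce a North American number to its 3-digit area code (a less sensitive form), else None."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return digits[-10:-7] if len(digits) >= 10 else None

def minimise(raw, now=None):
    """Keep purposed fields only, in their least sensitive form, keyed by a short-lived session ID."""
    now = time.time() if now is None else now
    record = {field: raw[field] for field in PURPOSE if field in raw}
    if "phone" in record:
        record["phone"] = area_code(record["phone"])
    record["session_id"] = secrets.token_urlsafe(16)      # random, unlinkable across sessions
    record["session_expires"] = now + SESSION_TTL_SECONDS
    return record

def purge_expired(records, now):
    """Delete records whose session has ended: retain data for the shortest period only."""
    return [r for r in records if r["session_expires"] > now]

def may_transfer(user_consented, admin_allows_external):
    """Explicit user consent is required, and the administrator's block supersedes it."""
    return bool(admin_allows_external) and bool(user_consented)
```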

Saturday, September 12, 2009

JSON is fun- JSON is for masses

A really interesting and great post/article on JSON.