Welcome!

PHP Authors: Liz McMillan, Carmen Gonzalez, Hovhannes Avoyan, Lori MacVittie, Trevor Parsons

Blog Feed Post

Excuse Me But Is That a Gazebo On Your Site?!

There are few things in reality that can match The Gazebo in its ability to evoke fear and suspicion amongst gamers. The links on your web site may be one of them.

gazebo In the history of Dungeons and Dragons there exists the urban legend known to all as “The Gazebo.” The Gazebo, over the years, has become a gaming euphemism for a situation in which people over analyze and overestimate the risk involved with interacting with some “thing”. In the case of The Gazebo the “thing” was, as you might guess, a gazebo. Yes, a simple wooden structure placed in gardens where lovers meet under the moon and all that. A player, according to legend, would not believe this simple gazebo was not dangerous. So he attacked it and, failing to elicit a response, eventually decides to run away. The DM (Dungeon Master), having been frustrated by the waste of time that was the encounter, decides the gazebo was a threat after all and has it eat the player’s character.

Now it might be the case that gamers are just overly suspicious, as many types of geeks are wont to be. I will admit, with just a bit of embarrassment, that I was a part of a group of gamers who once frustrated Don for hours by treating some apparently innocent green algae as though it was a giant, poisonous snake. Yes, our “gazebo” was in fact just normal, everyday mold. Luckily for us Don was kinder than the DM in the Gazebo incident and we eventually realized how foolish we were and continued on with our game.

It may come as a surprise to you, but if you allow user-generated content on your site then thanks to circumstances beyond your control your users are probably running into Gazebos all over your site.

THE GAZEBO ON YOUR SITE

with many apologies to my fellow gamers and especially Richard Aronson

Web Master: You see a well-designed web site. In the middle, on a post, you see a link.

Eric: A link? What color is it?

Web Master: (Pause) It's blue [default ‘unvisited link’ color], Eric.

Eric: How far away is it?

Web Master: About half way down the page.

Eric: What’s the domain name?

Web Master: (Pause) It's thislinkisokaytoclickonipromise.com.

Eric: (clicks mouse) I view source to detect whether it's good.

Web Master: It's not good or bad, Eric. It's a link!

Eric: (Unusually long pause, even for Eric) I put my mouse over it.

Web Master: It says “Follow me”. It's a link!

Eric: (Pause) I close the source view and open my anti-virus scanner. Does it respond in any way?

Web Master: No, Eric. It's a link!

Eric: I run the anti-virus scanner. What happened?

Web Master: You are now using 80% of your CPU to run anti-virus.

Eric: (Pause) Didn’t it neutralize it?

Web Master: Of course not, Eric! It's a link!

Eric: (Whimper) But the anti-virus should detect if it’s malicious or not!

Web Master: It's a link, Eric, a link! 

Eric: (Long pause - he has no more ideas) I close the page.

Web Master: (Thoroughly frustrated) It's too late. You've awakened the link, and it automatically downloads a virus that eats all the data on your hard drive.

Eric: (Reaching for his CDs) Maybe I'll install Linux so I can avenge my Windows install...

The latest study “State of Internet Security” from WebSense indicates that 95% of all user-generated content is, well, to put it simply, “bad”. Even more frightening is the conclusion that “61 percent of the top 100 sites either hosted malicious content or contained a masked redirect” and “77 percent of Web sites with malicious code are legitimate sites that have been compromised.”

Basically, the Internet is full of Gazebos and it’s enough to make users shy away from clicking on any link on any site lest they become infected with the latest malware du jour.

The InfoSec community spends a lot of time talking about how businesses can protect themselves against miscreants, but we don’t often talk about how we can protect our users from, well, other users. Yet according to the WebSense study and “top ten lists” of attack techniques, it is user-generated content that puts both business and its users at risk for malware, for attack, for theft of identity and personal information. That’s probably because we can control many of the variables that put the business at risk but there’s less we can do to protect users from other users and themselves.

THERE’S NO FOOL-PROOF SOLUTION TO THIS ONE
The use of user-generated content as a means to exploit vulnerabilities in both client and server side systems means that the first line of defense should be at the web-application, at the point at which the user is generating the content. Simply disabling the ability to share information via links is not an option today as the majority of sites are based entirely on the is capability and without links the Internet essentially breaks.

Now if the link being submitted or included in the user-generated content contains something “evil” it’s easy enough for a web application firewall (WAF) or the application’s own security checks to stop it from being added to the system and later propagated out to users. A WAF can determine when someone is trying to inject a malicious link into a site via XSS or SQLi or through obfuscation and stop that from happening, but if the link is “just a link”, there’s really no good way to determine its “goodness” or “badness” without following it and examining its content and environment.

But links are neither “good” nor “bad” themselves, they’re just a mechanism for connecting (integrating) two disparate sites together. It’s the content behind the links that’s the problem, and that’s something that’s far more difficult to ascertain when the content is somewhere else. If it’s just a link and someone is trying to entice a user to visit it and it is at the destination site where “bad” content resides, neither a WAF nor the application’s security checks can really address the problem.

We’ve solved this problem, to a large degree, with e-mail and SPAM already through the use of reputation-based systems. These systems evaluate the reputation of the sender and, based on that information, determine whether the mail will be accepted or not. Now we can’t necessarily do that with users generating content but we could do something similar to that with links. If you’ve ever read through descriptions of worms and viruses and links that spread malware you’ll note that the common theme across all the links is that they’re going to one of a short list of URLs with some identifying characteristics.

It is those identifying characteristics we could use to determine the “goodness” or “badness” of the link and thus either allow or deny the user to include it in their user-generated content. If we already know there is a scam going around we can use network-side scripting to update a list of URLs or those identifying characteristics so that as the content is being generated we can scan the content for those URLs and if we find one of the “bad” ones, refuse to add the content to our site. But that assumes we know what the “bad” URLs and domains already are, which is not always the case. If we don’t already recognize a domain as “bad”, we really can’t do much about it. We have to assume it’s good and let it pass. 

But if we take the concept of metadata hubs sharing information across the Internet we could easily apply this to sharing “bad link” information and thus eliminate the manual processes that require solutions be updated by hand every time a new “bad link” is discovered. David O’Berry first suggested this concept as a means to create a threat distribution channel for InfoSec and that idea is applicable over a wide variety of “threats” – including “bad links”. A more real-time approach to sharing information regarding “bad” domains might improve the situation, but it remains that applications and security infrastructure would need to take advantage of that data and that’s a capability no one really has today.

So basically no single solution has the answer to this one. It’s going to require a combination of solutions – some of which do not exist today – to reduce the risk of shared, user-generated content. The only thing that is certain is that we need to address the problem before users become so paranoid that they refuse to click on any link. Because that, my friends, would be the end of the game, er Internet.

Follow me on TwitterView Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Related blogs & articles:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@ThingsExpo Stories
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
Major trends and emerging technologies – from virtual reality and IoT, to Big Data and algorithms – are helping organizations innovate in the digital era. However, to create real business value, IT must think beyond the ‘what’ of digital transformation to the ‘how’ to harness emerging trends, innovation and disruption. Architecture is the key that underpins and ties all these efforts together. In the digital age, it’s important to invest in architecture, extend the enterprise footprint to the cl...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
The Founder of NostaLab and a member of the Google Health Advisory Board, John is a unique combination of strategic thinker, marketer and entrepreneur. His career was built on the "science of advertising" combining strategy, creativity and marketing for industry-leading results. Combined with his ability to communicate complicated scientific concepts in a way that consumers and scientists alike can appreciate, John is a sought-after speaker for conferences on the forefront of healthcare science,...