Saturday, January 27, 2007

Widgets, Mashups and Brand Insecurity

Yes, desktop widgets and web service mashups are fun things to create and own. Yes, they probably are the future of desktop user interactions, and Microsoft may well end up as “middleware”, no matter how sexy Vista turns out to be. But watch out - the widget party is about to turn nasty.

Up until now, the creators of computer malware, including viruses, Trojans and spyware, have usually stuck to a strategy of hiding their code inside “trustworthy” documents or applications, such as Microsoft Word or Excel documents, or within an email purporting to be from a trusted party.

Things are changing. Readily-available widget and gadget-making engines are now making it possible for *anyone*, including an experienced hacker or phishing scammer, to create a slick-looking downloadable desktop application, slap a trusted brand on it, distribute it via one of the large, social-networking sites to millions of people, and start doing “bad things” to their data.

Don’t think this is an issue? Download any of the freely-available widget creation tools and see how long it takes you to create a slick-looking, desktop application with a web browser embedded in it. Pretty fast, right? Now download and embed the logo of a leading brand in that application, so that it looks “trustworthy”. Now put your app up at a social network site frequented by millions of users. Now use standard social engineering techniques to convince someone to click a button on your app or in the app’s browser that will take them to a bogus site that you’ve created (free apps that promise to fix your computer by removing spyware, or games that allow you to win large amounts of money online are proven converters), … and, voila.

Why is this so easy? Because, once again, we’re witnessing the emergence of a wave of new, disruptive technologies created by good guys that will very soon be co-opted by the bad guys. Once again, the good guys will have to scramble because they didn’t think the bad guys would think “bad thoughts” - and use their good technology for evil.

But there’s more to it than that. Brands are under attack. And, as evidenced by the rising wave of sophisticated phishing attacks, brands are becoming *very* easy to manipulate (especially now that the “phishers” are learning to spell and use correct grammar). What I believe we are about to see is the slow but steady emergence of bogus, branded, desktop apps (and browser toolbars), based on a wide range of emerging widget, gadget and mashup development tools and the same proven social engineering rules that the phishing guys like to try and fool us with - interesting content/functionality, allied with a trusted brand.

Expect to see lots of leading brands (including many from the financial space), some extremely tasty interfaces - and lots of stories involving compromised data. And expect to see lots of headlines. Because unless we start seeing some industry-standardized moves towards widget authentication, and start pushing for adoption on a habit-forming level, the coming wave of non-secure, branded desktop widgets and mashups is going to make us long for the old days, when all we had to worry about were macro viruses.

Note: Please don’t think that I’m giving any black hats any “ideas” here: people far, far smarter than me are already hard at work on this stuff. I get to talk with a lot of financial institutions in my job, and hacking for financial gain is exploding as a business, and, according to the FBI and CSI reports, it is responsible for more than 50% of all malware, and receiving tremendous backing from organized crime syndicates. You think slick-looking emails are a concern? Wait until we have to deal with slick-looking *desktop applications* that look and feel exactly like the real thing.

There is some good news out there. This week, Yahoo started pushing its BBAuth (Browser Based Authentication) system, which at least provides Yahoo widget developers with the ability to authenticate users, and user data (with their permission). But this is just one side of the story - and with new widget and mashup development shops popping up every day, this is one subject that you can expect to see a lot more entries on over the coming months.