Do you remember this ad campaign from Sun Microsystems? "The network is the computer." It was supposed to herald a fundamental shift in the architecture of the personal computer. In many ways, it's come true, though perhaps not quite the way Sun intended. The individual computing machine functions in many ways as an access terminal to the Internet or corporate network. For many people, working without a connection simply isn't possible. Even more so, personal use of computers is inextricably tied to an Internet connection. This ubiquity of connectivity has exponentially expanded the target surface for attacks, which also drives the discovery of vulnerabilities, which further drives the security industry. Ok, so nothing new there.
Enter Web 2.0. As tired as we might be of this eMarketing iTerminology, it's useful in this context. The 'web' is that first paragraph. 'Web 2.0' is the user-contributed, public-built web. It's Wikipedia, YouTube, MySpace, the Blogosphere, Google Desktop, and a whole bunch of other sites and tools that allow users to interact with and store content outside of their control. This could be called, generically, Software as a Service. The term SaaS isn't usually taken to include some of the consumer applications like MySpace, but I think it should. They are SaaS just as much as Salesforce.com might be, though with very different business models. The introduction, and adoption, of Google's suite of business tools falls squarely into this category as well.
For users, this SaaS revolution means greater collaboration, features, etc. For security, this means a whole new world of platforms for exploit. At this point, the security industry understands the computer fairly well. We can all get our hands on the existing platforms (mostly) and play with them. With SaaS, it's a different ball game, where there are lots of balls and they're difficult to see.
Let's move to something a little more concrete. So far, we've seen exploits of the Web 2.0 platform that leverage it as an attack vector to get at the traditional computing device. The very simple example of a bad link in the German Wikipedia that pointed to a malicious website is a good first start. The attacker just used a highly visited site to propagate a link. This escalates nicely to the recent MySpace worm. The worm came in the form of a QuickTime video that loaded spyware onto the user's computer, but also compromised other MySpace accounts via a fake navigational link and fake login page. The evolution here is that the attacker used the platform of MySpace for propagation. The end result of installing spyware was still present, so we're still talking fundamentally about exploit of the traditional computing device.
These platforms aren't alone in having vulnerabilities. Google Desktop has some. WordPress apparently had a backdoor. Interestingly, I learned early on that the only way to ensure a clean system after compromise is a clean re-install. How exactly do you perform a clean re-install of a hosted WordPress system? There's even virtual terrorism in Second Life to contend with.
The next evolutionary step in this process is the exploit of the Web 2.0 platform as an end in itself. Financial access can be a big motivator here. The profit motive is what drives exploit more and more, and profit has to be tied back to concrete financial transactions. There's a very understandable business motivation to facilitate those transactions in more places and via more means, but as those transactions are facilitated in more contexts, the target surface grows not only in size, but in attractiveness as well. Think about eBay and PayPal. Now think about MySpace and PayPal, or MySpace and your bank.
Ultimately, the risk is that we in the security industry fail to follow the mindset of the attacker. If we continue to focus on the existing target surface of the individual computer, we'll miss a shift in tactics and incur a sizable loss. There are some dark spots here, and some bright spots as well. Anton Chuvakin points out that some of the disclosure issues we've settled (more or less) in the traditional information security space are not at all the same for the Web 2.0 platform. This is complicated by the fact that one can't grab a pirated copy of flickr or facebook, install it in one's garage, hack on it, and report vulnerabilities anonymously. It's harder, though certainly not impossible, to force the disclosure issue in this context. On the other hand, there's the counter-point of the "Month of MySpace Bugs," which takes the very clear and positive step of treating MySpace as a real platform for exploit.
The conclusion, of course, only comes in time, but now is when we as an industry should start defining the rules with which we will inter-operate with these platforms.
Comments (2)
Mis-identifying the target surface means an analyst misjudges attacker intent and recommends the wrong actions. I think this might also occur anytime analysts use the wrong language and concepts to talk about their subject. I recently had to contribute to a brief where the lead insisted on discussing "threat actors," "unpatched software," and "new exploit code" under the blanket term "vulnerabilities" (along with actual vulnerabilities). So you can imagine the confusion when he started saying "We need to report on the vulnerabilities that are...hitting us...out there."
There are similar issues in cross-disciplinary scientific research. You can draw out a hierarchy of complexity starting with relatively simple and well-understood topics (physics) up through biology and psych to a poorly-understood topic like political science. Sometimes it's useful to discuss election results in terms of mass psychology, but it would probably be incomprehensible to do so in terms of atoms zooming around. I suspect security professionals could benefit from taking a hard look at how this issue is dealt with in academia.
Posted by Pete Cap | March 22, 2007 7:06 AM
You're quite right there, Peter. I think there's an unhealthy tension between marketing's (and the market's) need to be continuously novel, often achieved through the use of new vocabulary for old objects, and the customer's need for precision.
The other half of that problem occurs when the vendor, who lives and breathes a subject, is overly precise for the customer's needs.
Either way, the result is confusion.
Posted by Tim Erlin | March 23, 2007 1:57 PM