Highly publicized criticisms of Web 2.0 security weaknesses could open up revenue-generating possibilities for telcos, whose networks intrinsically possess strong authorization and security elements, and whose infrastructure comprises high-performance OSS.
While most social networking sites feature user-generated content, sites like MySpace, Facebook and YouTube could morph into transaction-oriented commerce sites. Already, companies are posting pages for interactions on MySpace, and Google Checkout demonstrates a shift away from sharing files and toward facilitating commerce. As social sites make this transition, the management of user IDs, credit card transactions, payments and customer complaints will require partnerships between social sites and companies with high-performance solutions.
Application and middleware platform providers will be eager to step in, but telcos’ AAA, customer care and billing expertise and assets provide an advantage. Telecom operators’ platforms could provide the means for social networks to transition to transaction-oriented business models. With millions of participants, these sites hold huge potential for telcos willing to think outside of the box.
CHAPERONES NEEDED
Social sites have not yet had to develop experience with provisioning, billing and settlement, QoS, quality management and customer care. Accountability hasn’t been part of the equation for opt-in and user-generated content. That is changing, however, because of the negative publicity about potential sexual predators on social sites. Whether hype or reality, the issue has incited consumers to protest against such risks. The New York and New Jersey attorneys general have launched inquests into possible sexual offenders on Facebook. In other cases, sites like MySpace have suffered from digital rights infractions when members used the site to share content that was the property of major media producers.
While some may argue it ultimately is the responsibility of the parents, enterprises and individuals to restrict access according to the risks, there obviously is widespread ignorance about the lack of sophistication of security, management and customer care infrastructure on social networking sites. The “wild west” environment drives innovation, but it also leaves average users unable to track or protect against the threats to which their seemingly innocuous Web browsers and social sites are prone.
“If network operators are going to eventually monetize social networking, they might have to conduct third-party security reviews and due diligence that mirrors that of financial services and health industries,” predicts Rebecca Herold, a Cutter Consortium senior consultant in charge of a quarterly multimedia awareness product called “Protecting Information,” published by Information Shield Inc.
“If telcos are going to link up with other sites, they have to be aware that typical end users believe they are going into safe, secure environments. Lay people don’t realize that a lot of promises are not backed up with solid technology and procedures,” adds Herold.
WHO'S LIABLE?
If a widespread attack were to compromise important personal or financial information, where responsibility would fall is a contentious question. Legislators could put the onus on social sites. If they do, why would they stop there? Legislation might mandate that Web browser software provide tutorials to show users how to optimize their security features. Or perhaps network operators would be made responsible for what goes over their pipes.
Whether the onus is on parents, individuals, social sites or network providers, most agree action by the industry overall would be better than government legislation. Government intervention might serve to slow down innovation and compromise users’ privacy, industry experts say.
Some believe proactive warning labels and tutorials about optimizing Web browsers should be placed on Web sites as a first step. Then, parents and individuals would have a better sense of the dangers involved — analogous to warnings about the dangers of pharmaceuticals, cigarettes or alcohol. Others believe, however, that no amount of education on the consumer side would be enough to prevent or avoid fraud.
“Education does little for fraud ratios,” says Robert Hansen, CEO of SecTheory LLC, an application and network security company. “Statistically, user education doesn’t work on a large scale. It works for individuals proactively seeking it, but not for the mainstream.” He urges carriers and all involved in the value chain to do a better job of training programmers to better apply security features in their code.
SOCIAL EXPLOITS
“The point of Web 2.0 is personalizing the browser so that it gives you the look and feel of a Windows-based environment,” explains Hansen. “That enables you to develop a richer, more dynamic experience on the Internet,” he says.
Rather than doing validation in one spot on a server, it should take place on the client as well. If validation doesn’t happen in both places, then anything sensitive like databases of personal information or passwords resides in two places, which creates a problem when Web developers assume people cannot “look under the hood.” Infiltration increasingly occurs on the client side, putting the onus on the partners in the value chain to educate programmers about internal and external threats.
“People can inject JavaScript and launch cross-site scripting attacks like the Samy worm, which infiltrates a social network’s filters and embeds exploits within user profiles. That means that anyone visiting a user’s page gets infected and is open to the attack,” explains Dave Shackleford, vice president for the Center for Internet Security. He notes the use of AJAX, JavaScript and Flash objects pushes control to individuals. “You inevitably have more social engineering to lure people to pages where exploits are executed through browsers. Because social sites innovate by opening up development platforms to anyone wanting to develop an application, there is enough momentum that they are starting to realize the threats are real.”
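The two points above, that validation cannot be left to the browser because users can “look under the hood,” and that markup injected into a user profile is served to every visitor, are usually handled by the same small piece of server code. The following Python is an added illustration, not code from the article or from any of the sites it names: a profile-update handler that enforces its rules on the server no matter what the client claims, and an output encoder that renders stored profile text inert. The field name, length limit, allow-list and sample requests are all constructed for the example.

```python
"""Added example (not from the original article): server-side validation of a
social-profile 'bio' field that ignores any client-side 'already validated'
flag, plus HTML output encoding so injected markup never executes when another
user views the profile. Field name, limits and sample requests are constructed."""
import html
import re

# Server-side rules for the bio field (constructed limits for illustration).
MAX_BIO_LEN = 280
# Allow-list of characters a plain-text bio may contain; angle brackets,
# slashes and quotes are deliberately absent.
ALLOWED_BIO = re.compile(r"^[\w\s.,!?'\-:;()@#]*$")


def validate_bio(request):
    """Return (ok, message) for a profile-update request dict.

    The request may carry a 'client_validated' flag set by browser-side code.
    It is deliberately ignored: anything the client sends can be altered
    before it reaches the server, so the server re-checks every rule itself.
    """
    bio = request.get("bio")
    if not isinstance(bio, str):
        return False, "bio must be a string"
    if len(bio) > MAX_BIO_LEN:
        return False, f"bio exceeds {MAX_BIO_LEN} characters"
    if not ALLOWED_BIO.fullmatch(bio):
        return False, "bio contains disallowed characters"
    return True, "ok"


def render_bio(bio):
    """Render a stored bio as an HTML fragment with output encoding.

    Escaping is applied at output time, independently of input validation,
    so a value that reached storage by any path (an older filter, a bulk
    import, a second API) is shown as text rather than executed as script.
    This is the defence against the stored, profile-to-visitor pattern the
    article describes.
    """
    return f'<div class="bio">{html.escape(bio, quote=True)}</div>'


if __name__ == "__main__":
    # Constructed requests: a normal one, and one whose client-side flag
    # claims validation while the payload carries markup.
    good = {"bio": "Hi, I'm new here!", "client_validated": True}
    tampered = {"bio": "<script>alert(1)</script>", "client_validated": True}
    print(validate_bio(good))       # (True, 'ok')
    print(validate_bio(tampered))   # (False, 'bio contains disallowed characters')
    # Even if such a string had been stored, rendering keeps it inert.
    print(render_bio(tampered["bio"]))
```

Client-side validation is still worth having for responsiveness, but the server treats it purely as a convenience: the same checks run again on every request, and the rendering step encodes output regardless of how the data got in, so neither layer has to trust the other.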
“We strive to uphold high standards for privacy, and we are now working on processes and technologies that will further improve safety and user control on the site,” says Brandee Barker, a Facebook spokeswoman. “We take the concerns of the Office of the New York attorney general very seriously, so now that our service has grown, so too will our responsibility to our users. We want to empower them with the tools necessary to communicate efficiently and safely,” Barker says.
TELCOS CAN CREATE A SAFER EXPERIENCE
Online threats may catch carriers’ interests for two main reasons. First, carriers are interested in online communities and enabling value chains as a business opportunity. Second, junior-level developers are writing applications to enable emerging services that require e-commerce links with partners. Many synapses exist in the nervous system of a Web 2.0-type service — each of which can be capitalized on by carriers, and each of which poses a threat to carriers.
As collaborative services emerge as a result of Web 2.0 principles, the value chains will require interactions among host network operators and their partners, such as content providers (media or entertainment companies), aggregators (MVNEs and portals) and other service providers (MVNOs, resellers, cable operators and ISPs). Even though some social sites are trying to do more to protect their users and their content, their efforts take place in isolation.
For example, Google, which operates the social site Orkut, is trying to use data mining and machine learning to identify copyrighted content. This same type of pattern-matching technique could rein in some of the problems with offensive or copyrighted material on social sites. Few companies can employ these kinds of secure capabilities, much less share them transparently with partners.
Operators need to evaluate the “joints” that exist among different components in the value chain. In these plug-in points, incumbents can inject their own brand of authentication and authorization, customer care and billing to make them the strongest, rather than the weakest, links.
INEXPERIENCED DEVELOPERS
In its study, “Web Services Provider: Threat or Opportunity?” Convergys Corp. in 2006 noted how the increasing use of Web Services to open up applications to third parties is driving innovation, but not without exposing carriers to inherent weaknesses that often are outside of their control. The study acknowledged that Web Services developers generally were junior-level. As a result, they often were not well-versed in applying or developing the best security mechanisms to protect the processes and information they could expose when enabling new services. Carriers should begin to consider their role in brokering services for directory, authentication, service authorization and service-delivery management. Third-party developers can draw on these services to bolster their own offerings and applications.
“It at least behooves carriers to get potential partners to adopt standards around authentication schemes,” says Stephen Weagraff, senior architect at Convergys, which refers to Web 2.0 as the “second wave of convergence.” He believes common platforms will be critical to managing collaborative services. “Consortia like the Liberty Alliance and specs like SAML 2.0 all work to strengthen pieces of the overall framework with federated identity and authentication, privacy and security specs for online identity management,” says Weagraff.
Alcatel-Lucent, BEA Systems Inc., Microsoft Corp., Sun Microsystems Inc. and others also recently have made efforts to improve their service-delivery frameworks by leveraging standards, such as IMS and its authentication and security principles and protocols. “Ultimately, people will want dial-tone quality for the Internet,” says Weagraff. Along with it, he says, users will want high-quality performance and effective authorization and authentication. “Customers now want ease of use,” Weagraff says, “but also transparency and auditability.”