Web 2.0, the second wave of Web development and design, is thriving, and so too are applications that take advantage of this technology.

Interactive sites like LinkedIn, Twitter and even company Web sites are becoming ever more popular, and yet, many IT departments are unprepared for the associated new and emerging threats.

As more and more companies take to the Web to conduct business, the opportunity for attack is significantly increased and organisations need to re-adjust their security practices for the Web 2.0 world.

Traditionally, attacks have targeted the personal and business information that is created and stored in Web 2.0 applications such as Google Docs and MobileMe.

Using JavaScript written specifically to capture data, attackers redirect users to a convincing copy of the site they expect to see. Login details entered on that copy are sent, without the user knowing, to the attacker, who can then use them to reach sensitive business information.

New attack methods constantly take advantage of technology that is already in place. Facebook, for example, lets third parties host their own applications on the site in the form of games or quizzes, and the code for those applications runs independently of Facebook.

Attackers continually try to bypass Facebook's own security controls and reach user information through that third-party code running in the visitor's browser.

For the opportunistic attacker, even filling out a form online is a chance to obtain details. The site itself may be secure, but the ‘behind the scenes’ technology that suggests possible entries based on past input can be intercepted, and with it data on the individual or business.

The attackers differ in where they aim. Some exploit the Web application itself: Twitter suffered such an attack in January 2009, when the accounts of high-profile members were hijacked and offensive mock status updates posted. The other approach is to exploit the Web browser.

Here attackers seed large numbers of Web sites with JavaScript that ultimately lets them collect data on visitors to those sites. No specific Web application is targeted; the browser is the delivery mechanism, with injected links and scripts either redirecting users to ‘fake’ sites or loading damaging content from other destinations.

The attackers' motivation has changed along with their methods. Early Web attacks were about defacement: content was edited, messages inserted or offensive images added. The emphasis now is on remaining undetected, so that site owners do not realise their security has been compromised. JavaScript lets attackers turn these attacks to financial gain rather than mere nuisance.

In 2007 the Web site of Dolphin Stadium, venue for Super Bowl XLI, was compromised and malicious JavaScript inserted into its front page header. Visiting the page caused a keylogger/backdoor file to be downloaded onto the user's computer, giving the attacker full access to it.

The compromise went undetected until a security firm came across the site during a scanning effort. While the stadium's Web site was probably chosen because it was topical and popular at that moment, the compromise was part of a larger campaign that hit over 25,000 Web sites.

Many people associate hacking with credit card and bank fraud, but it is broader than that. All information holds some value to someone. ID theft, for example, is not just about spending somebody else's money; a stolen identity can be used to set up credit accounts with business suppliers or open new premises, all at another's expense. Client and employee data can also be valuable to other organisations.

While attackers constantly adapt to new technologies such as Web 2.0, businesses are responding too. Individual employees, as well as IT departments, are now aware of the risks, and most companies have policies on downloading Web-based applications. Vendors issue patches, security alerts and updates regularly; these should be monitored and applied as soon as they are available.

In addition, a number of tools help prevent such attacks, Web application scanning in particular. This is an automated process that searches a Web site for software vulnerabilities by sending its own test attacks and analysing the responses.

From those results it produces a list of actions the site owner should take to keep attackers out of their systems. This is especially useful for SMBs, where Web security matters but the resources, in people and cost, to manage it on an ongoing basis are not always there.

Source code scanning and continuous site monitoring are also valuable protections. Technology continues to advance rapidly, and so do the people willing to exploit others for financial gain. By staying informed of the risks and combining tried and tested preventative methods, IT departments can make sure they are equipped to deal with the constant threat of Web 2.0 attacks.