Hackers Invade Social Networks


Several recent security reports warn of dangers found on social networking sites like MySpace and Facebook. As the popularity of these sites has grown, the risks have grown as well. Yesterday, USA Today proclaimed, "Hackers want to be your (malicious) friend."

Here's an excerpt from that article: "Last week, computer security firm Sophos detailed an attack in which messages posted on the walls of users' Facebook pages urged them to view a video that claimed to be hosted on a Google website. But when the link was clicked, the victim was diverted to a website containing malware."


Earlier this month, Jennifer Leggio, who blogs for ZDNet, described "Facebook's (futile) malware exorcism - can social networks fight back?" She doubts the claim, made by Max Kelly, Facebook's head of security, that they have identified and blocked the ability to link to malicious websites from within Facebook. Jennifer says:

  • "Making a social network secure is darn near impossible. As fast as Facebook (or any other social network) blocks those known malicious sites, hackers will come up with new ones. There's no "patch" or "fix" for these issues.
  • Why? The major flaw with social networks comes down to user awareness and user responsibility. Kelly correctly states that many people use the Internet without any knowledge of security threats posed by hackers. Which makes these users... (susceptible).
  • ... If users are unaware as to the threats presented by clicking on outside links, they are easily going to be spoofed. Facebook cannot keep its users from clicking off the site and downloading files."

    Jennifer also references a DefCon 16 session with a great name: Satan is on My Friends list: Attacking Social Networks. The session description for that breakout says this:

    "Social Networking is shaping up to be the perfect storm... An implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML (Hello? MySpace? 1998 called. It wants its markup vulns back). Yikes.

    But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks...."

    Lest you think this topic is brand new - think again. While the hacker tricks change with the times, PC World proclaimed: "Hackers Crash the Social Networking Party," almost two years ago.

    There are also plenty of other online publications writing about these problems, with over 1.3 million page views available for the Google search "social network malware." What's to be done? There are plenty of suggestions for MySpace and Facebook roaming around in cyberspace. Nevertheless, most experts continue to point back to end user awareness and more training. 

    Perhaps the best advice comes from an age-old Biblical Proverb: "A man of many companions may come to ruin, but there is a friend who sticks closer than a brother." In other words, know your online friends.

    Any comments on social networking at work?   
