Social Networking:
Security and privacy issues you should know about
Rich media and social networking have been the topic of
news stories, tech articles and even newsletter articles
that have appeared in this column. Now word comes out,
again, that social networking and rich media have introduced
new threats to the security of your data. After seeing the
information released about this, a review for everyone who
uses or is thinking about using or allowing rich media and
social networking to be used in their enterprise seemed in
order.
It's a Web 2.0 world
When everyone talked about the advent of the new web or Web 2.0,
the thought was there would be more content, more
interaction, and a better web experience for everyone. While
true, Symantec's MessageLabs has identified problems that
have cropped up in the Web 2.0 world. Working with hundreds
of computers and seeing the kinds of issues they face with
speed, usually due to interaction with the web, many of the
findings of this report were not a surprise, but the
magnitude of their growth during the past year did make me
pause. In 2008, MessageLabs announced the trend of hackers,
phishers and other internet criminals moving from email as
their primary vehicle for spreading their payloads to
sophisticated web-based attacks. These attacks target
weaknesses in server-based applications, including but
certainly not limited to blogging tools and client-side
browser plug-ins, including Flash. These web-based attacks
have allowed malware to be installed when users simply visit
a web page. Not great news!
Growth of malicious websites
Just as SPAM increased from 30 percent of all emails to what most
industry analysts now agree is over 90 percent of all
emails, malicious sites are increasing at an exponential
rate. For example, in January 2008 the number of malicious
web sites was about 1,000 per day. By October 2008, that
number had increased dramatically to more than 5,000
malicious sites per day. MessageLabs found users of a global
search engine provider recently were sent to a video site
that instructed them to download and install a flash player
update to view their video. You guessed it, this download
was a new worm. The idea of a site you would assume is safe
asking you to download an update is indicative of the way
these kinds of scams have always been perpetrated and still
continue today. You trust the source so it must not be bad.
This is just like the scam that used to send people emails
claiming that their internet provider, their bank, or their credit
card holder has an issue and that they need to send in their
username and password. Misplaced trust on the part of the
user can be disastrous in these cases. This type of scenario
is often repeated with all sorts of rich media content
including flash, video, audio and more!
How bad is social networking?
On the surface, the idea of connecting with people seems great.
From a personal standpoint, you can stay in contact with
friends you have now or reconnect with friends you had in
the past. From a business standpoint it is
simple; the more contacts you have the better your chance
for sales, and who would not want that? Unfortunately, these
same qualities are what make the social networking environment
so fertile for these problems. Today, social engineering remains an
effective method of breaching security. The methods used
will sound familiar because they are just variants of ploys
that have been used in the past, both in SPAM emails and
fake websites. Attackers may create a fake profile on a social
networking site and use it to post malicious links and phish
other users. The information acquired through phishing lets
spammers post comments on other members' pages and send
messages from the phished accounts. From there it can
snowball. These messages are often used to distribute spam.
They may use a link within a message and that link could
redirect the browser to a page that claims to host a video.
Upon redirection, the user is advised they must install a
new codec to view the video, but instead of a codec, the
link downloads malicious software.
Does this happen with big name social sites?
Unfortunately, MessageLabs found that the same thing happens with the
big-name social networking sites, but the method of
infection is different. The big guys often offer
users applications to enhance their profile pages, making
them more attractive and useful. More often than not, those
applications are written by third parties where the security
of the code is not monitored. After downloading the
application, an unsuspecting user of the social networking
site can inadvertently insert malicious code onto their
profile page, and therefore their computer and potentially
their network. Someone visits that infected user's page, and
if the code is active, they are infected too. Another ploy
that emerged in 2008, according to MessageLabs, was fake
celebrity and royalty profiles
appearing on social networking sites. Because many companies
have dabbled in using these kinds of sites for business,
these fake profiles bring spoofing into the corporate
environment. To compound the problem, users of social
networking can receive buddy or friend requests from
fake profiles. While safeguards were put in place with SPAM,
anti-virus and anti-malware solutions to stop these threats
when they came in email, those traditional anti-spam
solutions can't differentiate between these requests and
genuine ones. The result: The bad guys can get specific,
private information about users and potentially gather
enough information to formulate a targeted attack.
Open Source Solutions Surge
With the continued move towards Open Source solutions for
everything from applications for the desktop to ones that
handle back office functions like accounting and customer
relationship management, that flexibility can introduce a
security vulnerability into the enterprise in the form of
virus or Trojan infections on the desktops or networks of
those who use them. The company that makes the leading open
source browser recently discovered, according to MessageLabs,
that a language pack on its official add-on webpage had been
infected for months with rogue code. This infection placed
IT departments and entire enterprises that used this browser
at risk of infection from malicious Trojan Horse code which
was purportedly accidentally embedded in the language
pack. How did it happen? The virus' signature was unknown at
the time, and thus passed the maker's testing of add-ons,
but it shows the need for diligence in making sure that
everything is tested on a continuing basis to remain safe.
What should you do now?
Be vigilant. These security threats are taking place and
like SPAM they will only get worse. You can help though.
Decide whether using social networking sites is right for
your enterprise and if so, protect yourself against the
threats. Pay attention to rich web content and open source
solutions and make sure that the offerings you look at are
from credible sources. Above all, make sure your systems and
your enterprise have adequate protection. This includes
virus scanning software with a current subscription
and updates, a firewall that is current and activated,
real-time solutions for controlling malware, spyware and other
cyber-attacks, and, in the case of an enterprise, a web
filtering solution. As always, apply the
security patches for your operating systems and applications
so you do not fall prey to something that has already been
patched because the hole in security was still present on
your PC. Feel free to contact me with questions or comments!
All product names / logos, company names /
logos are copyrights of their respective holders. John
Boline is an MCSE, CNE, USE, a member of the Network
Professional Association and the Microsoft Partner Research
Panel. The content herein is often based on late-breaking
events. Much of the material is based on information from
sources that are believed to be reliable. Hagerman &
Company, Inc. disclaims all warranties as to the ultimate
accuracy or completeness of the information. Hagerman &
Company, Inc. and its employees shall have no liability for
errors, omissions or inadequacies in the information
contained within this article or for any interpretations
thereof. The recommendations, positions and best practice
policies outlined herein represent Hagerman & Company, Inc.'s
initial analysis and therefore are subject to change as
further information which may have bearing on these
positions is made available. The reader assumes sole
responsibility for the selection of these materials to
achieve its intended results. The opinions expressed herein
are subject to change without notice. Hagerman & Company,
Inc. assumes no obligation to update the forward-looking
statements made in this newsletter to reflect any change in
circumstances after the date of publication. Entire
contents © 2009 Hagerman & Company, Inc. All rights
reserved. Reproduction of this publication in any form
without prior written permission is forbidden.