Understanding Security Risks on Social Networks
By Ryan Naraine
When the United States Marine Corps (USMC) announced an "immediate ban" on the use of social networks on its computer systems because of the risk of information disclosure and hacker attacks, overwhelmed IT administrators nodded in agreement.

The wild popularity of sites like LinkedIn, Facebook, and Twitter has been a blessing and a curse to businesses. On one hand, marketing departments, corporate recruiters and sales personnel have found great value in using social networks to boost revenues or trawl for talent, but, as the Marines discovered, the very nature of social network sites "creates a larger attack and exploitation window, exposes unnecessary information to adversaries, and provides an easy conduit for information leakage."

Social networks are "a proven haven for malicious actors and content," the USMC said in a notice announcing the ban.

These fears are not misplaced. According to anti-virus researchers tracking malicious Internet activity, there's a dramatic surge in hackers exploiting the trusted nature of social networks to hijack sensitive data, steal identities, or plant keyloggers and password-stealers on infected computers.

According to a survey released by Proofpoint, Inc. in August 2009, IT managers are increasingly fearful that employee use of popular social networks could lead to the inadvertent loss of sensitive corporate data.

The annual Proofpoint study of 220 IT decision makers at U.S. companies with more than 1,000 employees found that executives are spending more and more time worrying that employees are posting too much proprietary corporate information within status messages, comments, or blog posts on social networks.

Proofpoint found that about 35 percent of the U.S. companies surveyed had been affected by the exposure of sensitive or embarrassing information over the last year. Close to 50 percent of the respondents were "highly concerned" about the possibility of valuable company information inadvertently leaking out on social networking sites and 10 percent said they had disciplined employees for violating social networking policies in the past year.

TWEETS AND TWITS
It may seem innocent and innocuous, but a senior employee mentioning on Twitter that he is worried about layoffs can be a clue about financial problems at a particular company. A sales executive posting to Facebook about spending too much time on the phone dealing with customer complaints about a product could hurt the company's image and affect the bottom line. Even on LinkedIn, which is considered a valuable business-networking tool, an innocuous call for help around a particular topic could provide a valuable clue to competitors about the future direction of a product or corporate plan.

What's even more worrying is that the majority of U.S. businesses, from the mom-and-pop small business to the mid-sized enterprise, don't have a formal policy in place to manage and monitor social networking usage.

"It's hard to have a policy when the CEO is on Facebook, always updating his status and commenting on his wife's photos," grumbled a New York-based IT administrator. "We try to educate our staff about the risks and limit their use of certain sites that are constant targets for viruses, but it's very tough to implement because we use social networks to do business," he added.

Several others, who requested anonymity because they didn't want to put their companies at risk, pointed to a recent Black Hat security conference presentation where researchers created bogus LinkedIn profiles – complete with photographs, references, and full job descriptions – and proceeded to create a network of business contacts for malicious purposes. During the experiment, which was meant to highlight the security risks, the bogus LinkedIn accounts were able to harvest a mountain of data from some high-profile targets, including executives at multi-million dollar U.S. companies.

WITH FRIENDS LIKE THESE...
Sensitive data leakage is only a small part of what has become an exploding security nightmare for businesses. Anti-virus experts have found multiple phishing scams specifically targeting Facebook and LinkedIn. In these attacks, a user receives an e-mail (from a trusted friend or business contact!) with a link to a groundbreaking news event, or an exciting photograph or video. The link redirects the target to a fake site that imitates the login page of Facebook or LinkedIn. When the user logs in to this fake page, the credentials are stolen.

This type of social engineering attack scenario becomes even more dangerous when the URL lure is associated with a drive-by malicious download where a computer gets infected with a virus or data-stealing Trojan by simply surfing to a rigged Website. In one major attack called Koobface, malicious hackers manipulated Facebook's private messaging system to infect computers via a link promising a video file. Unsuspecting users started receiving private messages (again, from trusted friends) with a link to a third-party site and a message that said simply: "You look just awesome in this new movie."

Clicking the link, the user was directed to a Website that popped up an alert that the user needed to download a Flash Player update. That Flash Player update was actually a malicious executable programmed to steal sensitive data off an infected machine. Once that executable is installed on a Facebook or LinkedIn user's machine, the victim then becomes a pawn in the attack. The next time the user of that infected machine logs into Facebook, the lure is then sent to all of their friends and the infected link is automatically added in comments on friends' pages. This creates a network worm capable of propagating an infection across the globe.

According to data security companies monitoring malicious Web activity, we're in the midst of a large-scale drive-by download epidemic. Over a recent 10-month period, Google's Anti-Malware Team crawled billions of pages on the Web in search of malicious activity and found more than three million URLs initiating drive-by malware downloads. "An even more troubling finding is that approximately 1.3 percent of the incoming queries to Google's search engine returned at least one URL labeled as malicious in the results page," according to a study released by Google.

HACK ATTACKS
Still worse, hackers have started to hijack legitimate Websites – MLB.com, FoxNews.com, and CNN.com were among the victims – and planted redirect code that silently launches attacks via the browser.

According to data from ScanSafe, a company that tracks Web-based malware threats, 74 percent of all malware spotted in the third quarter of 2008 came from visits to compromised (legitimate) Websites. Attackers are also known to have used poisoned third-party advertising servers to redirect Windows users to rogue servers that are hosting drive-by downloads. These malicious ads (malvertisements) are typically Flash-based and exploit unpatched desktop applications.

As businesses come to understand the risks and rewards of using social networks, many might want to consider following the lead set by the U.S. Marines.

Source: United States Computer Emergency Response Team (US-CERT)
 
 
© 2010 Lead IT Magazine