Social network tools have changed the way we interact in our personal lives and are in the process of transforming our professional lives. Increasingly, they play a significant role in how business gets done. But they're also high risk. With hundreds of millions of users, these tools have attracted attackers more than any other target in recent years.
Here, according to Palo Alto Networks, are the top 10 social network threats/risks that enterprises must consider when developing policies:
1. Social networking worms: Social networking worms include Koobface, which has become, according to researchers, "the largest Web 2.0 botnet." While a multi-faceted threat like Koobface challenges the definition of "worm," it is specifically designed to propagate across social networks (e.g., Facebook, MySpace, Twitter, hi5, Friendster and Bebo), enlist more machines into its botnet, and hijack more accounts to send more spam to enlist more machines, all the while making money with the usual botnet business, including scareware and Russian dating services.
2. Phishing bait: Remember FBAction? The e-mail that lured you to sign into Facebook, hoping you don't pick up on the fbaction.net URL in the browser? Many Facebook users had their accounts compromised, and although it was only a "tiny fraction of a percent," when you realize Facebook has over 350 million users, it's still a significant number. To its credit, Facebook acted quickly, working to blacklist that domain, but lots of copycat efforts ensued (e.g., fbstarter.com). Facebook has since gotten rather adept at Whack-A-Mole.
3. Trojans: Social networks have become a great vector for trojans -- "click here" and you get:
* Zeus -- a potent and popular banking Trojan that has been given new life by social networks. There have been several recent high-profile thefts blamed on Zeus, notably the one at the Duanesburg Central School District in New York State late in 2009.
* URL Zone -- a similar banking Trojan, but even smarter: it can calculate the value of the victim's accounts to help decide the priority for the thief.
4. Data leaks: Social networks are all about sharing. Unfortunately, many users share a bit too much about the organization -- projects, products, financials, organizational changes, scandals, or other sensitive information. Even spouses sometimes over-share how much their significant other is working late on a top-secret project, and a few too many of the details associated with said project. The resulting issues include the embarrassing, the damaging and the legal.
5. Shortened links: People use URL shortening services (e.g., bit.ly and tinyurl) to fit long URLs into tight spaces. They also do a nice job of obfuscating the link so it isn't immediately apparent to victims that they're clicking on a malware install, not a CNN video. These shortened links are easy to use and ubiquitous. Many of the Twitter clients will automatically shorten any link. And folks are used to seeing them.
6. Botnets: Late last year, security researchers uncovered Twitter accounts being used as a command and control channel for a few botnets. The standard command and control channel is IRC, but some have used other applications -- P2P file sharing in the case of Storm -- and now, cleverly, Twitter. Twitter is shutting these accounts down, but given the ease of access of infected machines to Twitter, this will continue. So Twitter will become expert at Whack-A-Mole too...
7. Advanced persistent threats: One of the key elements of advanced persistent threats (APT) is the gathering of intelligence on persons of interest (e.g., executives, officers, high-net-worth individuals), for which social networks can be a treasure trove of data. Perpetrators of APTs use this information to further their threats -- placing more intelligence-gathering tools (e.g., malware, trojans), and then gaining access to sensitive systems. So while not directly related to APTs, social networks are a data source. Less exotic, but no less important to individuals, is the fact that information on your whereabouts and activities can give more run-of-the-mill criminals an opportunity.
8. Cross-Site Request Forgery (CSRF): While it isn't a specific kind of threat -- it's more like a technique used to spread a sophisticated social networking worm -- CSRF attacks exploit the trust a social networking application has in a logged-in user's browser. So as long as the social network application isn't checking the referrer header, it's easy for an attack to "share" an image in a user's event stream that other users might click on to catch/spread the attack.
9. Impersonation: The social network accounts of several prominent individuals with thousands of followers have been hacked (most recently, a handful of British politicians). Furthermore, several impersonators have gathered hundreds and thousands of followers on Twitter -- and then embarrassed the folks they impersonate (e.g., CNN, Jonathan Ive, Steve Wozniak, and the Dalai Lama), or worse. Twitter will now shut down impersonators attempting to smear their victims, but at Twitter's discretion. Admittedly, most of the impersonators aren't distributing malware, but some of the hacked accounts certainly have (e.g. Guy Kawasaki).
10. Trust: The common thread across almost all of these threats is the tremendous amount of trust users have in these social applications. Like e-mail, when it hit the mainstream, or instant messaging when it became ubiquitous, people trust links, pictures, videos and executables when they come from "friends," until they get burned a few times. Social applications haven't burned enough people yet. The difference with social networks is that the entire purpose of them is to share -- a lot -- which will result in a steeper learning curve for users. Translation -- you'll have to get burned a few more times.
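The referrer check mentioned under item 8 (CSRF), shown from the application's side as an added example that is not part of the original article: a state-changing request is accepted only when its Origin or Referer header names one of the site's own hosts. The host names, function names and sample requests are constructed for illustration, and the sketch assumes the application changes state only on non-GET methods.

```python
from urllib.parse import urlsplit

# Assumption: the hosts this (hypothetical) social application serves pages from.
TRUSTED_HOSTS = {"social.example", "www.social.example"}
# Methods that change state (posting, sharing, following).
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def source_host(headers):
    """Return the host the request claims to come from, or None.

    Origin is preferred and Referer is the fallback; header names are
    matched case-insensitively.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name, "")
        if not value:
            continue  # header absent: try the next one
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            return parts.hostname.lower()
        return None  # present but opaque ("null") or unparsable: untrusted
    return None


def allow_request(method, headers, trusted=TRUSTED_HOSTS):
    """Allow safe methods; state changes need a trusted source host."""
    if method.upper() not in STATE_CHANGING:
        return True
    host = source_host(headers)
    # Exact host match only, so "social.example.evil.test" does not pass.
    return host is not None and host in trusted


if __name__ == "__main__":
    # Constructed sample requests: (method, headers).
    samples = [
        ("POST", {"Referer": "https://www.social.example/home"}),
        ("POST", {"Referer": "https://social.example.evil.test/page"}),
        ("POST", {}),
        ("POST", {"Origin": "null", "Referer": "https://social.example/"}),
    ]
    for method, headers in samples:
        print(method, headers, "->", allow_request(method, headers))
```

A header check like this is usually paired with a per-session anti-CSRF token, since some clients and proxies strip the Referer header.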