Social Networks Are Risky Business

By Richard Stiennon

(Back to article)

Why does it seem that most IT departments are woefully un-prepared for IT innovation? Why are they usually viewed as the detractors and inhibitors of technology rather than the innovators and enablers? My own analysis is that the IT department is saddled with processes based on project management that do not allow for innovation.

The typical process calls for annual plans, budgets, needs assessment, and staff assignments with the requisite meetings, status reports, and tracking metrics. Look at the technologies that have made their way into the enterprise with none of these management overlays: the Internet, email, Instant Messaging, WiFi, Blackberrys and now iPhones. When you look at that list you have to ask, “Just what did the IT department bring to the party?”

If your organization is like most, the IT department is tasked with cleaning up after the fact. The most urgent need is usually security. All of these technologies have introduced dire security threats but the benefits from them are tremendous. Most businesses today cannot even function without email. Part of my job is to help enterprises think about these new technologies and attempt to secure them before they get deployed. This is so the painful implementation of policies and security after the fact does not detract from the technology’s benefit. In that light, I am writing today about social networking.

Social networking is simply people using technology to work together, share information, and communicate. A big part of it is the discovery and exploration of people and information that should be linked. Tools that contribute to successful social networking include Facebook, Twitter, LinkedIn, Sharepoint, blogs, and hundreds of applications and spin off websites that support these. And like the other consumer technologies mentioned here, you will be just as successful at blocking the use of social networks as you were at blocking email or the Internet.

Lack of Password Control

Social networks, so called web 2.0 sites in particular, have become the masters of quick and easy signup. The norm has become to ask users for a unique name, password, and email address. To avoid excessive spamming of the groups a confirmation email is sent. Digg, Reddit, De.licio.us, are like this, making it easy for users to be anonymous. Some sites, Twitter in particular, fail to even ask for a useable email address. These sites are the most vulnerable to abuse. One aspect of social networks that is deleterious to good security behavior is the tendency for new applications built off of existing ones to ask for your passwords. It is very common for a new social site to request Google, MSN, and Yahoo! passwords so that your contact list can be harvested to recruit more members.

During the November elections a site was launched in India to take an impromptu vote from Twitter users. It required you to enter your Twitter ID and password so they could keep track of unique votes. After I blogged about the obvious risk of giving your password to a third party, the authors assured me they had no malicious intent.

Over 20,000 people voted, giving up their IDs and passwords to an unknown site. The risk of losing control over a Twitter account is exacerbated by the fact that most people re-use passwords at multiple sites. In other words, a lost account at Twitter could quickly lead to loss of control to Gmail, Yahoo! or even their corporate access. Does the CEO of Zappos, a prolific and famous Twitter-er, use a strong password for his Twitter account? Does he use a different password than his remote access credentials? I don’t know but I’d bet I’m not the only one wondering.

Brand Identity

Twitter is already succumbing to a new form of cyber squatting, which used to mean sitting on domain names for potential sale. (Has your brand/IP protection service provider or legal department investigated reserving critical social network IDs?) Now the term also applies to any site with free signup that becomes popular and does no checks on ownership of brand. See www.twitter.com/panera to see an example of some homesteader staking out a commercial entity’s brand.

New Virus Vectors

As I predicted over a year ago, social networking sites are beginning to be used as vectors for transmitting viruses. The mechanism should be familiar by now: a message is sent that asks a member to click on a cool link. Or, in the case of Koobface, spreading rapidly this month on Facebook, the member is told to “look at these videos of you I found on the Internet”. The destination is, of course, a malicious URL that infects the user and uses the fact that they are logged in to Facebook to send similar messages to the user’s “friends” thus becoming self propagating. In the meantime, the user’s computer is drafted into a bot army for later mischief.

Twitter is particularly vulnerable to this form of virus transport. Because Twitter constrains message length to 140 characters they provide a utility that automatically contracts long URLs using tinyurl.com. That means that Twitter members frequently click on obfuscated URLs. Expect Koobface attacks on Twitter within weeks.

Avoiding The Risk

Over time the social sites will learn to reduce their own exposure to these types of abuse. In the mean time, enterprises should protect themselves. My advice is simple:

·       Enforce strong password management. Remote access should be controlled with tokens or some other two-part authentication scheme. In this way you do not expose your organization to the consequences of your users’ sloppy password habits.

·       Deploy content control. There are many solutions for blocking access to malicious sites. Some, such as Websense and IBM, block access based on the URL. Others, such as Finjan, and Fortinet detect and block the malware as it tries to download. Content control can be applied to instant messaging services such as AIM and Skype, as well.

·       Reserve your social site brand names as soon as possible. The cost is only the cost of tracking and maintaining a list of sites and IDs. Someday your marketing and legal departments will thank you.

While getting ahead of the threats represented by social networking just makes good security sense, I advise against blocking access to social media. The benefits may be hard to quantify today, but they will be there in the future.

Richard Stiennon is a security industry analyst. He writes the security blog for ThreatChaos.com and has re-launched IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors.  He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor.  Prior to that he was VP Threat Research at Webroot Software and before that VP Research for a major analyst firm.