The Trend Skeptic: Social Networking is a Benign Technology
Yes, social networking opens up new marketing opportunities; it provides more immediate customer interactions; and it can help employees connect with in-house experts. But it can also undermine security, gobble up bandwidth and generate bad PR.
Take the recent MySpace hack. Cyber-crooks turned a hacked MySpace profile into a roosting site for the TFactory Trojan. It works like this: Attackers send out friend requests. People who respond encounter a download window that prompts them to install Microsoft's Windows Malicious Software Removal Tool, a real tool just released this month.
The update box is actually just part of the larger corrupted image. If a user clicks anywhere on that image, TFactory and its nasty payload of downloaders and backdoor connections start to download.
McAfee discovered and publicized the exploit, but as of now, no one is sure how the attack originated. The guess is that a MySpace user was phished (the corrupted page displays the profile of a woman named Rita). Another possibility is that hackers discovered a code flaw they were able to exploit.
Why You Should Care
How does all of this relate to corporate IT? After all, most organizations don't want their employees trolling MySpace during work hours, anyway, and most anti-virus programs block TFactory. The trouble is that social networking is here to stay, whether IT likes it or not, and as attacks evolve beyond year-old Trojans to things like cross-site request forgeries, traditional security will be put to the test.
"Most security pros don't realize how big of an issue social networking is," said Michael Montecillo, an analyst with Enterprise Management Associates. "This is especially true with sites that allow users to express (them)selves."
Sites like MySpace that accommodate external content open the door to malware. They also make it easy for your corporate identity to be linked, however casually, to content that runs counter to your corporate message. The very connectedness that makes these sites appealing also makes them risky. "With dynamic relationships, security is incredibly hard," Montecillo said. "Essentially, you're stuck trying to plan for an infinite number of possibilities."
Consider the friends networks on these sites. How many friend requests do you get from random strangers loosely linked to a friend of a friend somewhere online, usually via someone who accepts everyone and anyone who asks to be a friend?
These watered-down relationships offer little or no value, and they aren't limited to MySpace. LinkedIn suffers from the same sort of casual connectedness. It's tempting to write this off as nothing more than a nuisance, but in a business context these non-friend friends undermine what business-class social networking seeks to establish: Trust.
A real-world analogy is the door-to-door salesman. This past weekend a college student came to my door hawking magazines. Nothing new in that, but she was savvy enough to mention that one of my neighbors suggested that she come talk to me. At first, I didn't know why she stopped by, but since Larry said she should talk to me, I listened. The first half of her pitch focused on my neighbors, and how they had been helping her out.
Why they were helping and what they were helping with took a while to get to, and had she not name-dropped, I wouldn't have listened very long at all. Eventually, she got around to the point: she was selling magazines. She wasn't representing a charity, and the markup on her subscriptions was extreme. I didn't end up buying anything from her, but I did waste a heck of a lot of time getting rid of her.
In writing this story, it also became apparent that I ended up trusting my neighbor Larry's judgment a little bit less than I had before. With my neighbor, we'll share a beer, chat about the weather or sports, and all will be forgiven. With a business brand, on the other hand, the bad impression won't be so easy to fix.