
Top social networking websites present new 'battleground for malware'

By Ron Condon, U.K. Bureau Chief
30 Jul 2009 | SearchSecurity.co.uk


Top social networking websites are becoming the new "battleground for malware," according to a new report from security company Sophos Plc.

As Sophos explains in its "Security threat report: July 2009 update," which covers the first six months of 2009, hackers are increasingly using sites such as MySpace, Facebook and Twitter to gather valuable information and launch phishing attacks.

In response, many organisations say they are blocking access to the sites from work systems, partly to prevent a loss of productivity, but also because of security fears.

"Social network sites need to take time to bolster security; otherwise the hackers and cybercriminals will take advantage of them in a big way," said Graham Cluley, a senior consultant at Sophos.

Cluley said the social networking websites need to "grow up," and he singled out Twitter for special criticism, saying: "You can set up a Twitter account without giving it an email address, so they have no way of sending you a confirmation email. Furthermore, if you want to run a dictionary attack against a Twitter account, the service allows you to try as many times as you like. Any sensible website would allow you three or four tries before blocking access. It is basic stuff."

The sites could also provide users with better feedback on the strength of their passwords, and help them create passwords that are more difficult to guess. "It would be terrific if more of these sites actually graded your password, and gave you an idea of how strong it is," he said. "They could block the use of dictionary words, for instance. Those things are relatively trivial for social networking sites to implement, but they haven't really grown up yet. Their businesses have grown so quickly that they are running before they can walk."
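The two controls Cluley describes in the paragraphs above, a cap on failed login attempts and a password grader that blocks dictionary words, can be sketched as follows. This is an added example, not code from Sophos, Twitter or the article; the limit of three tries, the 15-minute lockout, the sample wordlist and the scoring thresholds are all assumptions.

```python
import time

MAX_FAILURES = 3        # assumed; the article says "three or four tries"
LOCKOUT_SECONDS = 900   # assumed lockout duration (15 minutes)

# Constructed sample wordlist; a real deployment would load a large dictionary.
DICTIONARY = {"password", "letmein", "dragon", "monkey", "twitter", "welcome"}
# Undo common character substitutions: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b ...
LEET = str.maketrans("0134578@$!", "oleastbasi")


class LoginThrottle:
    """Counts failed logins per account and blocks tries after MAX_FAILURES."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # account -> (failure_count, locked_until)

    def allowed(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return self._clock() >= locked_until

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        count, locked_until = self._state.get(account, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            # Lock the account and start counting afresh once the lock expires.
            self._state[account] = (0, self._clock() + LOCKOUT_SECONDS)
        else:
            self._state[account] = (count, locked_until)


def grade_password(password):
    """Return 'rejected', 'weak', 'fair' or 'strong'."""
    # Strip appended digits/symbols, then undo substitutions, so that
    # "P@ssw0rd123" is still recognised as the dictionary word "password".
    core = password.lower().rstrip("0123456789!@#$%^&*._-").translate(LEET)
    if len(password) < 8 or core in DICTIONARY:
        return "rejected"
    classes = sum(any(test(c) for c in password) for test in (
        str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    score = classes + (len(password) >= 12) + (len(password) >= 16)
    return "strong" if score >= 4 else "fair" if score >= 3 else "weak"
```

The login handler would call `allowed()` before checking credentials and `record()` afterwards, and the sign-up form would show the grade returned by `grade_password()` to the user.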

Cluley advised organisations not to ban use of the sites altogether, but rather to educate users about the dangers and to instil best practices. "Social networks are going to become key to the way some businesses work," he said. "Many companies now use the sites to reach out to their customers, and for recruitment. If you take the tools away from people, then they will not be as productive."

The Sophos report reveals that more than half of all organisations currently block access to social networking websites, primarily to prevent time-wasting. But security concerns are also growing, with 63% of system administrators admitting that they worry about employees sharing too much personal information via their social networking sites.

In other areas of security, Sophos also identified increasing dangers, and what it calls a "conveyor belt of crime," as Internet crime becomes more professionally organised.

Sophos notes that instead of simply looking for operating system and browser vulnerabilities, hackers are also exploring security holes in other widely used programs and tools such as Adobe Flash and PDFs.

"The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build Web attack pages incorporating booby-trapped code," the researchers said. "The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date."

In the wake of these attacks, Adobe has followed Microsoft's lead by instituting a regular patch update of its products on the second Tuesday of every third month. The first took place in June.

Graham Cluley, senior consultant at Sophos, reviews how social networking sites should be managed in an enterprise setting.
