
Not Deserving of Trust

By Robert Lemos


When he wants to break into a corporate network, Kevin Johnson looks first to social networks to provide a way in.

The popular services, such as Facebook and Twitter, provide Johnson with connections to employees, information about their habits and a way to deliver hacking programs designed to infiltrate their computers. As a penetration tester for security firm InGuardians -- where he pretends to be the bad guy to help clients spot holes in their security -- Johnson has come to appreciate the ease with which social networks can be used to attack users.

"In the last three years, if there are a handful of [penetration] tests where we have not used social networks, I would be surprised," he says.

Like Johnson, attackers have started focusing on social networks as well. Incidents of spam on social networks are up 70 percent, according to a survey conducted by antivirus firm Sophos. The Koobface worm, which started spreading among Facebook accounts in 2008, became much nastier last year, attacking users of other social networks and attempting to compromise victims' computer systems.

In 2010, social networks will become a hunting ground for online thieves and fraudsters, says Ed Rowley, product manager for M86 Security.

"The most fundamental reason is that is where lots of people are going in 2010," says Rowley. "But also, there is a degree of trust when people are talking with their friends. When you send a link, people are more likely to click on it."

Personal attacks
Users tend to feel safer on social networks, believing them to be gated communities on the Internet filled with contacts and friends. Yet, Facebook, with its more than 350 million users, and Twitter, boasting more than 75 million users, have based their business on making it easy to connect to other people.

Attackers like that personal touch. Unlike the mass email campaigns spammers rely on, making a compromised account send messages to all of its friends makes it more likely that the recipients will pay attention to an unwanted advertisement or click on a dangerous link.

"The level of wariness that people have when they get an email is different than when they get a message from a friend on a social network," says Kevin Haley, director of security response at Symantec.

The technique is not new. Much of the success that the LoveLetter virus had in 2000 was due to its ability to send copies of itself through email to all the victim's contacts, Haley says.

"Loveletter got on your machine and it went through your e-mail contacts to send itself to other people," he says. "That is essentially what is going on with social networks. What we are seeing is old techniques adapted to new infrastructure."

Leap of faith
The added functionality that makes Facebook, MySpace and other services easy to use also makes the services easier to abuse.

"The more functional we make something, the less secure it seems to be," says Roger Thompson, chief research officer for security firm AVG.

Another major advantage for attackers, for example, is the increasing use of shortened Web addresses, or URLs, on social networks, especially on Twitter, where the service's 140-character limit puts a premium on space.

Shortened URLs remove a first line of defense for knowledgeable online users: the ability to do a quick sanity check on any link before they click on it. Frequently, links to malicious websites use simple tricks to mask their destinations, tricks that technically savvy users can spot.

By contrast, whenever an online user clicks on a shortened URL, it's a blind leap of faith -- they have no idea where it will lead.

"Even if we were savvy enough to pay attention and look at the link, we don't have that opportunity anymore," says Symantec's Haley.

Online thieves are making use of shortened URLs beyond Twitter, masking the destination of links in email and postings to other social networks. While major URL-shortening services such as TinyURL and Bit.Ly have started checking the destination against lists of bad sites, fraudsters are starting to set up their own sites to get around such restrictions.

Trust, but verify
The first defense against attacks directed through social networks is a hefty sense of suspicion, says Haley.

"People need to be careful, and if something does not seem right in a post sent to them by a friend, then it's not the end of the world if they don't click on it," says Haley.

Users should also make sure that they are running some sort of antivirus or anti-malware software and that their PCs have the most recent updates. In addition, to better protect against online threats, browser plugins -- such as NoScript for Firefox or SecureBrowsing for Internet Explorer and Firefox -- can be used to prevent code from unknown sites from running without a warning and to weed out known malicious sites. Finally, some websites and plugins can reverse the process of URL shortening, returning the full Web address to which a link points.
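The two defensive ideas in this section, expanding a shortened link to see where it really points and checking that destination against a list of bad sites, can be combined in a small tool. The following is an added example, not code from the article or from any of the plugins or shortening services it names. It walks the redirect chain hop by hop with HEAD requests, never following redirects automatically and never loading the final page, caps the number of hops so a redirect loop cannot run forever, and then matches the final host against a blocklist. The hostnames, the blocklist entries and the in-memory redirect table are constructed sample data so the example runs offline; the `http_location` fetcher is the one you would plug in for a live check.

```python
"""Expand a shortened URL without visiting the final page, then screen the
destination against a blocklist.

Added example, not the article's or any named service's code.  All
hostnames below are constructed placeholders, not real sites.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10  # hard cap so a redirect loop or a very long chain terminates


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects; we want to see every hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url: str) -> Optional[str]:
    """Live fetcher: HEAD the URL and return the Location header of a 3xx
    response, or None when the URL is a final (non-redirecting) page."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5):
            return None  # 2xx: this is the real destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None  # 4xx/5xx: treat as the end of the chain


Fetcher = Callable[[str], Optional[str]]


def expand_url(url: str, fetch: Fetcher = http_location) -> List[str]:
    """Return the chain of URLs from the short link to the final destination.
    Relative Location headers are resolved against the current hop, and a
    repeated URL (a loop) ends the walk."""
    chain = [url]
    seen = {url}
    for _ in range(MAX_HOPS):
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt)
        chain.append(nxt)
        if nxt in seen:
            break  # redirect loop: stop rather than spin
        seen.add(nxt)
    return chain


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_blocked(url: str, blocklist: List[str]) -> bool:
    """True when the URL's host is a blocklisted domain or a subdomain of one."""
    host = host_of(url)
    return any(host == bad or host.endswith("." + bad) for bad in blocklist)


def assess(url: str, blocklist: List[str], fetch: Fetcher = http_location) -> Dict:
    """Expand the link and report the final destination and its verdict."""
    chain = expand_url(url, fetch)
    return {
        "chain": chain,
        "final": chain[-1],
        "hops": len(chain) - 1,
        "blocked": is_blocked(chain[-1], blocklist),
    }


# Constructed sample data: a two-hop shortener chain ending on a blocklisted
# host, a self-referencing loop, and a plain page that does not redirect.
SAMPLE_REDIRECTS: Dict[str, str] = {
    "http://short.example/x1": "http://other-short.example/y9",
    "http://other-short.example/y9": "/login",  # relative Location header
    "http://short.example/loop": "http://short.example/loop",
}
SAMPLE_BLOCKLIST = ["bank-update.example"]


def offline_fetch(url: str) -> Optional[str]:
    """Stand-in for http_location that answers from the table above."""
    if url == "http://other-short.example/y9":
        return "http://login.bank-update.example/"
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("http://short.example/x1", "http://short.example/loop",
                 "http://safe.example/page"):
        verdict = assess(link, SAMPLE_BLOCKLIST, offline_fetch)
        print(link, "->", verdict["final"],
              "(%d hops, blocked=%s)" % (verdict["hops"], verdict["blocked"]))
```

Because the tool only issues HEAD requests and stops at the first non-redirect, the user learns the true destination without their browser ever rendering it; swapping `offline_fetch` for the default `http_location` turns the same code into a live expander.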

"It is a bit like driving a car," says M86 Security's Rowley. "If you get in and don't have a clue, you will have an accident. With a few lessons, you can get from A to B successfully."

Yet, staying secure should not just be up to the users. The companies behind the social networks have to step up to the plate as well, says Adam Wosotowsky, anti-spam technical lead for McAfee.

"If users don't see Facebook or Twitter responding to the needs of their audience, they are going to go somewhere else," says Wosotowsky.

In other words, trust is a two-way street. If the social networks cannot find a way to let people trust their friends, users will find services that can.


Robert Lemos is an award-winning technology journalist of more than 13 years, focusing on computer security, cybercrime, and enterprise issues. Mr. Lemos' work has appeared in BusinessWeek, San Francisco Chronicle, SecurityFocus, PC Magazine, PCWorld, USA Today, Wired News, Technology Review, ZDNet, and websites including CNET News, CIO, and The New York Times.
