IT Compliance Advisor

Aug 26 2009   3:15PM GMT

Twitter security hole highlights need for a social media policy today

Guy Pardon

Once again, Twitter security is in the headlines. Yesterday, SEO expert Dave Naylor posted that James Slater had found a cross-site scripting vulnerability in Twitter. Cross-site scripting (XSS) is a common – and nasty – security exploit that allows a malicious hacker to insert JavaScript code into links that a user believes are trustworthy. Instead of sending the user to the expected website, the link executes that script, which could allow any number of ugly outcomes, including worms, malware infections or harvesting of session cookies.
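As an added illustration (not code from this post or from Twitter), here is the defensive check that paragraph implies: a link renderer that allowlists URL schemes and escapes output, shown next to the naive version that trusts the user's string. All function names and sample inputs are assumptions constructed for this example.

```javascript
// Added example: validating user-supplied links before rendering them.
// Hypothetical helper names; constructed inputs; not Twitter's code.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the five characters that matter inside HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Return a normalised http(s) URL string, or null if the input must not
// become a clickable link. The WHATWG URL parser strips leading/trailing
// whitespace and embedded tabs/newlines, so an obfuscated scheme such as
// "java\tscript:" is still parsed as javascript: and rejected.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw)); // absolute URLs only; relative input throws
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Vulnerable pattern: the user's string goes straight into the markup.
function unsafeLinkHtml(rawHref, text) {
  return `<a href="${rawHref}">${text}</a>`;
}

// Hardened pattern: allowlist the scheme and escape everything else.
// Rejected links degrade to plain escaped text instead of an anchor.
function safeLinkHtml(rawHref, text) {
  const href = safeHref(rawHref);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs (not from the post).
const SAMPLES = [
  ["https://example.com/profile", "my site"],
  ["javascript:alert(1)", "my site"],
  ["  java\tscript:alert(1)", "my site"],
  ["data:text/html,<script>alert(1)</script>", "my site"],
  ['https://example.com/?q="><script>alert(1)</script>', "my site"],
];

for (const [href, text] of SAMPLES) {
  console.log(JSON.stringify(href), "->", safeLinkHtml(href, text));
}
```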

While no apparent damage to privacy or sensitive data has occurred through this XSS exploit, the lesson from the past 24 hours is that a social media usage policy needs to be drafted, promulgated and enforced ASAP.

Although Ben Parr wrote on the social media blog Mashable that the Twitter exploit had been fixed, echoing Twitter staff comments, Naylor followed up today with evidence that the Twitter exploit still works – just visit @APIfail2 for a (harmless) example. You’ll need to view the account using a Web browser, given that third-party clients are not affected by the issue.

TechCrunch has picked up the lack of resolution to the Twitter security issue. Robin Wauters, the author of the post, has sought further comment from the startup. Although the security team at the online social messaging startup is no doubt working overtime to address the issue in a more substantive way, this episode only adds fresh concerns about the Twitter security risks I reported on in June. Twitter may need to hire a CISO soon.

Such online security concerns, however, are hardly limited to Twitter. If anything, Facebook is an even bigger target, both because of its size and the likelihood of more personal information in profiles. That reality hasn’t gone unnoticed by hackers, as rogue Facebook phishing applications popped up last week.


What does all this mean for the compliance and security community? It’s time to get serious about addressing the risk by drafting a social media policy that uses available DLP technology, sets expectations for online privacy and, perhaps most importantly, includes user education about Web app security, social engineering and phishing. As I reported earlier this month in a story exploring social media and compliance, “fewer than one-third of respondents in a recent survey said their organization had a policy in place governing social media use” – and “only 10% of the companies surveyed indicated that they had conducted employee training on such use.”

According to another survey, from security firm AVG, only 27% of social networking users are taking steps to protect themselves against similar online threats. According to “Bringing Social Security to the Online Community,” conducted with the CMO Council, 20% of social networking users have been the victim of identity theft, 55% have experienced a phishing attack, and 47% said they’ve had to deal with malware. Stark numbers.

In other words, if social media security wasn’t on your task list already, it should be now.


1  Comment on this Post

  • MichaelSeese
    I work for a large midwestern bank. Although our users complain (a lot), we block access to social networking sites from corporate computers. I'm sure some day we will need to open the door. But for now, simply keeping folks out seems like the best strategy. -- Michael Seese, CISSP, CIPP, author of Scrappy Information Security (http://www.amazon.com/Scrappy-Information-Security-plain-English-Biometrics/dp/1600051324/ref=sr_1_1?ie=UTF8&s=books&qid=1245928166&sr=1-1)
