Social Networking Flaws archives - Security Bytes


Oct 15 2009   1:15PM GMT

Some Facebook applications lead to Russian attack sites



Posted by: Robert Westervelt
social networking flaws, Rogue Antivirus

Poor coding in some Facebook apps leads to websites pushing malware and rogue antivirus.

Security researchers at antivirus vendor AVG Technologies have discovered that faulty coding in some Facebook applications is being targeted by cybercriminals. Roger Thompson, chief research officer of AVG, cited several hacked Facebook applications that appear to be pushing Facebook users to Russian-based attack websites that push out malware and rogue antivirus software. In a blog entry, Thompson cited several examples and called the application developers victims, not the perpetrators of the attacks.

Initially, we thought that the applications were deliberately acting as lures, but it now seems to us that they are victims themselves. The difficult part for them will be to find and plug the hole that the DataSnatchers are using to hack the applications.

So far, about eight Facebook applications have been targeted by the cybercriminals. Most of the applications are games. Check out Thompson’s blog entry for the list. He warns that there could be more.

Sep 30 2009   3:03PM GMT

Twitter gets condemned by CISOs at Forrester forum



Posted by: Robert Westervelt
Twitter security, social networking flaws

Security professionals are worried the social network could cause security problems for their companies.

CISOs attending Forrester Research Inc.’s security forum held Sept. 10-11 in San Diego must have gotten an earful from the forum’s keynote speaker: Marcus Ranum. According to Forrester analyst Rob Whiteley, attendees responded to Ranum’s opposition to Twitter with “loud, thunderous applause.”

Writing about some of the highlights from the two-day forum, Whiteley said he was shocked by the audience reaction:

It’s very clear to me that we’re at an inflection point in information security. What we called a “shift in ownership” will be the challenge of all CISOs heading into 2010. It’s no longer sufficient — and definitely not necessary — to denounce the use of social media.

In an interview I had with Whiteley, he referred to this “shift in ownership” as perhaps the most important area IT security is grappling with right now. Security can no longer “control” data. The bottom line: Guard the intellectual property that is the lifeblood of the business as tightly as you can. Focus on reducing the risks of data leakage elsewhere.

It’s hard to gauge audience reaction. Perhaps those in attendance have never used Twitter and don’t understand its significance or usefulness as a communication tool. But others are finding it useful to share research and items of interest, and its popularity can’t be ignored. The service has attracted 14 million US visitors, according to Nielsen Online. It’s now valued at $1 billion. It’s clear that Twitter has found its niche.

As Whiteley points out, there are security concerns. Users can click on malicious links hiding behind URL shorteners (though browser-based tools are available to avoid this malicious use). Employees can post negative comments about their company or leak intellectual secrets (employees can leak company data on blogs, wikis and forums as well; shall we ban them too?). Here’s another one to add to that list of concerns: According to security consultant Lenny Zeltser, employees could be leaking data in drops that collectively could be used by an attacker to figure out passwords, conduct social engineering attacks and ultimately gain access to corporate networks. Zeltser, who leads the security consulting practice for Savvis and is a faculty member at SANS Institute, said it’s easy for an attacker to collect information that appears harmless on Twitter, Facebook and other social networking platforms. And if it’s easy, it’s being done. You can count on it. (Listen to my interview with Zeltser in our June 10 edition of Security Wire Weekly on social networking threats.)

Perhaps the more appropriate response from senior-level security professionals is to get educated on these newer forms of communication and respond with the right mixture of education and policy for employees. (Sign up for a Twitter account and follow some of your employees.) It’s highly unlikely that employees can be blocked from using tools they find helpful to their productivity. After all, standing in the way of innovation is not the goal of security. Finding the appropriate level of policy and technology to reduce risks should be the end goal.


Jun 18 2009   9:48PM GMT

Cligs URL shortening flaw highlights social networking ills



Posted by: Robert Westervelt
social networking flaws

Could flaws in social networks send the Internet spiraling out of control?

A flaw discovered in URL shortener Cligs (Cli.gs) last weekend demonstrates the fragility of the social networking ecosystem and how potentially dangerous it could be.

Cligs competes against TinyURL and Bit.ly, which dominate link shortening on Twitter. It is recognized as the fourth most-used link shortener on Twitter. On Monday, Cligs acknowledged the flaw, calling it a security hole in Cligs’ editing functionality.

The attack edited most URLs on Cligs to point to a single URL hosted on freedomblogging.com. I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states.

Lucky for Cligs that whoever discovered the gaping hole only forwarded to a story on freedomblogging.com and not a porn website or attack webpage. According to the blog post, 2.2 million URLs were affected.

Phishing attempts (Twishing), Tweetspam and even Twitter worms are being tracked by the major security vendors. Sammy Chu of Symantec Security Response said today that the vendor has detected fake Twitter invitations that carry a mass-mailing malicious worm. The messages appear as if they have been sent from a Twitter account.

This is all very close to spiraling out of control. Attackers are latching on to Twitter, MySpace, Facebook and others and using them to spread malware and harvest data. In a recent interview I had with security expert Lenny Zeltser, he said these short bursts of information – 180 characters on Twitter – alone don’t raise any eyebrows. But together with hundreds and in some cases thousands of other posts, the data could be used in a social engineering attack and could in fact harm businesses.

What can be done? To avoid being duped by malicious URL-shortening links, Graham Cluley, a security consultant with UK-based security vendor Sophos who was the first to blog about the Cligs hack, urges people to run a plug-in that will expand shortened URLs before they are clicked.
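The pre-click check that Cluley recommends (and the browser tools mentioned in the Twitter post above) boils down to walking a short link's redirect chain without loading the destination. The script below is an added example, not code from this post, from Sophos or from any shortener: it issues HEAD requests that are never followed, reports every hop, and treats loops or overly long chains as suspicious. The lookup function is injectable, and the sample redirect map is constructed to mimic the Cligs incident; the hostnames and paths in it are placeholders.

```python
"""Expand a shortened URL hop by hop without fetching the final page."""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_HOPS = 5  # assumption: a legitimate shortener resolves in a hop or two


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url):
    """One live hop: return the Location header, or None if url does not redirect.
    HEAD only, never followed, so the destination is reported but not loaded."""
    try:
        build_opener(_NoRedirect).open(Request(url, method="HEAD"), timeout=5)
    except HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise
    return None


def expand(url, lookup=http_location, max_hops=MAX_HOPS):
    """Return the list of hops from url to its final destination.
    Raises ValueError on a redirect loop or a chain longer than max_hops,
    both of which are worth treating as suspicious rather than clicking."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise ValueError("more than %d hops" % max_hops)


def final_host(url, **kw):
    """Hostname the user would actually land on; compare it to what the tweet claims."""
    return urlsplit(expand(url, **kw)[-1]).hostname


# Constructed sample map standing in for live HEAD responses (offline demo).
SAMPLE = {
    "http://cli.gs/abc123": "http://www.freedomblogging.com/story",  # placeholder path
    "http://cli.gs/loop1": "http://cli.gs/loop2",
    "http://cli.gs/loop2": "http://cli.gs/loop1",
}


def sample_lookup(url):
    return SAMPLE.get(url)


if __name__ == "__main__":
    print(" -> ".join(expand("http://cli.gs/abc123", lookup=sample_lookup)))
```

Swap `sample_lookup` for the default `http_location` to resolve real links; shorteners that reject HEAD will surface as a non-3xx HTTPError rather than a silent wrong answer.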

But we can’t rely on the public to take action. And they shouldn’t have to. It probably would be difficult for any group or association to take the lead on ensuring the security of social networks, but these organizations may benefit by joining forces in some sort of social network cabal to hash out standards around security and privacy issues.

The good news is that security researchers seem to be on top of the threats and the alarm is being sounded. But why is it taking a group of concerned security researchers and experts to get Google to better secure its Web applications? Who inside the search engine giant, or any of these websites, is weighing the risks and deciding to let the dice roll on security?

Unfortunately, it may take a catastrophic event to get any of the social media giants to take action. They owe it to their millions of users to take action, and it may be the most prudent approach to ensuring their longevity on the Web.

Now go and listen to this interview with Lenny Zeltser on social networking woes:
http://cli.gs/bnLvDD