Hackers and Social Networking: A Love Story
Trust is the nefarious hacker's currency, and the trust implied in communications sent on social networks has proven to be a bonanza for them. "On a social networking site like Facebook, there's an even higher level of perceived trust," said Cloud Computing Alliance's Wen Tseng. "You see [a friend's] picture next to the message or link they send you, and you think, 'This is my friend, OK, he wants me to check this out.'"
04/22/10 5:00 AM PT
When you work in the cybersecurity business, friends can make you their default -- read "unpaid" -- computer safety expert. Wen Tseng, research director for the Cloud Computing Alliance, really doesn't mind, however; it gives him a chance to confirm that scammers and hackers are increasingly relying on the friendship networks spreading through social media to do their damage to bank accounts and reputations.
"It's just a form of unscientific sampling, but this is starting to reach critical mass here," Tseng told TechNewsWorld. "Something is going on. Facebook accounts are increasingly getting hijacked. It's more effective than just an email alone. On a social networking site like Facebook, there's an even higher level of perceived trust. You see [a friend's] picture next to the message or link they send you, and you think, 'This is my friend, OK, he wants me to check this out.'"
However, that message or link can be laden with malware that turns a computer into the next zombie PC in a hacker's botnet. That was the modus operandi for a China-based computer espionage ring that, according to Toronto security researchers, used Twitter, Facebook, Google Groups and other Web 2.0 mainstays to manage a botnet that targeted government agencies in India and the office of the Dalai Lama.
Tseng, a CISSP (Certified Information Systems Security Professional) who has consulted for enterprises and small businesses, knows that it's not just consumers who face the dangers of social networks targeted by hackers. Businesses of all sizes are integrating more social media into their marketing, customer service and internal information plans, and they need to be aware of how best to balance the desire to have a more direct conversation with customers and colleagues, with the need to lock down systems and protect confidential information from prying eyes.
"That's the whole debate -- how much information do you put out there," Tseng said. "You want to have a public face, but how much do you make public without increasing your risk?" If a hacker sets up a Facebook fan page using your brand's identity and loads it up with links sending unsuspecting users to malware- and spyware-ridden websites, what's the ultimate damage to your company's reputation?
"Your Facebook information is a treasure trove of out-of-wallet information," he said.
Linking to Potential Harm
The link-shortening services themselves have been hijacked, as users look for ways to pass along stories, videos and other must-read items on Twitter and Facebook, according to Eric Skinner, chief technology officer for enterprise security firm Entrust. "For years we've been trying to educate people to pay attention to what you click on," Skinner told TechNewsWorld. "Clicking on links and trusting URLs with no idea where they go is definitely dangerous. This is a new attack vector in terms of getting malware deployed, linking to a bad site."
Companies and consumers need to investigate using Twitter clients that actually show you the link in a pop-up box before you click through. The social networking companies must invest more in protections for users, Skinner said, because of the desire by hackers to use a user's acquaintances against them. "It's classic social engineering -- trying to get you to open something. When it comes from friends, you're more inclined to trust it. Whether hacking a Gmail account or hacking Facebook accounts, that's absolutely to be expected."
Twitter should be credited for beta-testing expansion of its Verified Accounts service to include businesses and governmental agencies that could be subject to impersonation by black-hat hackers, Skinner said. "[Twitter] are starting to migrate that ability that they used to apply to celebrities to corporations to let them protect their brand reputation as a company." But the best defense right now is education and training for companies that might be using Twitter or Facebook for customer service and feedback. "When they're on Twitter, people tend to overshare -- 'My account number is XXX, can you help me out?' Corporations have to go out of their way to discourage sharing that information, or to do it on a private channel," Skinner said.
A Generational Shift
Any new technology will present security challenges as it is incorporated more into work and home life, said Gary McGraw, chief technology officer for security firm Cigital. Social networks are no exception, joining a long line of leaps in communications technologies that began with telephones and have included free email services accessed from work computers. Social media "is revolutionary in the sense that it allows people to connect with each other through a new sort of network, so why should it be surprising that a new source of communications network would be used for nefarious purposes?"
Some companies, McGraw said, are working on technical solutions that would use the concept of "virtual machines" to quarantine malware infections on a network or system. In the meantime, however, best practices and common sense can keep people and companies from becoming victims of social engineering on social networks.
"Generally speaking, it looks like HR (human resources department) is all for the social networking thing, and so they're kind of pushing for the networking -- using LinkedIn and Twitter and outreach communications without thinking through the implications of it all," McGraw said. "So stepping back and thinking, 'What's the downside' is always a good idea. Just because you can do something doesn't mean you should."