Facebook and MySpace: Walking the security-social networking line

Security--actually insecurity--is a very social thing. Get a cute malware infested email and forward it along to your contact list. See a site that's interesting--but is really just a phishing expedition--and you get hit with a virus/worm/rootkit. Social engineering makes the security world go around. So what do you do if you're Facebook or MySpace? You tell folks to be less social.

Good luck with that folks. Earlier this week, security firm Sophos warned Facebook users to be careful given there was a malicious video being spread around. Sophos wrote:

Messages left on Facebook users' walls are urging members to view a video (which pretends to be hosted on a Google website), but clicking on the link and visiting the webpage takes users to a site which urges them to download an executable to watch the movie.

Sophos detects the executable file as the Troj/Dloadr-BPL Trojan horse, which in turn downloads further malicious code (detected as Troj/Agent-HJX), and displays an innocent image of a court jester sticking his tongue out.

Here's what you would see:

I'm not sure why anyone would click on that slop, but I guess some people do. Before this latest incident it was an attack on MySpace and Facebook. And why not? Given the social engineering effects a malicious hacker could have a field day.

Also see: Web worms squirm through Facebook, MySpace

Facebook and MySpace are on the case, but they're really facing an uphill battle. These hacks just keep popping up. In a blog post, Facebook's security chief Max Kelly wrote:

Most people use the internet without being aware of the constant threat of hackers, spammers, and phishers. Due to the nature of the internet, and the nature of malicious software, most websites will at some point need to deal with patching a security hole. All good websites take these issues very seriously, since no one wants users to suffer. At Facebook, where people keep so much of their lives and information, we've built an amazing security team solely focused on making sure our users have a safe experience on the site.

The security team at Facebook is dedicated to investigating and auditing our own code for holes, as well as reaching out to people in an extended community to let us know if we've missed anything. If we get a report of a bug or a hole from a user, a security researcher, a reporter, blogger, or anyone, we check it out and fix it as quickly as possible. In fact, we appreciate it when help comes our way from the many security experts and organizations out there. That's why many of us are attending DEFCON this weekend. DEFCON is one of the largest and oldest running hacker conventions, held in Vegas. By going and learning from other people in the online security space, we make keeping people safe online a joint effort.

Even right now, as we're preparing to leave for DEFCON, we spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on Walls urging users to view a video that pretends to be hosted on a Google or YouTube website. We've identified and blocked the ability to link to the malicious websites from anywhere on Facebook. Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware.

But the real fix is this: Be aware of your surroundings and don't be stupid (that means don't share passwords, report spam and make sure the site is legit). In other words, don't be so viral. It's a fine line and one social networking sites will have to walk repeatedly going forward.