Harden Facebook? Sure, but where to start?

* Ryan Naraine is traveling.

Guest editorial by Paul F. Roberts

You may have heard the news that everybody's favorite social network, Facebook, won a big legal settlement on Monday against spammers who were using the 100 million strong network to distribute what the Facebook blog describes as "sleazy messages" to its users.

That's good news and, superficially, at least, suggests that the folks at Facebook are taking seriously the potential for their huge network to be gamed by scammers, spammers and other n'er do wells. Unfortunately, winning a diamond-studded $873m judgement against a cubic zirconia kind of guy like plaintiff Adam Guerbuez and Atlantis Blue Capital doesn't even scratch the surface of the security question when it comes to Facebook. Indeed, from the perspective of enterprise IT, Facebook, LinkedIn, Yammer and countless other social networks have deposited a Pandora's Box of nastiness on the doorstep. The only thing surprising about networks like Facebook -- given their popularity and the opportunities for abuse -- is that we haven't seen more attacks against them. You can expect to. Soon.

[ SEE: Facebook refuses to fix obvious security flaw ]

So how does Facebook and other social networks make enterprises (and individuals) vulnerable to attack? There are a few main threat vectors:

Phishing and social engineering attacks are the most common types of attack leveled at Facebook and other social networking applications and are designed to harvest user names and passwords or other personal information.

Web based attacks: Facebook and other social networks are, of course, Web based applications. As such, they are vulnerable to many of the same Web based attacks as other sites. Banner ads, which are displayed on user profiles within network, might carry malicious code or direct those who click on them to drive by download or phishing Web sites. Facebook's own application relies on Javascript, Iframes and other vulnerable constructs for key features. Vulnerabilities will be discovered and exploited in those, as well.

Facebook-based malware. We've seen at least two examples of this in recent months. The first, dubbed “Koobface” by Kaspersky Lab and others, appeared in July and spread from compromised Facebook and MySpace accounts via Wall messages and user comments. The virus placed a malicious link to a Web based video as comments on a user's profile. When clicked, the virus would spam other Facebook users via the built-in messaging feature and open a video sharing site that prompted the user to download a new version of Flash player –actually a malicious downloader that would install a wide assortment of malware on the infected system. Another virus appeared in October, behaved in a similar fashion, but spread through Facebook messages rather than comment messages.

[ SEE: Demo Facebook app creates DoS botnet ]

So what's to be done? The easiest thing would be to block employee access to sprawling social networks like Facebook and MySpace altogether, or limit access to them on a “needs to know” basis. Any number of secure Web gateway products can do this, and many organizations already take this approach.

If, however, you want to “harden” your organization and employees against social-network borne attacks, here are some suggestions:

1. Virtualize it. Given the unknowability of platforms like MySpace and Facebook, the safest assumption that any enterprise IT shop can make is that, at some point, they will be attacked and successfully compromised – whether via Facebook, MySpace or some other source. With that in mind, running these high risk applications within a virtual container that can be discarded at the end of your sessions is one way to reduce exposure. The idea is that even malware that might be downloaded through a social-networking borne virus or social engineering attack will be torn down with the virtual container itself. As my esteemed colleague Rachel Chalmers notes in a forthcoming report on virtualization and security, the rising tide of vulnerabilities identified in VMware, Xen, Microsoft, Parallels and other virtualization products suggest that virtual instances of XP, Vista, Linux or OS X are no more or less secure than their physical counterparts. Relying on relying on virtualization, in and of itself, for security is not wise. But, given the dismal state of security on most consumer and enterprise desktops and laptops, virtualization does add a layer of abstraction and – in the end – is better than nothing.
2. Patch it. Virtualization or no, keeping your underlying operating system and applications (Web browser, Adobe reader, etc.) up to date with patches can prevent exploitation in the event of an attack.
3. Scan it. Make sure you have a decent HTTP scanning tool on board that can inspect Web traffic and spot suspicious content. These aren't foolproof, but they're better than nothing and can flag phishing sites and other Web borne malware.
4. Scale it back. Most users (me included) plunge willy nilly into Facebook and other social networks with little thought of security or privacy. Kevin Moker, a VP and Information Security Officer at Liberty Bank in New York recommends taking a slow turn through Facebook's Privacy Settings feature (Settings > Privacy Settings) , which offers granular controls for granting access to all manner of content on your profile: your contact and personal information, what other users can discover about you using Facebook's search feature, and what stories about you get posted to your profile and to those of friends who are following you. Err on the side of caution: keep your personal information to a minimum and don't even think about storing your credit card info in the fields provided.
5. Ask yourself: friend or foe? Everyone wants to sport a big social network, but given the trust that's extended to those in your network, users of Facebook, LinkedIn, MySpace and other social networks would be right to be far more discerning about who they allow into their network. Obviously, those who are complete strangers to you should be barred. Beyond that: consider what level of information you want visible to members of your network who you know – but not well. Limiting those friends to a trimmed down profile lessens your chance of having your vital information used against you in an attack.
6. Beware of applications. Facebook has tens of thousands of third party applications that can be used to extend the platform. The most popular of them like Drinks for Friends are used by upwards of a million people a month. But little is known about the security of these applications, some of which allow your friends to post active content like music and video to your profile. You can limit what profile information is accessible by applications through the Settings > Privacy Settings feature. However, applications that you authorize get access to whatever profile content they are programmed to draw upon. While Facebook's privacy rules stipulate that applications should adhere to the privacy settings you've established when broadcasting content from your profile, its not clear that every application complies with those rules, or that FB is auditing the huge population of apps for privacy violations.
7. NUI (networking under the influence) – just say “No.” Needless to say, reputation risk is yet another threat posed by social networks. This extends beyond your own personal and professional reputation to the image of your employer (not to mention spouse, kids, etc.) Stories abound of workers calling in sick after a late night bender, only to have bosses pass along Facebook photos of them doing keg stands the night before. Think twice, or thrice, about what images and thoughts you post and who might view it. Then just say “No.”

* Paul F. Roberts is a senior security analyst for enterprise security at The 451 Group. He has reported on security for The IDG News Service, eWEEK and InfoWorld.