Guest editorial by Steve Manzuik
Lately there has been a lot of attention given to various privacy issues of social networking sites. Whether it is Google's Buzz automatically adding anyone you have ever emailed to your follow list or the multitude of Facebook privacy concerns, it seems that all of a sudden the world is now worried about their privacy on the Internet. While I can understand why some users wish to have their privacy, I do chuckle a bit inside when I hear people complain that they wish to have privacy on an open and public network.
While this blog post will not be specifically about privacy, I do want to state that expecting privacy on the Internet is a bit misguided, as no one has ever had privacy on the Internet. Unless you are encrypting every little packet sent from your system, it has been read somewhere by someone for whom it was not intended. Users are failing to make the connection between acceptable behavior in the real world and acceptable behavior on the Internet. If you want something to be private you wouldn't yell it out in a crowded shopping mall, so perhaps you shouldn't post it on a social networking site. Privacy issues aside, the real topics that interest me when it comes to social networking on the Internet are the various ways that social networking tools become attack platforms. During the recent privacy debates Mark Zuckerberg, founder of Facebook, was quoted in the Washington Post stating the following:
"Facebook has been growing quickly. It has become a community of more than 400 million people in just a few years. It's a challenge to keep that many people satisfied over time, so we move quickly to serve that community with new ways to connect with the social Web and each other. Sometimes we move too fast."
If you put yourself into the mindset of an attacker, do 400 million targets all centralized on one fast and ever-changing web application not sound like a great place to play? Attacks via the Internet are nothing new, but over the last five years we have seen the intent behind attacks shift from mostly harmless annoyances to actual well-planned business models that give an attacker the ability to create an income from successful compromises. Be that income from rented-out botnet cycles, from spam, from theft of corporate secrets, or even from the outright stealing of bank funds, today an attacker has the ability to make some real money. Combine this ability with 400 million targets who are mostly non-technical and running ineffective host-based security solutions, and you have a breeding ground for malicious behavior. Or, as my grandma likes to call it: "that Facespace thing on the Internet".
Without getting too platform or site specific - because let's face it, these days it really doesn't matter what operating system or browser you use - let's look at some of the ways that your grandma will get abused via social networking. I did some very fast brainstorming via email with some very smart colleagues and friends and we came up with some attack scenarios that are all possible today. I won't credit each person but you know who you are, so thank you for your input.
Attack Scenario 1: Malicious ad content

The very core of most social network sites' "business plan" is to generate revenue via advertising content. This is achieved via partnership deals with the various online advertisers as well as, in some cases, the ability for general users to purchase ad-space that appears in a targeted fashion. Leveraging this model has actually been done before with much success. I am sure that there are multiple ways that this can be achieved. The two that pop into my head immediately are 1) generating an ad that will entice users to click and thereby be served malicious content, or 2) depending on how much HTML and Java-fu you are allowed to use in an ad, having the ad itself contain malicious content. This type of attack is actually very simple and in my opinion would probably have a high rate of success. Remember, your anti-virus and other host-based security products are only protecting you from the threats they know about - meaning anything you throw together will have success until the security vendors collect their samples and write their signatures for it.
Attack Scenario 2: Spyware-infested applications

I won't get into the debate over what is and what is not considered spyware. Social networking sites like Facebook have shown us that even if you are a shady scam artist, users are willing to install your application so they can grow virtual crops, manage fish farms, or pretend to be a mobster. Why not take this to the very next level and place spyware or other potentially harmful and malicious content into your games? A smart attacker could easily come up with an application that the masses want, only to then leverage that popularity to do evil.
Attack Scenario 3: Targeted attacks

This is probably the more interesting attack scenario, mostly because an attacker can leverage this to compromise those of us who feel that we are too careful to become victims. Social networks have been great for people to reconnect with old friends and maintain those connections. The very nature of a social network is the fact that your connections, and even some conversations, are public; a savvy attacker could easily leverage this information to attack those who feel they are safe. For example, if someone wanted to compromise my systems, I would hope that they would not have a lot of success by attacking me directly.

That said, they could target someone close to me who may not be as diligent with their online security. Once that target is compromised, a targeted attack via their social network would have a higher chance of success - because who would suspect someone close to them as an attack source? An alternative scenario could also be to compromise someone in the target's social network who is known to occasionally roam onto the target's private network. A back door installed via a social network attack could work wonders as a launching point for an attack once that system is connected to the right network. The example used here is based on a targeted personal attack - but would this not also work very well to gain access to an internal corporate network? We all love to share who we work for via our social networks.
Attack Scenario 4: Virtual gets real world

It seems that between various status updates, services like Gowalla or Foursquare, and the ability to instantly upload a photo to the web complete with geo-tagging information, we are able to know where everyone in our social network is, physically, at all times. In many cases a lot of this information is public and viewable by anyone. How long until petty thieves begin to leverage this information to determine which homes are empty and easy targets for robbery?
The previous scenarios are only the tip of the iceberg when it comes to ways that an attacker can leverage the social networks themselves to conduct attacks. None of these scenarios is really new; each of them has already been used in a successful attack. Of course, I have not gone into how one can protect oneself from these sorts of things. The frightening reality is that today's security mechanisms are not sufficient to protect us against today's attack vectors. The software industry has done a great job dealing with the messes of the past, but it has not adjusted or moved fast enough to address what is currently going on and what will happen in the future. No, this is not me saying that we should not run any host-based protection products, as they are better than nothing.
The reality today is that we as end users of various social networking services are really at the mercy of the service providers. With the shift to cloud computing and the ability for everyone to share everything online instantly, we are placing a ton of trust in the hands of a few providers to protect us. The Facebooks, Twitters, and Foursquares of the world owe it to their end users to be more diligent and perhaps apply a little more scrutiny to the services they offer.
Hopefully startups like Immunet continue to pop up and introduce interesting and more effective ways to protect end users from attackers and, sadly enough, from themselves.
Steve Manzuik is currently an independent security consultant working as a Program Manager for Microsoft’s Vulnerability Research program (MSVR). With almost 20 years of IT and IT Security experience Steve managed the infamous eEye Research Team and has held positions at Juniper Networks, Ernst & Young and IBM Global Services. When he isn’t on the ice playing hockey, Steve is an occasional blogger at http://hellnbak.wordpress.com and has presented at major security conferences such as Black Hat, Defcon, AusCERT, and PacSec.