Facebook's (futile) malware exorcism - can social networks fight back?

Summary: Until the masses are educated (perhaps through a Social Networking Security Consortium), the social networks will continue to fight an uphill battle to protect themselves and their users.


In the wake of two recent worm attacks on Facebook, the popular social networking site responded last night with a statement about its security practices. Regarding the attacks, Max Kelly, head of security at Facebook, wrote this in a blog post:

...we spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on Walls urging users to view a video that pretends to be hosted on a Google or YouTube website. We've identified and blocked the ability to link to the malicious websites from anywhere on Facebook.

Have they now? Kelly writes that he and his team are soon headed to Defcon 16 this weekend in Las Vegas to learn how to make the site safer. Perhaps he and his team plan to attend "Satan Is On My Friends List" about securing social networks. But, really, is there a solution for Facebook waiting at Defcon? Probably not, and here's why:

  • Making a social network secure is darn near impossible. As fast as Facebook (or any other social network) blocks the known malicious sites, hackers will come up with new ones. There's no "patch" or "fix" for these issues.
  • Why? The major flaw with social networks comes down to user awareness and user responsibility. Kelly correctly states that many people use the Internet without any knowledge of the security threats posed by hackers. That makes these users...
  • ...primary targets for online social engineering scams, similar to what was presented with the "Court Jester" malware attack. If users are unaware of the threats posed by clicking on outside links, they are easily going to be spoofed. Facebook cannot keep its users from clicking off the site and downloading files.

"If a site allows any kind of links at all, then what a user does after they follow that link is really out of control of the social networking site," said Wesley McGrew, who operates McGrew Security. "They can keep blocking the links to malicious sites as they pop up and they can try to educate their user base but that's about it. Facebook is likely at the mercy of the security of each user's home computer."

If a user's home PC gets owned, the malware can navigate the social network in much the same way that a legitimate user can. That could be tough for the Facebook security team to detect, as the malware would have similar attributes to the user. While attacks on Facebook applications are not new, the hackers' ability to penetrate the Facebook Wall is a big deal -- and it's these types of attacks that had a terribly negative effect on MySpace's perceived viability when its pages began to get compromised on a regular basis.

"As a security geek, you can observe the malware's behavior and maybe figure out how it differs from a legit user and block it, but that's an arms race that'll get tougher and tougher," McGrew said. "A lot of this falls on the individual's responsibility. This same kind of worm could happen with any site that allows people to link off to other sites, which is a pretty core feature for any social networking hub."

The same not-so-tech-savvy users who get fooled by these types of hacker traps are the same ones who are going to put the blame on Facebook for not protecting them. This will compromise user trust. To Facebook's credit, part of the blog post does aim to educate these types of users by listing some steps they can take to protect themselves and better communicate suspicious activity to the security team.

But the site -- and other social networks -- needs to do more. Rather than just passively post security notices to the blog, proactively send these notes to all users. Perhaps host some Webinars that teach its users about how to safely navigate around the site. Produce research beyond the blogs. Be more open about the vulnerabilities and acknowledge them when they occur (without providing exploitable details, of course). Maybe Facebook should take the lead and develop a "Secure Social Network Consortium" and partner with other sites and even security companies to boost user awareness.

In the meantime, Facebook can spend some time at Defcon (maybe view how attacks are carried out or recruit folks with an adversarial mindset) and learn how they can improve their own application security, protect against cross-site scripting, request forgery, and so on. But user education needs to come first.

  • Banks have this problem

    User gets phished or malwared and then goes onto Internet banking and gets ripped off... then whose fault is it? The user? Probably, but that is just driving them away from online banking. So banks are tackling this problem themselves. Educating the user has failed so far. So why would we expect Facebook users to be educated? Heck, the stakes are lower and Facebook's pockets are a lot shallower than a large bank's.

    Nope, there's a way to do this... but it involves real-time profiling of the user's clickstream and engaging additional controls for high-risk actions. Updating your blog, probably okay. Adding external links, sending a lot of messages, adding a lot of friends... time to increase the incline of the treadmill with a CAPTCHA or something. Not a total solution, cuz nothing ever is... but it shoves more work back at the bad guys. And that's always fun.
    • Learning the hard way

      The same as children touching something very hot even when they've been told to be careful.

      It's the only way that they'll learn.
  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    This was helpful information; I'm trying to learn more about the risks of social network sites.

    I don't know if this was intentional, but ironically one of the links in this article was to "Myspace" instead of to "Facebook". Just another reminder that links can be to any site and not what you necessarily expected (although the link does say "Myspace").
    Bob C User
  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    I think that social networks can fight back but the solution to online hacking on social networks need to be a more organic one. Educational and technological measures are very much indispensable. But they need to be backed by regulatory measures (e.g. sanctions against the hackers including being blacklisted, withdrawal of access to such sites/internet) to be effective. For more on this, please consult the blog entitled 'Worms, Trojans and Malwares: A Bad Case of Indigestion' on http://cyberpanda-cyberpanda.blogspot.com/
  • RE: Facebook's (futile) malware exorcism

    Perhaps I'm missing something, but isn't this strongly analogous to the existing antivirus war (of course that situation isn't fully satisfactory-- but it does allow email to work)?

    Somebody invents malware and starts one or many websites to spread it. Those websites get linked into the Social Network. Users that click on those links get infected. On track so far?

    Then, why can't some entity like the antivirus companies detect these sites on the web? Then feed the offending URLs to a link-screener at the Social Network, which disables the links.

    Or, if the Social Networks want to do this themselves, why can't they test links as they are posted and identify the bad ones (like Google is doing?)?

    The numbers don't seem all that different. Spurious sites and exploits are not more common than email exploits are they? And not harder to detect? And not hidden in any larger a haystack?

    To me it looks expensive but doable. What do you think?

    Meanwhile, why can't something more direct be done about the exploiters? Surely the billions they cost society constitute a major crime? And larger numbers of them could be caught and prosecuted? Maybe the UN needs an organization analogous to the FBI to handle international crime?
    • ps-

      ps- or, the anti-bad-link company could feed the info to a desktop browsing-screener on the user's own computer. This would put the economic bill on the user (who can at least afford something to combat the problem) and would also cover bad websites in any browsing context.
      • or

        The user can just check the links.
  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    If people want an "open" internet- want to have the freedom to add links and to alter their site as they see fit- then they have to accept the responsibility and risks that come with it. It's simply not possible to "hand-hold" the millions of people online so that they don't click on something they ought not to.

    If you want to be safe online, educate yourself about it. Keep up-to-date antivirus and spyware protection running and, for Pete's sake, use a healthy dose of scepticism before clicking on and downloading anything. In the end, it's all up to the end user.

  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    Facebook can do a screening of outgoing links and check against a known database and warn the user accordingly.
  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    They could test every link, but just testing once before a link is allowed wouldn't be enough - scammers could add malware content to a page after the link was approved. Testing all links regularly would be necessary, and it would get very expensive.
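An added example (not Facebook's code, and not from any of the commenters) that sketches the link gate discussed in this thread: a blocklist of known-bad hosts, a re-check of approved links once their approval ages past a TTL (the point made in the comment above), a warning when the visible link text names YouTube or Google but the URL goes elsewhere (the lure described in the article), and a step-up challenge when one account posts a burst of external links (the "Banks have this problem" suggestion). The host names, thresholds and the scanner callback are assumptions.

```python
"""Constructed Wall-link gate: blocklist + approval TTL + brand mismatch + burst step-up."""
from collections import deque
from urllib.parse import urlparse

RECHECK_SECONDS = 6 * 3600          # how long one clean scan is trusted (assumed)
BURST_LIMIT, BURST_WINDOW = 5, 600  # >5 external links in 10 min -> challenge (assumed)
TRUSTED_BRANDS = ("youtube.com", "google.com")

def host_of(url):
    """Lower-cased hostname of a URL, without a trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def brand_mismatch(link_text, url):
    """True when the text says 'YouTube'/'Google' but the href host is not that brand."""
    host, text = host_of(url), link_text.lower()
    for brand in TRUSTED_BRANDS:
        name = brand.split(".")[0]
        if name in text and host != brand and not host.endswith("." + brand):
            return True
    return False

class LinkScreener:
    def __init__(self, blocked_hosts, scanner):
        self.blocked = {h.lower() for h in blocked_hosts}
        self.scanner = scanner      # scanner(url) -> True if the page is malicious (assumed)
        self.approved_at = {}       # url -> time of the last clean scan
        self.recent = {}            # user -> deque of recent external-link post times

    def check(self, user, link_text, url, now):
        """Return 'block', 'challenge', 'warn' or 'allow' for one posted link."""
        host = host_of(url)
        if host in self.blocked:
            return "block"
        last = self.approved_at.get(url)
        if last is None or now - last > RECHECK_SECONDS:
            # Approval expired (or never given): scan again, since a page that was
            # clean when first posted may have been replaced with malware since.
            if self.scanner(url):
                self.blocked.add(host)
                return "block"
            self.approved_at[url] = now
        q = self.recent.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) > BURST_LIMIT:
            return "challenge"   # e.g. show a CAPTCHA before the post goes live
        if brand_mismatch(link_text, url):
            return "warn"
        return "allow"
```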
  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    What Facebook and other social networks can do is avoid leaving holes in their security so that content may be added without tracing the identity of the person who adds the malicious link.
    It is the concept of trust: if a person adds malicious content, he or she should know that they can be banned from the community or punished. As in life, if someone does something wrong the police will catch him (at least if they know who he is).
  • Security is key

    As a businessperson, this makes a very good case for blocking facebook from the workplace.

    As a techie, it also makes me glad I use Firefox, as the exploit here gets neutralized by non-Microsoft browsers like it and Safari.
  • RE: Facebook's (futile) malware exorcism - can social networks fight back?

    You could just deny any invitations to join a group or cause that involves the use of any third-party application.