Harden Facebook? Sure, but where to start?

* Ryan Naraine is traveling.

Guest editorial by Paul F. Roberts

You may have heard the news that everybody's favorite social network, Facebook, won a big legal settlement on Monday against spammers who were using the 100-million-strong network to distribute what the Facebook blog describes as "sleazy messages" to its users.

That's good news and, superficially at least, suggests that the folks at Facebook are taking seriously the potential for their huge network to be gamed by scammers, spammers and other ne'er-do-wells. Unfortunately, winning a diamond-studded $873m judgment against a cubic zirconia kind of guy like plaintiff Adam Guerbuez and Atlantis Blue Capital doesn't even scratch the surface of the security question when it comes to Facebook. Indeed, from the perspective of enterprise IT, Facebook, LinkedIn, Yammer and countless other social networks have deposited a Pandora's box of nastiness on the doorstep. The only thing surprising about networks like Facebook -- given their popularity and the opportunities for abuse -- is that we haven't seen more attacks against them. You can expect to. Soon.

[ SEE: Facebook refuses to fix obvious security flaw ]

So how do Facebook and other social networks make enterprises (and individuals) vulnerable to attack? There are a few main threat vectors:

Phishing and social engineering attacks: these are the most common types of attack leveled at Facebook and other social networking applications, and they are designed to harvest user names and passwords or other personal information.

Web-based attacks: Facebook and other social networks are, of course, Web-based applications. As such, they are vulnerable to many of the same Web-based attacks as other sites. Banner ads, which are displayed on user profiles within the network, might carry malicious code or direct those who click on them to drive-by download or phishing Web sites. Facebook's own application relies on JavaScript, iframes and other vulnerable constructs for key features. Vulnerabilities will be discovered and exploited in those, as well.

Facebook-based malware: we've seen at least two examples of this in recent months. The first, dubbed "Koobface" by Kaspersky Lab and others, appeared in July and spread from compromised Facebook and MySpace accounts via Wall messages and user comments. The virus placed a malicious link to a Web-based video as a comment on a user's profile. When clicked, the virus would spam other Facebook users via the built-in messaging feature and open a video sharing site that prompted the user to download a new version of Flash Player -- actually a malicious downloader that would install a wide assortment of malware on the infected system. Another virus appeared in October and behaved in a similar fashion, but spread through Facebook messages rather than comments.

[ SEE: Demo Facebook app creates DoS botnet ]

So what's to be done? The easiest thing would be to block employee access to sprawling social networks like Facebook and MySpace altogether, or limit access to them on a "need to know" basis. Any number of secure Web gateway products can do this, and many organizations already take this approach.

If, however, you want to “harden” your organization and employees against social-network borne attacks, here are some suggestions:

  1. Virtualize it. Given the unknowability of platforms like MySpace and Facebook, the safest assumption that any enterprise IT shop can make is that, at some point, they will be attacked and successfully compromised – whether via Facebook, MySpace or some other source. With that in mind, running these high-risk applications within a virtual container that can be discarded at the end of your session is one way to reduce exposure. The idea is that even malware downloaded through a social-network-borne virus or social engineering attack will be torn down with the virtual container itself. As my esteemed colleague Rachel Chalmers notes in a forthcoming report on virtualization and security, the rising tide of vulnerabilities identified in VMware, Xen, Microsoft, Parallels and other virtualization products suggests that virtual instances of XP, Vista, Linux or OS X are no more or less secure than their physical counterparts. Relying on virtualization, in and of itself, for security is not wise. But, given the dismal state of security on most consumer and enterprise desktops and laptops, virtualization does add a layer of abstraction and – in the end – is better than nothing.
  2. Patch it. Virtualization or no, keeping your underlying operating system and applications (Web browser, Adobe reader, etc.) up to date with patches can prevent exploitation in the event of an attack.
  3. Scan it. Make sure you have a decent HTTP scanning tool on board that can inspect Web traffic and spot suspicious content. These aren't foolproof, but they're better than nothing and can flag phishing sites and other Web borne malware.
  4. Scale it back. Most users (me included) plunge willy-nilly into Facebook and other social networks with little thought of security or privacy. Kevin Moker, a VP and Information Security Officer at Liberty Bank in New York, recommends taking a slow turn through Facebook's Privacy Settings feature (Settings > Privacy Settings), which offers granular controls for granting access to all manner of content on your profile: your contact and personal information, what other users can discover about you using Facebook's search feature, and what stories about you get posted to your profile and to those of friends who are following you. Err on the side of caution: keep your personal information to a minimum and don't even think about storing your credit card info in the fields provided.
  5. Ask yourself: friend or foe? Everyone wants to sport a big social network, but given the trust that's extended to those in your network, users of Facebook, LinkedIn, MySpace and other social networks would be right to be far more discerning about who they allow into their network. Obviously, those who are complete strangers to you should be barred. Beyond that: consider what level of information you want visible to members of your network who you know – but not well. Limiting those friends to a trimmed down profile lessens your chance of having your vital information used against you in an attack.
  6. Beware of applications. Facebook has tens of thousands of third-party applications that can be used to extend the platform. The most popular of them, like Drinks for Friends, are used by upwards of a million people a month. But little is known about the security of these applications, some of which allow your friends to post active content like music and video to your profile. You can limit what profile information is accessible by applications through the Settings > Privacy Settings feature. However, applications that you authorize get access to whatever profile content they are programmed to draw upon. While Facebook's privacy rules stipulate that applications should adhere to the privacy settings you've established when broadcasting content from your profile, it's not clear that every application complies with those rules, or that FB is auditing the huge population of apps for privacy violations.
  7. NUI (networking under the influence) – just say “No.” Needless to say, reputation risk is yet another threat posed by social networks. This extends beyond your own personal and professional reputation to the image of your employer (not to mention spouse, kids, etc.) Stories abound of workers calling in sick after a late night bender, only to have bosses pass along Facebook photos of them doing keg stands the night before. Think twice, or thrice, about what images and thoughts you post and who might view it. Then just say “No.”
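As an added example (not code from the article, Facebook, or any vendor named here), the following Python scanner runs over the kind of proxy log an HTTP inspection tool like the one recommended under "Scan it" would produce, looking for the Koobface lure described earlier: a social-network visit followed within a short window by a download of a "Flash Player update" from somewhere other than Adobe. The log format, the trusted-host and social-network lists, the 60-second window and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed sample proxy log: "<epoch> <client_ip> <method> <url> <status> <content_type>"
SAMPLE_LOG = """\
1226000000 10.0.0.5 GET http://www.facebook.com/profile.php?id=123 200 text/html
1226000012 10.0.0.5 GET http://video-lure.example/watch?v=77 200 text/html
1226000015 10.0.0.5 GET http://video-lure.example/flash_player_update.exe 200 application/octet-stream
1226000020 10.0.0.9 GET http://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe 200 application/octet-stream
1226000030 10.0.0.7 GET http://www.myspace.com/home 200 text/html
1226004000 10.0.0.7 GET http://cdn.example/setup_flash.exe 200 application/octet-stream
"""

# Assumed lists: genuine Flash installer sources, and the social networks the article names.
TRUSTED_FLASH_HOSTS = ("adobe.com", "macromedia.com")
SOCIAL_HOSTS = ("facebook.com", "myspace.com")
FLASH_EXE = re.compile(r"flash[^/]*\.exe$", re.IGNORECASE)
WINDOW_SECONDS = 60  # max gap between the social-network visit and the download

def parse_line(line):
    ts, client, _method, url, _status, _ctype = line.split()
    parsed = urlparse(url)
    return {"ts": int(ts), "client": client, "url": url,
            "host": parsed.hostname or "", "path": parsed.path}

def host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def is_suspicious_flash_download(entry):
    """Executable named like a Flash Player update but not served from a trusted host."""
    return bool(FLASH_EXE.search(entry["path"])) and not host_in(entry["host"], TRUSTED_FLASH_HOSTS)

def entries(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]

def suspicious_downloads(log_text):
    """Every suspicious 'Flash update' download URL in the log, regardless of context."""
    return [e["url"] for e in entries(log_text) if is_suspicious_flash_download(e)]

def find_lure_chains(log_text):
    """(client, social_url, download_url) for each suspicious download within WINDOW_SECONDS of a social-network visit by the same client: the Koobface pattern."""
    last_social, hits = {}, []  # last_social: client -> most recent social-network request
    for e in entries(log_text):
        if host_in(e["host"], SOCIAL_HOSTS):
            last_social[e["client"]] = e
        elif is_suspicious_flash_download(e):
            prior = last_social.get(e["client"])
            if prior and e["ts"] - prior["ts"] <= WINDOW_SECONDS:
                hits.append((e["client"], prior["url"], e["url"]))
    return hits
```

On the sample log, the Adobe-hosted installer is ignored, both off-Adobe "flash" executables are reported by `suspicious_downloads`, and only the one that follows a Facebook visit within the window is reported by `find_lure_chains`.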

* Paul F. Roberts is a senior security analyst for enterprise security at The 451 Group. He has reported on security for The IDG News Service, eWEEK and InfoWorld.

  • Leave?

    I left Facebook because it started becoming too much like MySpace: anybody with two neurons to jam together can get on there and load their profile page with whatever they feel. That was the entire draw of it in the first place - the fact that the content was strictly controlled so you didn't have to sift through a page of useless crap to send someone a message.

    Every time I read stories like this, I remember what I'm not missing.
  • RE: Harden Facebook? Sure, but where to start?


    Excellent article. I think an important part about any social network is to just minimize the personal data we share to an absolute minimum. Facebook is an incredible tool and I have found so many old friends (who I vetted, of course) from high school and college.

    Great article.

  • RE: Harden Facebook? Sure, but where to start?

    Hi Paul-

    Great thoughts. The koobface worm and others like it will continue to spread. We are observing a global mess of worm distribution servers in the past week or so:

    The idea of digital certificates is a fantastic one, although even that system can be abused.

    The security community, and facebook, needs to focus. The major problem that comes to light due to koobface is that users simply do not understand what executables to trust and what not to trust. A social network adds a layer of implicit trust that is understandable but a problem.
    Vendors (of browsers, operating systems, and third party plugins) need to implement a trust model that users can understand. Users just want it to work. And no, underused, high priced, sexy hardware and software is not the answer.
    The bulk of individuals falling for this stuff are fooled by socially engineered schemes that could easily be disrupted if users knew what to trust in the first place. Trust and identity needs to be clear, not buried multiple clicks and convoluted descriptions away.

    Of course, a behavioral based security solution is the easiest solution for end users to install, but the larger problem is that the infrastructure for trusted software must be implemented in a way that users can understand. Social networking is alive and well, and its underpinnings are totally misunderstood by its users.
  • RE: Harden Facebook? Sure, but where to start?

    Facebook, Walmart and the RIAA control our country (USA).