Facebook evolves into an attack tool for criminals

As Facebook continues to spread like wildfire amongst consumers, and increasingly in the enterprise as new applications support its use at work, VeriSign iDefense security experts believe Facebook apps are a prime vector for cyber-criminals.

As Facebook evolves from a university alumni network into an enterprise tool, VeriSign iDefense security experts are warning that the platform is turning into a prime attack vector for cyber-criminals.

Ryan Olson, US-based analyst for VeriSign's iDefense malicious code operations, told ZDNet Australia that the thousands of new applications being developed for Facebook users, whilst enriching functionality, present a perfect channel for distributing malware.

"The potential is there and all the framework is there," said Olson.

Facebook founder Mark Zuckerberg said in June: "Rather than putting it in our terms of service that you promise not to breach our security and putting the onus on us. We are just going to open it up slowly over time."

"You use such developer applications at your own risk," Facebook states on its privacy statement.

While Facebook third-party developers are not party to the Facebook member's personal details, agreeing to install an application is ultimately a caveat emptor scenario.

Adding pressure to the rush to develop new applications for Facebook, PayPal is running a competition, which closes on August 24, offering developers cash prizes up to AU$10,000 for winning applications.

Developers require users to agree to their own terms of service and privacy policies as a condition of using their applications. Given the tendency by users to gloss over lengthy condition statements, this opens the possibility for developers to extend rights beyond the standard agreements.

However, Olson and Rick Howard, director of intelligence at VeriSign, said a longer-term problem is users' openness with personal information on public forums.

"They seem to have no sense of privacy," said Howard. "We think it could go two ways: In the future they're either going to decide they're embarrassed by all the information they've put out there or they may decide it's just the way it is and it's OK to put information out there."

In a "thought experiment" the two conducted in the US before visiting Australia, Howard said they managed to acquire enough information on one young user to steal her identity.

"We pulled down one person's name -- in this instance a female -- and everything she put out there," said Howard.

"In 15 minutes of doing Google searches, we were able to collect enough information to steal her identity."

So what can users do to protect themselves in this candid new world?

"Best practice, really. Don't let information out like that," said Howard.

He said that the "intoxicatingly interesting" nature of social networking is inherently at odds with best practice.