Sophos and Facebook argue about the extent of the malware threat on the social network.
Facebook is sparring with security firm Sophos over a threat report touching
on malware on social networks.
In a report
(pdf) on 2010, Sophos reported that a survey of
1,273 people in December 2010 found that 40 percent had been sent malware
via social networks, up from 36 percent in December 2009. Additionally, 43
percent admitted being sent phishing attacks, while 67 percent said they had
received spam. Both of these numbers were up from December 2009 as well, with
previous figures of 30 percent and 57 percent, respectively.
"This isn't just a problem for home users," noted Graham Cluley,
senior technology consultant at Sophos. "Many people check their social
networking accounts from the workplace, making the sites a potential vector for
attacks against businesses."
"There's no doubt that cybercriminals are showing a much higher level
of interest in the social networks than ever before, with Facebook
being the site they are targeting the most," he added.
Though Facebook acknowledged the challenge posed by security threats, the
company took issue with the idea that the social network is a malware
minefield. On the contrary, a Facebook spokesperson told eWEEK the
company's data shows that malware, spam and other attacks have decreased
in their effectiveness, and it is "much more important to measure
effectiveness than it is to measure volume."
"If your spam filter catches all the spam, does it matter that your
filter caught 10 percent more?" the spokesperson asked.
Facebook contends it has built more controls into the site to allow users to
limit the data that applications are allowed access to, providing a defense
against rogue applications by forcing disclosure and user consent to access.
The site also works to quickly sanction or remove applications found to be malicious,
the spokesperson said.
"We have a dedicated team that does robust review of all third-party
applications, using a risk-based approach," the spokesperson told eWEEK.
"That means that we first
look at velocity/number of users/types of data shared, and then we prioritize.
This ensures that the team is focused on addressing the biggest risks, rather
than just doing a cursory review at the time that an app is first launched."
Still, Sophos is not the only security company sounding the bell about
attacks on social networks. In November, researchers
reported that 22.4 percent of the users of its safego application
were exposed to malicious posts on Facebook.
"I see two possibilities," blogged Cluley. "Either Facebook
simply doesn't get security and privacy. Or it just (doesn't) care. I really
hope it's the former."
On Jan. 16, Cluley criticized Facebook for allowing applications to access
users' mobile phone numbers and address information, a decision the company
after privacy concerns were raised. Despite the
controversies regarding security, Facebook said it continues to educate
users through the Facebook Security Page, as well as through the
remediation and education process users are put through if their account
is found to have been compromised. "We wholeheartedly agree that education and
awareness is the key to combating online security threats and that this issue
is something we need to tackle together as an industry," the Facebook
spokesperson said. "For our part, we have launched numerous education
initiatives and continue to invest heavily in developing complex and
innovative systems to protect the people who use Facebook."