From Koobface to spam to fake Facebook Fan pages, attacks targeting social networks are evolving to bring a new level of insecurity to an enterprise.
In his presentation Wednesday at the RSA Conference in San Francisco, Sophos Senior Technology Consultant Graham Cluley detailed some of the common types of attacks and what needs to be done about them. The attacks spanned from instances of phishing to incidents involving assumed identities, such as one scam in which someone created a fraudulent Facebook Fan page for Cluley himself.
“When you’ve got a big enough orchard, there’s going to be some bad apples,” he told the audience.
The attacks work, of course, because people are more trusting of information that appears to be coming from people they know, he said.
In a test, researchers created two Facebook profiles – one with a rubber duck as the profile picture and the other one with a cat – and sent out 100 friend requests to people in the same age group as the bogus account holders.
What they found will probably be unsurprising to most security pros – more than 40 percent of the people requested accepted the invites from the fictitious accounts.
“It was actually slightly worse with the cat…because we had people we hadn’t even approached decide to become friends with us, because they (saw) their other friends become friends with us,” Cluley said.
Such tricks can be used to lure users into clicking on malicious links or other content as well. For that reason, social networks need to do a better job of scanning for malicious content, Cluley said. With more people using Facebook in place of regular e-mail, users need to get the same level of malware scanning that they would expect from their webmail services, he said.
“We need the social networks to scan that kind of information…there’s too much relying on the users to report bad actors,” he said.
Social networks have their work cut out for them. In a recent survey of 502 IT pros, Sophos found more than 33 percent had received malware through a social networking site.
Facebook cut a deal with McAfee recently to add another layer of security for its users. Last month, the companies announced a deal in which McAfee would offer the owners of compromised Facebook accounts a free remediation tool, and Facebook users were offered a complimentary six-month subscription to McAfee software.
Noting that many businesses have chosen to ban social networks, Cluley suggested enterprises instead consider educating their employees about social engineering risks, as well as other best practices such as not using the same password for multiple sites.
“Just remember – just because someone says they’re your friend, doesn’t mean they necessarily are,” he said.