Security researchers Nathan Hamiel and Shawn Moyer revisited a topic near and dear to their hearts at ShmooCon 2009 - security on social networks. Afterward, they spoke to eWEEK about some of the top changes that could make using sites like MySpace, Facebook and LinkedIn more secure.
Security researchers Shawn Moyer and Nathan Hamiel are well-known for poking
holes in myths surrounding security
on social networking sites
Their presentation Feb. 7 at ShmooCon 2009 in Washington,
D.C., was no exception, as the two walked
through examples of attacks and social engineering on sites such as
MySpace and LinkedIn.
As I told Moyer afterward, it is easy to walk away from their presentations
with the impression that social
networks are hopelessly broken
. But there are a number ways the average
user, application developers and site owners can improve security.
Hamiel, senior security consultant with a company called Idea Integration,
said that for starters social networking sites need better default privacy
settings. When left to their own devices, the average user is probably not
going to follow the most secure practices, he said. For example, many
people don't think about the security implications of allowing HTML in comments
on MySpace, he explained.
"Most people don't know [for example to] disable HTML in comments; they
don't understand the risk of that," Hamiel said. "What I was finding on MySpace
was a lot of bands and a lot of actors and actresses who have MySpace pages
were disabling HTML comments, but it wasn't because of any security threat. It
was because of the fact that they didn't like people putting huge images and
messing up the layout of their MySpace page."
The duo suggested solving some of these types of problems by tightening
default privacy settings and educating users about possible threats, perhaps in
the form of a little box that appears after log-in with some security
"All of these sites by default share all of your profile information," said
Moyer, senior security consultant at FishNet Security. "Almost all of them have
a default setting of nearly nothing in your profile is private, and most people
don't even know they have a settings page on their Facebook."
Beyond that, another fundamental concern is the user's ability to link to
offsite content, which could potentially be malicious. From a security
perspective, that should be a no-no, Hamiel said.
An equally problematic issue is the lack of identity verification on social
networking sites, particularly ones that are used heavily for business
purposes, such as LinkedIn.
"I can pick a name and call myself an employee of eWEEK, and it might
take a month before someone [identifies] that," Moyer said. "I don't
know how they [address] that. To me, I would think that the companies with over
100 employees or so would have some sort of process where they validate
What it all comes down to, the researchers agreed, is a general
lack of awareness.
"People aren't aware of the threats that they face on social networks,"
Hamiel said. "Ultimately, whose responsibility is that? Is it really the
social network owner, or is the onus completely on the people? I think it's
pretty much 50-50."