Security researchers at Black Hat laid bare some of the security risks users of social networking sites such as MySpace face as Sophos releases new information about an attack targeting Facebook.
LAS VEGAS-Sometimes our friends
aren't really our friends. Just ask security researchers Nathan Hamiel and
Hamiel, senior consultant for Idea Information Security, and Moyer, Agura
Digital Security's chief information security officer, teamed up before an
audience Aug. 7 at the Black Hat conference to lay bare some of
the security risks users of social networking sites face.
The attacks they discussed ran the gamut and included exploits that allowed
hackers to add friends to-as well as log legitimate users out of-compromised
MySpace accounts. The duo even created a phony profile on LinkedIn for fellow
security professional Marcus Ranum, chief security officer at Tenable Network
Security. Within a day, more than 50 people reportedly had fallen for the ruse
and joined the phony profile as "connections."
What the demonstration by Hamiel and Moyer showed is that personal data on
social networking sites can be manipulated by attackers. However,
their Black Hat presentation was far from the first time security pros
have put social
under the microscope. Also on Aug. 7, researchers at
Sophos published information about an attempt by hackers to infect
Facebook users by spreading messages with malicious links.
According to Sophos, messages are left on Facebook users' walls that urge them
to view a video that portends to be hosted on a Google Web site. Clicking on
the link leads users to a site that tries to entice them into downloading an
executable to watch the movie. The executable is the Troj/Dloadr-BPL
Trojan horse, which in turn downloads malicious code detected as Troj/Agent-HJX
and displays an image of a court jester poking out his tongue.
In addition, last week Kaspersky Lab detected two variants of a new worm,
Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b, which attack MySpace
and Facebook, respectively.
As evidenced by the Black Hat talk, part of the problem is the high
level of trust people have in their social networks and the applications that
reside on them. With that in mind, a little social engineering can go a long
way to get users to run untrusted applications. And it's not just personal data
that can potentially be at risk.
"Companies need to make their own mind up as to whether they want to
allow their users to access Web sites like Facebook and MySpace during office
hours," Graham Cluley, senior technology consultant at Sophos, said in a
statement. "If workers are allowed to be given access to these sites then it's
vital that they do not put their personal and corporate data at risk, and are
protected from Web-based infections."