Securing Social Networks, from Facebook to MySpace to LinkedIn

Security researchers Shawn Moyer and Nathan Hamiel are well-known for poking holes in myths surrounding security on social networking sites.

Their presentation Feb. 7 at ShmooCon 2009 in Washington, D.C., was no exception, as the two walked through examples of attacks and social engineering on sites such as MySpace and LinkedIn.

As I told Moyer afterward, it is easy to walk away from their presentations with the impression that social networks are hopelessly broken. But there are a number ways the average user, application developers and site owners can improve security.

Hamiel, senior security consultant with a company called Idea Integration, said that for starters social networking sites need better default privacy settings. When left to their own devices, the average user is probably not going to follow the most secure practices, he said. For example, many people don’t think about the security implications of allowing HTML in comments on MySpace, he explained.

“Most people don’t know [for example to] disable HTML in comments; they don’t understand the risk of that,” Hamiel said. “What I was finding on MySpace was a lot of bands and a lot of actors and actresses who have MySpace pages were disabling HTML comments, but it wasn’t because of any security threat. It was because of the fact that they didn’t like people putting huge images and messing up the layout of their MySpace page.”

The duo suggested solving some of these types of problems by tightening default privacy settings and educating users about possible threats, perhaps in the form of a little box that appears after log-in with some security tips.

“All of these sites by default share all of your profile information,” said Moyer, senior security consultant at FishNet Security. “Almost all of them have a default setting of nearly nothing in your profile is private, and most people don’t even know they have a settings page on their Facebook.”

Beyond that, another fundamental concern is the user’s ability to link to offsite content, which could potentially be malicious. From a security perspective, that should be a no-no, Hamiel said.

An equally problematic issue is the lack of identity verification on social networking sites, particularly ones that are used heavily for business purposes, such as LinkedIn.

“I can pick a name and call myself an employee of eWEEK, and it might take a month before someone [identifies] that,” Moyer said. “I don’t know how they [address] that. To me, I would think that the companies with over 100 employees or so would have some sort of process where they validate themselves.”

What it all comes down to, the researchers agreed, is a general lack of awareness.

“People aren’t aware of the threats that they face on social networks,” Hamiel said. “Ultimately, whose responsibility is that? Is it really the social network owner, or is the onus completely on the people? I think it’s pretty much 50-50.”