It seems like every time I open my email these days, someone wants to be my friend on MySpace. Or add me to their network on LinkedIn. Or to check out their vacation photos on Flickr or Photobucket. Social networking sites like these and others such as YouTube, Friendster, and Twitter are exploding all over the Internet, using the magic of Web 2.0 technology to turn everyone from teenagers to grandparents into instant publishers of content.
As a security expert, that makes me very nervous.
There's no question that Web 2.0 applications have made the Internet a much richer place by allowing individuals to connect and share personal and professional information in a way never before possible. A recent survey by the Pew Internet and American Life Project claims that more than 55 percent of teenagers in the United States visit social networking sites. Facebook reports more than 45 million active users around the world, and MySpace has more than 200 million. In May Facebook invited independent developers to build new applications for its platform and was inundated with submissions from all over the world. Within a month the company added a couple thousand applications to the site.
Social networking sites are fun, some might say even a bit addictive. But they can be a hotbed for social engineering attacks. Beyond the raft of phishing attacks associated with Web 2.0 sites, enough malicious code has surfaced to merit a discussion on the security, or lack thereof, in place to protect the millions of users around the world who can't seem to live without their daily visit to one (or several) of these sites.
No harm, no foul?
History has shown that typically the first hackers of any emerging technology aren't out to hurt anyone. They tend to develop what are called proof-of-concept attacks, which do little more than prove that the technology in question is vulnerable. But that doesn't mean these attacks don't inflict damage in other ways, particularly to a site or company's reputation.
Following are some examples of early attacks on high-profile Web 2.0-enabled sites:
- In 2005 the eponymous Samy worm infected more than a million MySpace user profiles in a matter of hours.
Impact: Bad publicity, template for other threats that came afterwards, nuisance for infected users
- In 2006 Linden Lab's virtual world Second Life suffered from "grey goo," a viral attack that had real-world impact.
Impact: Denial of service, unreliable account information, bad publicity, nuisance for user base
- In 2006 an entry on the German edition of Wikipedia was altered to contain false information about a supposedly new version of the infamous Blaster worm, along with a fake link to a fix that in reality pointed to malware designed to infect Windows PCs.
Impact: Violation of user trust, malware installed on each victim's system
- In March 2007 U.S. Senator John McCain's MySpace page was hacked, and his position on the controversial issue of gay marriage was changed. Newsvine co-founder Mike Davidson claimed credit for the attack, which he called a prank, at http://mike.newsvine.com/_news/2007/03/26/633799-hacking-john-mccain
Impact: Damage to reputation/credibility
The next wave
While proof-of-concept attacks traditionally aren't designed with criminal intent, they open the door to a second wave of hackers looking to scam innocent users. Cyber criminals are already effectively scraping information from social networking sites to develop personalized phishing and spam attacks, but to date few large-scale attacks have come to light. That doesn't mean that we're not getting there. I hate to be the bearer of bad news, but in all likelihood the largest attacks on social networking sites have yet to come.
The search for balance
Web 2.0 technology is still in its adolescence, and as a result the social networking industry is struggling to find a balance between providing functionality that encourages well-intentioned users to provide their own content, and protecting the rest of the world from users who have a different agenda. Some sites do have measures in place to protect their users (e.g. origin policies and privacy settings), but a lot of people simply ignore them, often without even realizing it.
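One concrete site-side measure behind the balance described above is how a site handles the markup its users type into their own pages, since the 2005 MySpace worm spread through exactly that channel. The following is an added example written for this column, not code from the column's author or from any site it names: it takes a constructed "about me" field and shows two ways a site can render it so that script-bearing markup never reaches other visitors' browsers. The allowed-tag list is an assumption chosen for the illustration.

```python
"""Added example: rendering user-supplied profile text without letting it
run as script. The sample input is constructed for this illustration.

Two options a site has for content that users upload to their own pages:
  1. escape everything, so the content is displayed as plain text, or
  2. keep a short allow-list of harmless tags and drop everything else.
Either one prevents markup in one user's profile from executing in the
browsers of the people who view it.
"""
import html
from html.parser import HTMLParser

# Tags the profile page is willing to keep (an assumption for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


def render_escaped(user_text: str) -> str:
    """Option 1: treat the user's text as data, never as markup."""
    return html.escape(user_text, quote=True)


class AllowListSanitizer(HTMLParser):
    """Option 2: rebuild the markup keeping only allow-listed tags.

    All attributes are discarded (so no on* handlers and no javascript:
    URLs survive), disallowed elements vanish, and text nodes are
    re-escaped on the way out.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self.open_stack: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")
            if tag != "br":
                self.open_stack.append(tag)
        # Anything not in the allow-list (script, iframe, a, ...) is dropped.

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_stack:
            # Close any tags opened after this one so the output stays balanced.
            while self.open_stack:
                top = self.open_stack.pop()
                self.parts.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=True))

    def result(self) -> str:
        # Close whatever the user left open so the page structure is not broken.
        while self.open_stack:
            self.parts.append(f"</{self.open_stack.pop()}>")
        return "".join(self.parts)


def render_sanitized(user_text: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(user_text)
    parser.close()
    return parser.result()


# Constructed sample: a profile field carrying formatting plus unwanted markup.
SAMPLE = ('<b>hi</b> I like <i>cats</i><script>alert(1)</script>'
          '<a href="javascript:void(0)" onload="x()">link</a>')

if __name__ == "__main__":
    print("escaped:  ", render_escaped(SAMPLE))
    print("sanitized:", render_sanitized(SAMPLE))
```

The escaped form shows the visitor literally what the user typed; the sanitized form keeps the bold and italic text the user wanted while the script element and the link with its event handler are gone, and unclosed tags are closed so one profile cannot break the layout of the page around it.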
Until the industry strikes this balance with conviction, users must be aware of the potential dangers in visiting social networking sites. Let me clarify: I'm not saying don't enjoy these sites. I'm saying be a bit skeptical, and use common sense when you visit them. Don't give out your home address and phone number when you register, and don't reveal too much personal information. When choosing a site password, it's best not to reuse an existing one, especially your email password, just in case. (You could go to the extreme and disable cookies and scripts in your browser, but most social networking sites won't function without them.) McAfee CEO Dave DeWalt recently addressed social networking sites in a blog entry about cyber safety at http://siblog.mcafee.com/?p=186, and while his comments address the safety of children, many of his suggestions apply to people of any age.
A new frontier
The social networking landscape is literally unfolding before our eyes, and it's exciting to watch it happen. But until proven checks and balances are in place to make sure that the content people are uploading and downloading is safe, it's the virtual Wild West out there. We need to be careful, and that means vigilance. From the eyes of this security researcher, erring on the side of caution is always a good rule of thumb. And if finding a balance between functionality in social networking and security means reducing some of the functionality, I think that's a worthwhile tradeoff.