Social insecurity

Unprotected, hugely popular, built on trust… and ripe for exploitation: no wonder cyber criminals find social networks irresistible

“First,” says David Emm, a senior security researcher at Kaspersky Lab, “comes a good idea. Then that idea is developed and implemented. And only then, possibly, is security considered. Security is almost always retrofitted to a good idea.”

Social networking applications are a very, very good idea; and they are characterised by a lack of built-in security.

This makes them an attractive target for cyber criminals, one that is increased by two further characteristics.

First, criminals are attracted by large numbers: they like ponds with lots of fish – and social networks can be very large ponds indeed.

Cyber-crime victim: Aston Kutcher’s Twitter account was sidejacked

Secondly, almost all cyber-crime involves a degree of social engineering, of persuading people to do something they shouldn’t. By definition, our contacts in a social network are likely to be friends, family or colleagues. Trust is built into the networks – and we are more likely to do something suggested by someone we already trust.

These three elements, poor security, large size and relaxed nature, combine to make social networks an irresistible – and it has to be said, hugely successful – target for cyber criminals.

The first problem is that we simply provide too much information about ourselves and our business; and we make it available to too many people. This isn’t just a problem limited to kids who give away too many secrets and become susceptible to grooming and bullying – this is a problem that affects us all.

As business starts to use social media as a marketing channel, we start to add more and more information about ourselves and our company. Using this information, criminals can gather intelligence about companies and employees; even down to new employees that could potentially be manipulated.

We should not forget that social networks were used to gather the personal information that allowed Google staff to be socially engineered into allowing the malware on to their systems that came to be known as the Aurora attack – and spawned the whole new category known as APT: the advanced persistent threat.

We simply provide too much information about ourselves and our business. And we make it available to too many people

Other social network problems include threats such as ‘likejacking’, ‘sidejacking’ and hidden URLs. “Likejacking,” Emm explains, “is a social network variation on clickjacking – a technique that uses something apparently innocuous to redirect the user to a malicious web page.” With likejacking, the user is persuaded to click a false ‘Like’ button, which then does the surreptitious redirection.

Sidejacking is a problem not limited to social networking but prevalent where public WiFi can be used. If the traffic is not encrypted, nearby listening devices can be used to steal the session cookie that will allow the sidejacker to impersonate the victim.

This is exactly what happened to celebrity Ashton Kutcher earlier this year who effectively had his Twitter account sidejacked while at TED, the ideas-sharing conference. Twitter has since implemented an option that will automatically encrypt all of the user’s traffic: a perfect example of retrofitting.

Hidden URLs are shortened URLs, used extensively on Twitter so that any included link doesn’t take up too many of the allowed number of characters. One of the most popular URL shortening services is Bit.ly, although there are now many such services. The problem is that the shortened URL hides the true destination of the link and hackers use this to disguise the fact that you are really being sent to a malicious website. Pure clickjacking.

The most common element in social network (in) security is the trickery used to send you to a malicious website. If the security isn’t built into the network, you should consider retrofitting some of your own.

The first step is common sense, where you should use a variation on the Russian proverb: distrust, but verify – even if they’re your friends.

And the second is the use of some of the free security applications available, such as NoScript with the Firefox browser or SecureBrowsing from M86 Security for both Firefox and Internet Explorer. The latter is new. It uses M86’s analysis engines to check the content of linked pages. While you’re still reading the tweet, SecureBrowsing has visited and analysed the destination – and will tell you whether it’s safe to click.

“It gives you immediate feedback on the legitimacy of the shortened URL,” explains Bradley Anstis, M86’s vice-president of technical strategy.

“And the great thing is it performs real-time live analyses rather than simply checking against an historical list of bad URLs that could be incomplete or out of date.”

Kevin is a freelance writer and security blogger. He was the founder of ITsecurity.com.

Tags: , , ,