Experts hammer Web 2.0 security

Security experts fear that social networking sites like Facebook and LinkedIn provide both a delivery vehicle for malware and the info to create targeted attacks

Even as social networking darling Facebook prepares a version of its online networking application aimed specifically at enterprise users, legions of security experts are getting behind the idea that the sites represent a serious threat to businesses and other organizations.

From the ability of malware, adware, and spam distributors to use the sites as delivery vehicles for their latest work to the opportunity for cyber-criminals to craft extremely targeted attacks using information garnered from individual profiles posted on pages of Web 2.0 properties, social networking is rapidly becoming a serious pain point, researchers maintain.

Recent examples of malware and adware distribution schemes carried out on the existing services operated by Facebook and MySpace represent merely the tip of the iceberg, they said, with many attackers likely already hard at work creating new methods for duping users of the sites into exposing themselves and the companies that they work for.

"With traditional attacks it was mostly about short-term bets by the attackers, but use of social networking is giving criminals the ability to start running long cons on people through which they can play on people's sympathies to distribute malware or infiltrate an organization to hold data for ransom," said Michael Whitehurst, vice president of global support with Marshal, a maker of Web and e-mail filtering technologies.

"If used correctly social networking can be very effective. Being able to connect with people without going through all the traditional channels has a lot of benefit," he said. "But with the potential for data leakage or targeted attacks, companies are really going to need to police usage and actively scan content coming in and out of these applications."

Other experts pointed to a recent attack carried out over MySpace through which a page on the site was altered to look as if someone visiting the URL was being prompted by their PC to install a Windows update that would instead direct them to a malware-infected Web site once someone clicked on it.

The sheer number of pages being created on the sites also makes it nearly impossible for online social networking companies to chase down all the threats being delivered over their URLs.

Even eBay and PayPal, with their considerable financial resources and technical expertise, still struggle to shut down all the cross-site scripting attacks attempted across their domains. For growing companies in the social networking space, the same problems will only be amplified, experts maintain.

"There are more than 150 million active Web sites worldwide and MySpace has something like 200 million pages; that speaks to the challenge facing these companies to secure themselves and there's no way for any security vendor to crawl all those URLs and put them in a database to use white listing or blacklisting," said Dan Nadir, vice president of product strategy at ScanSafe, a provider of hosted security services.

"We're already seeing extremely complex, well-designed attacks on these sites where there is a lot of content modification aimed at tricking the end user, with people trying to put malware on their own pages or someone else's," he said. "Companies need to realize that it's not just about malware being on porn sites or free screensaver pages anymore. Social networking is where the activity is heading, and companies need to wake up and protect themselves."

According to a recent study published by Forrester Research -- based on interviews conducted with 150 IT professionals -- 96 percent of those questioned said that they see a significant value in adopting social networking and other so-called Web 2.0 sites, but fewer than 5 percent reported that they have taken any specific security measures to help protect users of the technologies.

Most observers maintain that despite the inherent security risks, companies shouldn't block employees from accessing social networking URLs and other Web 2.0 properties, such as legitimate multimedia file sharing sites. Doing so may only serve to frustrate workers and cut off potentially valuable business opportunities that could be garnered using the applications, they said.

However, IT departments must be prepared to ward off the many types of threats that will emerge from use of the sites, including malware and targeted spear-phishing schemes.

"Companies need to adjust their security policies for Web 2.0 world today, they need to tailor their Internet use policies and create rules that include social Web sites, blogs, and all the other types of sites being created out there, the usage policies need to be spelled out specifically and enforced," said Paul Henry, vice president of technology evangelism at network gateway maker Secure Computing.

"Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim," he said. "Most companies are barely providing sufficient protection in the context of Web 1.0."

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies