As Sophos explains in its "Security threat report: July 2009 update," which covers the first six months of 2009, hackers are increasingly using sites such as MySpace, Facebook and Twitter to gather valuable information and launch phishing attacks.
In response, many organisations say they are blocking access to the sites from work systems, partly to prevent a loss of productivity, but also because of security fears.
"Social network sites need to take time to bolster security; otherwise the hackers and cybercriminals will take advantage of them in a big way," said Graham Cluley, a senior consultant at Sophos.
Cluley said the social networking websites need to "grow up," and he singled out Twitter for special criticism, saying: "You can set up a Twitter account without giving it an email address, so they have no way of sending you a confirmation email. Furthermore, if you want to run a dictionary attack against a Twitter account, the service allows you to try as many times as you like. Any sensible website would allow you three or four tries before blocking access. It is basic stuff."
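The "as many times as you like" problem Cluley describes is a missing failed-attempt limit on the login path. The following is an added example, not code from the Sophos report or from Twitter, contrasting an unthrottled password check with one that locks an account after a small number of failures, and running a constructed dictionary attack against both. The account store, the wordlist and the lockout thresholds are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed demo credential store: one account with a weak, dictionary password.
# Passwords are stored as salted PBKDF2 hashes; the plaintext appears only to seed the demo.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
ACCOUNTS = {"alice": (_SALT, _hash_password("sunshine", _SALT))}

# Constructed attacker wordlist; the real password is the sixth guess.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "sunshine", "dragon"]


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored hash."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_password(password, salt), stored)


class UnthrottledLogin:
    """Accepts unlimited guesses: the behaviour criticised in the article."""

    def attempt(self, username: str, password: str) -> str:
        return "ok" if check_credentials(username, password) else "bad_password"


class ThrottledLogin:
    """Locks an account for LOCKOUT seconds after MAX_FAILURES consecutive failures.

    A clock callable is injected so the lockout expiry can be tested deterministically.
    """

    MAX_FAILURES = 4      # assumed threshold ("three or four tries")
    LOCKOUT = 900         # assumed lockout period in seconds

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        # While locked, return the same answer whether or not the guess is right,
        # so an attacker cannot use the lockout window to confirm a correct guess.
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if check_credentials(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT
            self.failures[username] = 0
        return "bad_password"


def dictionary_attack(login, username: str, wordlist):
    """Try each word in turn; return (recovered password or None, list of outcomes)."""
    outcomes = []
    for guess in wordlist:
        result = login.attempt(username, guess)
        outcomes.append(result)
        if result == "ok":
            return guess, outcomes
    return None, outcomes


if __name__ == "__main__":
    print(dictionary_attack(UnthrottledLogin(), "alice", WORDLIST))
    print(dictionary_attack(ThrottledLogin(), "alice", WORDLIST))
```

Against the unthrottled check the wordlist recovers the password on the sixth try; against the throttled one the fourth failure locks the account and every later guess, including the correct one, is answered with "locked". A per-account lockout has a known cost: an attacker who knows a username can lock the legitimate owner out, so production systems usually combine a per-account counter with per-source-address rate limits, progressive delays or a CAPTCHA rather than relying on lockout alone.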
The sites could also provide users with better feedback on the strength of their passwords, and help them create passwords that are more difficult to guess. "It would be terrific if more of these sites actually graded your password, and gave you an idea of how strong it is," he said. "They could block the use of dictionary words, for instance. Those things are relatively trivial for social networking sites to implement, but they haven't really grown up yet. Their businesses have grown so quickly that they are running before they can walk."
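The grading and dictionary-word blocking Cluley asks for is a small amount of server-side logic. The following is an added example, not code from Sophos or any of the sites named, showing one way to grade a candidate password: normalise it (lower-case, undo common "leet" substitutions), reject anything built on a denylisted word or with too little variety, then grade the rest by a character-pool entropy estimate. The denylist, the substitution table and the grade thresholds are assumptions for the demo; a real deployment would load a large breached-password list.

```python
import math
import re

# Constructed denylist of common passwords (a real list has millions of entries).
COMMON_WORDS = {
    "password", "letmein", "welcome", "sunshine", "football",
    "qwerty", "monkey", "dragon", "iloveyou",
}

# Assumed leet-speak substitutions, undone before the dictionary check
# so that "P@ssw0rd" is treated as "password".
_LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def normalise(password: str) -> str:
    """Lower-case the password and reverse common character substitutions."""
    return password.lower().translate(_LEET)


def contains_dictionary_word(password: str, words=COMMON_WORDS) -> bool:
    """True if any denylisted word appears inside the normalised password."""
    norm = normalise(password)
    return any(word in norm for word in words)


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: length times log2 of the character pool actually used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33   # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def grade_password(password: str):
    """Return (grade, reasons); grade is 'reject', 'weak', 'fair' or 'strong'."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if contains_dictionary_word(password):
        reasons.append("built on a dictionary word")
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    if reasons:
        return "reject", reasons

    bits = estimate_bits(password)
    if bits < 50:          # assumed thresholds
        return "weak", [f"about {bits:.0f} bits"]
    if bits < 64:
        return "fair", [f"about {bits:.0f} bits"]
    return "strong", [f"about {bits:.0f} bits"]


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Sunshine1!", "aaaaaaaa", "qzvxkjmp",
                      "xk9#Qm2v", "correct horse battery staple"]:
        print(candidate, grade_password(candidate))
```

The normalisation step is what makes the dictionary check useful: "P@ssw0rd" and "Sunshine1!" are rejected because they reduce to "password" and "sunshine", even though a naive character-class rule would count both as mixed-case, digit-and-symbol passwords. The entropy figure is an upper bound that assumes characters are chosen uniformly; it is only applied after the dictionary and variety checks have removed the inputs for which that assumption is obviously false.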
Cluley advised organisations not to ban use of the sites altogether, but rather to educate users about the dangers and to instil best practices. "Social networks are going to become key to the way some businesses work," he said. "Many companies now use the sites to reach out to their customers, and for recruitment. If you take the tools away from people, then they will not be as productive."
The Sophos report reveals that more than half of all organisations currently block access to social networking websites, primarily to prevent time-wasting. But security concerns are also growing, with 63% of system administrators admitting that they worry about employees sharing too much personal information via their social networking sites.
In other areas of security, Sophos also identified increasing dangers, and what it calls a "conveyor belt of crime," as Internet crime becomes more professionally organised.
Sophos notes that instead of simply looking for operating system and browser vulnerabilities, hackers are also exploring security holes in other widely used software, such as the Adobe Flash Player and PDF reader browser plug-ins.
"The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build Web attack pages incorporating booby-trapped code," the researchers said. "The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date."
In the wake of these attacks, Adobe has followed Microsoft's lead by moving to a scheduled quarterly security update for Adobe Reader and Acrobat, released on the second Tuesday of every third month to coincide with Microsoft's Patch Tuesday. The first took place in June.