Social networking threats get tougher, says report

Wikis, blogs and social networks offer companies an array of communication channels, but new figures show that these Web 2.0 tools are a main target for hackers looking to spread malware.

Wikis, blogs, social networking sites and other Web 2.0 technologies offer companies an array of communication channels with customers, suppliers and staff. But Web 2.0 should also carry a government health warning.

Web 2.0 poses some obvious risks. For instance, employees who spend too much time socialising online are not productive, and those who share too many company secrets with their friends may be putting the company and themselves at risk.

But new figures also confirm that social networking sites, such as Twitter and Facebook, are increasingly being targeted by hackers as a means of spreading malware and also stealing information.

According to the Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report produced by Web security company Breach Security Inc., social networking sites were the most targeted vertical market in the first half of 2009, and accounted for 19% of hacking incidents. Last year, social networking threats were not significant enough to figure as a separate category.

The report also showed a 30% increase in Web attacks compared to the first half of 2008, reflecting the fact that hackers are increasingly turning their attention away from email-borne threats.

The new 'battleground for malware'

Popular social networking websites have become a new home for malicious code, according to a new report from security company Sophos Plc
"A lot of organisations are rushing to embrace Web 2.0 to help them communicate with employees, customers, third parties and suppliers. But there is a risk of data loss and of the attacks we are now seeing," said Nick Garlick, managing director of Nebulas Security Solutions Group, a London-based security, acceleration and virtualization company.

"All of these social networks are interlinked. People adopting these technologies will be hooked into the APIs of Twitter, Facebook and so on. If any of those sites become infected, then you can become vulnerable."

The recent series of distributed denial-of-service (DDoS) attacks against several social media sites, including Facebook and Twitter, underline the problem. The attacks were intended to hit a single Georgian blogger who had expressed anti-Russian views, but they affected millions of users. "It amazes me that one guy in Russia could bring down Twitter and have a global impact. He was just trying to take somebody's blog offline. Imagine what he could have done if he really wanted to do some damage," Garlick said.

Given the social networking threats, some companies take the view that the risk is too high. According to the July 2009 threat report from antimalware offerer Sophos Inc., around one third of all companies put a blanket ban on access to Facebook, Twitter and MySpace, and a slightly lower percentage (28.9%) even block LinkedIn. Some apply a partial ban, only allowing certain staff to use the sites, or limit when they can access them. Just under a half of companies apply no controls.

Most people, however, agree that Web 2.0 is the communications medium of the future and that companies will have to find ways to manage it. "The workforce is living in a different world to information security's view," said Mark Murtagh, technical director of security company Websense Inc. "Staff and employees are living in a communication-rich world, while IT is struggling to deliver a framework to the business to allow employees to communicate in a rich fashion, and to do it safely and securely."

As he said, today's new employees know about IT and expect to be able to use multiple technologies to communicate and collaborate. "They won't necessarily stick to email, they want to use rich Internet applications, IM, and communicate across different portals. IT security is still using old technologies to identify known bad stuff, as opposed to using policies, frameworks and technologies to let these employees use the new technologies," Murtagh said.

Control over use therefore has to become more granular and tied to policies. Rather than just banning or allowing access to a certain site, companies need to control what information goes out via Web 2.0, and also block any malware that may come in from infected URLs or attachments.

Monitoring of email communications has already become an established practice, especially in the U.S. A recent survey among medium to large U.S. corporations conducted by email security company Proofpoint Inc. found that nearly four out of 10 companies now employ staff to analyse the content of staff emails.

But doing that in the U.K. and the rest of Europe, where privacy laws are stricter, can be tricky. According to Morag Hutchison, an employment expert at law firm Pinsent Masons, if companies want to monitor communications, they need to spell out clearly their email and Internet policies to staff, including how much personal usage is allowed. Enforcement of the policy also has to be consistent and even-handed. "It should not just be applied to people the company wants to let go," she said.

But even if you can get the policies right, employing people to monitor staff communications is an uphill task in a Web 2.0 world, and it does not tackle the malware threat. Technology has to be part of the answer, coupled with security best practices.

"In 11% of the attacks mentioned in the WHID report, companies said they had no way of tracking where the attacks had come from. They were not keeping logs. These are fundamental things for security best practice," Garlick said.

He said until basic security best practices are adopted, companies would remain vulnerable to social networking threats. "We've known about the vulnerabilities in this report for years," he said. "SQL injection is the top threat, but authentication is number two. People are doing brute-force attacks on passwords and breaking into accounts that way. It comes back to the same old security best practices -- things such as strong authentication."

Garlick added that attacks like SQL injection and cross-site scripting should be easy to prevent with secure coding practices and readily available code analysis tools.

Once the basics are in place, Garlick strongly recommends the use of a Web application firewall to check for incoming malware. "It is important to ensure your own code is secure, of course, but you need a Web application firewall because with Web 2.0 you are connecting to other sites. You need to prevent data leakage, or people getting into your application."

So far, he said that only around 5% of companies that he talks to have a Web application firewall installed. But with Web 2.0 -- and the threats associated with it -- on the rise, that figure needs to increase.

Graham Cluley on social networks and spear phishing attacks:

Read more on Security policy and user awareness