Rob Buckley – Freelance Journalist and Editor

Social networking can cause problems in the workplace, but there are solutions

A blanket ban on social networking sites at work will annoy Generation Y - without being effective. There are solutions, says Rob Buckley

Axten adds: “We also block malicious links from being shared and work with third parties to get phishing and malware sites added to browser blacklists or taken down completely.”

The company is also working with others: it collaborated with Microsoft to push a solution to the Koobface virus to users through Windows Update. “Most of these defences are invisible to users, and while malicious actors are constantly attacking the site, what you see is actually a very small percentage of what's attempted.” Facebook has dedicated security and legal teams to investigate spam, phishing, and malware campaigns. In October, it won $711 million in a suit against spammer Sanford ‘Spamford’ Wallace.

When a security issue involving an application is reported, Facebook notifies the developers and works with them to get it fixed. Depending on the severity of the issue and the responsiveness of the developer, Facebook may also remove the app's access to the site until the issue is resolved.

Most security companies agree Facebook and others are making reasonable efforts to combat attacks and to respond quickly to weaknesses. Muktadir Khan, European sales engineer at Sunbelt Software, says most threats coming through Web 2.0 are links to other, compromised sites. URL shorteners such as bit.ly obscure the nature of these sites, and Facebook et al should be encouraged to resolve these – or prevent postings.

How cybercriminals take advantage of Web 2.0...

Although many ISPs regard Facebook, Twitter et al as inherently dangerous, there have been very few vulnerabilities found in the sites themselves. Instead, Web 2.0 sites are generally used by scammers to find out information or to direct the unwary to sites that do have problems.

“People are sharing information that's sensitive and private,” says Candid Wueest, senior security researcher at Symantec. Although this information can be restricted, Facebook applications, for example, ask for access to all personal information before they can be installed. An application that's harmless in and of itself could be a Trojan Horse for a social engineer's data mining operation.

Some people also put up information in their Facebook statuses or on Twitter that seems harmless but gives attackers vital information. “If someone says they're off on a firewall course by vendor X, you know what brand of firewall they have,” said Wueest. An RSA researcher scoured LinkedIn and correlated when people updated profiles to problems with particular companies.

Malware is more likely to come from other sites than from the likes of Facebook and Twitter, which have so far proved remarkably secure. Scammers now try to propagate links throughout the Web 2.0 world that lead to infected sites. The most famous attack via Facebook so far, Koobface, sent messages from PCs infected with the worm to anyone who was friends on Facebook with the owner of the PC. This message claimed to link to a video, which would pretend to require an update to Adobe's Flash Player. If the user clicked to download it, their machine would be infected with Koobface. Koobface variants have propagated through MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar.

While Facebook and MySpace will let people know when they are leaving the site, this won't stop people from clicking the links. The arrival of Twitter with its 140-character limit has made things worse, since URL shortening services such as tinyurl.com and bit.ly have become popular, and users are now used to clicking on links they don't recognise. As a result, most organisations don't allow Twitter apps on corporate desktops.

...and how corporates get flexible but stay secure

It seems everyone wants an iPhone. If not, they want a netbook, either from Tesco or free with a contract for a 3G dongle from a mobile phone company. Once they experience the internet everywhere, people tend to want that flexibility in their working life as well. How best to give it to them, while remaining secure?
