While they present a wonderful opportunity to meet people with similar interests, sites like MySpace, Facebook, and even LinkedIn can also cause trouble.
In his book Art of Deception, Kevin Mitnick, arguably one of the most notable criminal hackers in history, talks about how he used the phone, not the Internet, to con his way into various companies. Using social engineering, Mitnick was able to insert himself into the target company, often conveying up-to-the-minute information about managers and supervisors being on vacation in order for a subordinate to give him vital corporate information.
Today, penetration testers, professional gray-hat hackers who attempt to break into sponsoring companies, use these same social tricks to see whether employees will divulge key information. Often they do so the old-fashioned gumshoe way of walking into a branch office and somehow finagling the company phone book or organization chart out of some hapless employee.
Now, commercial spammers and phishers are starting to use social engineering. In what's known as spear-phishing, they can target an individual, sharing just enough personal information to earn their trust. But the individuals being spammed aren't always corporate execs, they include ordinary people. And the personal information the spammers are using can be harvested in just a few hours, just by scanning someone's Facebook or MySpace page.
Personal threats from social networks
I talked with Tod Beardsley, lead counterfraud engineer for TippingPoint, a provider of network-based intrusion prevention systems. TippingPoint monitors several Fortune 500 companies, but we talked about the growing influence of social networks in the corporate workplace. "I think the main threat that most people would associate with social networking is the threat of too much information," he said.
When you have these giant open sites that contain a lot of personal information or relationship information between people, it's suddenly a lot easier to replicate these Mitnick-style social engineering attacks with a lot less effort.
"The story with social networking is they ask you a bunch of questions about yourself and people will generally answer them. This includes things like name, age, where you live, and who your friends are. The threat comes from the fact that other people can harvest this information, and they can harvest it automatically." Beardsley said that Kevin Mitnick was able to reconstruct the organization chart in companies that he was targeting in order to insert himself into fake e-mail threads and more. "When you have these giant open sites that contain a lot of personal information or relationship information between people, it's suddenly a lot easier to replicate these Mitnick-style social engineering attacks with a lot less effort."
Companies do or do not allow it
So should companies allow access or not? Beardsley said the answer depends on corporate culture, how individual HR and IT departments feel about social networks. "Like instant messaging, people do this at work, and while they're at work they tend to be talking about work. So one of the problems that companies face now is: Are people populating their resumes with confidential information, information on a secret project they're working on -- stuff like that."
Beardsley said that high-tech companies, companies that are government contractors, and even the government itself should probably monitor what their employees post to these sites. "There is this issue with employees giving away too much about how they do their jobs, and what they do at their jobs, and what their backgrounds are in. That can make it fairly easy for a hacker to collect this information and figure out who's worth targeting and that sort of thing."
Malware vector
Aside from spreading information, social networks are becoming targets for malware. Just as corporate e-mail was used to spread Melissa and ILoveYou, social networks are becoming enormously popular with malware writers. "If the user is uploading something malicious like, say, the Sami worm," Beardsley said, "and if you run pretty much everything that you get from MySpace, you'll get hit. Not just you, but millions of other people." He continued, "If you have a browser zero-day, you know that as soon as you can get it onto MySpace, you will instantaneously get millions of people to follow it, and that's the Internet, the entire Internet.
"The thing is that every time there's a bug in a Web browser, usually one of the mitigating factors is that you should only visit Web sites you trust and that you know. Well, with this trust relationship that you may have with Facebook or MySpace or LinkedIn, or any of these networking sites -- that trust is not only with those particular corporate entities but all their users, all their advertisers, all the content-aggregating servers that they use, all of these guys inherit the supertrust that you have given these social networking sites."
Play video
There are currently no comments for this post.