Social sites offer spammers new tools and ideas...
February 15, 2010
In general, most Internet security firms are concerned when a new social networking site looks like it's going to become the next big thing. Gerry Egan, vice president of product development at Symantec, says "social site users already have too much information available from most of those sites and especially what lands into their email boxes, and inboxes right now are what's alarming us the most from a user's perspective."
Egan added that email spammers are always on the lookout for new ideas and new methods to send you spam, and for them social sites represent one of the very best ways, at a cost of zero. Without knowing it, some sites even offer them tools that assist them in their quest to promote their wares.
Take Buzz for example, Google's newest social networking application. The social site is already raising more and more concerns from security firms, mostly because of its worrisome default setting.
Google actually hopes to facilitate the adoption of its newest site by pre-establishing users' social networks with Gmail address books, read: millions of new e-mail addresses now available to potential spammers!
You see, Google's new Buzz social app actually seeds its own network with email addresses of contacts with whom the user appears to communicate the most... Not a very good idea unless you happen to like getting hundreds of spam emails every day of the week!
When a new user registers on Buzz, and if he or she accepts the site's default settings (which most do), that email list also becomes available to other Buzz users, and to spammers as well!
"The site's default settings automatically provide a list of followers comprised of those you chat or email with," said Michael Sutton, vice president of security research at Zscaler, an Internet security company based in Sunnyvale, CA.
Make no mistake, the potential for spam IS a BIG problem and, worse, there appears to be no end in sight.
Today, e-mail spam has become increasingly problematic on social networks, Sutton added, and if and when Google Buzz reaches the same popularity as Facebook, Twitter or LinkedIn, there's a very good chance that it will be flooded with spam trying to sell you Viagra or the latest weight-reducing pills.
Sutton added, "everyone on your social network can easily visualize who you communicate with. Google claims it takes email addresses with whom you've recently had contact, but we don't know exactly how the algorithm works for now, so just about anything is possible. And another thing we do know is that spammers are extremely good at figuring out new vehicles to spam on innocent, new victims. Once they discover a new channel, you can be very certain they will exploit it to its fullest."
Sutton said, "the model we have been seeing lately is that someone posts a Twitter message that contains a link to a virus, some spam or simply just a page with malware code in it. The same thing can and likely will develop with Buzz. But so far, Google hasn't created any security issue with its new site because email addresses are so easy for spammers to get anyway. But this nevertheless certainly has the potential of creating more security and privacy issues than someone might think at first glance."
Worse, Sutton says it's almost routine for spam bots nowadays to break into servers and grab hundreds of thousands of e-mail addresses in one single visit. He also notes that getting email addresses from the "cloud" would be an extra step for a spammer that isn't necessary either.
Sean Sullivan, F-Secure advisor for North America, says "emails can be easily collected in many ways today. Auto-generators work, for example. I get spammed a lot that way since my email address is a dictionary-based one, which isn't always recommended."
Some say Buzz is unlikely to attract generic bots or spammers, but it sure is possible for a spammer to be interested in using it to validate an email address, Mike Geide, senior security researcher at Zscaler, suggests.
He adds, "as a spammer, one could create a network of Gmail accounts connected to Buzz and follow a large number of users or simply follow their own followers, etc. The spammer would then harvest user names for those being followed, and do its best to guess at their email address and start sending spam. Once a successful guess has occurred, the email address will then be exposed in the Buzz interface validating that the email address exists and is connected to that user."
Tom Helou, president of Authenware, says "Buzz will likely be yet another vulnerable spot on the Web."
"In all the excitement to create the next Twitter or Facebook for Internet users, our analysis reveals that securing the information passed through these sites is next to impossible, at least for now. What results is a one-stop-shop for even beginner hackers or spammers to create an imitation identity and get access to some very, very sensitive and private information."