New website reveals social networks' security flaws
February 22, 2011
Security researchers have set up a new website designed to push social networking sites into practicing what they preach about Internet security. Facebook, Twitter, LinkedIn, the dating site eHarmony and others assure their members that their sites are secure; the researchers say the unfixed flaws they have reported to such sites tell a different story.
Socialnetworksecurity.org aims to publish specific details of security vulnerabilities in Web 2.0 sites such as Xing and Facebook. The site was set up last weekend by security researchers frustrated by the lack of response from those sites to the many security issues the researchers had reported.
The site manifesto explains:
In the past, the authors of this website have found many Internet-security-related issues on well-known social networking platforms and have tried to contact the responsible owners to provide detailed information on the found security issues.
Separately, Socialnetworksecurity.org warns that an insecure script on Facebook can be abused to build more convincing phishing attacks, and that this flaw is still live.
The German-based team behind the site, who wish to remain anonymous, want to push vendors into taking responsibility for security holes. As a first step they want Web 2.0 sites to set up a dedicated security contact form and to accept confidential reports of security problems by encrypted email.
The team also wants to warn users about possible issues on the sites they frequent, and Socialnetworksecurity.org encourages users to submit details of security issues they have encountered.
The latest example is a worm, first seen on Facebook in January, that spreads through photo-album chat messages and began proliferating across the site over the weekend. It is one of many security flaws found on Facebook recently, adding to the sense of insecurity many Facebook users already have.
The photo lure dupes users into downloading a malicious file disguised as a photo-viewing application: victims are prompted to click a "View Photo" button, which fetches the file.
Users who fell for the scam were infected with malware that the security firm Sophos has dubbed Palevo-BB. The malware then sends the same lure to the victim's Facebook contacts, continuing the infection cycle and spreading to thousands more machines.
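The propagation pattern described above, one account re-sending an identical lure to its whole contact list within minutes, is also the pattern a site operator can look for. The following is an added example, not code from the article, from Facebook or from Sophos; the tab-separated log format, the sample messages, the ten-minute window and 20-recipient threshold, and the list of program file extensions are all assumptions made up for the example.

```python
"""Flag worm-style fan-out in a message log.

Added example (not code from the article, Facebook or Sophos).  Assumptions:
the log format is made up for this example (one message per line,
tab-separated: ISO timestamp, sender, recipient, link or "-" for none), and
the thresholds and the executable-extension list are illustrative defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Extensions that mark a download as a program rather than a photo (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

LURE = "http://example.invalid/album/View_Photo.exe"  # constructed lure URL


def _build_sample_log():
    """Constructed sample: 'alice' blasts the same lure to 25 contacts in under
    three minutes (the worm pattern); 'bob' sends a few ordinary messages."""
    start = datetime(2011, 2, 19, 10, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=7 * i)).isoformat()}\talice\tcontact{i:02d}\t{LURE}"
        for i in range(25)
    ]
    lines += [
        "2011-02-19T10:01:00\tbob\tcarol\thttp://example.invalid/news",
        "2011-02-19T10:02:00\tbob\tdave\t-",
        "2011-02-19T11:30:00\tbob\terin\thttp://example.invalid/news",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse the assumed tab-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, link = line.split("\t")
        records.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                        "recipient": recipient, "link": link})
    return records


def is_executable_download(link):
    """True if the link's path ends in a program extension (the 'photo viewer'
    lure is really a download of a program)."""
    if link == "-":
        return False
    return urlparse(link).path.lower().endswith(EXECUTABLE_SUFFIXES)


def detect_fanout(records, window=timedelta(minutes=10), min_recipients=20):
    """Return [(sender, link, distinct_recipients)] for every sender/link pair
    that reaches at least `min_recipients` distinct recipients within any
    `window`-long span.  A worm re-sending one lure to a whole contact list
    produces exactly this burst; normal chat does not."""
    by_key = defaultdict(list)
    for r in records:
        if r["link"] == "-":          # a message without a link carries no lure
            continue
        by_key[(r["sender"], r["link"])].append((r["ts"], r["recipient"]))
    alerts = []
    for (sender, link), events in by_key.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):          # sliding window over time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({rcpt for _, rcpt in events[lo:hi + 1]}))
        if best >= min_recipients:
            alerts.append((sender, link, best))
    return alerts


if __name__ == "__main__":
    for sender, link, n in detect_fanout(parse_log(SAMPLE_LOG)):
        tag = " (executable download)" if is_executable_download(link) else ""
        print(f"{sender}: {n} distinct recipients for {link}{tag}")
```

On the constructed log the detector reports only `alice`, whose 25 messages all carry the same executable link; `bob`'s repeated link goes to two people an hour and a half apart and never approaches the threshold. In practice the window and threshold would be tuned against real traffic, and the executable-extension check is only a secondary signal, since a lure can just as well point at a web page.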
Facebook said it responded by removing the malicious application from its system.
Similar social engineering trickery is more commonly used to dupe users into completing worthless surveys, handing over personal details in the process or signing up for expensive text message services.
Survey scams of this kind have been an almost daily occurrence on Facebook for several months, and the problem is getting worse.
One survey scam lure making the rounds over the weekend, for example, falsely offered news of the death of the rapper Tupac Shakur.
The use of the same social engineering trickery to spread malware rather than merely to push worthless surveys suggests that cybercrooks may be upping the ante. Palevo-BB is not the first malware strain to use Facebook as an infection avenue, and other social networking sites have been hit as well.
The most notorious social engineering worm to date is Koobface, which delivered victims to scareware scam portals or carried out click fraud. Palevo-BB uses similar lures but is less sophisticated in design than Koobface.
Users of social networking sites should treat unexpected messages and downloads with caution in the light of these events. Keeping anti-virus and anti-malware software up to date on all PCs and laptops remains standard advice from security professionals, as does running a hardware firewall.
Separately, Sophos warned in a December release that Facebook's latest profile redesign exposes more user information than the old design did.
Sophos cautioned that the revamped profile, then in beta and due to be rolled out gradually over the following weeks, is designed in a way that encourages users to reveal even more about their daily lives to the dominant social networking site.
From a privacy standpoint the revamp is a step backwards. For example, the new About profile page encourages users to share experiences, discover common interests and highlight meaningful relationships.
The effect is to single out a user's closest relationships and strongest interests. Previously that information sat in a plain list and was not flagged as especially important; now it is, and that is a major concern, among others.
Sophos urges Facebook users to reconsider how much data about themselves they really wish to share through the new profile, warning that it may not be only their closest friends and contacts who get access to the sensitive information, but just about anybody.