Social Networks Present Big Security Headache

Much of what’s in the latest Symantec Internet Security Threat Report released today isn’t startling. You know -- over 6,000 new vulnerabilities were discovered last year, the number of zero-day vulnerabilities was unprecedented, and attack kits are getting smarter and nastier. No surprises there.

There are a couple of gems, however, that should make security professionals and end users alike sit up and pay attention.

Security administrators have long known that external threats are just one of the vectors they have to monitor. As the Symantec report points out, it’s user behavior you have to worry about more than ever before. Two targeted attacks (Stuxnet and Hydraq) “teach future attackers that the easiest vulnerability to exploit is our trust of friends and colleagues.”

Part of the problem -- clearly highlighted in the report -- is that people (read: your employees) aren’t careful about what they post on social network sites. “Whether the attacker is targeting a CEO or a member of the QA staff, the Internet and social networks provide rich research for tailoring an attack. By sneaking in among our friends, hackers can learn our interests, gain our trust, and convincingly masquerade as friends,” the report points out.

“Attackers are getting cleverer. They can read where you work, what your hobbies are, where you like to eat, and who are friends are. They use that information to devise special attacks that target you. You might not expect an invitation to a unknown bistro, but how about a message from your favorite restaurant?” warns Gerry Egan, director of Symantec Security and Response in a conversation with Enterprise Strategies last week.

Egan warns that “people just aren’t careful about the information they put online, and we have to get the word out that they need to be smarter about what they post.”

Mobile and social networks are increasingly points of exposure. “Attackers can set up accounts that look just like they’re your current friends. When you receive a request to join your network, users think, ‘I thought they were already a friend, but I guess not,’ and just as quickly add them to their inner circle. Now the attacker has access to all your sensitive data.

On the mobile side users are lax about downloading apps. Trojan apps look “just like legitimate apps, and users don’t think twice when they download and install them,” Egan explains, and we are starting to see a steady trickle of new Android Trojan apps in circulation

The report also notes that financial assets are no longer the only target of hackers. Intellectual property is becoming a popular target. It’s getting easier, given user behavior. “Hydraq would not have been successful without convincing users that the links and attachments they received in an email were from a trusted source.”

Another eye opener: shortened URLs are popular for distributing attacks -- such as links to malicious Web sites -- because they hide the actual destination. OK, I know this is the “Duh!” part. What surprised me was that during the three-month period studied, “two-thirds of malicious links in new feeds observed by Symantec used shortened URLs.” [emphasis added]

Remember that adage your elementary school teacher drilled into your head: when you get to a railroad crossing or street corner: Stop, Look, and Listen. Perhaps today’s teachers should train their young, tech-savvy charges to add IBM’s famous one-word directive to those words of wisdom: Stop, Look, Listen, and Think!

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 04/04/2011