Social networking sites are a target-rich opportunity for hackers

Published 11 August 2008

Social networking sites — Facebook, MySpace, LinkedIn — are becoming more popular with both users and hackers; the biggest danger from social networking sites is that they embed powerful features that only a few subscribers actually use, such as digital image or media files with the ability to download content from third-party Web sites, which expose users to risk.

There is a new target for malicious software, identity thieves, and online mischief-makers: social networking sites such as Facebook, MySpace, and LinkedIn. The Washington Post’s Brian Krebs writes that some of the talks given last week at Black Hat would probably make most people want to avoid the sites altogether, but it turns out that staying off these networks may not be the safest option, either.

The biggest danger from social networking sites is that they embed powerful features that most subscribers will never use, such as digital image or media files with the ability to download content from third-party Web sites, said Shawn Moyer, chief information-security officer at Agura Digital Security, a Web and network security firm. Moyer and Nathan Hamiel, senior consultant for Idea Information Security, gave a presentation Thursday called “Satan is on My Friends List,” in which they demonstrated the many ways that user-created applications popular on MySpace could be used to hijack and lock out accounts, or trick the user into installing malicious software. Even if one does not create a page for oneself on one of these social network sites, others may do so: with the permission of security pioneer Marcus Ranum, Hamiel and Moyer created a LinkedIn profile on Ranum’s behalf, including a photo of him and bits from his résumé to make the profile look legitimate. In less than twenty-four hours, more than fifty people had joined his LinkedIn network. Among those taken in by the stunt was Ranum’s sister. “Even if you just put some basic information out there that’s easy to find, you’re kind of controlling your privacy that way,” Hamiel said.

In another presentation at Black Hat, two researchers presented various ways to create mischief using Google Gadgets, free programs such as calendars or photo feeds that people can add to their personalized Google home pages. The trouble is that anyone can create gadgets and make them available for download on Google’s site. These gadgets can include arbitrary JavaScript commands and other powerful programming features that expose the user’s system and network to a laundry list of nasty attacks, from phishing to data poisoning and data theft to Web site defacement and surreptitious internal network scanning. “How do you know it’s a legitimate gadget?” asked Robert “RSnake” Hansen, chief executive of SecTheory, a security consultancy. “There’s no moderation. There’s no way to guarantee it won’t turn bad.”

In a statement given to the Associated Press, Google said that it scans all gadgets regularly for malicious code, and in the “very rare” instance one is found, it’s immediately blacklisted.