Technology.am (Dec. 24, 2009) — Nowadays many internet users spend most of their day on Facebook and Twitter, updating their statuses and checking out their friends' tweets and feeds. That sounds harmless enough, but have you ever considered that the quantity of information a user shares, and the level of trust placed in social networking sites, cause particular security and privacy problems?
A new study from Sophos found that Facebook users divulge a lot of personal information to new friends, including ones they don't actually recognize or have never met. Using fake profiles, Sophos sent friend requests to 100 random Facebook users, and over 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone numbers and addresses: private information strangers shouldn't have.
The openness of Twitter, where anyone can follow anyone else and posts are indexed by search engines, makes it a paradise for spammers. Kaspersky says almost 500,000 new unique URLs appear in Twitter posts every day, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about them.
Problems: Malware, account hijacking, phishing, and social engineering
The major malware risk is Koobface (an anagram of Facebook), a worm that targets social networking sites and primarily affects Windows-based computers. Once a computer is infected, the worm hijacks the Facebook account and sends messages to the victim's friends, tempting them to click on a link. The link redirects to a Web site where they are urged to download software, supposedly to watch a video. There is no video, however; just malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute bogus antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface can now automatically generate new profiles using infected machines, he said.
Facebook accounts can be hijacked in numerous ways. A brute-force attack can be used to guess passwords. Users can be caught by phishing attacks when they click on links in messages or e-mails supposedly from friends that redirect to a bogus Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is an enormous problem for social networks because the trust users place in messages and posts from friends can easily be exploited by scammers. Hijacked accounts are used to send everything from spam touting weight-loss plans, to links that install malware and steal passwords, to bogus crisis messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and carry an attachment containing a Trojan.
* Use antivirus and anti-malware software and keep it updated.
* Install security updates for the operating system and other software.
* Use software such as AVG LinkScanner or McAfee SiteAdvisor to guard against phishing and malware attacks.
* Become a fan of the Facebook Security page, which has posts related to all kinds of security issues, tips, resources and other information.
* If you suspect you have been infected with Koobface or other malware, reset your password and notify your friends.
* Use an up-to-date browser with an anti-phishing blacklist, such as Firefox 3.0.10 or Internet Explorer 8.
* Be careful when entering your password. Make sure you are logging in from a genuine Facebook page on the Facebook.com domain.
* Be wary of strange stories or offers that are too good to be true.
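As an added example (not code from the original article), here is a small Python check of the last-but-one tip: it accepts a log-in link only when the parsed host really is facebook.com or one of its subdomains over HTTPS, so that lookalike hosts, embedded credentials and a "facebook.com" buried in the path do not pass. The sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# The registrable domain a genuine Facebook log-in page is served from
# (assumption for this example).
GENUINE_DOMAIN = "facebook.com"

def is_genuine_login_url(url: str) -> bool:
    """Return True only if url is an HTTPS page on facebook.com or a subdomain.

    Compares the parsed host, not the raw string, so 'facebook.com' appearing
    in a path, a query, a user name or a longer lookalike host does not count.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # malformed URL (e.g. bad IPv6 literal)
        return False
    if parts.scheme != "https":
        return False              # a real log-in page is never plain HTTP
    if parts.username is not None or parts.password is not None:
        return False              # https://facebook.com@evil.example/ style
    host = parts.hostname         # lower-cased, port stripped
    if not host or "xn--" in host:
        return False              # punycode/IDN look-alikes are never genuine
    return host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)

# Constructed sample links of the kind a user might find in a message.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",
    "https://facebook.com/",
    "http://www.facebook.com/login.php",
    "https://www.facebook.com.login-verify.example/",
    "https://evil.example/facebook.com/login.php",
    "https://facebook.com@evil.example/",
]

def genuine_links(urls=SAMPLE_LINKS) -> list:
    """Filter a list of URLs down to those that pass the check."""
    return [u for u in urls if is_genuine_login_url(u)]
```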
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems are the same. Since users don't supply much personal information to Twitter, can even create accounts with entirely false information, and since anybody can follow anyone else, there aren't the same privacy issues, either. But that makes life easy for spammers.
Security does appear to be a troublesome area for Twitter. The site has had several serious incidents stemming from compromised employee accounts. In January, somebody broke into the Twitter internal network, perhaps by guessing a password, and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, somebody broke into Twitter's network and gained access to 10 accounts, which appeared to include those of Britney Spears and Ashton Kutcher. And last week, the legitimate account of a Twitter employee was used to take control of the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Twitter users are vulnerable to having their accounts hijacked, and the site has been hit by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that spread the original tweet to all of the user's followers.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they are posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs and looks for attack patterns in the posts, such as the use of popular terms to indirectly lead people to malicious links.
Social networks are also vulnerable to other serious security problems that can hit any kind of Web site. For instance, last week the passwords of 32 million users, stored in plain text on the RockYou site, were exposed by a SQL injection attack, according to security firm Imperva. Because those passwords are reused on other sites affiliated with the social networking application maker, the breach jeopardized other accounts, such as Gmail, Hotmail and Yahoo.