The middle of August was marked by several reports of Facebook security issues, all of them quite scandalous. Even though they didn’t cause any catastrophic consequences for the users, they should not be underestimated. They are another reason for talking about the safety (or hazards) of social media from the point of view of corporate network administrators.
Before discussing specific incidents, we should note that the world’s largest social networks (Facebook and Livejournal, for example) were originally designed for collaboration and information exchange within a fairly narrow circle of people. As they grew, their reach became almost identical to that of the Internet as a whole. A few years ago social networks were mainly a productivity problem for commercial companies (employees spent too much of their working time on them, so it was easier simply to ban their use altogether). More recently, however, companies have been trying to use these popular resources to promote their products and brands. This duality does not make the lives of system administrators any easier.
Chapter One. The weird lines on Zuckerberg’s wall
Unemployed Palestinian information security expert Khalil Shreateh found a serious flaw in Facebook which allowed posting messages on the wall of any user of the social network, bypassing whatever restrictions that user had enabled. He made several attempts to inform Facebook’s support team about the bug, but eventually he had to post a message on Mark Zuckerberg’s own wall before technical support realized they were dealing with a software error.
Shreateh’s account was then blocked. Facebook later restored his access but refused to pay the promised $4,000 fee for the vulnerability, citing Khalil’s violation of the user agreement and of the bug-reporting rules.
Khalil was deeply offended and promised that next time he would sell information about any vulnerability he found on the black market. Given Facebook’s popularity, there would be no shortage of buyers.
How did it end? Facebook showed odd inflexibility in dealing with an enthusiast who wanted to help, even though the whole dispute was about payment for the find. The story gained wide public attention, which is the worst kind of publicity for Facebook, both among benevolent enthusiasts and among malicious hackers. Enthusiasts saw it as a sign that working with Facebook brings nothing but a sense of social responsibility, and hackers got another reason to look for serious breaches in Facebook and use them against the most popular social network in the world. Who will suffer in the end?
Surely, the users will.
Chapter Two. Mass disabling of applications
In late August, a great number of legitimate applications written for Facebook by third-party developers were disabled. In addition, the developers’ accounts were blocked.
On August 13, the official developers’ blog posted an explanation of why some Facebook applications and developer accounts had been suspended without warning.
“The Facebook Platform and our users are constantly under attack from malicious apps and we have many automated systems to protect the platform and our users. Occasionally we detect an attack that requires us to augment those automated systems. Specifically, we identify a malicious pattern, find all the apps that match that pattern, and then disable those apps. This normally results in thousands of malicious apps being disabled and improves our automated systems’ ability to detect similar attacks in the future,” wrote Eugene Zarakhovsky, the post’s author. According to him, on August 13 they started with a broad pattern that correctly matched thousands of malicious apps but, unfortunately, also matched many high-quality apps, so the system disabled a large number of legitimate third-party apps as malicious.
“When we detected this error, we immediately stopped the process and began work to restore access. The process took longer than expected because of the number of apps affected and bugs related to the restoration of app metadata,” Zarakhovsky wrote.
As a result, the technical support services of Facebook promised to revise their methods and technologies in order to minimize the possibility of similar incidents in the future.
“We understand that incidents like these are disruptive to your businesses, and we sincerely apologize for the inconvenience,” Zarakhovsky wrote.
It is a well-known fact that there are many malicious applications written for Facebook, and cybercriminals try to exploit the network’s popularity for their own purposes. Any popular service is bound to become a target for cybercriminals: the more people use it, the more attractive it becomes for spreading malware and other unpleasant things.
In the Hacker News thread, a Facebook spokesman wrote that the share of false positives was 0.1%.
The “thousands of malicious applications” mentioned in the official blog are another reason for administrators of corporate networks to be concerned about the risks that social networks pose to corporate data.
Getting to know the risks
Facebook is the most popular social network, but it is only one of many in the world.
The question of their safety for business in general and for IT departments in particular arose a long time ago and is still very urgent. How safe is it for employers to have their employees use social networks at work?
In early July, Kaspersky Lab’s expert Kirill Kruglov wrote that surveys in Europe and the United States showed that employees spend up to 30% of their working time “on personal issues.” According to analysts, this may cause millions of dollars in losses a year.
Companies quite often solve the problem radically by blocking access to social media from work. However, first, that is hardly the best way to bolster team spirit (and it may reduce productivity and motivation); second, as I said above, more and more companies are trying, with varying success, to use social networks to promote their own products and brands. That is, Facebook, LinkedIn, Google Plus and other resources are becoming part of business processes, so denying access to them cannot be considered an optimal solution to the problem.
The question of whether social networks are safe or hazardous essentially has two aspects. The first concerns deficiencies of the platforms themselves, such as the gap Khalil Shreateh found. These are far from harmless: had Shreateh been less “socially responsible,” a malicious link could have been posted in place of his respectful message about the problem.
Attackers actively use social networks to distribute Nigerian scams and phishing messages, as well as to steal personal data: last year LinkedIn officially acknowledged the leak of 6.5 million user passwords.
The second aspect, the personal one, seems more important. Social media users have recently developed a persistent habit of “parading their lives” by posting a lot of personal (even intimate) information about themselves and their activities. Sometimes this covers not just their personal life but their professional life, too.
Individually, the published items may seem perfectly innocent, but a patient and motivated cybercriminal can piece together enough data from a person’s scattered posts to carry out a successful spear-phishing attack against that employee’s colleagues. To lull their vigilance, it often suffices to mention in the scam message a few details that appear to be known only to employees of the targeted company. Such data can be dug up almost anywhere, including office photographs or descriptions of the last corporate picnic.
What is to be done?
The answer to this question consists of purely technical measures and tools for combating specific threats.
If the company’s management decides that the damage caused by employees spending too much time on social networks can no longer be tolerated, you can grant access to social media, for example, to the marketing department only and block it for the rest of the staff. Our Kaspersky Endpoint Security solution allows access to any resource to be restricted or blocked through security policies and, if necessary, its whitelisting and web traffic control functions.
If access to social media is granted to everyone or to specific departments, each kind of threat has its own response.
Phishing messages arriving via social media? Anti-phishing tools are deployed by default. Malicious links leading to resources that stage network attacks? Kaspersky Endpoint Security for Windows has integrated protection against malware and network attacks. Additional layers of defense are provided by its application launch control and automatic anti-exploit protection.
If the company adopts the BYOD model and employees use their own devices for both work and personal purposes, security policies have to be applied equally to personal and corporate devices. Our solutions provide this simply by installing the client on the employee’s personal device.
Moreover, employees should clearly understand that the corporate image is also built on what they write about the company. Each company decides for itself what its employees may say about their work. At the very least, however, users should grasp the consequences of accidentally disclosing sensitive corporate information in a social network post, in a wrongly shared file in Dropbox or Google Drive, or even in a photo of the whiteboard in the conference room.
Attempts to teach today’s social network users to keep secrets are unlikely to achieve much, but employees should at least be aware of the possible consequences of their actions on social media.