
Social Networking and The OPSEC Threat II



Page 2: Social Networking and The OPSEC Threat II

Soldiers were recently given permission to access on-line social network sites via their government computers:

INFORMATION WEEK, 12 Jun 09 –

“There's long been a military-wide ban on access to a number of specific social media sites, and while that still stands, some soldiers will now be able to access other social media sites that had inadvertently gotten caught in the same ban despite not being on the official banned list. Last month, the 93rd Signal Brigade of the 7th Signal Command, which oversees the Army's communications networks inside the United States, published an operations order that officially allows soldiers to access Facebook, Delicious, Flickr, Twitter, Vimeo, and Web-based e-mail (e.g., G-mail, Hotmail, etc.) within the contiguous United States.

Sites placed on a block list by superseding order of the Joint Task Force-Global Network Operations remain on the list, including YouTube, MySpace, Photobucket, and Pandora, while the 93rd Signal Brigade remains silent on a few other sites like FriendFeed, Digg, and StumbleUpon. Exemptions for these sites and others have to go through a formal process, beginning with the submission of a request for information to the 93rd Signal Brigade.”

Page 3: Social Networking and The OPSEC Threat II

What are social networking sites? *

Social networking sites, sometimes referred to as “friend-of-a-friend” sites, build upon the concept of traditional social networks where you are connected to new people through people you already know.

The purpose of some sites may be purely social, allowing users to establish friendships, while others may focus on establishing business connections.

Although the features of social networking sites differ, they allow users to provide information about themselves and offer some type of communication mechanism (forums, chat rooms, email, instant messenger) that enables you to connect with other users.

* Mindi McDowell, US-CERT

Page 4: Social Networking and The OPSEC Threat II

What security implications do these sites present? *

Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of personal information. When deciding how much information to reveal, people may not exercise the same amount of caution as they would when meeting someone in person, because:

- the internet provides a sense of anonymity
- the lack of physical interaction provides a false sense of security
- (social network) users tailor the info for their friends to read, forgetting that others may see it, too
- they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat, malicious people are drawn to them because of the accessibility and amount of (personal) information that’s available. The more information malicious people have about you, the easier it is for them to take advantage of you.

Using information that you provide about your location, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

* Mindi McDowell, US-CERT

Page 5: Social Networking and The OPSEC Threat II

10 Social Networking Security Trends To Watch

MySpace. Facebook. LinkedIn. Orkut. Who doesn't have a profile on at least one of these sites these days? The explosion of social networking has reinvented communication as we know it, creating new opportunities to develop friendships, romances and business contacts all over the world -- a fact which has not gone unnoticed by the malware authors and organized crime.

"Things are happening at such a rapid rate, it's hard to slow that momentum," said Dan Hubbard, senior director, security and technology research, for Websense. "And because they're investing so much money in it, it's very difficult to insert security into that paradigm."

"The attackers understand that this is going on and are gravitating toward that," he added. In a Web 2.0 world, social networking can turn into a security nightmare when hackers exploit users and steal information for profit. As a result, businesses and individuals alike will have to strike a balance, and find new ways to achieve their objectives while staying safe on the Internet.

Page 6: Social Networking and The OPSEC Threat II

BUT, here's a look at some of the things experts say we can expect to see more of in the world of Web 2.0 social networking.

1. Spam, Spam And More Spam

Like the Nigerian bank scam, this one is not going away any time soon.

Spammers that are getting the door slammed in their faces with e-mail spam filters now have found new ways to access users with social networking sites, especially in the workplace. Experts say that spam is more profitable than ever.

2. Third Party Threats

It's no secret that as applications acquire more functionality, the more susceptible they are to security threats. As social networking sites encourage users to build add-ons for their network, users will be opening themselves up to exploits from vulnerabilities in third-party applications. Consequently, users will increasingly be subjected to things like buffer overflow vulnerabilities in image uploaders, which are typically hosted by third parties.

3. Surprise, You've Got Spyware

Perhaps nothing is more ironic than pesky banner ads claiming that your site is hosting every kind of virus known to man and then offering to clean it up -- for a small fee of course. As more social networking users increasingly fear malware on their computers, they become bigger targets for these kinds of pop-up adware, tricking them to download fake anti-virus cleaners which are benign at best and destructive at worst. The irony of course is that this kind of adware is doing the very things that they're trying to prevent.

Page 7: Social Networking and The OPSEC Threat II

Things experts say we can expect to see more of in the world of Web 2.0 social networking, cont.

4. It's A Worm

It's social networking at its finest. Experts say social networking users can expect more threats to travel virally -- what infects one person will then infect everyone on his or her friends list.

One recent example was the Orkut worm, in which a prankster spread a spammy message to almost 400,000 Brazilians with profiles on the site. However, experts say that other rapid, self-replicating viruses will likely be more malicious, designed to steal or delete users' personal information like date of birth and passwords. That data can then be sold in numerous black market economies or used to acquire credit card and bank information. Often the same login credentials used on Facebook and MySpace are also used to access banking and other sensitive accounts.

5. ‘Poking' Holes in XSS Flaws

In a recent attack, millions of Facebook users were left exposed to a cross-site scripting vulnerability affecting the user interface of the site's Job page. Among other things, the vulnerability gave the attackers the ability to install malicious software as well as trick users into handing over their credentials through fake logins. The social networking site plugged the hole May 23.
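The cross-site scripting flaw in item 5 is, at bottom, a page that pastes a user-supplied value (here, a field on a job listing) into HTML without encoding it. The following is an added example, not code from the presentation or from any site it names, showing the vulnerable rendering beside the fixed one and a crude check that tells them apart. The job record, the template and the helper names (`renderJobVulnerable`, `renderJobSafe`, `hasForeignTag`) are all constructed for this illustration.

```javascript
// Added example: output encoding as the fix for stored/reflected XSS in a
// profile or job page. Not the presentation's code; names are hypothetical.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value. '&' must be handled first so that the
// entities produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: untrusted values are concatenated straight into the
// markup, so a value that contains a tag becomes part of the page and runs in
// every visitor's browser.
function renderJobVulnerable(job) {
  return `<div class="job"><h2>${job.title}</h2><p>${job.company}</p></div>`;
}

// Hardened rendering: every untrusted value is encoded for the HTML-text
// context it lands in. The browser displays the characters instead of
// interpreting them.
function renderJobSafe(job) {
  return `<div class="job"><h2>${escapeHtml(job.title)}</h2><p>${escapeHtml(job.company)}</p></div>`;
}

// Demonstration check only (not a production XSS filter): does the rendered
// output contain any tag the template itself did not emit?
const TEMPLATE_TAGS = new Set(["div", "/div", "h2", "/h2", "p", "/p"]);
function hasForeignTag(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed sample: a job entry whose title field carries markup.
const hostileJob = {
  title: "Analyst <script>alert(1)</script>",
  company: "Example & Co",
};

console.log("vulnerable:", renderJobVulnerable(hostileJob));
console.log("safe:      ", renderJobSafe(hostileJob));
```

The point of `hasForeignTag` is only to make the difference visible; the real defence is encoding every untrusted value at the point it is written into the page, using the encoder for that context (HTML text, attribute, URL, or script are all different).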

Page 8: Social Networking and The OPSEC Threat II

Things experts say we can expect to see more of in the world of Web 2.0 social networking, cont.

6. Flash Attacks

It's the beauty of Web 2.0. There are more attacks on Flash now than ever before. Applications such as Adobe Air and Microsoft Silverlight, which allow the browser to be used in a more effective way, also increase the attack surface.

Naturally, the prolific use of Flash is one of the evolutions that make Facebook and MySpace so lucrative to attackers. As anyone with a profile knows, these technologies are extremely pervasive, as well as fun, when doing social networking. Unfortunately, a recent exploit in Adobe Flash has become a huge security threat. Experts say that so far hundreds of thousands of Websites have been compromised, including thousands of networking site pages, as the result of the Flash exploit loose in the wild.

7. Phishing For Friends

As companies restrict access to social networking sites, the individual user will become the victim of highly targeted and personalized spearphishing attacks. These attacks could come in the form of spoofed pages, or simply by an unknown user inviting someone to join their friend network.

It won't be hard. After all, a lot of your information, from where you spent your last vacation to your childhood pet, is probably already somewhere on your profile. Plus, experts say that users are often more willing to click on unknown links or surrender personal information because they're on a trusted medium that encourages the unrestricted sharing of info.
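Item 7's spoofed pages usually arrive as a link whose visible text names the real site while the address points elsewhere, or whose host merely contains the site's name. The block below is an added example, not part of the presentation, of the kind of check a message filter or security awareness tool can run over incoming messages to flag such links. The trusted-host list, the sample message and the helper names (`checkLink`, `analyzeLinks`, `hostFromText`) are constructed for the example.

```javascript
// Added example: flag links whose display text and destination disagree, and
// links whose host only looks like a trusted site. Not the presentation's code.

// Constructed list of sites the organisation treats as trusted.
const TRUSTED_HOSTS = ["facebook.com", "myspace.com", "linkedin.com"];

// true if host is base itself or a subdomain of base
function isUnder(host, base) {
  return host === base || host.endsWith("." + base);
}

// Extract a hostname from link text such as "www.facebook.com/login" or
// "http://facebook.com"; returns null when the text is not URL-like.
function hostFromText(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#]|$)/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Returns a reason string if the link looks deceptive, otherwise null.
function checkLink(href, text) {
  let hrefHost;
  try {
    hrefHost = new URL(href).hostname.toLowerCase();
  } catch {
    return "unparseable href";
  }
  // Mismatch: the text names one host, the href goes to an unrelated one.
  const textHost = hostFromText(text);
  if (textHost && !isUnder(hrefHost, textHost) && !isUnder(textHost, hrefHost)) {
    return "link text host differs from href host";
  }
  // Lookalike: the brand name appears in a host that is not the trusted site.
  for (const trusted of TRUSTED_HOSTS) {
    const brand = trusted.split(".")[0];
    if (!isUnder(hrefHost, trusted) && hrefHost.includes(brand)) {
      return "lookalike of " + trusted;
    }
  }
  return null;
}

// Walk every anchor in an HTML message body and collect findings.
function analyzeLinks(html) {
  const findings = [];
  for (const m of html.matchAll(/<a\s[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]*>/g, "").trim(); // strip inner tags
    const reason = checkLink(href, text);
    if (reason) findings.push({ href, text, reason });
  }
  return findings;
}

// Constructed sample message: one mismatched link, one genuine link, one
// lookalike host. The .example domains are reserved placeholders.
const SAMPLE_MESSAGE = `<p>Hi, I saw your profile and want to connect.</p>
<a href="http://facebook.com.account-review.example/login">www.facebook.com</a>
<a href="https://www.facebook.com/">Facebook</a>
<a href="https://facebook-security.example/">click here</a>`;

console.log(analyzeLinks(SAMPLE_MESSAGE));
```

The two tests are deliberately simple (no public-suffix list, no homoglyph handling), so the check catches the crude spoofs the slide describes and reports what it found; it should feed a warning to the user or a reviewer rather than silently dropping messages.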

Page 9: Social Networking and The OPSEC Threat II

Things experts say we can expect to see more of in the world of Web 2.0 social networking, cont.

8. There's A MySpace Clause In The Company Handbook

With increased mobility, companies are also moving to become more flexible regarding users' rights to access their social networking pages (as the Army has now done).

This creates problems when it opens up completely new threat vectors.

9. Linked Out

When one door closes another opens.

This tried and true adage has never rung more true than with social networking. Attackers frustrated by their inability to enter corporate networks because of sophisticated controls, now have a whole new point of entry with LinkedIn, which allows them to access personal professional information and spoof employee profiles.

Page 10: Social Networking and The OPSEC Threat II

Things experts say we can expect to see more of in the world of Web 2.0 social networking, cont.

10. All About The Money

Reflecting current cyber crime trends, experts say that attacks on social networking sites will increasingly become more financially driven.

Until recently, attacks like the Samy worm on Facebook simply shut down sites and impeded traffic. However, soon similar attacks will wreak havoc on users' bank accounts as attacks become more complex and organized. This also means that sites like Facebook -- which touts a more professional, white-collar user base -- as well as professional networking sites like LinkedIn, will increasingly become targets for organized crime.

"The types of attacks we've already seen, we'll see more of. They'll be better targeted toward monetization," said Brian Chess, founder and chief scientist for Fortify Software. "Along those same lines, having all of your information all there on a site that isn't controlled by users and whose security practices aren't paramount, isn't always the best deal."

While experts say that they can't predict the future, it's likely that social networking sites like MySpace and Facebook will start taking more responsibility regarding their security practices -- especially if users significantly change their behavior or avoid logging on altogether.

Page 11: Social Networking and The OPSEC Threat II

HOW MUCH OF YOUR PERSONAL INFORMATION ARE YOU OR YOUR FAMILY WILLING TO COMPROMISE?

Page 12: Social Networking and The OPSEC Threat II

The latest educational information and ways to protect yourself from the latest scams can be found at

http://www.ftc.gov/bcp/consumer.shtm

If you become a victim of a phishing incident, forward the phishing e-mail to

www.IFCCFBI.gov, or [email protected]

If you are an Army employee, you can also protect your home computer by downloading free antivirus and firewall software from the Army Computer Emergency Response Team at

https://www.acert.1stiocmd.army.mil/Antivirus/Home_Use.htm