Kaspersky researcher criticizes Facebook developer policy

29 May 2009

Malware attacks are becoming more targeted and more focused on social networks, according to a researcher at Kaspersky, who slammed Facebook for problems with its application certification process.

Stefan Tanase, a researcher at the Moscow-based anti-malware company, gave a webinar on malware in social networks during the same week that the Vatican launched a website aimed at its followers who use such services. Attacks generally exploit a mixture of technical vulnerabilities and human gullibility, he said.

"Underneath this eye candy, there are new attack vectors emerging that enable the bad guys to find their way into the computers that we use," he said, citing videos that point to malicious links on YouTube as an example. He pointed to Twitter, LinkedIn, and Digg comments as other fertile breeding grounds for attacks that point users to malicious websites and then deliver malware to their machines.

"They have scripts that are trying to guess what operating system a specific system is using, and trying to target their attacks," he said. "They also use geographical IP locations, so that they can target their stories more effectively, all over the world."

The company had found 43 000 malware samples related to social networks at the end of last year, Tanase said. "More than half of this number were received only in 2008." In 2007, half that number were found. "We can easily see that the growth rate is exponential," he added.

10% of malware attacks succeed when spreading through social networks, compared to 1% when spreading through email, he said, citing research published by the company earlier this year.

"It's one thing to get a link from someone you don't know as part of a random spam message, compared to getting a targeted message from someone that you know in real life, and that you trust," he warned.

Facebook announced its certified application program for developers this month. "What the developers had to do was pay a $375 fee to get their applications certified, but that fee is pretty big for normal developers, and it has to be renewed each year," said Tanase, adding that there are currently 52 000 applications on Facebook.

Bugs have been discovered in the Facebook system that stopped certified applications from showing up, he warned. "I worry about how many applications will be verified under these conditions."

He also warned users to consider the applications they run on their machines, advising them to use application vulnerability scans and to use properly licensed software so that it can receive updates. Of the critical application vulnerabilities found in 2008, 18 can lead to full system access, according to Kaspersky data, making this by far the leading category. Exposure of sensitive data was the next most prevalent, with six vulnerabilities.
