I was discussing social networking sites with a friend the other day and a slip of my tongue revealed the biggest weakness of these sites: I called them social engineering sites. I know, I know, yet another SE article. Not so. I’m going to discuss the growing trend of social networking and the inherent weaknesses found in these sites.
Everyone always hears what “they” say about them: social networking sites are dangerous, they are vulnerable, people can hack your computer through them, viruses spread through them, etc. Immediately, the site in question gets smeared. Interesting, to me anyway, is that it doesn’t seem to slow the acceptance and use of these sites at all. New contenders spring up out of nowhere, exploding onto the scene like the first time you see Jaws break the surface. There is no question, Web 2.0 (I really dislike buzz words, especially that one for some reason) has radically changed the Internet.
That being said, what makes these sites more vulnerable than any other site you visit? Nothing, really. At least at their core. The only thing that really makes them more vulnerable is the fact that so many people use them that they become highly prized targets. I said at their core though. That’s where things get tricky. Most of these sites are not really all that bad when standing alone. This is where Web 2.0 and mashable buzz words start wreaking havoc. At its core, each of these sites is not bad, but opening up an API to allow extensions or applications to be installed on the profile starts to become a problem. Some sites that offer too much control to the user (hi MySpace) also present problems. If nothing else, giving novices access to design their own completely tasteless site to look like some horrid thing from the early ’90s is just plain wrong. More often than not, I come across profiles that don’t even load right, at least I hope they don’t. I’d hate to think someone intentionally wanted their profile to scroll a mile to the right to see the second column of the page. At least it appears we are trending away from this: first Facebook restricted users to a basic template so all profiles are uniform, and now Twitter doesn’t allow a user much of anything other than basic update functionality and a handful of backgrounds from which to choose.
Don’t believe me? Look at twitpwn.com and the Month of Twitter Bugs going on over there. We are at day 8 and so far, all the vulnerabilities are from vendors using the API and messing things up. This isn’t to say Twitter is without its problems, but the problems from the trend of mashable applications integrating with a wide variety of other applications far outweigh the problems a single source may have. This is only natural.
So let’s move forward in terms of what are some of the most dangerous aspects and weaknesses of social engineering, I mean networking, sites.
CLASSIC SOCIAL ENGINEERING PITFALLS
Let’s start here. How many people put a little too much data on their profile? How many of those people expose that profile to the general public, not just their friends? How many of those friends online are actually, you know, friends? Is it easy to find what high school you attended (hello Facebook)? Do you use the “What high school did you attend?” security question for your login to your bank? Really? So I can easily obtain most of those so-called personal security questions just from browsing your profile(s)? Hmm, not too good.
Other problems may come of you tweeting too much information about your company. Having problems with a firewall? Planning a large rollout of network gear? Did you just tell the world there is a major shift in the topology of your network and it may be down, disrupted, and certainly may not be looked at as closely during the event? Tsk tsk. Revealing insider deals that could affect stock? Oops!
Have you been partying and posted pictures of you drinking heavily and acting less than professional? That could affect your current employment severely. It could hurt your employer’s relations with its clients. It could hurt your future employment when you get canned for it and the prospective employer finds it. If you’re going to stand a chance of being found by an employer or if you are mixing personal and business data on a profile, remember to keep it clean and that anyone can see it.
Knee-jerk comments are very difficult. People explode and in a fit of rage, post a status update, or tweet something. No amount of wishing is going to put the genie back in the bottle. This “new media” is incredibly dangerous when it comes to blurting things out. If they say friends don’t let friends drunk dial, how much worse is it to tweet drunk?
I’ll close this section with one more idea. I can’t tell you how many of my friends post messages on Facebook regarding their upcoming vacation, post what they are currently doing on vacation, and finally let us know when they are coming home. While I enjoy seeing pictures of you all enjoying yourselves in Hawaii while I sit suffering the oppressive heat of Louisiana, those pictures can wait until you come back.
This is only worsened by accepting anyone who wants to be your friend. I know it’s hard to ask for proof you know someone and you don’t want to be rude and not reciprocate a follow on Twitter, but please consider what you are saying and whom you are saying it to. Even if you personally know and trust everyone in your friend list, maybe it’s a bad idea to say it anyway. After all, do you know all their friends? How many times have you seen a picture of a friend posted on Facebook, gone to comment, and then realized you couldn’t because it was on the profile of someone who is not your friend? Comments spread, people. Loose fingers sink much more than the ship, much much faster.
Passw0rds, P@ssw0rds, P@$$words
With all the sites nowadays you have to log in to, that’s a lot of passwords to remember. Are you using the same password for all your social networking sites? Come on, admit it. Do all those sites use encryption, or are you sending your credentials in clear text? In other words, do you see https instead of http in the address bar? Look at myspace.com next time you log in and tell me what you see. If you are using the same password at all these sites, and one of them gets compromised by either an attack against the site itself dumping all the account data, or something that attacked you, there is considerable damage to be had. Now you stand the risk of disinformation and malware being sent out from all your accounts without your knowledge. Do you use the same password to bank with? Tell me you don’t! Please!
This brings us to the next major section of the article: actual attack vectors on these sites. We need to look at client-side attacks, vulnerable “applications,” and worms. It all comes back to the user. The term “click happy” I think aptly defines our society. Especially on these sites. My friend posted it, so it must be safe for me to click that link, right? Really? Maybe he thought that too before getting hacked by Mary, who thought that of Tom, who thought that of Steve, who said Jan would never mess with him and then… well… Jan was just plain stupid. It happens. We all know it. Someone at the office invariably opens the email attachment, excited to see the ecard they were sent. It doesn’t matter how often it happens. After that, it spreads as if coming from you. Don’t be so quick to click! Do I need to mention tinyurl and the like? All the URL shortening services are absolutely perfect for funneling malicious links to unwitting click-happy victims.
Vulnerability Plugins
The growing mashable market allows for all sorts of disasters to creep in. As I stated earlier, look no further than the Month of Twitter Bugs. Sites such as Facebook and now MySpace are allowing third parties to write applications that can be added to your profile. The more functionality applied to an application, the more likely vulnerabilities will be introduced. I grew up in a different time in the computer world apparently and I’m only in my mid-thirties. We were drilled with a few basic ideas in college, one of which was KISS. Keep It Simple, Stupid! What happened to that? Has it become Mashup Extremely Susceptible Systems? Sorry for my lack of creativity there. It’s certainly a MESS anyway.
Spyware, Worms, and Woes
People always hear these sites are dangerous, but don’t hear why. This informational gap is ripe for popup ads for spyware claiming to protect you. They are the same old tricks as on any other website, but now targeted to the perceived threats of social networking.
Just like you have heard a million times before with email, your friends list can be used to spread worms. Google’s own social networking site Orkut had a worm problem that hit the news a while back. It’s really no different on these sites than on your email system. In fact, worms here probably have it a little easier in that they will affect all users, at least by using them to spread, if not by directly affecting the user’s machine. Meaning, say I run Linux and Thunderbird is my email client; a worm hitting Windows and Outlook probably won’t mess up my system, nor will it be able to use my contact list to spread. Not so with social networking contacts. The worm can still spread on the site, harvest your data there and move through your contacts list. In fact, it can do all that without even needing you to log on. I am quite stunned there haven’t been more.
Cross-Site Scripting (XSS)
Don’t ask me why it’s XSS, not CSS. CSS was taken already I suppose. Anyway, this is a common attack vector affecting all web applications. The major difference here is, again, that these attacks are coming from a perceived trusted source. Why would Billy try to steal my cookies? A simple injection onto a blog or profile that then gets replayed every time someone looks at it could be devastating.
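To make the “replayed every time someone looks at it” point concrete, here is an added example (not from the original article) of a profile page rendered with and without output encoding. The function names and Billy’s sample profile are hypothetical and constructed for illustration.

```javascript
// Added example: stored profile fields are served to every visitor.
// All names and the sample data are hypothetical, not any real site's code.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links so a stored "javascript:" URL never reaches href.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : "#";
  } catch {
    return "#"; // not an absolute URL: drop it
  }
}

// Vulnerable: whatever the profile owner stored becomes markup for each viewer.
function renderProfileUnsafe(p) {
  return `<h1>${p.name}</h1><p>${p.about}</p><a href="${p.site}">site</a>`;
}

// Hardened: every stored field is encoded for the context it lands in.
function renderProfileSafe(p) {
  return `<h1>${escapeHtml(p.name)}</h1><p>${escapeHtml(p.about)}</p>` +
         `<a href="${escapeHtml(safeHref(p.site))}">site</a>`;
}

// Constructed sample: a profile whose owner stored markup instead of text.
const billy = {
  name: "Billy",
  about: 'Hi! <script>alert("runs in every visitor\'s session")</script>',
  site: "javascript:alert(1)",
};

// Rough check used here only to compare the two renderers' output.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /href="\s*javascript:/i.test(html);
}

console.log(containsActiveMarkup(renderProfileUnsafe(billy)));
console.log(containsActiveMarkup(renderProfileSafe(billy)));
```

The first renderer hands Billy’s stored markup to each visitor’s browser as part of the page; the second shows it as inert text and replaces the link with `#`.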
Air Flashes in the Silverlight
I’ve saved the final frontier for last. Adobe Air, Flash, and Microsoft Silverlight are common technologies that increase the attack surface of any site. They are becoming increasingly popular. Naturally, the prolific use of Flash is one of the evolutions that make Facebook and MySpace so lucrative to attackers. As anyone with a profile knows, these technologies are extremely pervasive, as well as fun, when doing social networking. Unfortunately, a recent exploit in Adobe Flash has become a huge security threat. Experts say that so far hundreds of thousands of websites have been compromised, including thousands of networking site pages, as the result of the Flash exploit loose in the wild. These technologies and their increasing use for their eye candy factor have naturally drawn the attention of attackers.
Conclusion
The main thing to realize is that regardless of the method of attack, you should always be aware that your profile can be exposed. Responsible disclosure of your personal and company data is crucial. Always assume that your data will be stolen and that the worst possible person to see it will eventually see it. If you think your boss will get mad if they read something, it’s probably best you not post it. If you wouldn’t invite that stranger into your home, you probably don’t want to invite him into your profile either. If you don’t put out a neon sign in your front lawn announcing you’re on vacation, you probably don’t want to put it on your profile either.
Go on, have fun on that vacation, we can wait to see the pictures.
Sleep well kiddies.
-Twisted