The risks from social-media-based malware and hacks are no different from those of any other service on the Internet. Some characteristics that are more unique to social media, however, are:
- Distribution - how quickly attacks and malware can go viral (pun intended). As seen with the recent Twitter worms and the Facebook click-jacking attacks, these services are designed for sharing and disseminating information. This makes them the ultimate carriers, a virtual viral superhighway.
From an organization's perspective there is a lot of pressure not to block social media sites, primarily because so many execs and senior managers use these services and the organization itself needs them for marketing and for responding quickly to customers. So simply by being so good at what they do, services like Twitter and Facebook have forced companies to increase their attack surface.
Back to the future
Is this e-mail/spam all over again, only in a different form? What's changed since then? What hasn't?
It is the same as email spam in the sense that the main goal of the malware is still to distribute its message to as many of your contacts as possible. By spoofing your identity, as the Twitter re-tweet hack did, it gains more legitimacy.
The monetization of malware and spam, however, has really lacked innovation, and that is why, although social media has changed the distribution, it has not done much to increase the actual risk. Sure, Twitter spam is just as annoying as email spam, or more so, but to really hurt you and make some money it is still limited to:
- Phishing and social engineering - i.e. you provide information such as your bank login
- Trojan - malware that either captures those details when you enter them or modifies things like the beneficiary
- Ransom - install some software like a fake antivirus and require you to pay to remove the fake viruses it finds
- Sucker - getting you to sign up to marketing services to "get that free iPad"
- Identity theft or resale of personal info - most of the info you store on Facebook or Twitter is unlikely to fetch a good price on the black market; even credit cards go for less than $1 per number, and that's if the card has not been cancelled. It is such a commodity good these days that it is barely worth the effort. So, in theory, while the amount of personal info stored on social media services could make them an attractive target for malware writers, unless you could harvest a few hundred million users, and good ones like celebrities, the real risk-to-reward for these guys is probably quite small
So what can we do?
How do users of social media platforms like Twitter, Facebook et al protect themselves against increasingly sophisticated attacks?
To go from the specific to the more general, good habits on the Internet include the firm favorites:
- Anti-malware - Do not skimp on a good anti-malware tool or two: McAfee, Symantec, AVG etc.
- Personal firewall
- Non-Windows OS - like OS X or Ubuntu is not a bad move, both for your sanity and your security; you do 95% of what you do in a browser anyway, so why do you need Windows? If you do this you can probably skip the first two points
- A modern sandboxed browser - that is auto-updated for security, e.g. Firefox 4, Chrome or Chromium
- Patching - keeping your add-ons, extensions and plugins patched up as well
- Minimize attack surface - not running software that is ubiquitous and has a massive attack surface, like Adobe Flash or Reader or Microsoft Office. Use open source and other alternatives like Google Docs, PDFCreator, OpenOffice or office.live.com
- Not clicking on anything that looks suspicious, even from someone you know. You may miss that occasional Digg or Reddit post on lolcats, but you will be better off for it in more ways than one
- Applying common sense - the iPad is the market leader, and the only reason Apple can't sell more is that those damn kids at Foxconn can only do 20-hour days. Is anyone really going to give you one for free?
What could Twitter do?
It is easy to say "have a secure development lifecycle", but I imagine Twitter to be the kind of place that would hire only coders and engineers who know some security, rather than plebs like us who know something about process design, writing requirements, analyzing designs or drawing pretty pictures of threat models. I also assume they have agile development practices and do daily or weekly code pushes, which makes it much harder to apply security requirements and design than in the slower but more robust waterfall model.
But there are still things they could do to improve security without slowing down too much:
- Security requirements - having a standard set of do's and don'ts as overarching security requirements that are stuck on every developer's desk, such as "thou shalt use the OAuth API and libraries", "thou shalt not write your own security functions" or "thou shalt not use a blacklist as input validation"
- Security libraries - use libraries like the OWASP ESAPI to stop reinventing the wheel with security
- Checklist and cheat sheet - Have a basic security checklist that is ticked off as part of the peer review of each unit of code, or by the co-developer for a story
- Scan - invest in some automated security source code scanning software and application vulnerability scanning software that integrates with the developer IDE, and run it as part of every build
- Regression test - Have a security regression test pack and run it after every change
- Review - Have a security guy who understands code review the daily and weekly code push pack. Make the dev leads for each area produce this pack, and make sure it includes a short summary of whether it impacts any security controls or has anything to do with user input
- Security push - For big changes, e.g. the upcoming Twitter site overhaul, do a proper security push
- Pen test - Get an independent penetration test done every quarter and include the dev environment in the test. Any first- or second-year tester would have found that Twitter XSS, and all this could have been avoided
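To make the "no blacklist as input validation" and "security regression test pack" points concrete, here is an added example in JavaScript. It is not code from the original post and not Twitter's own code. It contrasts a naive blacklist sanitizer with contextual output encoding for the HTML body context, then runs both through a tiny security regression pack of the kind that could be wired into every build. The inputs, the function names and the `alert(1)` probe (the standard harmless XSS test marker) are all constructed for illustration.

```javascript
// Added example (not from the original post, not Twitter's code): a blacklist
// "validator" versus contextual output encoding, checked by a small security
// regression pack. All sample inputs below are constructed for illustration.

// Naive blacklist "validation": strips a few dangerous-looking substrings.
// This is the pattern the post says a developer should never rely on.
function blacklistSanitize(input) {
  return String(input)
    .replace(/<script[^>]*>/gi, "")
    .replace(/<\/script>/gi, "")
    .replace(/javascript:/gi, "");
}

// Contextual output encoding for the HTML body context: every character that
// has meaning in HTML becomes an entity, so the browser never sees markup.
function encodeForHtml(input) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
  };
  return String(input).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Constructed regression inputs: the kind of cases a security regression pack
// keeps forever so that a fix can never silently regress.
const REGRESSION_INPUTS = [
  "<script>alert(1)</script>",            // the obvious case the blacklist handles
  "<scr<script>ipt>alert(1)</script>",    // stripping the inner tag rebuilds the outer one
  '<img src=x onerror="alert(1)">',       // no <script> substring at all
  'Hello "world" & <friends>',            // benign text that must survive readably
];

// Oracle for the HTML body context: if any raw '<' or '>' reaches the page,
// the browser can interpret it as markup, so the rendering strategy fails.
// Returns { passed, failures } rather than only printing, so a build can gate on it.
function runRegressionPack(render, inputs = REGRESSION_INPUTS) {
  const failures = inputs.filter((input) => /[<>]/.test(render(input)));
  return { passed: failures.length === 0, failures };
}

// Usage: run the pack against each rendering strategy and report failures.
for (const [name, render] of [["blacklist", blacklistSanitize], ["encode", encodeForHtml]]) {
  const result = runRegressionPack(render);
  console.log(name, result.passed ? "PASS" : "FAIL", result.failures);
}
```

The blacklist passes only the one case it was written for, mangles the nested input into a live script tag, and either lets benign angle brackets through or would have to strip them. The encoder passes every case without any knowledge of what an attack looks like, which is exactly why it belongs in a shared security library rather than being reinvented per feature, and why the regression pack should exercise the encoder at every build rather than trusting a one-off review.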