Social Networks Fight Back
How major social networks MySpace and Facebook are building up security -- and where their weakest links remain
September 3, 2009
Distributed denial-of-service (DDoS) attacks, spam, the Koobface virus, and worms: These high-profile threats to social networks have pressured major social networking companies to ratchet up their security during the past year.
Social networks have traditionally received a bad rap when it comes to security, but both MySpace and Facebook say they are working diligently to better protect their members and assist law enforcement in catching the bad guys.
The security of social networks attracted widespread attention with the recent DDoS attack that took down Twitter for hours and hobbled Facebook and LiveJournal, catching users and the social networks by surprise. The attack caused major service disruptions and came amid new research showing that cybercriminals increasingly are going after users on social networks, exploiting the trust relationship that goes with the territory there.
But hacks against social networks are nothing new, says Hemanshu Nigam, chief security officer for MySpace. "I found it interesting that, in general, the perception was that this was a new thing happening -- attacks taking place [on social networks]," Nigam says. "We've been focusing on [preventing attacks] since day one."
MySpace, one of the first big social networks to take off a few years ago, was hit with one of the first and biggest hacks: the Samy worm in 2006, which basically added more than 1 million "friends" to "Samy's" list in a couple of hours. Facebook and Twitter have recently been hit with attacks as their popularity and social network populations have grown, as well. And all the while, security experts and privacy proponents have called for these major social networks to improve security and user education on their sites. (Twitter did not respond to media requests for an interview for this article).
The most dangerous threats to social networks and their members are not DDoSes or Koobface, however, but the third-party applications they allow onto their sites, security experts say. Social networks, such as Twitter, MySpace, and Facebook, offer APIs for developers to write widgets and other tools and features for their sites.
"I know MySpace and Facebook have been increasing their protections. However, the same place they were vulnerable before keeps popping up, and that's in the third-party application space," says researcher Nathan Hamiel, who has conducted several social networking hacks with researcher Shawn Moyer at Black Hat and Defcon.
Other security experts agree. Third-party social networking applications are the focus of a researcher known as "theharmonyguy," who is posting major bugs in Facebook applications daily this month. He's focusing on cross-site scripting (XSS) flaws he discovered in various third-party Facebook applications, including some in Facebook's top 10 most popular applications.
Theharmonyguy says it's not just an application problem, but a Facebook API problem, as well. "They are giving the application developer full access to the [user's] profile," he says. He says Facebook isn't fully vetting third-party apps for bugs or other security issues, either.
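The XSS pattern described above comes down to one mistake: profile fields that the platform API hands to an app are concatenated straight into the widget's HTML, so a value one user controls runs as script in every viewer's browser. The following is an added example, not code from the article or from Facebook or any of the apps it mentions; the profile dictionary, the field names and the hostile value are constructed. It shows a vulnerable widget renderer beside a hardened one that escapes every field for the context it lands in.

```python
import html

# Constructed sample of profile data a third-party app might receive from a
# platform API. The "status" value is a constructed hostile input, not real data.
PROFILE = {
    "name": "Alice",
    "status": '"><script>alert(1)</script>',
    "hometown": "Springfield",
}


def render_widget_vulnerable(profile):
    """The pattern behind most widget XSS bugs: profile fields are dropped
    straight into markup, including inside a quoted attribute. A field under
    another user's control can close the attribute and start a new tag."""
    return (
        f'<div class="card" title="{profile["status"]}">'
        f'<h2>{profile["name"]}</h2>'
        f'<p>{profile["hometown"]}</p>'
        f'</div>'
    )


def esc(value):
    """Escape for HTML text and double-quoted attribute contexts.
    quote=True also turns '"' into '&quot;', which is what protects the title attribute."""
    return html.escape(str(value), quote=True)


def render_widget_hardened(profile):
    """Same widget, every field escaped on output. The data is unchanged in the
    profile store; only the rendering treats it as text rather than markup."""
    return (
        f'<div class="card" title="{esc(profile["status"])}">'
        f'<h2>{esc(profile["name"])}</h2>'
        f'<p>{esc(profile["hometown"])}</p>'
        f'</div>'
    )


def contains_injected_tag(markup, tag="script"):
    """Check used to compare the two renderers: does the output contain an
    opening tag the template never wrote?"""
    return f"<{tag}" in markup.lower()


if __name__ == "__main__":
    print(render_widget_vulnerable(PROFILE))
    print(render_widget_hardened(PROFILE))
```

Escaping on output is the fix that survives code changes; filtering on input misses fields that arrive through the API rather than through the app's own forms, which is exactly the case here. Attributes that are not quoted, or values placed inside `<script>` or event-handler attributes, need context-specific encoding beyond `html.escape`.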
Facebook, meanwhile, says it's helping theharmonyguy alert the third-party developers of vulnerabilities he finds in their apps. "We encourage people to use caution when authorizing third-party apps and only authorize those that they trust. We also have a team here that investigates applications that are reported for misusing data or otherwise violating our platform guidelines," a Facebook spokesperson says.
MySpace's Nigam says MySpace runs vulnerability scans and tests of each third-party application before it goes live. "We're doing the work for them," he says. "We put solid security in place and run tests against [the third-party applications] and make sure there's no exploitable code, no malformed HTMLs in there."
Nigam says third-party developers for MySpace undergo a vetting process that covers not only the security of their apps, but also safety and policy, and the application writer is also reviewed before any app goes live. "We knew as soon as we allowed third-party applications to enter the site that at some point, people would find ways to exploit that process," he says. "So we spent a considerable amount of time planning for exactly that."
And if there are any problems with the application, MySpace can drop and purge it quickly from the site, he says. "We're pretty vigilant when it comes to protecting our users from a bad application," he says. But Hamiel says social networking firms are conflicted about cracking down on securing their APIs for competitive reasons. "The main draw is functionality," he says. "They don't want to lose any market share to competitors. So they are probably going to be a bit gun-shy about who they turn away from developing apps."
MySpace has also turned outside for some of its security. Earlier this year, the social network began rolling out Cloudmark's Authority service, which detects and filters spam and harmful content in MySpace messages and posts.
"MySpace is different -- most other social networks aren't deploying third-party commercial security services. Others are using their own technology to do it and have developed [the tools] inside the social network," says Jamie de Guerre, chief technology officer at Cloudmark.
De Guerre says the Cloudmark service scans inside MySpace, and then Cloudmark works with MySpace to add elements to the user interface to help report any malicious activity. It also detects suspicious activity, such as a profile making lots of friend requests but not being requested by other users. "Any spam or abuse [reports] come back to our threat network, and we use that data for email or mobile operators to automatically discover new threats quickly," he says.
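The behavioral signal de Guerre describes, a profile that sends many friend requests but is never requested by anyone, can be scored from the request log alone. Below is an added example of that heuristic, not Cloudmark's or MySpace's code; the request log, the profile names and the thresholds are all constructed. It flags profiles that send many requests, receive none back, and are rarely accepted, since any one of those signals alone also matches a legitimate new user adding friends on day one.

```python
from collections import defaultdict

# Constructed friend-request log: (sender, recipient, accepted). Not real data.
REQUESTS = [
    ("alice", "bob", True), ("bob", "alice", True), ("carol", "alice", True),
    ("dave", "alice", False), ("bob", "carol", True),
    # "promo_4u" fires requests at many strangers and gets none in return
    ("promo_4u", "alice", False), ("promo_4u", "bob", False),
    ("promo_4u", "carol", False), ("promo_4u", "dave", False),
    ("promo_4u", "erin", True), ("promo_4u", "frank", False),
    ("promo_4u", "grace", False), ("promo_4u", "heidi", False),
]


def profile_stats(requests):
    """Per profile: requests sent, requests received, and how many of the
    sent ones the recipient accepted."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "accepted": 0})
    for sender, recipient, accepted in requests:
        stats[sender]["sent"] += 1
        stats[recipient]["received"] += 1
        if accepted:
            stats[sender]["accepted"] += 1
    return stats


def flag_suspicious(requests, min_sent=5, max_received=0, max_accept_rate=0.25):
    """Return profiles whose request pattern looks like spam outreach:
    high outbound volume, no inbound interest, low acceptance.
    The thresholds are constructed defaults; tune them against real traffic
    and review flagged accounts rather than acting on the score alone."""
    flagged = {}
    for profile, s in profile_stats(requests).items():
        if s["sent"] < min_sent:
            continue                      # too little activity to judge
        accept_rate = s["accepted"] / s["sent"]
        if s["received"] <= max_received and accept_rate <= max_accept_rate:
            flagged[profile] = {**s, "accept_rate": round(accept_rate, 3)}
    return flagged


if __name__ == "__main__":
    for profile, s in flag_suspicious(REQUESTS).items():
        print(profile, s)
```

Requiring all three conditions together is what keeps the false-positive rate down: a popular new member who sends many requests will also receive some, and most of theirs will be accepted.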
MySpace's Nigam says Cloudmark's service augments its in-house security measures, such as its homegrown Bloodhound tool that identifies imposter profiles used for spamming purposes, and Watchdogs, a set of tools that track spam content and block or remove it. He says MySpace takes a holistic approach to security.
"We added them to the arsenal of things we're doing to stop bad guys from hurting our users," Nigam says. "Cloudmark's [service] didn't replace anything. We added it to what we're already doing."
MySpace has also stepped up education and awareness among its users, he says, as well as forged partnerships with Microsoft and the Anti-Phishing Working Group to help report and quell phishing attacks. It also hired law enforcement specialists to help with civil lawsuits and criminal reporting of malicious activity spotted on MySpace.
"You have your head in the sand if you don't realize at the end of the day, even with the greatest technology and education, there are going to be times when something bad is going to happen," says Nigam, who is a former federal prosecutor.
Facebook, meanwhile, handles its security operations and development in-house. It filters malicious URLs and keeps a "greylist" of URLs that haven't yet been verified, according to Facebook's spokesperson. "If a user clicks on one of these, we show an interstitial page with a warning letting the person know that he or she is leaving Facebook and should be careful," he says.
The social network also has built its own automated systems to detect Facebook accounts that are likely to be malicious or compromised, such as those that contain messages with malicious links. "Because Facebook is a closed system, we have a tremendous advantage over email. That is, once we detect a phony message, we can delete that message in all inboxes across the site," the Facebook spokesperson says.
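The two Facebook measures just described, a greylist of unverified URLs that triggers a warning interstitial and site-wide deletion of a message once it is known to carry a malicious link, fit together naturally in code. The following is an added example of both, not Facebook's implementation; the host lists, the message store and the inbox contents are constructed. A link is classified by its normalized host as blocked, verified, or unknown (greylisted), the outbound-link handler turns that into a redirect, an interstitial, or a refusal, and a purge step removes every message carrying a blocked link from every inbox at once.

```python
import re
from urllib.parse import urlsplit

# Constructed reputation lists. A real deployment feeds these from abuse
# reports and URL reputation services.
BLOCKED_HOSTS = {"malware-drop.example", "phish.example"}
VERIFIED_HOSTS = {"example.com", "www.example.com"}

URL_RE = re.compile(r"https?://\S+")


def host_of(url):
    """Normalize the host: lowercase, no default port, no trailing dot.
    Returns None for non-http(s) schemes or URLs without a host."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def classify_link(url):
    """'block' for known-bad or unparseable links, 'allow' for verified hosts,
    'warn' for everything not yet verified (the greylist)."""
    host = host_of(url)
    if host is None:
        return "block"          # javascript:, data:, malformed: never follow
    if host in BLOCKED_HOSTS:
        return "block"
    if host in VERIFIED_HOSTS:
        return "allow"
    return "warn"


def outbound_redirect(url):
    """Response of the off-site link handler, as a plain dict."""
    action = classify_link(url)
    if action == "allow":
        return {"status": 302, "location": url}
    if action == "warn":
        return {"status": 200, "page": "interstitial",
                "message": f"You are leaving the site for {host_of(url)}. Be careful."}
    return {"status": 403, "page": "blocked"}


# Constructed message store: message id -> body, and per-user inbox contents.
MESSAGES = {
    "m1": "lunch tomorrow? http://example.com/menu",
    "m2": "check this out!!! http://Malware-Drop.example/setup.exe",
    "m3": "photos at https://photos.example.net/album/42",
}
INBOXES = {
    "bob": ["m1", "m2"],
    "carol": ["m2", "m3"],
}


def purge_blocked_messages(messages, inboxes):
    """Closed-system advantage: once a message is known to carry a blocked link,
    drop it from every inbox in one pass. Returns (removed ids, cleaned inboxes)
    without mutating the inputs."""
    bad = {
        mid for mid, body in messages.items()
        if any(classify_link(u) == "block" for u in URL_RE.findall(body))
    }
    cleaned = {user: [m for m in ids if m not in bad] for user, ids in inboxes.items()}
    return bad, cleaned


if __name__ == "__main__":
    for u in ("http://example.com/menu", "https://photos.example.net/album/42",
              "http://Malware-Drop.example/setup.exe"):
        print(u, "->", outbound_redirect(u))
    print(purge_blocked_messages(MESSAGES, INBOXES))
```

Classifying on the normalized host rather than the raw string is what stops trivial evasions such as mixed case or a trailing dot; a real filter would also resolve short links and check the full URL, not just the host.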
And Facebook has been able to slow Koobface infections, he reports. "On the malware front, we've mostly been fighting...Koobface. We've worked with Microsoft to push a solution to Koobface on user machines through Windows Update. By all accounts, our continuing security measures on Facebook combined with Microsoft's measures at the operating system level have been very effective in slowing the spread of the virus," he says. Facebook has slowed the spread of Koobface "to a crawl" with its partnership with Microsoft, he says.
Meanwhile, the weakest links for MySpace and Facebook lay in their third-party applications and in the users of the social networks themselves, experts say. While it's unclear just what more they will do -- either locking down elements of their APIs or more aggressively vetting third-party applications -- the careless or clueless user is still their biggest challenge.
And the social networks are well aware of that: "To combat threats, we need users' help, too," Facebook's spokesperson says. Says MySpace's Nigam: "It's their behavior you want to change. We want them to approach the Net in much the same way they approach their lives in the physical world" when it comes to security.
While there are ways to beef up defenses to DDoS attacks, there's no way to really stop them. "There is always a DDoS threat with anything, social networks or not," Hamiel says. "DDoS attacks can't be completely stopped. They can only be mitigated."