The Tech Herald

Sophos: Social networking sites must improve security

by Steve Ragan - Jul 22 2009, 19:46


Security firm Sophos, in its latest Security Threat Report, says that recent trends all point to the same thing: criminals are targeting social networking sites. As social portals like Twitter, Facebook, MySpace, and LinkedIn have grown in popularity, so have the attacks on their users. In response, Sophos says these sites need to step up security measures.

Sites like LinkedIn and Twitter, and to some extent Facebook, are gaining popularity in business because of the productivity value they can offer. Yet, at the same time, these sites can hold a treasure trove of information. According to research from Sophos, 63 percent of system administrators worry that employees are sharing too much information, be it personal or business-related, via social networks.

“Evidence shows that their worry is justified. In June 2009, the personal information belonging to the incoming head of MI6 was exposed to the entire Facebook network, when his spouse allowed members of the ‘London’ network to view her profile,” the Sophos report mentions.

Sophos says that social networks can offer great benefits to businesses, but with that comes risk. The company proposes strong awareness training for users of these sites, so that personal and business information can remain protected. At the same time, it says that the social portals themselves need to do more to protect their members. To back this claim, Sophos lists several recent attack vectors on social networking sites, from attacks as simple as phishing to outright scams that cost one MySpace user $210,000 USD. Then there are the code-based attacks, exploiting vectors like Cross-Site Scripting, such as the one seen on Twitter thanks to Mikeyy Mooney.

"What's needed is a period of introspection - for the big Web 2.0 companies to examine their systems and determine how, now they have gathered a huge number of members, they are going to protect them from virus writers, identity thieves, spammers and scammers," said Graham Cluley, senior technology consultant at Sophos. "The honeymoon period of these sites is over, and personally identifiable information is at risk as a result of constant attacks that the websites are simply not mature enough to protect against."

The Security Threat Report also addresses malware and spam trends as well as existing attack vectors online such as SQL Injection. You can get the whole report here.
