Unfortunately, the success of microblogging sites like Twitter relies on the same elements of human nature as social engineering attacks, particularly a natural desire and willingness to share and engage with those we trust.
Most people have learned not to open attachments or links in emails from people they don't know. Yet because Twitter is seen as a friendly, group-based service, many will not hesitate to click on a shortened Twitter link, having no clue as to where it will take them.
This natural trust makes Twitter an attractive approach for a malicious user, who can use the service to initiate attacks ranging from phishing scams to malware installs. A variant of the Koobface malware, for example, sends bogus messages, or tweets, when the infected user logs into Twitter. The tweets direct recipients to a malicious website where they're prompted to download an update of the Adobe Flash player, which is, in fact, malware. URL-shortening services used in tweets also add other attack vectors, with additional DNS lookups
Part of Twitter's appeal and convenience is its ease of accessibility, but the trade-off is security. Organizations need to appreciate that free online services aren't necessarily going to provide a standard of security that matches that of their own systems. Remember there's no Twitter service-level agreement should things go wrong. A blanket ban on using Twitter, however, is probably impractical even in industries such as banking or medicine. Sure, not every employee needs access, but those in marketing or human resources just may -- even U.K. government departments have been urged to make more use of the microblogging tool.
The key to reducing the risks of Twittering is a sensible usage policy implemented through technology and training. The best way of ensuring the success of such an approach is to agree on an acceptable usage policy with your employees and then strictly enforce it. Employees are far less likely to try to circumvent any restrictions if they understand the logic behind them and have been involved in developing the overall corporate Twitter policy. Also, they will have no excuse for not knowing what they can and can't say and do when using Twitter. Web monitoring tools such as Websense Inc.'s Web Security Gateway or McAfee Inc.'s Secure Web Gateway should be deployed to enforce the policy and ensure breaches are detectable so that disciplinary steps can be taken.
The defensive technologies that can be used to defend against Twitter-based attacks obviously include traditional antimalware scanning to detect and hopefully prevent infections. Firewall rules should also control who has access and at what times, as dictated by the corporate Twitter policy. Consider the use of network access control (NAC) to vet systems before they are allowed onto the corporate network. Link checking or site filtering that weeds out known malware pages should also be considered. I recommend looking at OpenDNS, the free content-filtering service, as a way to block undesirable content and prevent network users from visiting phishing websites. If your organization uses Firefox, the Bit.ly URL-shortening service provides a Firefox plug-in that allows users to see where short URLs link to, including site page titles.
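The link-checking idea above (seeing where a shortened URL really leads, and filtering known-bad destinations, before anyone clicks) can be implemented as a small resolver that follows redirects one hop at a time and checks every hop against a blocklist. The following is an added example, not code from the article or from Bit.ly or OpenDNS. The redirect chain, the hostnames and the blocklist are constructed placeholders so the demo runs offline; the fetcher is injected so that the same logic can be driven by a real HEAD-request fetcher (one is included, but it is not exercised here).

```python
"""Expand a shortened URL hop by hop and flag bad destinations before a
user clicks.  Added example with constructed data; hostnames are placeholders."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed redirect chain standing in for what a shortener, a tracker and a
# malicious landing page (e.g. a fake "Flash update") would return as Location.
CONSTRUCTED_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/r?x=1",
    "http://tracker.example/r?x=1": "http://flash-update.example/player.exe",
    "http://short.example/safe": "https://docs.example/page",
    "http://short.example/upd": "http://cdn.example/flash_update.exe",
    "http://short.example/rel": "/landing",          # relative Location header
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",  # redirect loop
}

# Placeholder blocklist: in practice, domains from a phishing/malware feed.
BLOCKLIST = {"flash-update.example"}

# Final URLs pointing straight at an executable deserve a second look even
# when the host is not (yet) on any blocklist.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi")


def constructed_fetcher(url):
    """Return the Location header a HEAD request would yield, or None."""
    return CONSTRUCTED_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetcher(url, timeout=5):
    """Real HEAD request that does NOT follow the redirect; returns the
    Location header or None.  Not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # A 3xx surfaces here because the handler above refused to follow it.
        return err.headers.get("Location")


def expand_url(url, fetcher, max_hops=10):
    """Follow redirects one hop at a time.

    Returns (chain, verdict) where chain lists every URL visited and verdict is
    one of 'blocked', 'suspicious_download', 'allowed', 'loop', 'too_many_hops'.
    Every hop is checked against the blocklist, not just the final one, so a
    tracker that bounces through a known-bad host is still caught.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        current = chain[-1]
        host = (urlparse(current).hostname or "").lower()
        if host in BLOCKLIST:
            return chain, "blocked"
        location = fetcher(current)
        if location is None:  # no more redirects: this is the landing page
            if urlparse(current).path.lower().endswith(EXECUTABLE_SUFFIXES):
                return chain, "suspicious_download"
            return chain, "allowed"
        nxt = urljoin(current, location)  # resolve relative Location headers
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "too_many_hops"


if __name__ == "__main__":
    for short in ("http://short.example/abc", "http://short.example/safe",
                  "http://short.example/upd", "http://loop.example/a"):
        chain, verdict = expand_url(short, constructed_fetcher)
        print(f"{verdict:20s} {' -> '.join(chain)}")
```

Checking each hop rather than only the final destination matters because shorteners are often chained through trackers; a loop guard and a hop limit keep a hostile redirect chain from tying up the checker.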
The challenge for the enterprise is to protect against attacks that come through social networks without losing the potential benefits derived from using them.
Any organization that fails to outline and implement the infrastructure and resources needed to enforce safe and sensible usage of Twitter among employees is opening itself up to too many attack vectors to warrant Twitter's use. Enterprises that don't work to control the use of Twitter and give employees unfettered access are certainly putting their systems and data at risk.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in September 2009