Problem solve Get help with specific problems with your technologies, process and projects.

Does widget malware on social networking sites threaten enterprises?

Protecting enterprise networks from the malware on popular social networking sites is a complicated issue. Information security threats expert John Strand gives advice.

I have recently read about hackers using malicious widget malware on social networking sites, such as MySpace and Facebook. What threat does this represent to enterprises, and how can users defend against them?
The Secret Crush/My Admirer attacks on Facebook and the "Alicia Keys" attack on MySpace articulate how people will install an application in the hopes of finding love (Secret Crush) or would like to hear the music better via a new and improved codec (Alicia Keys).

The real question is how can we, as security professionals, protect our networks from these types of attacks? Many organizations like to have a policy for Web surfing that allows users to go to any site they want, provided that it is not on the blacklist of their outbound Internet-filtering device. Attacks like the Facebook and MySpace incidents will start pushing the bounds of these policies. There are two main reasons for this. First, the number of malicious sites is growing so quickly that Internet-filtering lists can't keep up. Second, visitors to a website don't just download content from that specific site; they pull content from a variety of different sites or locations. For example, at Facebook.com, it's possible to pull content from Forbes, Veoh (a video player), and even a voice over IP application, not to mention custom applications that users build themselves. You can be sure that security was not a priority in the development process of any of these content sources or applications.

These issues highlight not only security concerns of Facebook or MySpace, but also the security of all of the additional widgets that users have added. Also, keep in mind that these attack vectors are not limited to sites like Facebook or MySpace; they can occur on any site that allows users to upload dynamic content. Blogs, for example, have been heavily attacked via cross-site request forgery (XSRF).

Because of these concerns, enterprises should revisit their policies to address whether sites like these should be accessible from work. Many companies try to strike a balance and make their environments fun places to work, but there may be risks involved that are greater than your organization is willing to accept.

Let's also address the user education aspect of these types of attacks. Many security professionals shudder when they think about trying to educate users. However, if you choose to allow employees to visit these types of sites, user education is your first and last line of defense. So ensure the organization has a clear policy for users and that they are trained to abide by that policy. It will save the company a lot of time and trouble if they know that personal endeavors like finding new friends online or pursuing the promise of love should be explored from the privacy of their own homes, not from a work computer.

More information:

This was last published in July 2008

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.