Saturday, January 10, 2009

Facebook, the new social disease

Last week's announcement that more than 150 million people are active on Facebook (and, even more depressing, that half of them log in daily) comes with a new series of security and legal issues surrounding its use. When exactly is your account compromised by a piece of software that may not be acting in your best interests? Or could it be something more sinister, or just human error?

Don't you pine for those simple days when the line between software and malware was easy to draw? Consider these news items:

Last week, Facebook sued the Brazilian site Power.com, claiming that its automated login process violated their terms of service. According to the LA Times, Power has agreed to use Facebook Connect, but the suit brings up all sorts of issues that aren't so clear cut: is Power providing a service for its users, by consolidating several social networking logins? Or is it doing something that it shouldn't, by storing these credentials? How is that different from any number of sites that allow me to cross-post messages to different video or blog sites?
http://latimesblogs.latimes.com/technology/2009/01/lawsuit-shows-h.html

Last December, we saw the Koobface trojan, which spreads through social network news feed messages, prompting users to download what they think is an update to the Adobe Flash player but is really malware:
http://www.avertlabs.com/research/blog/index.php/2008/12/03/koobface-remains-active-on-facebook/

This was similar to a Brazilian-based attack that plagued Twitter last summer:
http://www.viruslist.com/en/weblog?weblogid=208187551

Earlier last fall, over in Russia, we saw email/SMS pitches for people to download a Java applet to their cell phones, spread via the Russian social network Vkontakte. Once on a phone, the app would automatically text several premium numbers whose charges were billed back to the user:
http://www.viruslist.com/en/weblog?weblogid=208187582

The trouble is that as these attacks proliferate, it gets harder to tell them apart from legitimate situations where people are just making dumb mistakes. Consider a new social networking user who doesn't understand the optional step at sign-up that asks whether or not to send email invitations to his or her entire address book. In just a few seconds, the simple task of joining the network has turned into the annoying one of sending out hundreds of unwanted emails. Sometimes this step isn't explained well in the sign-up process, and sometimes people aren't paying attention. Either way, it isn't malevolent; it is just a stupid user error.

Or take instant messaging, which seems so quaint now that there are lots of other networks out there. Yes, there are malware programs that propagate through IM, and there are security products that protect IM networks too. But nothing can stop human stupidity in how these IM networks are used, particularly if you store your IM login credentials on a family computer that is shared by several people. One of my colleagues has been having IM conversations with the wrong people – some that have gone on for ten or 15 minutes before he realized he was talking to the intended recipient's spouse or kids. Why anyone would leave his or her IM account wide open in this way is hard to understand. But it points out that just because someone is signed into IM doesn't mean that they are there. Remember, on the Internet no one knows that your dog hasn't logged in instead of you.

Then there are sites like omgxd.com that use your login information for IM networks, supposedly to make it easier to connect, but in reality spam all of the contacts on your buddy list. Heyxd.com is another one. I have tried to find out whether these two sites are legit or have some sinister purpose. I can't really tell, but I would recommend steering clear of both of them.

So the next time you get an email, IM or text message asking you to download a greeting card, update your Flash player, or do something else, take a moment to stop and think whether this is a request you should simply delete before moving on. You don't need to be the latest victim of a new social networking disease.

About Me

David Strom has looked at hundreds of computer products over a more than 20-year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.