Facebook evolves into an attack tool for criminals

Liam Tung ZDNet Australia

Published: 30 Jul 2007 08:18 BST

As Facebook evolves from a university alumni network into an enterprise tool, VeriSign iDefense security experts are warning that the platform is turning into a prime attack vector for cybercriminals.

Ryan Olson, US-based analyst for VeriSign's iDefense malicious code operations, said that the thousands of new applications being developed for Facebook users, whilst enriching functionality, present a perfect channel for distributing malware.

"The potential is there and all the framework is there," said Olson.

Facebook founder Mark Zuckerberg said in June: "Rather than putting it in our terms of service that you promise not to breach our security and putting the onus on us, we are just going to open it up slowly over time."

"You use such developer applications at your own risk," Facebook states on its privacy statement.

While Facebook third-party developers are not party to the Facebook members' personal details, agreeing to install an application is ultimately a caveat emptor scenario.

Adding pressure to the rush to develop new applications for Facebook, PayPal is running a competition which closes on 24 August, offering developers cash prizes of up to AU$10,000 (£4,197) for winning applications.

Developers require users to agree to their own terms of service and privacy policies as a condition of using their applications. Given the tendency by users to gloss over lengthy condition statements, this opens the possibility for developers to extend rights beyond the standard agreements.

However, Olson and Rick Howard, director of intelligence at VeriSign, said a longer-term problem is users' openness with personal information on public forums.

"They seem to have no sense of privacy," said Howard. "We think it could go two ways: in the future they're either going to decide they're embarrassed by all the information they've put out there or they may decide it's just the way it is and it's ok to put information out there."

In a "thought experiment" the two conducted in the US before visiting Australia, Howard said they managed to acquire enough information on one young user to steal her identity.

"We pulled down one person's name — in this instance a female — and everything she put out there," said Howard.

"In 15 minutes of doing Google searches, we were able to collect enough information to steal her identity."

So what can users do to protect themselves in this candid new world?

"Best practice, really. Don't let information out like that," said Howard.

He said that the "intoxicatingly interesting" nature of social networking is inherently at odds with best practice.
