
What makes social networks successful is precisely the thing that makes them vulnerable to hackers: Trusting and sharing with others, sometimes even strangers. Now that they’re under attack from worms and malware, operators are trying to patch security loopholes. But it’s hard to fix the DNA without altering the nature of the organism.

Facebook, MySpace and Twitter have all come under attack in recent days. In Twitter’s case, hackers whose pages contained malware started following people; by checking out their profile, those followed were compromised. With Facebook, it was a worm that spread itself through profiles. “Most web sites will, at some point, need to deal with patching a security hole,” Facebook head of security Max Kelly noted on the site’s blog last night.

What if it’s a hole social sites can’t patch?

“Right now web platforms are going through the same learning experience…that binary software went through 15 years ago,” said Adam O’Donnell, director of emerging technologies for security firm Cloudmark. “Social networks are the new operating systems in the eyes of both attackers and end users.”

The trick is to get someone to look at infectious content in the first place. Once you do that, you can use fake codecs, browser vulnerabilities and other weaknesses to infect them. So attackers appeal to your curiosity: Everyone clings to the idea of an old schoolmate or long-lost lover, for example, so they check out profiles just in case.

It’s not just curiosity; vanity is also to blame. On Twitter, you want to know who’s following you; counting followers is like the microblogger version of counting yearbook signatures to see who’s popular. So you check out your followers’ profiles, and you’re infected. Now the malware can change your content online so you, in turn, become a tool for the attackers.

The problem is that curiosity and vanity are the basis of social networking. They drive the user count — and valuations — of these companies. Site operators want to capture as many users as they can, so they have to make it easy to approach people, to let us both befriend and follow strangers.

To properly address some of these security issues, social networking sites need to change not only the technology, but some of the fundamentals of their business. And you can’t easily patch a business model.


  1. As John Biggs says - “at the risk of offending some of you”…

    http://www.techcrunch.com/2008/08/08/the-rise-and-fall-of-twitter/

    Worth the watch, certainly not a shoddy production, in fact very impressive. We are concerned about Ruby On Rails (RoR), as a robust and scalable way forward. The debate continues.

  2. It seems security and scalability are the topic of the day, many may also find the following of interest:

    http://www.techcrunch.com/2008/08/08/facebook-responds-to-security-issue-with-a-hope-and-a-prayer/

  3. Alistair – “The problem is that curiosity and vanity are the basis of social networking.” Great line!! – obvious, but often missed by most – but as you put it – in that reality lie the demons for the social nets.

  4. I think you need to add one more trait: voyeurism. Voyeurism drives social networks.

  5. Alistair Croll Friday, August 8, 2008

    @Pavan K — thanks for the link. I think folks need to take the whole process very seriously. The problem is that social sites reinforce many of the vectors that are key to infection.

    It occurred to me in writing this that social networks and computer worms have something in common: Virality. So it’s no surprise that they work well together. But to stop viral spread of malware they need to curtail their own virality, which undermines their fundamental business model.

    @chad — yeah, voyeurism is what makes people view the infected content in the first place. ;-)

  6. @ Alistair – thank you for the comments. Plenty of food for thought.

    “To properly address some of these security issues, social networking sites need to change not only the technology, but some of the fundamentals of their business. And you can’t easily patch a business model.”

    Central to the problem is that these sites are inherently social, right? Even if a network came in from the perspective of a niche/professional network, or one that wanted to empower organisations/individuals, wouldn’t the viral nature of the net still encourage malware, whatever the fundamentals of their business? To curtail their virality would surely mean to restrict sustainability? Also:

    “The problem is that social sites reinforce many of the vectors that are key to infection.”

    This is particularly interesting. What do you see as those vectors which are key… ?

    I still say credit to Twitter for pushing the boundaries of the internet forward, let’s hope they do not become a martyr to their cause, and make use of that recent investment to retain their users. What is it Alistair, that causes them to be down every day? What did they do wrong to restrict their scalability?

  7. How to Hack Facebook: The Trick is Social Engineering! | Thoughtpick Blog Wednesday, December 9, 2009

    [...] private information on Facebook without our approval. It’s actually our own human nature: the trust of a friend’s name. Don't add just any person as a [...]
