Focuses on security awareness training for federal IT security programs. Share innovative ideas for integrating security concepts into your user base.
Security Awareness ISSUE
August 10, 2009 at 4:02 pm #77464
Interesting IMO story reinforcing the significance/importance of Security Training for ALL
White House backing could leave social media sites more vulnerable
By Jill R. Aitoro 08/07/2009
The Obama administration is right to embrace social media, but should do more to educate users on the risk of cyberattacks such as the one that shut down the messaging service Twitter on Thursday, according to security experts.
The administration's endorsement of social media could give the public a false sense of security, said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team.
"Everyone has this inherent trust for the president and his team's messages," he said. "They're going to click on the links and inevitably pollute systems."
The hackers who crashed Twitter and slowed the social networking site Facebook on Thursday launched a denial-of-service attack that bombarded Web sites with traffic in an effort to force them to shut down. At the same time, a new wave of a malicious computer worm began to send unique Twitter messages, or Tweets, that tricked Windows users into downloading malicious software from a Facebook look-alike page, according to the computer security portal Viruslist.com. A variant of the worm, known as Koobface, was behind attacks on Twitter in June and on Facebook multiple times in 2008.
Social media sites also are susceptible to spear phishing, in which hackers send targeted messages masquerading as notices from legitimate organizations or people, with the expectation that users will click on a link and launch malicious software or provide financial information; or SQL injections, which attack the database layer of a Web application by taking advantage of insecure code to execute unauthorized commands.
"The theory is that technology is a wonderful enabler," Kellermann said. "But to assume and presume the Internet is a secure environment is foolhardy. This is a hostile environment, and if you're going to push citizens to rely on that [environment] to get messages from you, there better be leadership in place to manage the risk."
According to Kellermann, the government must not only step up educational efforts, but also conduct more thorough assessments of cyber risks to identify and mitigate vulnerabilities. Federal chief information and chief technology officers are too focused on granting increased access to services and are not backing up chief information security officers, he added.
Federal agencies that use the sites to share information with constituents also risk becoming targets of hackers seeking to disrupt such communications. That was the scenario in Thursday's cyberattacks, said Max Kelly, chief security officer at Google, whose blog publishing tool was among the applications targeted. Kelly told CNET News that the goal of the attack was to silence a Georgian blogger with accounts on the social networking sites.
Amit Yoran, chairman and chief executive officer of security software company NetWitness and former director of the Homeland Security Department's national cybersecurity division, agreed that social media applications introduce vulnerabilities, but said the government must use collaborative Web 2.0 technologies to keep up with industry.
"Social media techniques add an additional path by which systems can be infected; they also allow attackers to much more accurately target victims using more aggressive methods," Yoran said. "[But] at the end of the day, systems are going to be compromised and polluted with or without social media. Banning them will not solve this dilemma, but only lull us into complacency."
White House spokesman Nick Shapiro noted in an e-mail to Nextgov that the Obama administration believes "social media networks are an important and powerful tool for communicating with the American people and the rest of the world." He also said cybersecurity is a major priority for the president, pointing to the White House review of cybersecurity policies and programs, and Obama's promise to appoint a cybersecurity coordinator who will have direct access to the president. While the individual has yet to be named, Shapiro said a rigorous selection process is well under way.
"The use of social network services has become a normal business practice in the corporate world and government needs to follow this example," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "There are security concerns, but they can be dealt with and the productivity benefits justify the effort."
August 12, 2009 at 7:09 pm #77466
Jonathan D. Abolins (Participant)
FWIW, one bad habit that some social network sites are teaching is that it's "OK" when a social network site asks for your Web mail account credentials so the social network site can help build up your network with invitations. LinkedIn and various other services do this. Although most of the services haven't abused the ID/password disclosure, there is a big opening for exploitation.
For example, a fake "let us expand your network by getting contacts from your GMail or Yahoo account" page could easily collect login credentials from users who learned to trust such options.
There may be ways to reduce the risks of disclosure. Already, one can forgo such contact collection options and manually enter the contact info. Eventually, it's possible for a method to be developed where one can export the contact info from one's email application, review and edit it, and import it into the social network sites without disclosing other accounts' credentials.
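The export-review-import approach described in the post above, sketched as an added Python example (not code from the post or from any social network site): it reads a webmail contact export as CSV, keeps only the fields a network invitation actually needs (name and e-mail address), drops rows with no usable address, duplicates, and any domains the user chooses to withhold, and writes a minimal CSV for import. The sample export and its column names ("Name", "E-mail Address", "Phone", "Notes") are constructed assumptions, not a particular provider's format; the point is that the user shares a reviewed contact list rather than a mailbox password.

```python
import csv
import io
import re

# Constructed sample of a webmail contact export (CSV). The column names are
# assumptions for this example, not any specific provider's export format.
SAMPLE_EXPORT = """Name,E-mail Address,Phone,Notes
Alice Example,alice@example.org,555-0100,Met at conference
Bob Example,,555-0101,No email on file
Carol Example,carol@example.org,555-0102,
Carol Example,carol@example.org,555-0102,duplicate row
Dave Example,not-an-address,555-0103,
Erin Internal,erin@corp.example,555-0104,work contact to withhold
"""

# Deliberately simple syntax check; it only has to reject empty or obviously
# malformed addresses during review, not validate deliverability.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_contacts(csv_text, exclude_domains=()):
    """Reduce a raw export to (kept, skipped).

    kept:    list of {"name", "email"} dicts, one per unique valid address
    skipped: list of (name, email, reason) tuples explaining each drop, so the
             user can review what is and is not being shared before importing
    """
    kept, skipped = [], []
    seen = set()
    exclude = {d.lower() for d in exclude_domains}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Name") or "").strip()
        email = (row.get("E-mail Address") or "").strip().lower()
        if not EMAIL_RE.match(email):
            skipped.append((name, email, "no valid e-mail address"))
            continue
        domain = email.rsplit("@", 1)[1]
        if domain in exclude:
            skipped.append((name, email, "excluded domain"))
            continue
        if email in seen:
            skipped.append((name, email, "duplicate"))
            continue
        seen.add(email)
        # Phone numbers, notes and every other column are dropped here; only
        # the two fields needed for an invitation leave the user's machine.
        kept.append({"name": name, "email": email})
    return kept, skipped


def to_import_csv(contacts):
    """Serialise the reviewed list as a two-column CSV for manual import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "email"])
    writer.writeheader()
    writer.writerows(contacts)
    return out.getvalue()


if __name__ == "__main__":
    kept, skipped = extract_contacts(SAMPLE_EXPORT, exclude_domains={"corp.example"})
    print(to_import_csv(kept))
    for name, email, reason in skipped:
        print(f"skipped {name!r} ({email!r}): {reason}")
```

The review step is the `skipped` list: every dropped row carries a reason, so the user sees exactly what would have been handed over had the site been given the mailbox credentials instead, and the exclude list lets work or internal domains stay out of a personal network entirely.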