Social Media / Webmail / Smartphones: Networking with Risk
Number: IN11-001
Date: 05 April 2011
Purpose
The purpose of this Information Note is to raise awareness of some threats and vulnerabilities that have recently affected users of various social networking sites, webmail services and smartphones. These widely used communication technologies have taken on a significant role not only for individuals, but also for organizational communications and outreach initiatives. This document is intended to provide organizations with an overview of some of the risks associated with using these technologies, with the aim of promoting the use of applicable security best practices.
Assessment
Allowing the usage of social networking websites, webmail services and smartphones on a network is at the discretion of the network owner. This Information Note is not intended as an authoritative stance on the use of these communication technologies but is intended to provide an overview of some of the threats and vulnerabilities that have recently been reported on these commonly used platforms. Specifically, this Information Note focuses on three related and complementary networking technologies: social networking websites, webmail, and smartphones.
Social Networking
-----------------
Social networking websites are technological platforms that facilitate the creation of virtual communities of interest and the rapid distribution of information among their members. The concept and employment of social networking websites have been heralded as a building block for what is known as Web 2.0: the use of web-based applications to create and share information on a global level in a seamless manner. The consumers of social networking informational products are a combination of trusted contacts, open user groups and/or the general public. Some of the best known social networking platforms include Facebook, LinkedIn and Twitter.
The following is a list of recent threats and vulnerabilities which have affected common social networking website users. This threat environment is very dynamic: social networking sites are constantly working to improve security while malicious actors attempt to find new attack vectors.
Koobface: Before its command and control infrastructure was partly taken down in 2010, the computer worm known as Koobface specifically targeted Facebook, Twitter and MySpace social networking sites' users. Similar malicious activity is still being reported.
Various Facebook scams and threats, sometimes through third party applications
Facebook vulnerability which exposed personal information
Poisoning of Twitter Trends with malicious links
Webmail
-------
Webmail is the term associated with the many forms of email services made available via the Internet using a web browser. Most Internet and web service providers offer users free email accounts with relatively large amounts of storage and a compelling feature-rich web-based user interface. Usually, anyone can register one or many accounts, from virtually anywhere. Some of the best-known webmail providers include Yahoo, Gmail and Hotmail.
The following are two examples of threats associated with webmail use in corporate IT environments:
- Use of webmail in targeted emails
Users in an environment allowing webmail use are more likely to trust emails sent from other webmail accounts. However, attack schemes can leverage this trust through two common approaches: fake webmail service notification emails (e.g., “email account limit exceeded” warning emails) and spear phishing emails originating from an address similar to a trusted one.
In the first scheme, the user may receive an email requiring them to reset their account due to an exceeded storage limit. This email will entice the user to follow a link to a fake webmail administration site and then prompt the user to enter their webmail user name and password (often similar to corporate network login). In the second scheme, a crafted email with a malicious attachment, or a link to a malicious site, is typically sent from a fraudulent webmail account to either a specific or large distribution list. The crafting (social engineering) of these malicious emails may leverage information posted on social networking sites. In many cases, users subjected to this type of attack are able to recognize the fact that legitimate corporate correspondence may not typically originate from a webmail account. However, detection of this threat is often reliant on a user’s ability to recognize a suspicious email. These schemes, sometimes combined, have been associated with advanced intrusion attempts in the past.
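As an added illustration (not part of the Information Note), the following Python detection logic flags inbound messages matching the two schemes just described: a sender on a webmail domain whose local part reuses that of a trusted corporate address, and a "limit exceeded" notice whose reset link points outside the sender's own domain. The webmail domains, the trusted sender and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists for this example (assumptions; adapt to your environment).
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
TRUSTED_SENDERS = {"j.smith@example-corp.ca"}
QUOTA_NOTICE = re.compile(r"(storage|account)\s+limit\s+exceeded", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def same_site(host, domain):
    # True when host is the sender's domain itself or one of its subdomains.
    return bool(domain) and (host == domain or host.endswith("." + domain))

def flag_message(raw):
    """Return the reasons a raw RFC 5322 message matches either scheme."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    local, _, domain = sender.rpartition("@")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    findings = []
    if domain in WEBMAIL_DOMAINS:
        # Scheme 2: webmail address reusing the local part of a trusted corporate address.
        for trusted in TRUSTED_SENDERS:
            if trusted != sender and trusted.split("@")[0] == local:
                findings.append(f"lookalike of trusted sender {trusted}")
    # Scheme 1: "limit exceeded" notice whose link leaves the sender's own domain.
    if QUOTA_NOTICE.search(body):
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not same_site(host, domain):
                findings.append(f"quota notice links to foreign host {host}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_QUOTA = """From: Mail Admin <admin@hotmail.com>
Subject: Action required

Your account limit exceeded. Reset at http://hotmail-admin.example.net/reset
"""
SAMPLE_LOOKALIKE = """From: John Smith <j.smith@gmail.com>
Subject: Q2 figures

Please review the figures below.
"""
```

A genuine provider notice linking back to the provider's own domain produces no finding, so the rule targets the off-domain reset link rather than the wording alone.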
- Webmail may circumvent enterprise/corporate security measures
There is a common belief that users who are accessing their webmail account on the corporate network are protected by the same security measures that are in place to protect corporate email systems. Although some aspects of an environment where both corporate and web-based email exist are covered by these measures, they do not always cover all avenues.
For example, an organization can institute a block against a known malicious email that is targeting senior executives. Within that email, there may be a malicious document that contains a virus. Mitigation would usually consist of adding signatures to the corporate infrastructure to promote the detection and removal of the malicious file at the network perimeter. However, if the targeted user also receives the email via a webmail account, detection of the email may not be possible.
In addition to the challenges associated with security monitoring of inbound webmail messages, the potential for data loss, such as intellectual property and other sensitive corporate information, via webmail platforms is also an issue. Technologies such as Data Loss Prevention (DLP) used to monitor outbound information on a corporate network may be rendered ineffective by the file sharing and email attachment features available through webmail services. Not only is the monitoring of outbound information more challenging, this information is also difficult to recover once it leaves the corporate environment, since it is often stored on third-party servers that may be located in other countries.
Smartphones
-----------
Smartphones are devices that have advanced networking and computing capabilities in addition to the traditional phone voice services. Many smartphones today offer expanded functionalities through the integration of a large number of third-party applications, including email and social networking tools. The combination of increased networking abilities, memory and computing power has made smartphones the users’ device of choice for using web-based services, for data processing and for storing personal information such as contacts, calendar and even passwords. Some of the best-known smartphones in use today include the RIM BlackBerry and the Apple iPhone.
McAfee, a leading antivirus firm, is already predicting that 2011 will see a large increase in the targeting of smartphones for exploitation. Smartphones are also on track to overtake and replace the footprint of laptops in the consumer market place. As iterations of smartphone technologies occur, the possibility of new vulnerabilities within the many vendor and third-party applications that are used within the devices also exists. As well, criminal toolkits that are designed to develop and deliver malicious content for financial gain and data theft can now include modules to compromise smartphones.
Mitigation
The methods to secure the technologies detailed herein are dependent on many factors that are beyond the scope of this Information Note. However, as with other information technology areas, a combined approach that carefully balances functionality with the environmental vulnerabilities and threats is key. User awareness, user training (at all levels), acceptable use policies, up-to-date software/firmware products and effective security procedures and controls can help maintain a more secure corporate networking environment. The following references are provided to give users awareness of various tools and techniques that may be employed to reduce exposure to some of these social networking, webmail and smartphone threats and vulnerabilities.
Facebook guides for privacy settings: Controlling what Facebook information is accessible to others
Socializing Securely: Using Social Networking Services.
Cyber awareness: Protecting and managing your digital identity on social media sites.
Cyber awareness: Social media use in the office
Webmail Security Checklist.
Smartphone security
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca