Risk and Social Networking Sites

Thursday, August 20th, 2009


So you are looking to lift your company, education institution or government agency’s web profile…

You do the usual things: rework the main web site, start up blog feeds, revamp forums, establish a wiki or other information feeds, acquire/renew SSL certificates so the site can be authenticated as really being a bricks and mortar business. So far so good. All this stuff is under your control on your servers. Your IT team can establish control and security over the software, you can monitor it and get a reasonable level of comfort that you can assure visitors that your site is safe to visit.

Then a consultant advises you that to reach the younger market, or even simply to project a progressive and innovative image, you need to embrace the more inclusive social networking spaces like MySpace, FaceBook, YouTube and/or Twitter. “Everyone” is using these sites so they must be safe. Right?

No, wrong. 


Identifying the Social Networking Strategy

Let’s look a little more closely at MySpace and FaceBook, specifically.  There are three broad approaches to using these platforms in business:

  1. Teams use the sites to establish private networks for intra-team communication;
  2. Employees establish individual profiles and use the sites to establish direct customer to staff connections; and
  3. The business uses the sites (primarily MySpace, in this case) to establish branding for a product or service and allows the public to friend the product or service, etc.


Analysing The General Risks

Each of these uses, in the right context, carries advantages to the business, so one view of the risk profile would say that not using the facilities is an opportunity cost that may disadvantage the business with respect to the competition, or (in the case of government) with respect to achieving the best possible policy outcomes and staying in tune with a target market or spinning the desired message. So the case for adoption might consider possible causes of outcome failures to include:

  1. Costs of setup and maintenance (staff time, materials preparation, policy formation, training, etc) exceeding tangible and intangible returns;
  2. Inattention of staff to maintenance of the material – hence tarnishing the organisation’s image rather than enhancing it;
  3. Inappropriate, inconsistent, or confidential content being posted, hence complicating the public positioning of the business or occasioning legal exposures;
  4. Inconsistent branding or product/business positioning, where branding and positioning consistency are part of the business image, thus creating confusion in the market;
  5. Disproportionate effort/investment (time, cost, attention, etc) being injected into maintenance of social marketing at the expense of other marketing or activity streams when measured in terms of comparative effectiveness and efficiency in achieving the business objectives, thus resulting in an overall drop in business performance and a net reduction in outcome achievement;
  6. Exposure of information that materially benefits competitors more than it advantages the business, thus resulting in a general weakening of the market positioning through more effective and targeted competitor behaviour;
  7. Market awareness of the social services among the target market of potential or actual service consumers being low while awareness among the non-target groups is relatively high, thus resulting in a net reduction in spend efficiency, or no perceived improvement of service among the consumer group;
  8. Increased allocation of staff resources from finite available resources to maintenance of profiling information and friend interaction at the expense of productive outcomes (the traditional email productivity problem) – thus resulting in a demand for increased resources now for the same transaction outputs as before.


We will identify these collective issues as the overall risk “That adoption of social networking within an Enterprise will fail to achieve intended business objectives” (such as improved brand awareness, improved profit, public acceptance of policy objectives, improved targeting of consumers through better feedback, etc). The risk’s identified causes and consequences can be managed by appropriate remediation strategies and informed through the right measurement systems. They are essentially under your control – if in some cases, only just!

Between the three broad purposes of FaceBook/MySpace adoption there are some additional point-risks (a cause – consequence subgrouping of an overall master risk) that are specific to your purpose for the site(s).  For example:

  1. Objectives 1 & 2 increase the information available to both internal and external recruiters, better enabling them to target your staff;
  2. Objectives 2 & 3 increase the group awareness of public perceptions of the business and the individuals because comments and feedback posted to the individual profiles by customers (or people pretending to be customers)  can be visible to all other customers;
  3. Objectives 2 & 3 can be hampered by perceptions of low friend counts implying general public disinterest in the service, or the firm, etc.


Identifying The Show Stopper Risk

Again, these potential outcomes can, to some extent, be managed, but there is another risk that is potentially far more serious. It is either not under your control or only controlled with an extensive amount of effort on your part. It is squarely in the IT domain, surprisingly traditional, and arises directly as a consequence of the social networking medium:

  • Client or staff computer infection by Trojan software.

Now, before you go “oh right, that one again”… I fall squarely in the camp of IT professionals who consider that virus and Trojan defences are not a big issue, and relatively easy to manage for both the individual and the enterprise. An enterprise just needs a sensible and proactive defence policy, some basic good house-keeping rules, and common sense. So this is a most unusual thing for me to decide to highlight.

The difference is the nature of the interaction among users and otherwise experienced and knowledgeable staff that a social web site creates. If someone you trust gives you something to look at, in an environment in which you feel secure, you will probably look at it… and that is the essence of the problem. I suspect that users are likely to be less cautious in the social networking context than they are even with email systems – which we know are 98% spam (statistic based on our own email filter logs!).

For some years my IT Audit team ran “Tiger Team” penetrations of secure networks. All IT intrusion specialists understand that, apart from systems that are simply below standard in their defences, effective intrusion generally requires some degree of social engineering – a bit of research on key people to get an idea of the password possibilities and targets, knowledge of where to go to get access (eg. where branches are located, where systems are located in virtual or physical space, etc), physical access (or virtual access) to a weakly protected node, knowledge about work habits, an understanding of human nature, the ability to claim an association with someone else who is trusted, some degree of trust (eg an employee) so you can get others to cooperate with you, knowledge of the technologies in use, the ability to hide in a stream of otherwise normal activity without attracting attention, the ability to attract the attention/assistance of individuals or applications that can facilitate an attack without them realising they are assisting, etc.

MySpace and FaceBook in the first instance, deliver on all these fronts:

  1. Their nature is to expose personal information about the individuals profiled on the pages – that is, after all, what they are about.
  2. They provide a common meeting place that is universally known – the MySpace and FaceBook sites themselves.  The whole point of using these sites is that the job of getting your market to find you is done, so setting up your own version of MySpace or FaceBook on your web site does not achieve the same outcome.
  3. They facilitate the knowledge of the technologies in use – anybody can create FaceBook and MySpace apps, or learn how to create a profile page, or interact with others, etc – it is the entire purpose of, and essential to, the medium.
  4. The sites create a false sense of safety. They protect themselves from attack, but not necessarily the users, yet the illusion of a controlled space promotes an expectation that the services available have been vetted, when in fact the nature of the web means that services are no more secure than any other web service.
  5. They foster trust of individuals through artificial group association when in reality “friends” are simply random, potentially unknown individuals who are self-selected. While you do not have to accept them, part of the point about using such a medium to promote yourself or your business/product is that you will probably be inclusive rather than exclusive – so clients visiting you should not assume that your other friends are in any way a vetted and approved group (as opposed to a user group forum, who will generally all be actual clients). “Strangers” would be a better, more appropriate term.
  6. They facilitate the exchange of large volumes of trivia.

Now, all this is not necessarily a problem without the last ingredient. They attract your clients like bees to honey, and because of all the other factors, in the process your clients “open the door” – they click on links of your friends, they view pages with ad feeds fed by a third party and they post things (potentially with links) to your bulletin boards that you do not control, but that others access in trust. And it all happens in real time.

Does this matter?  Yes. 


Where Theory Meets Reality

Here are some examples:

  • In July 2006, 1 million users of MySpace were infected with ad-ware simply by visiting profile pages.
  • In 2007, 12 million page views potentially infected up to that number of MySpace visitors with a Trojan.
  • This month and last (2009), an unknown number of MySpace and FaceBook users have been infected by the KoobFace Trojan as a result of viewing items added to the postings of friends on others’ MySpace and FaceBook sites. The first thing this Trojan does is contact all your existing “friends” via your site and post messages to them from you with the Trojan embedded in the message (after changing your mood so they are encouraged to take a look!). The second thing this Trojan does is monitor your key strokes so as to collect identity, account and credit card information.

This is just the start of the list. When we tested this, the KoobFace Trojan slipped straight past two of our anti-virus/anti-spy-ware systems unnoticed! Our tertiary network analysis defences spotted the change – but these are security specialists’ tools and not the stuff on normal machines – and we knew what we were looking for. Imagine how infecting the networks and computers of your corporate and public clients would help your market brand. Bad if the client’s protection systems detected the infection attempt – but even worse if they didn’t! Not only will the Trojan keylogger infection compromise their security, but as they enter the user IDs and passwords to access your client support systems, they will compromise your security.

The first problem here is that you and your IT team do not control the platform – and that is the issue that has to be addressed with all cloud computing solutions. The second problem is that the essence of these technologies is unstructured social interaction (which is good), seemingly in a playground with nice metal fences (which is also good), but really in the middle of a highway, where the cars and trucks are invisible – but just as dangerous (which is not so good).

Wan’na play outside?  Yep – why not play in the street?