October 2007   
 
 

TECHNICAL INSIGHT: SOCIAL NETWORKING SITES


Anti-Social Side of Online Social Networking

By Cedric Cochin, McAfee Avert® Labs Threat Researcher

The revolutionary concept of the electronic “global village” put forth by philosopher Marshall McLuhan in the 1960s has come full circle with the immense popularity of social networking sites like Facebook, MySpace, LinkedIn, Flickr, and YouTube. These sites—some with as many as 200 million users worldwide (MySpace)—have evolved into global communities where people can meet, greet, and create their own content using high-powered interactive Web 2.0 applications. But lurking in the shadows are the omnipresent hackers who are champing at the bit to get their hands on the wealth of personal information that is shared at these online town squares.

One of the biggest security issues social networking sites face today is the widespread use of highly interactive, feature-rich Web 2.0 applications. The applications are certainly appealing and engaging to subscribers, who can use them to post their profiles, add banners to their pages, create their own news feeds, leave notes on friends’ sites, send “gifts” in the form of small novelty icons, even cross-reference contact lists. What wonderful opportunities for self-expression—and what wonderful opportunities for hackers to embed malware on those pages!

Many of these applications are insecure and rife with vulnerabilities. Networking sites are being pushed to provide new, better, more engaging interactive web applications, so time-to-market to satisfy user demand and beat the competition takes precedence over security. Also, web applications change so quickly that security is often a low priority, while implementing sizzling, innovative technologies that engage users and keep them coming back is on the front burner. Plus, network security products can bog down application performance, and no one wants to negatively impact an eager public’s online experience.

With so many people using these applications on a daily basis, cyber criminals have a vast reservoir of victims to exploit. And they’re not wasting any time. Wherever there’s an opportunity to rake in profits, hackers will make it a point to pounce on vulnerabilities as quickly as possible.

Hackers who prey on social networking sites generally use two techniques—SQL injection or cross-site scripting. Let’s take a look at how these work.

Structured Query Language (SQL) Injection
This technique takes advantage of security vulnerabilities in the database interaction layer of a web application. An SQL injection might occur through a user registration form on a social networking site. In the name field, instead of typing in a real name, the attacker types in a string of characters that the web application does not sanitize correctly, so it gets interpreted by the SQL server. By doing so, the hacker could prompt the server to return an error message that could contain all kinds of valuable information about how the application’s database is structured. When error messages are not available, the hackers can add more advanced techniques to their arsenal, such as blind SQL injection. Hackers can then craft a query that allows them to query or insert data in the database. By doing so, they can gain access to users’ profiles and private details or alter their content.
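
The registration-form case described above, as an added Python example that is not part of the original article: the same name field handled by a concatenated query that echoes database errors, and by a parameterized query that returns a generic message. SQLite, the table layout, the function names and the sample name are assumptions made for illustration.

```python
import sqlite3

GENERIC_ERROR = "Registration failed. Please try again later."

def make_db():
    # In-memory SQLite table standing in for the site's user database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return db

def register_vulnerable(db, name):
    # The name is pasted into the statement, so the server parses it as SQL.
    sql = "INSERT INTO users (name) VALUES ('" + name + "')"
    try:
        db.execute(sql)
        return "Welcome!"
    except sqlite3.Error as exc:
        # The raw driver message is returned to the visitor.
        return "Database error: " + str(exc)

def register_hardened(db, name, log):
    # Validate length, then bind the name as data; it is never parsed as SQL.
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= 64:
        return "Please enter a name of 1 to 64 characters."
    try:
        db.execute("INSERT INTO users (name) VALUES (?)", (name.strip(),))
        return "Welcome!"
    except sqlite3.Error as exc:
        log.append(repr(exc))   # detail stays in the server-side log
        return GENERIC_ERROR    # the visitor learns nothing about the schema

def stored_names(db):
    return [row[0] for row in db.execute("SELECT name FROM users ORDER BY id")]

if __name__ == "__main__":
    name = "Miles O'Brien"  # constructed input: an ordinary name with an apostrophe
    db = make_db()
    print(register_vulnerable(db, name), stored_names(db))
    print(register_hardened(db, name, []), stored_names(db))
```

An ordinary apostrophe is enough to make the concatenated statement fail and expose the database's own error text, while the bound parameter stores the same name unchanged.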

Cross-Site Scripting (XSS)
In a cross-site scripting exploit, dynamically generated web pages display input that has not been validated, which is an open invitation to a hacker to embed malicious JavaScript code into the page and execute the script on any visitor’s machine. This type of hack is typically used on applications that ask users to enter data. Examples include search engines that echo back the search keyword that you enter, error messages that display the text string that contained the error, forms where the input is later presented to users again, and web message boards that allow users to post messages. Attackers who use this technique can appropriate confidential information, manipulate or steal cookies, create requests that can be mistaken for requests made by a real user, or execute malicious code on end-user systems.
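
The search-keyword echo described above, as an added Python example that is not part of the original article: the same results page rendered with and without output encoding, then parsed to list the elements a browser-side parser would see. The page template, the function names and the sample keyword are constructed for illustration.

```python
import html
from html.parser import HTMLParser

class PageView(HTMLParser):
    # Collects the element tags and visible text a parser sees in a page.
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def parse(page):
    view = PageView()
    view.feed(page)
    view.close()
    return view.tags, "".join(view.text)

def render_results(keyword, encode=True):
    # encode=False reproduces the flaw: the keyword is echoed back unchanged.
    shown = html.escape(keyword, quote=True) if encode else keyword
    return "<p>Results for: " + shown + "</p>"

SAMPLE = '<b>cats</b> & "dogs"'  # constructed search keyword with harmless markup

if __name__ == "__main__":
    for encode in (False, True):
        tags, text = parse(render_results(SAMPLE, encode=encode))
        print("encode=%s tags=%s text=%r" % (encode, tags, text))
```

Without encoding, the visitor's input contributes an element of its own to the page; with encoding, the page contains only the template's elements and the keyword is displayed as literal text.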

An XSS attack was discovered in November 2006 on MySpace. Fraudsters replaced the navigation menu and redirected users to a spoofed phishing web page. At the Black Hat hacker conference in Las Vegas that year, Rick Deacon, a 21-year-old network administrator from Beachwood, Ohio, revealed his discovery of a flaw on MySpace that allowed attackers to steal the cookies or alter the profile of users of the social network. [Source: http://www.newsfactor.com/news/Social-Networking-Sites-Are Vulnerable/story.xhtml?story_id=012000EW8420]. The same technique could also be used to spread malicious code from one user’s profile to another user’s profile, creating a powerful XSS-based worm. [Source: http://namb.la/popular/] This could facilitate the exponential distribution of the malicious content inside the social networking community.

How can businesses that offer social networking services maintain a sense of community for their subscribers and keep them safe? One way to secure applications is to test software as it’s being written, and to look at it from a hacker’s perspective as a way of uncovering vulnerabilities. McAfee Foundstone® Professional Services, for example, uses threat modeling to identify more than 75 percent of the security issues in an application. Another important part of the process is to make sure applications verify every piece of input before acting on it, which could eliminate a huge percentage of attacks. For instance, during the testing phase, you would want to make sure that applications don’t return error messages, so that hackers can’t draw conclusions about the application’s structure and find ways to embed their disruptive code.

For users who flock to social networking sites as a way to build their business contacts and share their lives with friends and family, here are a few pointers:

  • Don’t freely share personal information or passwords with anyone.
  • Don’t use the same password(s) for social networking sites as you use for your secure online activities, such as banking or payments.
  • Avoid clicking on links within a profile. There might be a hacker lurking in the shadows.
  • Choose your friends wisely and don’t worry about rejecting people and hurting their feelings. Link only to the profiles of people you absolutely trust.
  • To avoid leakage of confidential information and loss of productivity (for statistics, see http://www.switched.com/2007/09/12/facebook-costing-businesses-264-million-daily-in-lost-man-hours/), businesses can set strict policies about employee use of social networking sites during working hours and what content they can post. Non-disclosure agreements and data loss prevention systems are a good place to start.

Social networking is here to stay. As these sites start including even more interesting, inviting high-touch applications for their users, you can be sure that hackers will be right there, sniffing out every possible opportunity to exploit innocent users. The best response for companies in the social networking business is to offer more secure applications to minimize the threat factor. And the best response for users is to keep their eyes wide open at work and at play.

 


 
