Damon Cortesi's blog

Musings of an entrepreneur.

Socnets and Security


There’s a meme going around about socnet ROI measurements, and I got pinged by Clay Newton about socnet inputs into security metrics. It’s always interesting to discuss security and ROI, because ROI is one of the more elusive aspects of security. Having good security is generally compared to insurance. You don’t realize you need it until it’s too late. OR you pay and pay and pay for it, but never see the need for it. So what’s the ROI? Not being hacked? How do you monetize that? ROI is hard enough to determine in general, never mind on a social network where there’s no data. So allow me to ramble for a few brief moments.

Security metrics are somewhat difficult in general, especially if you’re trying to get detail on how much “hacking” is going on. People don’t like talking about being hacked in general, never mind on a public network. I’ve tried tracking various security-related keywords on Twitter such as “hacked”, “security”, “hacker”, etc., and the resulting tweets are pretty limited. So let’s talk about security within social networks themselves.

What are the two primary concerns on social networks? The enormous attack surface, and information disclosure.

Let’s take attack surface first. Organizations have their perimeters relatively well locked down these days. Internal networks are getting better, but are still pretty soft. Nevertheless, any security researcher will tell you that the current target is the client, more specifically the browser. Individuals are becoming much more connected, and attackers have realized that if you can attack the individual, you can gain access to a whole bunch else.

Historically there have been a couple of wide-scale attacks on social networks. The Samy worm (October 2005) took advantage of an XSS bug in MySpace’s site and affected over one million users in 5 hours. Now, the Samy worm was fairly benign, but there was another attack on MySpace that took advantage of the ad network and a vulnerability in the Windows Metafile (WMF) format to install adware, keystroke loggers and who knows what else. Again, this attack likely affected over one million users. Even this past week, there was an issue with MySpace music pages. So we’ve seen that malware distribution through social networks is definitely possible.

But, of course, social networks are getting more dynamic. With Facebook releasing their SDK and OpenSocial coming out, socnets are trying to make it easier to write applications that are portable across all networks. And the only difference between a malicious application and one that’s not is the intent of the author.

The other concern, of course, is privacy. Imagine a low-profile worm silently crawling across all networks, gathering the information you’ve put about yourself on those networks and compiling it into a giant database. Think, just for a brief moment, about who you’ve given access to your life. You could build an immensely detailed picture of the past five years of my life simply by crawling the different social networks I’m on.

Think of all the hard work you’ve put into making each of your networks complete. MySpace: how many crimes (the most recent being the UW student accused of murder) have been revealed because of MySpace? OpenSocial: how long did it take to “hack” the first OpenSocial app? 45 minutes. Facebook: Facebook is “more mature” than MySpace, but it collects a lot more statistics about its users (I believe because it’s then beneficial to join Facebook networks). What if somebody could harvest all of that data… and then sell it? How’s that for an ROI?! Twitter: to make Twitter work, you have to tweet. To tweet, you have to expose information about yourself. To expand your network, you have to open yourself up. Unless you already have a network.

So those are a couple of my immediate thoughts when the words security and socnet appear in the same sentence. I realize that didn’t quite address the original question, but I would be happy to answer any specific questions. For now, I must collapse on my German bed.