Weak passwords and lack of AV a major issue in social network security
13th Mar 2010 | 05:12
Twitter, Facebook and Microsoft warn of dangers
Weak passwords on social network sites
Even after many high-profile hacking and phishing attacks on social networking accounts, and constant messages urging people to be vigilant, the biggest problem with web account security is still weak and reused passwords.
Speaking at South by Southwest Interactive (SXSWi), an industry panel of security managers from Twitter, Facebook and Microsoft discussed the approaches they use to secure their web services.
Del Harvey is Director of Trust and Safety at Twitter. "I have a team of 20 folks, which given that the team at Twitter is about 160, is a very large team and we deal with ensuring the user expectations for privacy are there, and when bad things happen we work to fix them."
Harvey says education is an on-going problem: "The current biggest thing that is crucial to our security programme is trying to get users educated about security. Everyone knows at least one person who says 'I use the same password on every site – but it's a really good one', or 'I use different passwords on every site – I take the first letter of the site and the last letter of the site and then I put my birth year in the middle.'
"It's this big wave right now of almost identity theft-based attempts at hacking, not just on Twitter but also on Facebook and on email sites and messenger sites. There's a big push towards not necessarily brute force [attacks] but more specialised. Obviously we still have brute force issues where we deal with, OK they've tried to log into x number of accounts in y amount of time with z combinations of passwords. And then we have rounds of phishing, straight out 'haha this you?' links."
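Harvey's "x number of accounts in y amount of time with z combinations of passwords" is a detection rule. The script below is an added example (not Twitter's or any panellist's code) that runs that rule over a few constructed login-attempt log lines: it slides a 60-second window over each source IP's attempts and labels a source "brute-force" when one or two accounts receive many different password guesses, or "credential-stuffing" when many distinct accounts are each tried once or twice. The log format, the `pw_fp` password fingerprint field and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real service. One login attempt per line.
# "pw_fp" is a hypothetical short fingerprint of the submitted password (a service
# would derive it server-side, e.g. a truncated keyed hash); it is never the
# password itself, but it lets us count how many *different* passwords were tried.
SAMPLE_LOG = """\
2010-03-13T05:00:01 ip=203.0.113.5 user=alice result=fail pw_fp=p01
2010-03-13T05:00:02 ip=203.0.113.5 user=alice result=fail pw_fp=p02
2010-03-13T05:00:03 ip=203.0.113.5 user=alice result=fail pw_fp=p03
2010-03-13T05:00:04 ip=203.0.113.5 user=alice result=fail pw_fp=p04
2010-03-13T05:00:05 ip=203.0.113.5 user=alice result=fail pw_fp=p05
2010-03-13T05:00:06 ip=203.0.113.5 user=alice result=fail pw_fp=p06
2010-03-13T05:00:07 ip=203.0.113.5 user=alice result=fail pw_fp=p07
2010-03-13T05:01:10 ip=198.51.100.9 user=carol result=fail pw_fp=q01
2010-03-13T05:01:11 ip=198.51.100.9 user=dave result=ok pw_fp=q02
2010-03-13T05:01:12 ip=198.51.100.9 user=erin result=fail pw_fp=q03
2010-03-13T05:01:13 ip=198.51.100.9 user=frank result=fail pw_fp=q04
2010-03-13T05:01:14 ip=198.51.100.9 user=grace result=ok pw_fp=q05
2010-03-13T05:01:15 ip=198.51.100.9 user=heidi result=fail pw_fp=q06
2010-03-13T05:01:16 ip=198.51.100.9 user=ivan result=fail pw_fp=q07
2010-03-13T05:01:17 ip=198.51.100.9 user=judy result=fail pw_fp=q08
2010-03-13T05:02:00 ip=192.0.2.77 user=bob result=fail pw_fp=r01
2010-03-13T05:02:05 ip=192.0.2.77 user=bob result=ok pw_fp=r02
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\w+) pw_fp=(?P<pw>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"], "user": m["user"],
            "result": m["result"], "pw": m["pw"],
        })
    return events


def classify_sources(events, window=timedelta(seconds=60),
                     max_accounts=5, max_passwords=5):
    """Label each source IP from its worst sliding window of attempts.

    max_accounts / max_passwords are the 'x' and 'z' of the rule; window is 'y'.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        label = "normal"
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            pws = {e["pw"] for e in win}
            if len(users) > max_accounts:
                # Many accounts from one source: leaked username/password pairs
                # being replayed. This outranks a brute-force verdict.
                label = "credential-stuffing"
            elif len(pws) > max_passwords and len(users) <= 2 and label == "normal":
                # One or two accounts hammered with many different guesses.
                label = "brute-force"
        verdicts[ip] = {
            "label": label,
            "attempts": len(evs),
            "accounts": len({e["user"] for e in evs}),
            # Successful logins from a flagged source are the accounts to lock.
            "successes": sum(1 for e in evs if e["result"] == "ok"),
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Note that a stuffing source is flagged by the spread of accounts, not by failures: two of the eight attempts from 198.51.100.9 succeed, and those two accounts are exactly the ones that need the lock-and-reset handling the panel discusses later.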
Ryan McGeehan, Security Manager for Incident Response at Facebook, says: "Awareness is a major thing for us, too. The number of individuals who use the same password across multiple sites is astounding.
"So, for instance, if some obscure web forum that you are a part of gets compromised and the database gets leaked, and the passwords are stored in clear text, then when the person who stole that database decides to try all of those usernames and passwords on other sites, the success rate is astounding.
"It's an awareness issue; it's a security issue for any site that is dealing with usernames and passwords."
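McGeehan's scenario has two halves: the forum that stored passwords in clear text, and the user who reused one. The code below is an added example (not Facebook's code) showing the forum's side of it: a clear-text store next to a hardened one using a per-user random salt and PBKDF2-HMAC-SHA256 from the Python standard library, and a `replay_leak` function that plays the attacker replaying a leaked table against a second site. The usernames, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# --- The weak form described on the panel: passwords stored as-is. ---------
def store_cleartext(table, username, password):
    table[username] = password


def check_cleartext(table, username, password):
    return table.get(username) == password


# --- Hardened form: per-user salt + slow salted hash (PBKDF2-HMAC-SHA256). --
# Iteration count is an assumption for this example; tune it to your hardware.
ITERATIONS = 100_000


def store_hashed(table, username, password):
    salt = os.urandom(16)  # unique per user, so equal passwords look different
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[username] = {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def check_hashed(table, username, password):
    rec = table.get(username)
    if rec is None:
        # Do the same work for unknown users so timing does not reveal which
        # usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare


# --- The attacker's move: replay a leaked forum table on another site. -------
def replay_leak(leaked_table, target_table):
    """Count how many leaked username/password pairs open accounts on target.

    A clear-text leak hands the attacker the passwords directly. A salted-hash
    leak hands over only salt+digest, so there is nothing to replay without first
    paying the per-guess hashing cost to crack each entry offline.
    """
    hits = 0
    for username, secret in leaked_table.items():
        if isinstance(secret, str) and check_hashed(target_table, username, secret):
            hits += 1
    return hits


def demo():
    """Constructed scenario: alice reuses her forum password on the social site."""
    forum_clear, forum_hashed, social_site = {}, {}, {}
    for table, store in ((forum_clear, store_cleartext), (forum_hashed, store_hashed)):
        store(table, "alice", "Summer2010")
        store(table, "bob", "letmein")
    store_hashed(social_site, "alice", "Summer2010")   # reused password
    store_hashed(social_site, "bob", "j7#Qp!vN2w")     # unique password
    return replay_leak(forum_clear, social_site), replay_leak(forum_hashed, social_site)


if __name__ == "__main__":
    print("accounts opened from clear-text leak, from hashed leak:", demo())
```

The hashed store only removes the site's contribution to the problem; a user who reuses a weak password is still exposed once an attacker cracks that one entry, which is why the panel keeps returning to user awareness.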
AWARENESS ISSUE: Facebook's Ryan McGeehan
Deepak Manohar looks after security on Windows Live products, which include Hotmail, Live Messenger and Windows Live Photo Gallery. "It's my job to work with our developers to ensure we don't have security and privacy issues with our products and to protect your identity from being stolen," he explains.
User awareness is a major concern and a major part of the Windows Live security programme, says Manohar.
"The way we break up our security programme is into proactive and reactive security. Proactive security is what we do up front in the developer life cycle, and we break that up into training – every developer at Microsoft goes through at least an hour of security training every year.
"We try to cover the most important security threats in that hour of training. So developers learn how these threats are exploited, how these methods are used by attackers to spread malware and perform phishing attacks."
"For our reactive process, we have an incident monitoring team who scour the internet and search for potential issues that people are talking about regarding our sites, so even if they don't properly disclose it to us, we become aware of it and we take reactive steps to mitigate this."
Lack of anti-virus protection causes headaches
That many people simply don't run anti-virus software is another major headache, adds Manohar.
"Many people don't have anti-virus software on their computer - that is the biggest vector, that's affecting us quite a bit. About 60% of legitimate websites have had some security vulnerability in the last year. And these vulnerabilities are used to spread malware to your computer.
"So my first suggestion is: get anti-virus on your computer and that will help solve the problem. Because once they get malware on your computer, they can log every keystroke; they can change the websites that you visit; they can change the DNS entry in your computer and they send all this data to arbitrary people and there's an underground market which buys and sells this information.
ACCOUNTS FOR SALE: Microsoft's Deepak Manohar
"You can buy Facebook accounts, you can buy Twitter accounts, and you can buy Windows Live accounts, and this is the vector that they use. It is more because of a lack of anti-virus on computers which is leading to people being affected rather than vulnerabilities in the website itself."
Getting your phished account back
So how do you restore access to a compromised account? That's difficult, says Harvey. "If you reset a password and your users don't have a login other than their username and password with no email address connected to it, what are they going to do?"
McGeehan continues: "If you have a single webmail account and it gets phished, usually a good response would be to block out anyone from accessing that account. But then how do you notify that person that they need to reset their password? Because you've just locked out their email.
"And if the user has malware that is attacking your website – if you terminate the session of the attacker there is a piece of malware on that user's machine that is going to bring it right back so you have to communicate to that user and say 'hey, you have to manually remove malware from your machine and then we'll do the rest of the process, which will include resetting your password'."
"And that's really hard," adds Harvey. "Telling someone 'hey, your computer is infected - trust us, we are a site on the internet!' It's not very convincing to a lot of people.
"We have a lot of users who will write in and say 'you suspended my account, what's up?' and we say 'you're super-infected, actually' and they will say 'no, I downloaded five torrents last week, and they were .EXEs, but I am not infected.'
"Telling a user in a non-aggressive but factual way is really hard. This is their Facebook account, their Twitter account, their email account, their online identity of some form and you are telling them that it is jacked up and they cannot touch it right now. Nobody wants to hear that.
"So telling them that in a way that doesn't come across as us being aggressive or over-protective or 'we just made an error on our end'… We get a lot of 'no, you must be wrong'. And we're like, 'actually you posted malware. Seven times. In 18 seconds. You are.'"