Inside the Ring: FBI on social-network risks
By Bill Gertz
The Washington Times
Wednesday, May 30, 2012
The FBI recently published a report warning of the dangers posed by social-network sites that it says are being exploited by digital “con artists, criminals and other dishonest actors.”
The FBI report, made public earlier this month, states that social-networking criminals are “exploiting this capability for nefarious purposes,” using two main tactics.
The first relies on computer hackers who specialize in writing and manipulating code to gain access to, or install software on, computers and phones. The second relies on hackers who specialize in exploiting personal connections through social networks.
“Social hackers, sometimes referred to as ‘social engineers,’ manipulate people through social interactions (in person, over the phone, or in writing),” the report said.
“Humans are a weak link in cybersecurity, and hackers and social manipulators know this. They try to trick people into getting past security walls. They design their actions to appear harmless and legitimate.”
Social-networking sites such as Facebook are Internet-based services used to share information and communicate.
According to the FBI, the risk of using social-network sites is that “once information is posted to a social-networking site, it is no longer private.”
“The more information you post, the more vulnerable you may become,” states the report, posted on the National Counterintelligence Executive site. “Even when using high-security settings, friends or websites may inadvertently leak your information.”
Personal information that hackers and criminals gather from social networks can be used to attack people or organizations, and the more information that is shared, “the more likely someone could impersonate you and trick one of your friends into sharing personal information, downloading malware, or providing access to restricted sites,” the report said.
Foreign intelligence agencies, predators, hackers and business competitors are among those who mine social-networking sites for information that can be used in attacks. The information may not be used against the social-networking site itself, but it can be used in other attacks.
Among the tactics described are USB flash drives preloaded with malicious software and given to targets as part of an attack.
Another method is a message from a friend on the social network directing you to view a video on another site. When you try to view the video, a message appears asking you to download a new version of the software; the download is in fact a virus that then takes over your computer.
The malware then messages all “friends” on the network, directing them to the same virus and thus giving the attackers control of multiple computers.
The FBI report warns computer users to avoid “phishing” scams by not opening email or email attachments, or clicking on links, from people they do not know.
“Spear phishing” was behind the March 2011 hacker attack on the security firm RSA, which provided banking and other corporate-security software; the attack began with emails sent to a small group of RSA employees.
“They only needed one employee to open an infected file and launch the malware,” the report said. “The malware downloaded information from RSA that then helped the hackers learn how to defeat RSA’s security token.”
That attack in turn led to the compromise of “a number of defense contractors’ networks,” which were broken into using the compromised RSA security tokens.
U.S. officials said at the time that China was thought to have been behind the RSA hack and the subsequent breach of the networks of the defense giant Lockheed Martin.
Another cyberthreat described in the FBI report is “click-jacking”: concealing hyperlinks beneath legitimate-looking clickable content so that a click unknowingly causes the user to download a computer virus or to send the user’s identification to a site.
Facebook “like” buttons and digital “share” buttons have been used for this purpose.
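As an added example, not code from the FBI report or from the article, the following shows what the click-jacking overlay described above looks like in markup, and the check a site owner would run on its own response headers: a “like” or “share” button can only be hidden under a decoy if the page serving it allows itself to be framed. It runs under Node.js; every origin, header value and button label in it is constructed for illustration.

```javascript
// Added example, not from the FBI report or The Washington Times: the shape of a
// click-jacking page, and a check of whether a target page's response headers
// forbid being framed. Runs under Node.js; every origin and header value below
// is made up for illustration.

// Attacker side. The visitor sees a decoy "Play video" button, but a transparent
// iframe holding the real "like" or "share" button is stacked on top of it, so
// the click lands on the framed page instead of the decoy.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:120px;left:100px">${decoyLabel}</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;top:100px;left:80px;` +
      'width:300px;height:80px;opacity:0;z-index:10;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Does one frame-ancestors source expression permit `parentOrigin` to frame a
// page served from `pageOrigin`? Handles the forms seen in practice: 'none',
// 'self', '*', a full origin, a bare host and a *.wildcard host.
function sourceMatches(source, parentOrigin, pageOrigin) {
  if (source === 'none') return false;
  if (source === '*') return true;
  if (source === 'self') return parentOrigin === pageOrigin;
  const parent = new URL(parentOrigin);
  const scheme = source.match(/^(https?:)\/\//);
  if (scheme && scheme[1] !== parent.protocol) return false;
  const hostPattern = source.replace(/^https?:\/\//, '');
  if (hostPattern.startsWith('*.')) return parent.host.endsWith(hostPattern.slice(1));
  return parent.host === hostPattern;
}

// Defender-side check: given the response headers of the page that would be
// framed, may `parentOrigin` embed it? Browsers honour a CSP frame-ancestors
// directive over X-Frame-Options when both are present, so it is checked first.
// Returns true when nothing forbids framing, i.e. the page is click-jackable.
function framingAllowed(headers, parentOrigin, pageOrigin) {
  const header = (name) => {
    const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return k ? String(headers[k]) : null;
  };
  const parentLc = parentOrigin.toLowerCase();
  const pageLc = pageOrigin.toLowerCase();
  const csp = header('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      return sources.some((s) => sourceMatches(s, parentLc, pageLc));
    }
  }
  const xfo = header('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return parentLc === pageLc;
    // Any other value (including the obsolete ALLOW-FROM) is ignored by current
    // browsers, which then treat the page as frameable.
  }
  return true;
}

// Constructed sample: a "share" endpoint that sends no framing policy at all,
// so any site, including the attacker's, may frame it.
const sampleHeaders = { 'Content-Type': 'text/html' };
console.log('frameable by attacker:',
  framingAllowed(sampleHeaders, 'https://evil.example', 'https://social.example'));
console.log(buildClickjackPage('https://social.example/share?id=42', 'Play video'));
```

This is a server-side defence: it belongs to the site whose button is being hidden, not to the visitor’s account settings. If `framingAllowed` returns true for an untrusted parent origin, the fix is a `Content-Security-Policy: frame-ancestors` directive on the response (with `X-Frame-Options` for older browsers), not a change on the user’s side.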
The FBI suggests using high-security settings on all social-networking sites to avoid being hacked.
To deal with the problem of unauthorized access to digital communications, especially the risks linked to social-networking sites such as Twitter and Facebook, new, free software was released this month and is rapidly catching on within U.S. and allied intelligence agencies.
The software is called Scrambls. It automatically encrypts messages posted to social-networking sites through an add-on installed in the Web browser.
Once it is installed, all text between two @ signs is scrambled so that only the intended recipients can read it.
The software was developed by Wave Systems Corp. and is designed to help computer users regain control of messages posted to the Web and social-network sites.
One key feature is that using Scrambls allows users to take back messages that were sent, an option currently unavailable for most digital communications.
The company also hopes that the use of the technology will help protect children online by boosting the security of their conversations and communications.
At least one U.S. intelligence service is using the product, and another North American intelligence agency and one Asian service also are interested.
“Greater control enables greater use of social media,” said Michael Sprague, Scrambls co-creator.
“Post confidently, knowing your boss won’t see messages meant for high school friends, and permanent records of what you say online won’t come back to haunt you in the future.”
Scrambls uses key-based encryption: decryption keys are delivered to recipients through the browser plug-in, so messages posted on Facebook and Twitter are legible only to friends who have been given the decoding key.
The software is available from www.scrmbls.com