Controlling anti-social networking – a guide to blocking employees’ access to Facebook, MySpace and more.
Social networking has only gained popularity in the last three or four years, but it is generating the same concerns that instant messaging did at the start of the decade.
Viral marketing or virus?
Vulnerabilities and associated exploits are found on sites such as MySpace and Facebook with alarming regularity. Some rely on user naivety. One Facebook exploit, Koobface, relies on users following a link with an amusing title that offers a video download. The link takes them to a site instructing them to download ‘the latest version of Flash’ — which is actually a Trojan — in order to view the material. Similarly, MySpace has been targeted by malware writers leaving comments on users’ pages that promise videos but tell people to download fake codecs first; attacks of this kind frequently deliver worms aimed at both sites. Phishing mails masquerading as friend notifications from Facebook carry an image attachment that is actually a Trojan, and some of these lull suspicion by genuinely taking you to Facebook. Potentially more dangerous are exploits which require practically no action on the users’ part, save for visiting the site. It takes just five friends and an application form to become ‘a Facebook application developer’, and proof-of-concept malware has already been developed.
But most of your clients won’t be worrying about the danger of having their network taken over, although they may be calling you in to deal with virus attacks more often. They’re more likely to be concerned about the productivity and liability problems of having their employees using Facebook and MySpace indiscriminately. The temptation to ‘just log on for a quick look’ is second only to the temptation to stay.
Facebook in particular is a rat’s nest of status updates, social applications and conversational opportunities, and can suck in well-meaning employees who suddenly forget how long a lunch break is supposed to be.
The liability associated with ill-advised posts is also a problem. Inappropriate jokes posted from a client’s IP address could potentially backfire, but the potential for intellectual property violation is even worse. The terms and conditions on some Web sites are long, and increasingly draconian. Few if any of your clients will have read them, but security experts worry that those terms and conditions could taint a company that lets employees post information, in just the same way as adware T&Cs often taint users by providing unfettered access to everything from private surfing information through to a user’s machine.
Such concerns lead to the basic question: to block, or not to block? One obvious choice is to block everything vaguely social. In practice, you might find that this affects morale at your clients’ companies (although with the economy in its current state, reduced access is unlikely to be the last straw for anyone — who’s going to leave at this point?). Some people are also using social networking applications for valid work reasons. Practices such as networking with colleagues in other companies, and joining groups relating to work-based interests, are on the rise.
Use Web security gateways to easily apply access policies to a client’s whole employee base. Look for features such as URL filtering, content inspection and malware detection in these appliances, which are designed to be easily deployed and centrally managed. Unlike on many other sites, however, URL filtering is hard to make granular on social networking sites. You might block, say, the sports section of the BBC Web site while leaving the financial news intact. But the domain structure on sites like Facebook makes it difficult to block, say, specific sub-applications – especially as these services use AJAX technology to make Web pages more dynamic.
Even if you don’t want to choke off social network sites completely for all users, URL filtering has its benefits. Secure Computing’s Webwasher product lets administrators restrict URLs based on the identity of the person accessing them, for example. Access can be restricted according to groups in an LDAP-compatible directory such as Active Directory (maybe your clients’ HR department wants to access LinkedIn to check up on job applicants, but the board doesn’t want anyone else to surf there). Other features include the ability to permit access to sites only at certain times, such as weekends. System admins using the Webwasher appliance can also set manual override options that let users enter login credentials and get access to a site for an amount of time predetermined by the administrator.
The problem with social networking sites is that users want to get there – often quite badly. People may decide to subvert network protection measures to do so, if they feel that their right to Internet access is being unfairly denied. Anonymous proxies are a way for users to punch out to these sites without alerting gateway proxies to their real destination. Products including Sophos’s Web Security and Control appliance, and Secure Computing’s Webwasher, can spot and stop anonymous proxy use. These appliances keep an ever-growing list of anonymous proxies, as exchanged on message boards and other online hangouts.
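The policy logic the preceding three paragraphs describe – category-based URL filtering, exceptions for particular directory groups, time-of-day windows such as weekends, and a flat block on anonymous proxies – can be shown end to end in a few dozen lines. The following is an added example written for this article, not code from Webwasher, Sophos or any other product mentioned; the category feed, the group names, the hostnames (including the stand-in anonymous proxy) and the policy rules are all constructed. It also shows why Facebook sub-applications can’t be singled out: every apps.facebook.com URL lands in the same category, whereas a site with a static path layout can be refined by path.

```python
"""Group- and time-aware URL access policy, in the style of a Web security gateway.

Added illustration; not code from any product named in the article.  The category
map, group names, hostnames and policy rules are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed category feed, keyed by domain suffix.  A real gateway pulls this
# list (including the roster of known anonymous proxies) from the vendor.
DOMAIN_CATEGORIES = {
    "facebook.com": "social",
    "myspace.com": "social",
    "linkedin.com": "social",
    "bbc.co.uk": "news",
    "proxy-hideout.example": "anonymizer",   # stands in for a listed anonymous proxy
}
# Path refinement works on a site with a static URL layout ...
PATH_CATEGORIES = {("bbc.co.uk", "/sport/"): "sports"}
# ... but every Facebook sub-application lives under facebook.com, so the best a
# URL filter can do there is one category for the whole site.

WEEKEND = frozenset({5, 6})        # datetime.weekday(): 5 = Saturday, 6 = Sunday
ALL_DAYS = frozenset(range(7))

@dataclass(frozen=True)
class Rule:
    group: str                      # directory group the rule applies to; "*" = everyone
    category: str                   # URL category; "*" = any category
    action: str                     # "allow" or "block"
    days: frozenset = ALL_DAYS      # weekdays on which the rule is in force
    hours: range = range(0, 24)     # local hours during which the rule is in force

# Constructed policy: evaluated top to bottom, first match wins, no match = block.
POLICY = [
    Rule("*", "anonymizer", "block"),            # nobody tunnels past the gateway
    Rule("hr", "social", "allow"),               # HR may vet applicants on social sites
    Rule("*", "social", "allow", WEEKEND),       # everyone else: weekends only
    Rule("*", "sports", "block"),
    Rule("*", "news", "allow"),
    Rule("*", "*", "block"),
]

def categorize(url: str) -> str:
    """Longest-suffix match on the host, then an optional path refinement."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in DOMAIN_CATEGORIES:
            for (domain, prefix), cat in PATH_CATEGORIES.items():
                if domain == suffix and parts.path.startswith(prefix):
                    return cat
            return DOMAIN_CATEGORIES[suffix]
    return "uncategorized"

def decide(user_groups, url: str, when: datetime):
    """Return (action, category) for a request by a user in the given directory groups."""
    category = categorize(url)
    for rule in POLICY:
        if rule.group != "*" and rule.group not in user_groups:
            continue
        if rule.category != "*" and rule.category != category:
            continue
        if when.weekday() not in rule.days or when.hour not in rule.hours:
            continue
        return rule.action, category
    return "block", category

# Two constructed timestamps: a Wednesday morning and a Saturday morning.
WORKDAY = datetime(2008, 10, 15, 11, 0)
WEEKEND_DAY = datetime(2008, 10, 18, 11, 0)

if __name__ == "__main__":
    for groups, url, when in [
        ({"staff"}, "https://www.facebook.com/home.php", WORKDAY),
        ({"staff"}, "https://apps.facebook.com/some-game/", WEEKEND_DAY),
        ({"hr"}, "https://www.linkedin.com/in/applicant", WORKDAY),
        ({"hr"}, "http://proxy-hideout.example/browse.php?u=facebook.com", WEEKEND_DAY),
        ({"staff"}, "http://news.bbc.co.uk/sport/football/", WORKDAY),
    ]:
        print(sorted(groups), url, when.strftime("%a %H:%M"), "->", decide(groups, url, when))
```

The first-match ordering matters: the anonymizer rule sits above every allow so that a weekend exception for social sites never opens a route around the gateway.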
URL filtering can also stop some malware delivery vectors. The use of IFRAME and IMG tags to point to malicious content on other sites means that browsers will make GET requests to those other domains. URL filtering services can be programmed with blacklists, but the best ones maintain a remotely updated list of known offenders, so that when an innocent visit to a social network page prompts a GET request to a Chinese malware server, the user will stand a better chance of being protected.
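To make the point above concrete, here is an added example (written for this article, not any vendor’s filtering engine) that does the content-inspection half of the job: it parses a fetched page, resolves every IFRAME, IMG and SCRIPT source to an absolute URL, and marks the ones a gateway should refuse to fetch because their host is on a blocklist. The blocklist, the page URL and the sample HTML are constructed; it also flags a 1×1 frame, since an invisible frame on a profile page is a common sign that a comment was planted to pull in content from elsewhere.

```python
"""Flag third-party IFRAME/IMG/SCRIPT references on a page against a blocklist.

Added example of the content-inspection step; not a vendor's engine.  The
blocklist, page URL and sample HTML are constructed for the illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed list of known-bad domains.  A real gateway refreshes this from a
# remotely maintained feed rather than relying on a hand-typed blacklist.
BLOCKLIST = {"malware.example", "bad-cdn.example"}

class ResourceCollector(HTMLParser):
    """Collect the URLs a browser would fetch while rendering the page."""
    TAGS = {"iframe": "src", "img": "src", "script": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []          # (tag, absolute URL, attribute dict)

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr_name)
        if value:
            # urljoin resolves relative and scheme-relative ("//host/x") references
            self.refs.append((tag, urljoin(self.base_url, value), attrs))

def host_blocked(host):
    """True when the host is a listed domain or any subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def inspect_page(page_url, html):
    """One finding per resource; 'blocked' marks GETs the gateway should refuse."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for tag, url, attrs in collector.refs:
        host = (urlsplit(url).hostname or "").lower()
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        findings.append({
            "tag": tag,
            "url": url,
            "third_party": host != page_host,        # served from a different host than the page
            "hidden": tag == "iframe" and tiny,      # 1x1 frames are a classic drive-by indicator
            "blocked": host_blocked(host),
        })
    return findings

def blocked_urls(page_url, html):
    """Sorted list of resource URLs whose host is on the blocklist."""
    return sorted(f["url"] for f in inspect_page(page_url, html) if f["blocked"])

# Constructed sample: a profile page where a planted comment carries a hidden
# frame and a 'codec' script, both hosted on domains from the blocklist.
PAGE_URL = "http://www.social.example/profile/12345"
SAMPLE_HTML = """
<html><body>
<p>Check out my holiday pics!</p>
<img src="/photos/1.jpg">
<img src="http://cdn.social.example/photos/2.jpg">
<iframe src="http://malware.example/load.php" width="1" height="1"></iframe>
<script src="//bad-cdn.example/fakecodec.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in inspect_page(PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Note that the check is on the resolved host, so a scheme-relative `//bad-cdn.example/...` reference is caught just as a fully qualified one is, and subdomains of a listed domain are treated as listed.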
Internet Explorer 8 and Google’s new Chrome browser run in multiple processes to improve security, and Chrome promises more security by putting each browser tab in a separate process (IE8 only does this after a tab has crashed and been reloaded). Chrome also has a sandboxed environment that uses the process token feature in both Vista and XP to apply a token to each instance of the rendering engine, restricting that rendering engine’s access to system-level resources through Windows security.
Again, on Vista, Chrome uses protected mode so the token for each browser tab stops it writing to a process with a higher integrity level. When the new browsers mature, you can use Group Policy to stipulate your preferred browser, but that’s not advisable while they’re still in beta and alpha release respectively.
An alternative is to virtualise existing browsers. Altiris (now owned by Symantec) offers Software Virtualisation Solution (SVS), which inserts a ‘shim’ between the operating system and installed applications. Apps write to a virtual registry and file system, protecting the underlying operating system from unauthorised changes. If and when a browser is compromised by malware delivered via a social networking system, it can simply be reset, either by the user or from a central console: the compromised copy is removed from the system and replaced with a fresh one.
Layers of security
With SVS, you put the management server at your location and remotely manage your clients’ desktops. Operating an appliance remotely is similarly easy. Configure the rules on the router in the client’s office to point to the gateway Web security appliance in your office as a proxy. The appliance filters incoming Web traffic before it reaches your client’s router, essentially turning your office into a demilitarised zone (DMZ) for your clients.
However, filtering for different clients’ domains on a single appliance may be more difficult, depending on the appliance you’re using. The main problem is the routing of the traffic. Astaro, which offers the Astaro Web Gateway Web filtering system, supports remote subnets. The quick and easy way to support multiple subnets on the same box is to set up a VPN between the appliance and each office. However, that would still need low-end boxes at the customer site to act as VPN endpoints.
In many cases, such deployments are not officially supported. The Sophos appliance is a 1U rack system specifically designed for on-site deployment, for example. Technically, it could be deployed at a central remote site but the company would have to negotiate a new licensing scheme for it, and traffic routing would need to be managed carefully to avoid different clients seeing each other’s packets. If budgets allow, you can install an appliance at each customer site, and manage them remotely; Astaro offers a free management tool, Command Center. A more elegant solution might be to use a virtual appliance for each customer, many of which can be deployed on the same server. This would solve the routing problem altogether, and make central management easier. Astaro’s Web security gateway can be installed in this way, using VMware as a platform. It is licensed by the number of users.
Central blocking of all clients using an appliance at the network gateway may stop embedded Web page and application attacks, but with social network exploits constantly evolving, it becomes difficult to guarantee protection. Using a gateway may work for people in the office, but unless you can force laptop users to connect via your proxy when they’re using the machine at home on the weekend, it won’t provide total protection. It is possible to use Group Policy settings in Windows Server 2003 to remove the Connections tab from the endpoint’s Internet Options, which would effectively enforce predefined proxy settings and point the laptop at a chosen proxy server wherever it is.
A defence-in-depth approach, in which you apply layered security measures at various points in the network, is the best method of protection. Critical Software, which provides a Web security gateway called iCritical, scans for malware at the gateway. All reputable Web security gateway vendors do (and Gartner has stipulated URL filtering, malware protection and content inspection as basic requirements of any such product). Nevertheless, Critical Software also recommends installing the NOD32 Anti-virus product, from Eset, on the desktop. Like many antivirus products today, it uses heuristic analysis rather than simply relying on signature-based scans to protect the endpoint.
Secure your relationship
Another option for monitoring incoming Web traffic is to use the growing number of cloud-based Web filtering services, eliminating the need for capital expenditure on equipment and protecting remote users too. These are often available through the channel, with the requisite margins. Websense, like Critical Software and MessageLabs, offers an on-demand service. The company sells Websense Hosted Web Security on a per-seat, per-year basis through channel partners.
The danger here is that small businesses will simply opt for a direct relationship with vendors who offer security as a service. The way around that is to sell social network management as part of a holistic security strategy, focusing equally on the need for outbound information control and incoming filtering. Web security filters are largely focused on incoming content analysis, but businesses may want to stop unauthorised information being posted to Web sites using tools for endpoint data leak prevention. McAfee’s Total Protection for Data product can be programmed to recognise when data from a confidential document is copied to the clipboard, making it impossible for clients to post that information to their Facebook pages, for example, and Trend Micro has a similar tool.
FaceTime, which sells the Unified Security Gateway, emphasises the two-way nature of the system. The basic box filters incoming traffic, but it is possible to include sidecar modules that impose data leak prevention measures on outgoing information. These use PreciseID, a technology which allows administrators to ‘fingerprint’ documents and use fuzzy matching, going beyond simple keyword definitions.
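The difference between fingerprinting and keyword matching is easiest to see in code. The example below is added for this article and is a generic word-shingle approach, not PreciseID or any FaceTime, Websense or McAfee code: each confidential document is reduced to a set of hashes of overlapping five-word windows, the registry keeps only those hashes, and an outbound post is scored by how much of it is made up of windows that came from a registered document. A post that lifts a sentence, reformats it and adds its own words still scores high, which is the ‘fuzzy’ property the article describes. The confidential document and the two posts are constructed.

```python
"""Document fingerprinting for outbound data leak prevention.

Added example of the fingerprint-then-fuzzy-match technique; a generic
word-shingle approach, not PreciseID or any vendor's code.  The document
and the outbound posts are constructed for the illustration.
"""
import hashlib
import re

SHINGLE_WORDS = 5      # window length: shorter catches more, at the cost of false positives

def tokens(text):
    """Lower-case word tokens with punctuation stripped, so formatting changes don't defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text):
    """Hashes of every SHINGLE_WORDS-word window; the registry stores these, never the text."""
    words = tokens(text)
    shingles = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        shingles.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return shingles

class FingerprintRegistry:
    def __init__(self):
        self.docs = {}                      # document name -> shingle hashes

    def register(self, name, text):
        self.docs[name] = fingerprint(text)

    def scan(self, outbound):
        """[(document, share)] where share is the fraction of the post's windows found in that document."""
        out = fingerprint(outbound)
        if not out:
            return []
        hits = []
        for name, fp in self.docs.items():
            common = len(out & fp)
            if common:
                hits.append((name, common / len(out)))
        return sorted(hits, key=lambda h: h[1], reverse=True)

def verdict(registry, outbound, threshold=0.3):
    """'block' when a registered document accounts for at least `threshold` of the post, else 'allow'."""
    hits = registry.scan(outbound)
    over = [h for h in hits if h[1] >= threshold]
    return ("block", over) if over else ("allow", hits)

# Constructed confidential document and two constructed outbound posts.
CONFIDENTIAL_DOC = (
    "Project Falcon budget: the board has approved four million pounds for the "
    "acquisition of Example Ltd, with completion targeted for the second quarter "
    "of next year. Do not distribute outside the executive team."
)
POST_LEAK = ("Big news at work: the board has approved four million pounds for the "
             "acquisition of Example Ltd!!! Can't wait.")
POST_OK = "Having lunch with the team, back in an hour."

def build_registry():
    reg = FingerprintRegistry()
    reg.register("falcon-budget", CONFIDENTIAL_DOC)
    return reg

if __name__ == "__main__":
    reg = build_registry()
    for post in (POST_LEAK, POST_OK):
        print(verdict(reg, post), "<-", post)
```

The score is the share of the post, not of the document, because a leak is usually a short excerpt of a long file; measuring against the document would let a single pasted paragraph slip under any sensible threshold. Storing only truncated hashes also means the registry on the gateway does not itself become a second copy of every confidential file.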
It nevertheless gets difficult to block everything inappropriate that a user might want to post. This comes down to basic common sense. Putting something in the employee handbook explaining what constitutes sensible use of a social networking system (or indeed any electronic communications mechanism) is a must, and will also protect your clients from liability issues down the line. Using appliances such as FaceTime’s, which provide the option to display end-user disclaimers, can help strengthen your clients’ legal position by proving that they’re taking active steps to remind users of what they should and shouldn’t post online.
Ultimately, protecting your clients against the dangers of social networking comes down to a mixture of judiciously applied technology and common sense. The need for user education shouldn’t be underestimated, and a training course for your clients can be justified on both legal liability and security grounds. Using a combination of these tools should help you protect your clients and make a healthy margin into the bargain.
Blocking Facebook altogether can be just as counterproductive in productivity and morale terms as leaving it on. WorkLight, which sells technologies designed to make in-house applications available through social media channels, has tried to find a compromise. Its WorkBook product makes an internal collaboration application available through the Facebook interface, without exposing that information to Facebook or its other users.
The product is accessed like any other Facebook application, but it is run behind a firewall and hosted by the user (or, perhaps in this case, your company, on their behalf). That means that the application is safe (although you couldn’t say that for the rest of Facebook).
Once logged in, your clients can see a news feed highlighting activities and comments from the rest of their team. The Time Report function is a feature of the WorkBook application, and the groups are also hosted on the WorkBook server, rather than by Facebook itself. Only colleagues get to see information pertaining to the team.
Users join internally hosted groups for team discussions. This makes it possible for your clients to conduct private, sensitive discussions without worrying about Facebook’s privacy issues.
Updating your profile in this application stores the information on the WorkLight server, so that Facebook users don’t get to see it.
Further reading
‘Satan is on my Friends List’ talk from BlackHat 2008: using social networking attacks to compromise a client and co-opt it into a botnet.
Astaro Web Gateway
Software Virtualisation Solution Professional
McAfee Total Protection for Data
Unified Security Gateway
Secure Computing Webwasher
Sophos Web Security and Control
Discussion of social network attacks using password resets
Design document for the Chromium sandbox
Discussion of sandbox security in the Google Chrome browser
Explanation of protected mode and integrity levels in Windows Vista
List of social networking applications in FaceTime’s ‘Greynets Guide’