White House backing could leave social media sites more vulnerable

Users will grow too trusting unless the administration alerts them to the risk of cyberattacks, security experts say.

The Obama administration is right to embrace social media, but should do more to educate users on the risk of cyberattacks such as the one that shut down the messaging service Twitter on Thursday, according to security experts.

The administration's endorsement of social media could give the public a false sense of security, said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team.

"Everyone has this inherent trust for the president and his team's messages," he said. "They're going to click on the links and inevitably pollute systems."

The hackers who crashed Twitter and slowed the social networking site Facebook on Thursday launched a denial-of-service attack, bombarding the sites with more traffic than they could serve in an effort to force them offline. At the same time, a new wave of a malicious computer worm began to send unique Twitter messages, or Tweets, that tricked Windows users into downloading malicious software from a Facebook look-alike page, according to the computer security portal Viruslist.com. The worm, known as Koobface, and its variants were behind attacks on Twitter in June and on Facebook multiple times in 2008.

Social media sites also are susceptible to spear phishing, in which hackers send targeted messages masquerading as notices from legitimate organizations or people, expecting users to click on a link that installs malicious software or to hand over financial information. They are also susceptible to SQL injection, which attacks the database layer of a Web application: insecure code pastes user-supplied input directly into a database query, so a crafted input becomes part of the query and the database executes commands the developer never intended.
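To make the SQL injection mechanism concrete, here is an added example (not code from the article or from any site it mentions) showing the insecure pattern next to the fix. It uses an in-memory SQLite table with constructed sample rows and a hypothetical profile-lookup function: the vulnerable version builds the query by string formatting, the safe version passes the input as a bound parameter so the database never treats it as SQL.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Insecure: the username is spliced into the SQL text, so quotes in the
    input end the string literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Fixed: '?' is a bind parameter. The driver sends the value separately
    from the query text, so a quote in the input is just data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A constructed malicious input: closes the quoted string and appends
    # a condition that is always true.
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every user is returned
    print("safe:      ", lookup_safe(db, payload))        # no user named x' OR '1'='1
```

The same payload dumps every row through the string-formatted query and returns nothing through the parameterized one; the fix is to bind parameters everywhere, rather than trying to filter quote characters out of input.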

"The theory is that technology is a wonderful enabler," Kellermann said. "But to assume and presume the Internet is a secure environment is foolhardy. This is a hostile environment, and if you're going to push citizens to rely on that [environment] to get messages from you, there better be leadership in place to manage the risk."

According to Kellermann, the government must not only step up educational efforts, but also conduct more thorough assessments of cyber risks to identify and mitigate vulnerabilities. Federal chief information and chief technology officers are too focused on granting increased access to services and are not backing up chief information security officers, he added.

Federal agencies that use the sites to share information with constituents also risk becoming targets of hackers seeking to disrupt such communications. That was the scenario in Thursday's cyberattacks, said Max Kelly, chief security officer at Facebook; Google's blog publishing tool was also among the applications targeted. Kelly told CNET News that the goal of the attack was to silence a Georgian blogger with accounts on the social networking sites.

Amit Yoran, chairman and chief executive officer of security software company NetWitness and former director of the Homeland Security Department's national cybersecurity division, agreed that social media applications introduce vulnerabilities, but said the government must use collaborative Web 2.0 technologies to keep up with industry.

"Social media techniques add an additional path by which systems can be infected; they also allow attackers to much more accurately target victims using more aggressive methods," Yoran said. "[But] at the end of the day, systems are going to be compromised and polluted with or without social media. Banning them will not solve this dilemma, but only lull us into complacency."

White House spokesman Nick Shapiro noted in an e-mail to Nextgov that the Obama administration believes "social media networks are an important and powerful tool for communicating with the American people and the rest of the world." He also said cybersecurity is a major priority for the president, pointing to the White House review of cybersecurity policies and programs, and Obama's promise to appoint a cybersecurity coordinator who will have direct access to the president. While the individual has yet to be named, Shapiro said a rigorous selection process is well under way.

"The use of social network services has become a normal business practice in the corporate world and government needs to follow this example," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "There are security concerns, but they can be dealt with and the productivity benefits justify the effort."