ENISA: a report on Social Networking Spam

A number of recent news items about security and spam have pointed me to ENISA, the European Network and Information Security Agency. Among the many documents worth reading that this agency has produced, I had the pleasure of finding a position paper dated October 2007 on Social Networking Spam. This is a growing phenomenon, consisting of using "friend of a friend" mechanisms to propagate spam and phishing messages.

This important threat is covered in depth in the study, titled "Security Issues and Recommendations for Online Social Networks", which deals with the problems SN spam can produce and provides a number of recommendations for addressing it. The main problems (mostly the same as in email spam), according to the study, are:

  • Traffic overload.
  • Loss of trust or difficulty in using the underlying application.
  • Phishing and diversion to pornographic sites.
  • One risk specific to SNs is that, because profiles are created specifically for spamming, and Sybil attacks (a type of reputation attack) on spam protectors involve the creation of large numbers of false profiles, the SNs can become 'diluted' by fake profiles, which reduces their value to legitimate users.

The recommended countermeasures are:

  • Rec. SN.1 Encourage awareness-raising and Educational Campaigns - Educate users about what is licit to do in SNs and what the threats to their privacy are.
  • Rec. SN.5 Promote Stronger Authentication and Access-control where appropriate - to avoid mass/automated-subscription by spammers.
  • Rec. SN.7 Maximize Possibilities for Reporting and Detecting Abuse - enable easy reporting of spam abuses.
  • Rec. SN.8 Set Appropriate Defaults - in order to avoid easy collection of users' data, and to provide a first line of defense.
  • Rec. SN.10 Encourage the use of Reputation Techniques - reputation has been effectively employed against email and web spam. You may filter out messages and invitations from less trusted users.
  • Rec. SN.11 Build in Automated Filters - as those used in email spam.
  • Rec. SN.14 Provide more Privacy Control over Search Results - users should be able to easily decide what will be seen in their profile and their postings.
  • Rec. SN.15 Recommendations for Addressing SNS Spam - in short, just another recommendation of using anti-web spam techniques.
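
Rec. SN.5, SN.10 and SN.11 above amount to checks a platform can run on signals it already holds. The following Python is an added example, not code from the ENISA paper or from this blog: it scores each invitation sender from account age, the acceptance rate of past invitations and abuse reports, quarantines invitations from low-reputation or unknown senders, and counts registrations per time window to spot mass/automated subscription. The Profile and Invitation types, the weights, the 30-day ramp, the 0.3 threshold and all sample accounts, messages and timestamps are constructed for the example and are not from the report.

```python
"""Added example (not from the ENISA paper or the blog): a reputation-based
invitation filter (Rec. SN.10 / SN.11) plus a registration-burst check
(Rec. SN.5). All profiles, invitations and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Profile:
    user_id: str
    created_at: datetime
    invites_sent: int = 0
    invites_accepted: int = 0
    abuse_reports: int = 0


@dataclass
class Invitation:
    sender: str
    recipient: str
    message: str = ""


def reputation_score(p: Profile, now: datetime) -> float:
    """Trust score in [0, 1] built from signals the platform already holds.

    The weights, the 30-day age ramp and the per-report penalty are assumptions
    chosen for illustration, not values from the ENISA paper."""
    age_days = max((now - p.created_at).total_seconds() / 86400.0, 0.0)
    age_component = min(age_days / 30.0, 1.0)          # full credit after 30 days
    if p.invites_sent == 0:
        accept_component = 0.5                           # no history yet: neutral
    else:
        # Laplace smoothing so one accepted invite does not yield a perfect rate
        accept_component = (p.invites_accepted + 1) / (p.invites_sent + 2)
    report_penalty = min(0.25 * p.abuse_reports, 1.0)    # four reports zero the score
    score = 0.4 * age_component + 0.6 * accept_component - report_penalty
    return max(0.0, min(1.0, score))


def filter_invitations(invites, profiles, now, threshold=0.3):
    """Split invitations into (delivered, quarantined).

    Senders below the threshold, or with no known profile record, are quarantined
    for review rather than dropped, so a false positive stays recoverable."""
    delivered, quarantined = [], []
    for inv in invites:
        p = profiles.get(inv.sender)
        if p is None or reputation_score(p, now) < threshold:
            quarantined.append(inv)
        else:
            delivered.append(inv)
    return delivered, quarantined


def max_creations_in_window(profiles, window_minutes=10):
    """Largest number of profiles created inside any window of the given length
    (sliding window over sorted creation times). A high value is the
    mass/automated-subscription pattern Rec. SN.5 wants to make harder."""
    window = timedelta(minutes=window_minutes)
    times = sorted(p.created_at for p in profiles.values())
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


# --- constructed sample data -------------------------------------------------
NOW = datetime(2007, 10, 15, 12, 0)
SAMPLE_PROFILES = {
    "alice": Profile("alice", datetime(2007, 1, 10), 40, 35, 0),
    "newbie": Profile("newbie", NOW - timedelta(days=2)),
    "spam_bot_01": Profile("spam_bot_01", NOW - timedelta(hours=1), 500, 3, 12),
}
# 25 accounts registered 10 seconds apart: a Sybil-style registration burst
for i in range(25):
    uid = f"bot_{i:02d}"
    SAMPLE_PROFILES[uid] = Profile(uid, NOW - timedelta(minutes=30, seconds=-10 * i))

SAMPLE_INVITES = [
    Invitation("alice", "bob", "Long time no see, add me back?"),
    Invitation("spam_bot_01", "bob", "Click here for free stuff!!!"),
    Invitation("newbie", "bob", "Hi, we met at the conference"),
    Invitation("unknown_99", "bob", "???"),   # sender with no profile record
]

if __name__ == "__main__":
    delivered, quarantined = filter_invitations(SAMPLE_INVITES, SAMPLE_PROFILES, NOW)
    for inv in delivered:
        score = reputation_score(SAMPLE_PROFILES[inv.sender], NOW)
        print(f"deliver    {inv.sender:12s} score={score:.2f}")
    for inv in quarantined:
        p = SAMPLE_PROFILES.get(inv.sender)
        score = f"{reputation_score(p, NOW):.2f}" if p else "no profile"
        print(f"quarantine {inv.sender:12s} score={score}")
    print(f"max registrations in any 10-minute window: "
          f"{max_creations_in_window(SAMPLE_PROFILES)}")
```

The threshold is the trade-off to watch: a two-day-old account with no invitation history scores about 0.33, so a threshold of 0.3 still lets it reach the recipient, while an hour-old account with hundreds of unanswered invitations and a dozen abuse reports scores 0 and is held. Quarantining instead of silently dropping keeps Rec. SN.7 workable, since a held invitation can still be reported or released, and the registration-window count is the kind of signal that justifies stronger authentication (Rec. SN.5) only when the rate is anomalous rather than for every signup.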

A final note. Since 2006, there have been specific spamming programs like Friend<>Bot (I will not link this one; remove "<>" and search Google; they will not have my keyword or link).
