Facebook, Twitter fail latest security assessment

Powered by SC Magazine

Lack of SSL authentication a major drawback.

A nonprofit security think-tank's 'report card' has failed Facebook and Twitter for neglecting to implement safeguards that are available on other popular online services.

Digital Society recently doled out grades for the security of a number of widely-used online services, including Facebook, Twitter, Gmail and Hotmail.

The services were graded on whether they use full Secure Sockets Layer (SSL) protection and whether they are susceptible to attacks that can expose users' credentials or authentication cookies.

Of the services graded, Facebook and Twitter came out at the bottom, both receiving the lowest grade of 'F'.

The most pressing security problem affecting the social networking sites is that they do not use SSL authentication, a means of verifying the site's identity to users through visual cues such as a padlock or 'HTTPS' in the website URL, George Ou, policy director at Digital Society, told SCMagazineUS.com.

“They are not verifying to users who they are before they ask for a username and password,” Ou said.

As a result, attackers can create a fake Facebook or Twitter login page that is indistinguishable from the real thing and trick users into handing over their credentials, he added.

Moreover, neither Facebook nor Twitter uses end-to-end encryption to safeguard users' sessions, leaving them vulnerable to an attack known as 'HTTP session hijacking', in which an attacker steals a user's authentication cookie to take over the account, Ou said.

The danger of unencrypted websites garnered widespread attention late last month with the release of a free tool called Firesheep. The Firefox web browser plug-in lets anyone scan open Wi-Fi networks and hijack accounts belonging to sites such as Twitter and Facebook. Since its release, the extension has been downloaded more than 600,000 times.
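As an added illustration that is not part of the SC Magazine article, the check below evaluates a captured login response against the two criteria the report card describes: whether the page was served over HTTPS and whether the session cookie could travel in the clear to an eavesdropper on open Wi-Fi. The response records, the Strict-Transport-Security check and the cookie-attribute checks are my own assumptions; the article does not describe Digital Society's exact method.

```python
"""Flag transport and session-cookie weaknesses of a captured login response.

The Response records below are constructed samples, not real captures.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Response:
    url: str                                   # URL the login page was served from
    headers: dict = field(default_factory=dict)  # response headers (name -> value)
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie header values


def findings(resp: Response) -> list:
    """Return the conditions that would let an on-path attacker read or
    replay the session cookie, or that leave the site's identity unverified."""
    issues = []
    if not resp.url.lower().startswith("https://"):
        issues.append("login page served over plain HTTP: site identity is not authenticated")
    if "Strict-Transport-Security" not in resp.headers:
        issues.append("no HSTS header: a later visit can be downgraded to http://")
    for raw in resp.set_cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # SimpleCookie stores flag attributes as True when present, "" otherwise
            if not morsel["secure"]:
                issues.append(f"cookie {name} lacks Secure: sent in the clear over http://")
            if not morsel["httponly"]:
                issues.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return issues


def session_protected(resp: Response) -> bool:
    """True only when none of the weaknesses above is present."""
    return not findings(resp)


# Constructed samples: a plain-HTTP login and the same login hardened.
PLAINTEXT_LOGIN = Response("http://www.example.com/login", {}, ["sid=abc123; Path=/"])
HARDENED_LOGIN = Response(
    "https://www.example.com/login",
    {"Strict-Transport-Security": "max-age=31536000"},
    ["sid=abc123; Path=/; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for label, resp in (("plaintext", PLAINTEXT_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, "protected" if session_protected(resp) else "\n  - ".join([""] + findings(resp)))
```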

A Facebook spokesman told SCMagazineUS.com in an email that the site recently has implemented a number of safeguards and is working to further improve security.

“We appreciate Digital Society raising awareness about the dangers of surfing over unsecured networks, and we have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” a company spokesman said. “However, the report fails to include many important security metrics that place Facebook as a leader in this industry and doesn't even mention many of the unique security features we offer to make accounts more secure.”

Those security features include login notification, remote session management, one-time passwords, and internal spam prevention systems, the spokesman said.

A Twitter spokeswoman said the microblogging service takes security seriously but does not have a comment on Digital Society's report card.

Meanwhile, in Digital Society's assessment, Gmail received an 'A' grade for implementing safeguards, such as SSL authentication and browsing.

Hotmail, on the other hand, received a 'D-' grade. Security issues on the webmail service could allow an attacker to view every message a user has received and sent, or to send messages on behalf of a user, Ou said.

Microsoft, however, plans to upgrade the security of Hotmail by enabling SSL browsing, he said.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition