Proactive IT Security

Communication consolidation or security nightmare

Introduction

In recent months there have been many rumors about the upcoming email system closely integrated with Facebook. Facebook has recently disclosed more details about it, and we will examine some aspects of the new offering.

The system

Overview

The main advantage of the system is that as many communication methods as possible become available and accessible from one place.

This obviously has its attractions. It is, for example, not uncommon to search among your instant messages for a message received from a friend, only to find that it arrived as an email. Melting all your electronic communication channels together into one smooth and seamless view will be a convincing factor for Facebook users.

Facebook describes the new system in an overview as illustrated by the image below:


More about the new communication systems in Facebook

The most important functions in Facebook's new messaging system are:

  • all types of messages will be available from the same place,
  • the conversation history between you and another person is viewed as one single conversation,
  • you may get your own new email address in the format 'public facebook username'@facebook.com,
  • emails are delivered directly to your Facebook messaging system, and your outgoing emails are formatted as Facebook messages, including your name and profile photo,
  • you may set up email filtering in such a way that only friends (and optionally friends' friends) can send you messages,
  • integration with the Short Message Service (SMS) used for mobile phone communication
    [a system which has even more users than Facebook, in the range of 2.5 billion],
  • the possibility to attach files to your messages,
  • group conversations, where people added at a later point in time may view all previous group conversations,
  • messages are ordered by person/group, not by date or subject,
  • applications can request to send you messages (you must accept these requests).

The new communication system has not yet been rolled out to all of Facebook's half a billion users. However, Facebook has now opened up requests for an invitation to try the new system.

More details are available from Facebook's overview.

A general consideration

In our security article from May last year - The death of a killer application? - we discussed the fact that spam was becoming such a big problem that it threatened email as a communication method. We ended the article with the following statement:

If someone comes up with a system that solves the issues discussed above, he/she has given birth to a new killer application.

It can hardly be disputed that Facebook itself must be considered a killer application. Whether the upcoming messaging system in Facebook will be considered as such is more dubious.

Facebook should be credited for approaching the issues with several different communication channels and attempting to come up with a solution. Whether this solution solves the many problems is not evident. One possible way to view Facebook's new messaging system is that it incorporates the problems of several existing communication methods into one system. This in itself does not eliminate the inherent problems of the integrated methods.

Facebook's motivation

We have no inside information about Facebook's motivation for offering this new messaging system. We can, however, speculate.

One reason is most likely to provide a community that offers all the types of communication technology that ordinary users feel they need. That way, users only have to deal with the Facebook environment and need not engage with any of the "competing" technologies available on the Internet. Speculation that Facebook's new messaging system is a Gmail killer falls in this category.

When a user decides to engage fully in the communication system that Facebook offers, he may find it very awkward to stop using one or all of these messaging technologies at a later point in time. Changing these types of addresses and informing all potential future communication partners is not a small task. The new messaging system will thus bind the user even more tightly to the Facebook environment.

Facebook's most valuable asset is the information about users (in a broad sense) that engage in the Facebook community. More data about each user and more users imply more value for Facebook. The new messaging system may facilitate this.

Security implications

Old tricks, new wrapping

In several of our security articles over the years, we have pointed to the following fact: whenever new communication channels and devices appear, the security mechanisms that we are used to deploying with existing communication types are not automatically (adapted and) transferred to the new channel. This was in particular the topic of our article about Facebook more than two years ago - Facebook - an increasingly popular spreading vector for malware. We then concluded that

We must learn to distinguish better between the legitimate and the illegitimate message - regardless of the medium used to display the message.

Facebook's new system is primarily a new method for displaying and organizing messages of various types. The techniques used by cybercriminals to spread malware and spam, trick you into visiting Internet resources with malicious or offensive content, and manipulate you into parting with personal information, remain the same.

Our two-year-old caveat above still stands, and is important to keep in mind for Facebook users who are going to use the new messaging system that Facebook offers.

Email filtering option

The new email system from Facebook has filtering mechanisms which, for example, can be tuned so that only approved "friends" are allowed to send you emails. Our guess, however, is that this filtering mechanism will not be used much, at least by those who want to use Facebook as one of their "normal" email accounts. It will turn out to be too cumbersome to maintain this type of "whitelisting" for ordinary email communication.
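To make the trade-off concrete, here is an added example (not Facebook's code, and not based on any knowledge of how Facebook implements the feature) of a sender allow-list filter with the two modes described above: friends only, or friends plus friends' friends. The friend graph, user names and messages are constructed for illustration; the `extra_allowed` set is an assumption that models the manual whitelist entries an ordinary email user would have to keep adding for every non-Facebook correspondent.

```python
"""Sender allow-list filter modelled on the friends / friends-of-friends option.

Constructed example: the friend graph, names and messages below are invented
and are not Facebook data or Facebook code.
"""
from dataclasses import dataclass, field

# Constructed friend graph: user -> set of that user's friends.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob"},
    "eve": set(),
}


@dataclass
class FilterPolicy:
    """Filtering configuration for one mailbox owner."""
    owner: str
    allow_friends_of_friends: bool = False
    # Hypothetical manual whitelist for senders outside the friend graph,
    # e.g. ordinary email contacts; every new correspondent needs an entry.
    extra_allowed: set = field(default_factory=set)


def friends_of(user):
    """Friends of `user`, or an empty set for an unknown sender."""
    return FRIENDS.get(user, set())


def is_friend_of_friend(owner, sender):
    """True if `sender` is a friend of at least one of `owner`'s friends."""
    return any(sender in friends_of(f) for f in friends_of(owner))


def sender_allowed(policy, sender):
    """Return True if a message from `sender` should reach `policy.owner`."""
    if sender == policy.owner or sender in friends_of(policy.owner):
        return True
    if sender in policy.extra_allowed:
        return True
    if policy.allow_friends_of_friends and is_friend_of_friend(policy.owner, sender):
        return True
    return False


def apply_filter(policy, messages):
    """Split (sender, text) pairs into (delivered, rejected) lists."""
    delivered, rejected = [], []
    for sender, text in messages:
        bucket = delivered if sender_allowed(policy, sender) else rejected
        bucket.append((sender, text))
    return delivered, rejected


# Constructed inbound messages for alice: a friend, a friend's friend,
# and an unknown sender.
SAMPLE_MESSAGES = [
    ("bob", "Lunch tomorrow?"),
    ("dave", "Bob gave me your address, are you coming to the party?"),
    ("eve", "Please verify your account by clicking this link."),
]

if __name__ == "__main__":
    for fof in (False, True):
        ok, dropped = apply_filter(FilterPolicy("alice", fof), SAMPLE_MESSAGES)
        print(f"friends-of-friends={fof}: delivered={[s for s, _ in ok]} "
              f"rejected={[s for s, _ in dropped]}")
```

With friends-only, dave's message is rejected along with eve's; enabling friends-of-friends lets dave through while eve, who has no path into alice's graph, is still dropped. The maintenance burden the article predicts shows up in `extra_allowed`: any legitimate external contact, such as a colleague who is not on Facebook, must be added by hand before their first message is delivered.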

Attachments

In line with the way email systems are used, Facebook's email system (obviously?) also allows attachments. This in itself is no more dangerous than attachments in any other email system. On the other hand, problems may arise when or if some users lower their automatic defenses against attachments received in an environment (Facebook) that has traditionally been perceived as safe.

We would expect that a new flood of email scams directed at Facebook users will arrive when the new system has been rolled out.

Facebook applications

Recent studies indicate that some authors of Facebook applications have malicious activity as their main motivation. One may presume that the new Facebook setup will encourage such activity even further, as it may make it easier to trick users into opening e.g. malicious URLs in messages created by Facebook applications.

Information abuse

The more information that exists in one place, the more dangerous it is if the information gets into the wrong hands. And the more tempting it is for criminals to try to get this information.

Since Facebook's new messaging system implicitly encourages gathering more information, each and every Facebook account will be a more tempting target for cybercriminals. The same applies for trying to find security vulnerabilities in Facebook's systems in general.

One may expect that malicious activities directed against Facebook will rise.

Conclusion and recommendations

Our security article from April this year - The pros and cons of using Facebook as THE device for communication and work - discussed some aspects of Facebook, including the "all eggs in one basket" problem.

This issue is even more relevant considering the upcoming messaging system. If your Facebook credentials are compromised (by whatever means; the techniques available are beyond the scope of this article), all your communication channels are endangered simultaneously. Using different, not interwoven, communication channels for different types of communication ensures that even if one communication method is compromised, the others may remain safe.

However, the advantages of combining communication channels in one place are obvious, and we presume that systems to accomplish this will continue to appear and evolve. This includes communication between software channels as well as different types of hardware devices.

The way Facebook has approached this need implies that increased focus must be placed on securing the communication repository, i.e. the Facebook credentials themselves and the Facebook framework.

Facebook itself should focus on helping users to protect themselves. One way of accomplishing this is to educate users about the perils involved in any online presence in general, and a Facebook presence in particular. Another is to set up new mechanisms, and strengthen the existing ones, to stop malicious and other unwanted activity directed against users of the Facebook community.

Each and every user who embraces the new messaging system should continue to exercise at least the same sound skepticism as before, even when communication channels are moved into the Facebook environment.