THE STAFF AND TEACHERS at Blaine High School in Minnesota's Anoka-Hennepin District 11 had been considering the pros and cons of establishing a school Facebook page when the district's administrators got wind that someone else had beaten them to it.
"We checked it out and found this official-looking page," says Brett Johnson, the district's assistant director of communications and public relations. It was very well done, had a photograph of the front of the school, and a professional design. But no one at the high school had any idea who was running it.
And no one was certain exactly what should be done about it. At first, nothing especially controversial was appearing on the bogus Blaine page. But then someone posted a student death notice.
"The student was very much alive," Johnson says. "But people were calling his family and the school to offer their sympathies, and there were a hundred anxious responses posted to the fake page. I immediately sent a message to Facebook, and it was taken down within a matter of hours." The perpetrator of the fraud has yet to be found, according to Johnson, but the district suspects it was a former student. The school promptly established its own official Facebook page, he says, "to fill the vacuum before someone else did."
Blaine High School's entry into the world of social media might not have been the most auspicious Facebook debut, but it illustrates one of several unique security challenges school districts face today when they decide to include social media in their mix of educational resources.
"These social media services weren't built with security in mind," says application security expert Gary McGraw. "They grew up and evolved around a focus on communication and ease of use. That's why it was so easy for someone to fake this high school Facebook page. These sites are highly inclusive and inherently open to this kind of mischief."
McGraw, the CTO of Cigital, a northern Virginia-based software security consulting firm and the author of several bestselling books on application security, says it's not just the openness of social networks that makes them attractive targets.
"Another thing to keep in mind about a service like Facebook is that it's big," McGraw says. "Huge, in fact. And huge is good if you're an attacker. Big targets give you more bang for your buck."
Facebook passed 500 million users in 2010, making it far and away the largest social network in the world. But if the scale isn't enough of a bull's eye for the black hats, all the leading, publicly accessible social networks (Facebook, MySpace, LinkedIn, Friendster, Bebo, etc.) present criminal hackers with a unique payoff.
"The social networks represent a collection of prime information about you," says David Perry, global director of education for Trend Micro, a Tokyo-based provider of network antivirus and online content security software. "They are designed--their very purpose in this world--is to get you to reveal saleable information about yourself. They are in the business of extracting your personal information and selling it to market research firms."
Perry points out that the lineup of security threats to social media sites is largely a familiar one: viruses, worms, Trojans, spyware, dishonest adware, rootkits, and phishing scams. It's the combination of these old approaches that tends to be characteristic of attacks on social media sites. He points to the Koobface worm as an example. The worm, which first struck Facebook in 2008, targets social networks and spreads by delivering messages to a user's friends. The messages direct those friends to a third-party website, where they are prompted to download an update to the Adobe Flash player. Downloading that file infects their system. Once a computer is infected, attackers can take over the system's search engine and direct it to contaminated websites. …