Leveraging the benefits of Facebook, without compromising the company network.
December 4, 2009 - By Justin E. Gehrke
Our last article dedicated to Facebook dealt with the potential downside users experience by providing an open view of their lives to their virtual world. In this article, we’ll change the scenario and examine it from a business perspective. Facebook was originally responsible for reconnecting millions and millions of friends from around the world. In the last year or so, though, users have seen a sharp uptick in the number of companies using Facebook. Why would a company use a social networking site? After seeing the speed with which information is passed throughout the Facebook kingdom, many companies began eyeing it as a venue to attract new customers and retain their loyalty. Numerous well-known (and lesser-known) companies now have Facebook Fan Pages. Many of these same companies purchase banner advertising on Facebook that links to their fan page or company website.

For the companies that use Facebook for this purpose, it is necessary to allow access to the website on their local networks, so that status updates, offers, and other communication can be posted on a daily basis. While leveraging the power of social media and networking is a great idea that usually represents a minimal investment with maximum opportunity for return, there are also some vulnerabilities that should be considered. In addition to ensuring certain employees can update the company’s Facebook profile, a company may also want to allow access to all employees, so that they are aware of current offers, promotions, etc. and are able to share the information with users in their own respective Facebook networks. Unfortunately, providing access to the site quickly proved to have a downside.
Allowing access to Facebook automatically increased the vulnerability of the network at the company level. Responsible companies employ full-time network security personnel to maintain firewalls, Intrusion Prevention Systems (IPS), web filters, and antivirus. Using their web filter, IPS, and firewall, they were able to block potentially malicious avenues of entry, including web-based email, instant messaging, online games, chat, etc. Allowing Facebook to be accessed, though, created another avenue of entry, in the form of Facebook email, chat, and applications. Why did all of these previously inaccessible things become accessible? What happened to the web filter, firewall, and IPS? The answer is a simple one. A port-based rule cannot tell the difference: all of the Facebook-related traffic comes in and goes out over Port 80 (standard HTTP, the port every browser uses), the same port that has to stay open for ordinary web browsing, so to the firewall a chat message or an application request looks exactly like loading the company’s fan page. Malicious hackers quickly figured this out and began exploiting it, through the posting of maliciously coded Facebook applications and the dissemination of Facebook messages with malicious links embedded in them. These most often redirect the user to another site that either quietly attempts to exploit a browser or scripting vulnerability or tries to lure the user into providing confidential information about their account (phishing). In addition to these technical vulnerabilities, an administrative vulnerability is also created in the form of potential lost productivity by employees. While company employees may need Facebook to post company information, they do not generally need the email, chat, or application features natively embedded within it.
So where does this leave the network security professional or other responsible company employee tasked with ensuring the company’s network is secure? He or she must now be more inventive in their approach. A basic tool that must be employed is the web filter. (Note: Without this basic yet invaluable tool, the potential avenues for malicious-logic exploitation increase phenomenally.) Unlike the IPS or firewall, which must both be configured to generally allow inbound and outbound traffic on Port 80, the web filter looks inside that Port 80 traffic: it sees the hostname and URL path of each HTTP request, so it can tell one Facebook feature from another even though they all travel over the same port. This means that specific URLs (website addresses) must be examined to determine which ones support Facebook’s many embedded features. (One caveat: this only works while those requests travel as plain HTTP. Anything fetched over HTTPS shows the filter at most the hostname, unless the filter also inspects the encrypted session.) Initially, Geek Shui Living scoured the internet for websites and forums with information on blocking embedded Facebook features. Surprisingly, we found nothing. There were many articles on developing Facebook applications and on blocking Facebook as a whole, but nothing that helped us in our endeavor. In an effort to help companies and their security administrators, we at Geek Shui Living took it upon ourselves to pinpoint the exact URLs of each embedded feature. After spending hours (and hours) on the process, we can safely say that the code users don’t see behind Facebook’s attractive facade is complex and voluminous. The fact that most of the features are displayed within the same home page, via embedding, and the fact that the page makes an enormous number of Ajax requests in the background made it difficult to pinpoint each one with certainty. Ultimately, we were able to identify them individually and block them on a standard-feature web filter. The testing phase had its own surprises. What we found was that, since most features (e.g. chat, email, etc.) are embedded (meaning they are not their own separate page), the standard “Block” page is not displayed: the filter’s response goes back to the page’s script rather than to the user, so nothing visible happens. Only by carefully watching the browser’s activity window were we able to discern that the blocks were, indeed, working.
What does this mean? The regular user (e.g. a company employee) will click on these newly blocked links and find that nothing happens. There is no message, banner, etc. It just won’t work. This presents a benefit to the company’s network security staff because, unless they are told otherwise, the staff can simply blame Facebook’s web servers (making them the culprit).
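To make the two points above concrete, here is a small worked example written for this article; it is not code from the original post or from any web-filter product, and the hostnames, path prefixes, and sample requests in it are constructed for illustration (they are not Facebook’s real endpoints, which you would have to discover by watching the browser’s activity window as described). It contrasts what a port-based firewall rule can decide with what a filter that reads the Host header and URL path can decide, and it shows why a blocked Ajax request produces no block page for the user, so the filter log is where you confirm the block fired.

```python
"""Toy URL-path web filter (added example, not from the original post or any
product).  A port rule sees every Facebook request as "TCP/80" and must let
it through; a filter that reads Host + path can separate the fan page from
embedded chat, email and applications.  All hosts, prefixes and requests
below are assumptions made up for the demonstration."""
from typing import Dict, List, Tuple

# Hosts this policy applies to (assumed list for the example).
SOCIAL_HOSTS = {"facebook.com", "www.facebook.com", "apps.facebook.com"}

# Hypothetical path prefixes for the embedded features most employees do not
# need.  Real endpoints must be found by watching the browser's network activity.
BLOCKED_PREFIXES = (
    "/ajax/chat/",   # embedded chat (assumed path)
    "/inbox/",       # Facebook email (assumed path)
    "/ajax/mail/",   # email's background Ajax calls (assumed path)
    "/apps/",        # third-party applications (assumed path)
)

BLOCK_PAGE = "<html><body><h1>Blocked by company web policy</h1></body></html>"


def port_firewall_decision(dst_port: int) -> str:
    """All a port rule can express: 80 and 443 must stay open for browsing,
    so every Facebook feature passes through it unchanged."""
    return "allow" if dst_port in (80, 443) else "block"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split()[:2]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def url_filter_decision(host: str, target: str) -> str:
    """Decide from hostname + path only; the TCP port plays no part."""
    hostname = host.lower().split(":", 1)[0]      # drop any ":80" suffix
    if hostname not in SOCIAL_HOSTS:
        return "allow"                             # outside this policy's scope
    path = target.split("?", 1)[0]                 # ignore the query string
    return "block" if path.startswith(BLOCKED_PREFIXES) else "allow"


def handle(raw: bytes, log: List[str]) -> Tuple[str, int, str]:
    """Apply the policy to one request and return (decision, status, body).

    A blocked navigation gets the normal HTML block page.  A blocked request
    made by page script (flagged here by the common, but not universal,
    X-Requested-With: XMLHttpRequest convention) gets an empty 403: the
    script swallows it and the user just sees the feature do nothing.  Either
    way the decision is logged, and the log is the evidence the block fired.
    """
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    decision = url_filter_decision(host, target)
    is_xhr = headers.get("x-requested-with", "").lower() == "xmlhttprequest"
    if decision == "allow":
        status, body = 200, ""                     # would be proxied upstream
    else:
        status, body = 403, ("" if is_xhr else BLOCK_PAGE)
    log.append(f"{decision.upper():<5} {method} http://{host}{target} xhr={is_xhr}")
    return decision, status, body


# Constructed sample traffic: what an employee's browser might send.
SAMPLE_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    b"POST /ajax/chat/send.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
    b"X-Requested-With: XMLHttpRequest\r\n\r\nmsg=hi",
    b"GET /inbox/?ref=mb HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    b"GET /apps/application.php?id=1234 HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n",
    b"GET /pages/Example-Co/12345 HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    b"GET /inbox/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]


def run_samples() -> List[str]:
    """Run the sample traffic through the filter and return the log lines."""
    log: List[str] = []
    for raw in SAMPLE_REQUESTS:
        handle(raw, log)
    return log


if __name__ == "__main__":
    print("port firewall, port 80:", port_firewall_decision(80))
    for line in run_samples():
        print(line)
```

Running it shows the port rule saying “allow” for everything, while the URL filter lets the home page and the fan page through and blocks the chat, inbox and application requests. The chat request, being an Ajax call, gets back an empty 403 that the page script silently discards; only the log line proves the block worked, which is exactly the behaviour observed in testing above. On a real deployment the same decision belongs in the filter’s own URL-category or custom-URL list rather than in a script, but the matching logic is the same.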
After reading this, companies and their network security staff may applaud this article. Regular users and employees may decry it as another form of tyranny or censorship. The truth, though, is that all parties can benefit in this scenario. Employees can still post and read updates, add friends, etc. The company is able to promote itself in a cost-effective, yet dynamic, way. Productivity loss and network exposure are kept to the lowest level possible. Ultimately, that makes everyone a winner and a practitioner of Geek Shui!
Justin E. Gehrke is the founder of Geek Shui Living. As a right- and left-brained geek, he is available for consulting in the areas of Information Technology, Network Security, and creative web design and development. You can contact him via the Geek Shui Living Contact page. Alternatively, you can follow him via Twitter and voraciously consume his technology news commentary and random geek ramblings: http://twitter.com/GeekShui