Security | Feature

Social Networking: Keeping It Clean

Introducing online social media into your educational mission brings you right into a hacker’s bull’s-eye. Can you ensure your learning environment stays uninfected?

The staff and teachers at Blaine High School in Minnesota's Anoka-Hennepin District 11 had been considering the pros and cons of establishing a school Facebook page when the district's administrators got wind that someone else had beaten them to it.

"We checked it out and found this official-looking page," says Brett Johnson, the district's assistant director of communications and public relations. "It was very well done, had a photograph of the front of the school, and a professional design. But no one at the high school had any idea who was running it."

And no one was certain exactly what should be done about it. At first, nothing especially controversial was appearing on the bogus Blaine page. But then someone posted a student death notice.

"The student was very much alive," Johnson says. "But people were calling his family and the school to offer their sympathies, and there were a hundred anxious responses posted to the fake page. I immediately sent a message to Facebook, and it was taken down within a matter of hours." The perpetrator of the fraud has yet to be found, according to Johnson, but the district suspects it was a former student. The school promptly established its own official Facebook page, he says, "to fill the vacuum before someone else did."

Blaine High School's entry into the world of social media might not have been the most auspicious Facebook debut, but it illustrates one of several unique security challenges school districts face today when they decide to include social media in their mix of educational resources.

"These social media services weren't built with security in mind," says application security expert Gary McGraw. "They grew up and evolved around a focus on communication and ease of use. That's why it was so easy for someone to fake this high school Facebook page. These sites are highly inclusive and inherently open to this kind of mischief."

McGraw, the CTO of Cigital, a northern Virginia-based software security consulting firm and the author of several bestselling books on application security, says it's not just the openness of social networks that makes them attractive targets.

"Another thing to keep in mind about a service like Facebook is that it's big," McGraw says. "Huge, in fact. And huge is good if you're an attacker. Big targets give you more bang for your buck."

Facebook passed 500 million users in 2010, making it far and away the largest social network in the world. But if the scale isn't enough of a bull's eye for the black hats, all the leading, publicly accessible social networks (Facebook, MySpace, LinkedIn, Friendster, Bebo, etc.) present criminal hackers with a unique payoff.

"The social networks represent a collection of prime information about you," says David Perry, global director of education for Trend Micro, a Tokyo-based provider of network antivirus and online content security software. "They are designed--their very purpose in this world--is to get you to reveal saleable information about yourself. They are in the business of extracting your personal information and selling it to market research firms."

Perry points out that the lineup of security threats to social media sites is largely a familiar one: viruses, worms, Trojans, spyware, dishonest adware, rootkits, and phishing scams. It's the combination of these old approaches that tends to be characteristic of attacks on social media sites. He points to the Koobface worm as an example. The worm, which first struck Facebook in 2008, targets social networks and spreads by delivering messages to a user's friends. The messages direct those friends to a third-party Web site, where they are prompted to download an update to the Adobe Flash player. Downloading that file infects their system. Once a computer is infected, attackers can take over the system's search engine and direct it to contaminated Web sites.

"Stop and think about how this works," Perry says. "Koobface delivers itself through your contact list on Facebook, so it's a traditional e-mail worm, but it uses Facebook to spread itself out to people. It leads people to an off-Facebook site that then drive-by-downloads their system and plants a keylogger. So that's a worm and a virus and a phishing scam and a Trojan and a keylogger. That's typical of today's type of threat. It's not about a single piece of malware, but a suite of malware being used in the pursuit of an individual criminal enterprise."

Old Wine, New Bottles
You might think that the ordeal with the fake Blaine High School page would have soured Anoka-Hennepin on social networks, but Johnson says the district is moving forward with a Facebook pilot program that has been under way since September.

Located north of the Twin Cities, Anoka-Hennepin is one of the largest K-12 districts in Minnesota, serving approximately 40,500 students in 13 communities. The pilot program launched a district-sanctioned page and individual school pages for two high schools, two middle schools, and one elementary school. Two other districts are participating, and all three are sharing their experiences.

"We wanted to be a bit more deliberate about it, to put some thought behind it, and not just press 'go,'" says Johnson, who adds that he was hired in 2009 to "go into Web 2.0" for the district. "The superintendent and communications director felt that this was the place we needed to be. The technology may be new and we may encounter some new issues that we need to deal with, but what we're doing on Facebook is not new. This is just another venue for getting our messages out, letting people know what's going on, and giving people an opportunity to provide feedback."

However, the primary audience for the Anoka-Hennepin Facebook pages will be adults--parents, teachers, and administrators. Students can follow the district's Facebook pages, just as can anyone else with a Facebook account, but they won't be a place where educators hold conversations with kids, Johnson says. Consequently, security is less of a concern than it might be if the district found itself with the responsibility of protecting the privacy of its students.

"The threats aren't that different from what we know from e-mail," Johnson says, "so we're addressing them in the same way, with antivirus software and firewalls."

Many districts exclude students from social media as a security measure; some go so far as blocking all network users access to the likes of Facebook, YouTube, and Twitter. But other educators think locking down networks and isolating students from social networks is tantamount to shutting them off from the real world.

"It's like giving someone a tricycle, making them ride it until they're 16, and then giving them a motorcycle," says Ann Dunkin, director of technology for the Palo Alto Unified School District.

For teachers and students in the Silicon Valley-based district's two high schools, Facebook has become an important communications medium. Students use the school's Facebook page to learn about dances, school plays, and sporting events; teachers create pages for individual classes to facilitate collaboration on assignments; and staff members and teachers use the social network to interact with each other. There are main Facebook pages for both Palo Alto High School and Gunn High School, as well as pages for the schools' libraries, choirs, and tutoring services.

When Dunkin looks at the security threats to which social media expose her district, she sees merely old wine in new bottles. But she knows that social media--especially social networks--are providing the bad guys with a new, highly connected environment in which to propagate their malware to a vast population of "friends" faster and more extensively than ever before.

"For one thing, students and teachers spend a lot more time on social networks," Dunkin says. "You could say that social networks encourage a different kind of user behavior that malicious hackers can exploit."

One of the tools Palo Alto USD employs to help students and staff check their behavior on Facebook is LinkExtend. It's a Web browser addon that allows users to see where a particular link is taking them, and how that site has been rated by eight online services for computer safety, child safety, company ethics, and popularity. The tool lets users know if a Web page is known to carry malicious code, send spam, contain spyware, promulgate online scams, or engage in identity theft. It includes KidSafe alerts about sites that are deemed unsafe for children and allows users to erase these sites from their browser history.

Anoka-Hennepin's Johnson says his own boss could have used such a tool when she first signed up for the district's nascent Facebook page. "As soon as she signed up, she got a phishing request," he says. "The message said something like, 'You haven't visited us in a while.' She clicked on the link and it took her to a site for Canadian pharmaceuticals."

But LinkExtend requires the user to take action to determine whether a link is safe before clicking on it. It's not automatic, so it can't protect users of social media against their own unsafe behavior. Useful as it is, educator Matt Levinson points out, LinkExtend doesn't really address K-12 schools' concerns about the security risk they face by opening up their students and their networks to public-facing social networks such as Facebook or MySpace--concerns that are keeping them from taking pedagogical advantage of social networking.

"There's no silver-bullet security solution for Facebook--at least not one that I've found," says Levinson, the assistant director and head of The Nueva School, a small K-8 school in the San Francisco Bay Area. "And that's why some schools aren't going to use it for much more than posting the scores of football games and announcing snow days."

Levinson is the author of From Fear to Facebook: One School's Journey (International Society for Technology in Education, 2010), which describes the pitfalls his school faced in implementing a 1-to-1 laptop program--including a lack of understanding of social media. He says the onus for creating a safe social networking environment is on the service providers.

"Facebook should be doing something like what Google does," Levinson says. "Google Apps for Education has allowed a lot of schools to adopt Gmail and Google Docs, etc., as their main platform for kids. That Facebook hasn't yet created a 'Facebook Apps for Education' so K-12 teachers can use that network to interact and engage with students really surprises me."

Ironically, Levinson's own school blocks Facebook from its network. "You have to be 13 to use Facebook, so that would include only our eighth-graders. But we would be on it if Facebook could create a situation where teachers and students could use it as a teaching and learning tool securely."

A Network All Their Own
Facebook is showing no signs that a separate, secure social networking environment for students and teachers could be in its future. Fortunately, one already exists. It's called Edmodo, and it was created by technologists Nicolas Borg and Jeff O'Hara. While working in IT support for separate Chicago-area schools, both would get regular requests from administrators to turn off social networking tools. So the two teamed up to, as the Web site puts it, "address the demands of teachers and students seeking a secure social network for classroom use."

"Our goal in creating Edmodo was to provide a way for teachers to safely share the Web with their students," Borg says. Edmodo started as a microblogging service, like Twitter, but has evolved into a full-fledged social network. The free tool is accessible from any mobile computing device; Edmodo apps for the iPhone and Android phones were released in 2010.

In response to educator feedback, Edmodo launched several new features last year, such as new "subject" and "publisher" communities; a growing library designed to facilitate the exchange of digital content and user-created materials; the ability to differentiate instruction through the creation of small groups within a classroom; a new help center powered by the Edmodo community; and parent accounts designed to facilitate direct communication among teachers, parents, and students.

The feature that makes Edmodo secure is a simple one: It doesn't require private information from students. A teacher signs up first and creates a group on the network that has a unique code, which is then given to all the students. When the students sign up, they just need that group code to set up their own usernames and passwords. Teachers can post questions, post assignments, and grade assignments, as well as talk to other teachers. Students can participate in discussions and exchange information directly with the teacher or with the group as a whole, but they cannot post questions directly to each other.

"This allows students and teachers to interact with each other online and focus on the curriculum," says Betsy Whalen, the company's vice president of social media and marketing. "The demand for this kind of secure environment has been growing, and we've seen a building momentum over the past six months." That's an understatement; more than 17,000 schools now use Edmodo, and the company just announced that it has surpassed 1 million registered users.

Robert Miller, fifth-grade teacher at Port Orange Elementary in Port Orange, FL, has used Edmodo for the last two years.

"It has brought collaboration to my classes at a level I never thought would be possible," he says. "It extends the classroom. The kids pull it up at home, collaborate on projects in real time or time-shifted. And it's an ad-free environment, which is something I look for in all my online tools. Facebook makes its money on advertising, which is another reason I don't use it."

No one is arguing about the usefulness of a social network in K-12 education, Miller says. But only in an environment that is secure for students by design can schools comfortably make good use of the technology. And Miller's kids would be too young to collaborate through Facebook anyway.

"None of them are on it--legally," he says. "But for a lot of them, [Edmodo] is their first experience with social networking. Many of them have no idea how their comments can be misconstrued by their peers, and I've had to point that out to some. I haven't seen any cyberbullying, per se, but sometimes they can be harsh. Rather than shielding them from the real world, this gives me an opportunity to train them for it. I guess you could say, at the elementary level, it's social networking with training wheels."

The Firesheep Menace

When software developers Ian Gallagher and Eric Butler unleashed Firesheep, an addon they developed for Mozilla's Firefox Web browser that allows users on unsecured WiFi networks to identify and capture the social networking sessions of others on that network, Butler declared on his blog that their intention was to throw a spotlight on the lack of effective security among popular social media Web sites.

"This is a widely known problem that has been talked about to death," Butler wrote, "yet very popular Web sites continue to fail at protecting their users." He went on to scold Facebook and Twitter in particular for failing to fix the problem, adding, "They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web."

Firesheep is dead simple to use. No skills needed. You just download it from the Web, install it on Firefox, click on a button, and, voilà, you're free to snatch any session cookies floating around the WiFi network to which you're currently connected. Armed with those cookies, a hacker can commandeer a user's Facebook account and have full access to all private information on it, as well as log on to the site and masquerade as that person.

Firesheep generated lots of attention--not to mention a reported 500,000-plus downloads between its mid-October release and early November. Among those who noticed was Julien Sobrier, who says he appreciated Butler and Gallagher's goal, but as a senior security researcher at cloud security solutions provider Zscaler, he is determined to protect people from these kinds of exploits. "This is what we do," Sobrier says. "We try to help people to protect themselves and help them to be aware of the security threats that are out there. Not just our own users, but everybody. Firesheep gave us another opportunity to do this."

In November, Sobrier and his team created their own Firefox addon to defend against Firesheep. Dubbed BlackSheep, it was actually based on the Firesheep source code.

"Firesheep listens for HTTP connections to popular Web sites and looks for specific cookie values that will identify a user," Sobrier says. "When it detects a connection to, let's say, Facebook, it connects back to the same Web site with the same cookie values to retrieve information about the user." To counter, Sobrier explains, when BlackSheep detects a session hijacker using Firesheep, it distracts the program with a fake login cookie, while letting the unsuspecting user know that someone is trying to steal the real cookie, displaying the thief's IP address, and advising the threatened user to log off.

BlackSheep is available now as a free download from the Zscaler Web site.