orkut Worm Points Out IT Risk of Social Networks

A recent worm distributed through the Web 2.0 social network orkut points out the potential IT security risks presented by social media in an age where the number of Generation Y workers is increasing rapidly.

orkut is a social networking site with about 67 million registered users who can sign in with any Google account. Earlier this month, orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours.

Symantec’s analysis of the decoded JavaScript file named “virus.js” showed that through the use of an Embed tag, when the file’s script is executed it forces the user to join a community called “Infectados pelo Vírus do Orkut”. In Portuguese that translates to “Infected by Virus Orkut.” In essence, the worm author created a way to track orkut accounts that were affected by the worm.

The script then loads the “friends list” of the infected orkut account holder and sends each friend a malicious “scrap” – orkut’s term for user-generated messages and invitations, which arrive via the user’s “scrapbook”. As Umesh Wanve of Symantec points out in his blog post, a victim didn’t even need to click on the scrap: when the user’s scrapbook loaded, the malicious code silently loaded the virus.js file. The JavaScript then takes the cookies and tokens of the logged-in user and uses them to spread the worm.
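On the defensive side, a scrapbook that renders user-supplied markup has to neutralise tags such as Embed before display. The sketch below is an added example, not orkut's code or anything from the Symantec analysis; the tag allowlist, function names and sample scraps are assumptions constructed for illustration.

```javascript
// Render-time neutralisation of user-supplied scrap markup (added example).
// Strategy: escape everything first, then re-enable only exact,
// attribute-free tags from a small allowlist (assumed policy).
const ALLOWED_TAGS = ["b", "i", "u", "em", "strong", "br"];

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function sanitizeScrap(raw) {
  const escaped = escapeHtml(raw);
  // Only "<tag>" or "</tag>" with no attributes is restored; anything
  // carrying src=, event handlers or odd spacing stays escaped text.
  const pattern = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join("|")})&gt;`, "gi");
  return escaped.replace(pattern, (_m, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
}

// Audit helper: flag stored scraps that carry active content so they can
// be reviewed or purged after an incident like the one described above.
function hasActiveContent(raw) {
  return /<\s*(script|embed|object|iframe)\b|\bon\w+\s*=|javascript:/i.test(raw);
}

// Constructed samples (hypothetical, not taken from the actual worm).
const benignScrap = "Happy birthday <b>Ana</b>!<br>See you soon";
const hostileScrap =
  'hi <embed src="https://example.invalid/x.swf"> <B onmouseover="x()">yo</B>';

for (const scrap of [benignScrap, hostileScrap]) {
  console.log(hasActiveContent(scrap) ? "FLAGGED" : "clean  ", sanitizeScrap(scrap));
}
```

Marking the session cookie HttpOnly keeps it out of reach of page script, but an injected script can still act as the logged-in user within the page, so output sanitisation remains the primary control.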

orkut’s Response

Sergio Marti, a software engineer for orkut, posted a security bulletin on orkut’s blog that said in part:

This week, the orkut team discovered that a user had exploited a bug in our scrapbook feature. As a result, many of you likely received scraps from friends of yours that they actually didn’t send, and friends may have received scraps that appeared to come from you.

Of course, the blog post doesn’t mention that the unwanted scraps were actually distributed by a virus that quickly propagated through orkut’s user community. And while the problem appears to be resolved for the moment, the issue makes you wonder about the role that popular social networks might continue to play in the spread of viruses, Trojans, malware and more, especially since most networks, Facebook among them, are strongly promoting the flexibility of their platforms by making programming APIs available for the creation of widgets and other types of applications for use within the community.

Web 2.0 and IT Security

Is the burgeoning popularity of Web 2.0 making us even more vulnerable to security threats? Facebook, MySpace, Squidoo, orkut – and the list goes on and on in seemingly endless cyberspace. Millions, perhaps billions of users around the world, are unwittingly becoming potential targets for hackers, spammers and other ne’er-do-wells looking to exploit their systems, steal away their privacy, overload their inboxes, insert Trojans, backdoors or worms and more. Unfortunately, social media offers more than one way to network. orkut is by no means considered a “giant” in social networking circles, but consider that almost 700,000 users were affected in a time span of only 24 hours.

Social Networks Offer Major Point of Entry

Wikipedia’s list of social networking sites shows membership in MySpace at 289 million users – nearly the population of the entire United States. Wikipedia’s listing shows Facebook a distant second with 78.5 million community members, orkut (popular in Brazil and India) next with 67 million and Friendster and hi5 at 50 million members each. Using Wikipedia’s numbers, those 5 networks alone account for over 530 million users. Granted, some users are members of more than one social network, but still, the security exposure is absolutely mind boggling.

orkut’s breach was able to reach about 1.5 percent of its registered users in a time span of only 24 hours. When you think about it, 1.5 percent in 24 hours doesn’t sound very menacing, but consider that a similar breach at MySpace over the same time period would affect over 4 million users in a single day. Double that if the breach hit the 5 biggest social networks at once and you have a very inviting target for virus writers and hackers around the world.

Generation Y – The “Millennials” and Corporate IT Risk

In a blog post titled, “IT Risk and the Millennials”, Samir Kapuria talks about what could turn out to be one of the most pressing issues for IT in 2008 – millions beginning to enter the workforce from Generation Y, while CIOs scramble to understand and address what could just be their greatest risk ever:

Trying to implement IT risk management policies with a “Millennial” workforce—one with members who have been labeled as “risk takers”—is very problematic. In general most “Millennials” tend to believe in a “no-walls” approach when it comes to sharing information. Why shouldn’t all information be shared? Their strength is digital sophistication; some would even claim that the true concept of information technology is their birthright.

In “Attracting the Twentysomething Worker”, Nadira A. Hira of Fortune describes the Millennial Generation Y worker as “At once a hipster and a climber, he is all nonchalance and expectation. He is new, he is annoying, and he and his female counterparts are invading corporate offices across America.” She goes on to say, “When it comes to loyalty, the companies they work for are last on their list – behind their families, their friends, their communities, their co-workers and, of course, themselves.”

As Kapuria points out, CIOs are trying to figure out how to keep up with this crazy Web 2.0 world. “Millennials are used to freely downloading software from the Internet, such as Skype; using applications like Facebook; and bringing their iPods and laptops into the office—all of it blurring the lines between personal and work life.” Is there any doubt, then, that Generation Y workers – the “Millennials” as they are sometimes referred to – who are so consumed with social networking sites and Web 2.0, are a concern for IT security?

There’s no question that social networks, put to proper use, can act as valuable conduits for business promotion and business intelligence, but policies will need to be put in place to ensure that the IT risk that comes with them doesn’t get out of control.

Two Solutions for Managing Millennial IT Risk – McAfee LinuxShield Server and McAfee VirusScan for Mac

Two solutions for managing IT risk in today’s and tomorrow’s world are McAfee LinuxShield Server, one of the only products to deliver always-on, realtime anti-virus protection for Linux environments, and McAfee VirusScan for Mac.

McAfee LinuxShield Server provides continuous on-access scanning for world class protection from the growing number of viruses, worms, and other malicious code targeting Linux systems through social networks and other points of entry. This robust Linux anti-virus solution is designed for the realities of today’s fast-moving, highly adaptive businesses. It’s easily scalable, updates automatically, and can be centrally managed from a single console. While other anti-virus products are fooled by viruses hidden within archived files, the LinuxShield archive scanning function detects them, providing more complete anti-virus protection for Linux.

LinuxShield’s anti-virus protection was designed to meet real-world needs, including heterogeneous system environments, because it’s effective against Microsoft Windows viruses that try to pass through your Linux system. Plus, updates are automatic and don’t require a server restart.

McAfee VirusScan for Mac offers complete protection for PowerPC and Intel-based systems. VirusScan for Mac protects your Macintosh systems against all types of viruses and other threats, including emerging malware. Staying up to date is accomplished with a single keystroke/mouse click. And, with McAfee ePolicy Orchestrator, you can control, manage, and report using a single-console display.
