Corporate security is under threat from shortened links
The explosion in popularity of URL shortening tools is a growing threat to corporate security, according to industry experts. Tools such as TinyURL and bit.ly condense an unwieldy web address into a short link that redirects to the original, which means the destination domain is hidden until the link is followed. That opacity has allowed malicious hackers to direct more and more unsuspecting surfers to harmful destinations. The use of URL shortening tools has risen thanks to micro-blogging sites such as Twitter, which limits users to 140 characters per message.
The problem is that "end users have no idea where they are going to end up when they click on one of these links," says Spencer Parker, director of product management at ScanSafe. "A lot of spam and phishing attacks make use of this via online forums and Twitter postings to fool end users to click on a link that they would never usually have clicked on if they could see the domain. This puts users at risk of data theft, among other things," he says. "Companies should ensure they have real-time scanning in place so that these offending attacks are removed."
URL shortening exposes users to potential security risks, the most dangerous being "a redirection to a site that installs malicious software or crimeware on their computer," says Dave Jevans, chief executive for Iron Key and chairman of the Anti-Phishing Working Group. Worse, adds Jevans, this reinforces careless behaviour, training users to "ignore what URLs say, which may make them more vulnerable to clicking on phishing links in email."
Companies are often too slow in adapting their IT policies, says Neil Fisher, vice president of global security solutions at Unisys. "Innovative" cyber criminals "bank on the assumption that corporate policies will be out of date by at least a couple of years, if they exist at all," he says. Companies shouldn't expect network firewalls to do all the work, adds Fisher, "which means that the final firewall is the employee." Members of staff must be well trained on corporate policy "as they will ultimately make the final judgement on whether an email is malicious."
There are ways to limit the damage. The first step is making employees aware of the risk. It is not enough to tell people to click only on links posted by people they trust, because it is relatively easy to set up a seemingly genuine Twitter account in somebody else's name. There are browser plug-ins that show the user the true destination of a shortened link before it is clicked. On Firefox, users can install Interclue and Long URL Please. For Internet Explorer users, Websnapr generates a thumbnail of the target web site when a user selects the URL or hovers over it with the mouse cursor. Search engine Bing's real-time search option automatically lengthens shortened URLs to reveal their true destination.
Even more simply, says Fisher, "you can quickly view the full address of a URL by moving it into your junk folder." But none of these procedures can protect companies from a URL that has been doctored to appear safe. Make your employees aware of the tools available to them, but consider investing in web access software, "which validates who is using what, and from where," says Simon Godfrey, Director, Security Solutions at CA.
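The plug-ins and search features above all do the same thing: walk the shortener's redirect chain and show the real destination before the page is loaded. The script below is an added example of that check, written for this article rather than taken from any of the tools it names. It issues HEAD requests without following redirects itself, so the final page is never fetched, caps the number of hops, and reports whether the link passed through more than one shortener or ends on a host outside a corporate allowlist. The redirect chain it is run against here is constructed for the demonstration (the hosts ending in `.test` and the `examp1e-login.test` look-alike are illustrative), and the allowlist is a hypothetical policy, not one the article describes.

```python
"""Expand a shortened URL by walking its HTTP redirect chain without
loading the final page, then report where it really leads.

Added example for this article, not code from any tool it mentions. The
redirect chain in FAKE_RESPONSES is constructed, the domain names in it
are illustrative, and the allowlist passed to assess() is hypothetical.
"""
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 10

# Hosts commonly used to condense links. Illustrative, not exhaustive.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def head_no_follow(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None).
    http.client does not follow redirects, so the destination is never loaded."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-checker/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_no_follow, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop and return the full list of URLs
    visited. Raises ValueError on a loop or when max_hops is exceeded; both
    are worth flagging, since a benign short link needs one or two hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain                         # final destination reached
        nxt = urljoin(chain[-1], location)       # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects from %s" % (max_hops, url))


def assess(url, allowed_hosts, fetch=head_no_follow):
    """Expand the link and summarise what a user or a gateway should know
    before clicking: the real destination, how many shorteners it went
    through, and whether the destination host is on the allowlist."""
    chain = expand(url, fetch=fetch)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final_host = hosts[-1]
    shorteners_seen = [h for h in hosts[:-1] if h in SHORTENER_HOSTS]
    return {
        "final_url": chain[-1],
        "final_host": final_host,
        "hops": len(chain) - 1,
        "shorteners_seen": shorteners_seen,
        "allowed": final_host in allowed_hosts,
        # Chaining several shorteners is a common way to defeat filters that
        # expand only one level; an unlisted final host is the other red flag.
        "suspicious": len(shorteners_seen) > 1 or final_host not in allowed_hosts,
    }


# Constructed redirect chain standing in for live HTTP responses. The last
# hop lands on a look-alike host (digit 1 for the letter l), the kind of
# "doctored to appear safe" address a glance at the link text would not catch.
FAKE_RESPONSES = {
    "http://bit.ly/abc123": (301, "http://tinyurl.com/xyz"),
    "http://tinyurl.com/xyz": (302, "/go?to=example"),
    "http://tinyurl.com/go?to=example": (302, "http://examp1e-login.test/verify"),
    "http://examp1e-login.test/verify": (200, None),
    "http://bit.ly/loop": (301, "http://bit.ly/loop"),
}


def fake_fetch(url):
    """Offline stand-in for head_no_follow; unknown URLs are treated as final."""
    return FAKE_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    verdict = assess("http://bit.ly/abc123", {"example.test"}, fetch=fake_fetch)
    for key, value in verdict.items():
        print("%-16s %s" % (key, value))
```

Run against the constructed chain, `assess` reports three hops through two shorteners ending on `examp1e-login.test`, which is not on the allowlist, so the link is marked suspicious. Swapping `fake_fetch` for the default `head_no_follow` runs the same logic against live links. Two caveats: a shortener that answers with a 200 and a preview page or a meta refresh rather than a `Location` header will not be expanded further, and an allowlist only tells you the destination is unexpected, not that it is malicious; that judgement still needs the real-time scanning the article recommends.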
Posted 28 October 2009 : Director.co.uk


