According to Luck, the Facebook API presents multiple opportunities that malware writers can exploit. For example, the API is vulnerable to 'man-in-the-middle' attacks between a client and a legitimate application server, and Luck also suggested that it wasn't a major challenge to arrange for the server behind one externally hosted app to send a message to another, unrelated app (spoofing).
"We have to live through the bad part of the [security] cycle before it stabilises," he warned.
Privacy is another issue, though one that doesn't seem to be taken seriously by most Facebook users: 89% of them use their real name, and 61% use an identifiable picture, Luck said. The problem for organisations is that information available via social networks can be used as an entry vector to internal networks. One example is spearphishing or social engineering: the more you know about someone, the easier it is to compose an email that looks trustworthy because it seems to come from a known source and contains the kind of subject matter that person might be expected to send.
Is your company likely to be attacked? Luck asked. Maybe, maybe not - but he suggested that mining companies are a good example of organisations whose secrets are of great interest to competitors and to certain governments.
And developments like Facebook Places and foursquare reveal people's locations - very useful if you want to pickpocket a particular person's mobile device while they're in a crowded bar, or if you want to be confident they will be away from their desk for a certain period.
So what do you do? Please read on for some of Luck's suggestions.
The trick, he suggested, is to get the balance right. Information that's open to misuse shouldn't be published unnecessarily, but excessive prohibition can be counter-productive and may be ignored. Acceptable use policies might reasonably include not wasting company time, and not being derogatory about customers. Such policies should also cover the use of personal devices.
Talking of personal devices, Luck described mobile devices - especially smartphones - as "a target rich environment." He noted the discovery of multiple Android apps that request more permissions than their ostensible purpose requires, and then use them for nefarious purposes. It doesn't help that an Android app granted the right to read logs gets access to information including SMS messages, GPS coordinates, browser history and more.
Other Android problems include old versions of the operating system, with less restrictive default permissions, still being shipped by some manufacturers, and the window of vulnerability created by the delay between Google releasing a security update and vendors distributing it.
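The over-privileged app problem described above can be checked mechanically: an app's AndroidManifest.xml declares every permission it will ask for, so a reviewer can compare that list with what the app's stated purpose needs and flag anything that reaches sensitive data, along with a low minSdkVersion that keeps the app on the older, looser permission model. The following is an added example written for this page, not code from Luck's talk or from any Android tool; the manifest is constructed for a hypothetical torch ("flashlight") app, and the SENSITIVE table is this example's own judgement of which permissions matter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that hand an app far more of the user's data than a simple
# utility app could justify. READ_LOGS is the one the talk singled out: on
# older Android releases the system log carried text written by other apps,
# which could include SMS content, GPS fixes and browser history.
# (This table is the example's own selection, not an Android-defined list.)
SENSITIVE = {
    "android.permission.READ_LOGS": "system log (SMS, GPS and browser data from other apps)",
    "android.permission.READ_SMS": "stored SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS messages",
    "android.permission.SEND_SMS": "sending SMS (premium-rate fraud)",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest for a hypothetical torch app. Driving the camera LED
# needs the CAMERA permission; nothing else here is justified.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Return the permission names declared with <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    return [_attr(el, "name") for el in root.iter("uses-permission") if _attr(el, "name")]


def audit(manifest_xml, expected):
    """Compare what an app asks for with what its stated purpose needs.

    expected: set of permission names the app's function genuinely requires.
    Returns the excess permissions, the subset of those that reach sensitive
    data, and the declared minimum SDK level (a very low value means the app
    still runs on the old releases with the looser permission defaults).
    """
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    excess = [p for p in requested if p not in expected]
    sensitive = [(p, SENSITIVE[p]) for p in excess if p in SENSITIVE]
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    return {
        "package": root.get("package"),
        "requested": requested,
        "excess": excess,
        "sensitive": sensitive,
        "min_sdk": min_sdk,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    print("package:", report["package"], "minSdkVersion:", report["min_sdk"])
    for perm, why in report["sensitive"]:
        print("  over-privileged:", perm, "->", why)
```

The `expected` set has to come from a human reading of what the app is for; the script only makes the gap visible. One caveat not on the page: from Android 4.1 onwards READ_LOGS is no longer granted to ordinary third-party apps, so the log-reading route matters mainly for the older releases the talk says some manufacturers were still shipping.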
Android's not the only problem, Luck suggested, pointing out that techniques used to jailbreak an iPhone can also be used to implant malware.
Issues that are not platform-specific include mobile applications that expose personal data by failing to erase temporary files after use, web sites that use URL-based session IDs (which can then be abused by malware), and 'split tunnelling' situations caused by tethering a phone to a computer to bypass the corporate firewall (which can open the door to a cross-site attack).
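A session ID carried in the URL ends up wherever the URL goes: in the web server's access log, in the browser history, in the Referer header sent to any other site the user clicks through to, and in links people paste around, so whoever reads any of those can present the token and take over the session. The following is an added example written for this page, not code from Luck's talk or from any product; it scans constructed Apache-style "combined" log lines for session tokens in the request URL or in a Referer from another host, and then reports any token presented from more than one client address, which is the simplest sign that a leaked URL is being replayed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string names commonly used to carry a session identifier.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid",
                  "aspsessionid", "cfid", "cftoken"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed log lines (bank.example is this server). Two different clients
# present the same jsessionid, and one request carries another site's session
# ID inside its Referer header.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2010:09:12:01 +1100] "GET /account/summary;jsessionid=8A3F1C2D9E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2010:09:12:09 +1100] "GET /account/transfer?PHPSESSID=k3l2m9x0&amount=50 HTTP/1.1" 200 2048 "http://bank.example/account/summary;jsessionid=8A3F1C2D9E" "Mozilla/5.0"
198.51.100.77 - - [10/Nov/2010:09:30:44 +1100] "GET /account/summary;jsessionid=8A3F1C2D9E HTTP/1.1" 200 5120 "-" "curl/7.21"
192.0.2.10 - - [10/Nov/2010:09:31:00 +1100] "GET /help HTTP/1.1" 200 900 "http://partner.example/portal?sid=Zq9K1&page=3" "Mozilla/5.0"
192.0.2.11 - - [10/Nov/2010:09:32:00 +1100] "GET /static/logo.png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def session_ids_in_url(url):
    """Return (name, value) pairs for session identifiers carried in a URL."""
    parts = urlsplit(url)
    found = []
    # Servlet-style path parameter: /path;jsessionid=TOKEN
    m = re.search(r';jsessionid=([^;?/]+)', parts.path, re.IGNORECASE)
    if m:
        found.append(("jsessionid", m.group(1)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append((name, value))
    return found


def scan_log(text):
    """Flag every log line whose request URL or Referer carries a session ID."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for name, token in session_ids_in_url(m["url"]):
            findings.append({"line": lineno, "where": "request", "ip": m["ip"],
                             "param": name, "token": token, "host": None})
        referer = m["referer"]
        if referer and referer != "-":
            # A session ID in a Referer means the *referring* site leaked it to us.
            for name, token in session_ids_in_url(referer):
                findings.append({"line": lineno, "where": "referer", "ip": m["ip"],
                                 "param": name, "token": token,
                                 "host": urlsplit(referer).netloc})
    return findings


def shared_tokens(findings):
    """Session tokens presented in requests from more than one client address."""
    seen = {}
    for f in findings:
        if f["where"] == "request":
            seen.setdefault(f["token"], set()).add(f["ip"])
    return {tok: ips for tok, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print("line %d: %s %s=%s from %s%s" % (
            f["line"], f["where"], f["param"], f["token"], f["ip"],
            " (referrer %s)" % f["host"] if f["host"] else ""))
    for tok, ips in shared_tokens(found).items():
        print("token %s used from %d addresses: %s" % (tok, len(ips), sorted(ips)))
```

The scan is a detection aid, not a fix; the fix is to carry the session only in a cookie. In PHP that is `session.use_only_cookies = 1` together with `session.use_trans_sid = 0`, so the runtime neither accepts nor rewrites session IDs in URLs (these directives are standard PHP settings, not something from the page).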