- Category: July - August 2009
There is no denying that social networking is on the rise. Social networking refers to the building of online communities based on common interests and activities. This structure includes profiles, blog posts, widgets and usually something unique to that particular social networking site, such as the ability to ‘poke’ people on Facebook or high-five someone on Hi5.
Although the term has only become popular fairly recently, social networks have been around since the early days of commercial Internet access - in the form of newsgroups, chat rooms and web forums dedicated to specific areas of interest.
However, what started out as a way to use the ‘Net to make friends and meet romantic partners has moved into the business world, with some companies actively promoting employee involvement to raise awareness of their products or services, brand their company, products and services, and keep in touch with each other and with existing or potential customers and partners.
Although some companies view social networking sites as time-wasters and block them altogether, more and more companies are recognizing their value as marketing and collaboration tools. Some companies, such as Intel, are actively encouraging their employees to get involved in social media activities on the company’s behalf.
Increasing Security Risks
However, with the level of interest in social networking steadily gaining traction, it was only a matter of time before it attracted unwanted attention. Social networking sites are increasingly on the radar of cybercriminals. A number of security concerns have been raised regarding popular social networking sites, and there have been an increasing number of security breaches reported.
The risks associated with social networking fall into a few broad categories:
- The risk of having the social networking account itself hacked
An example of this is Miley Cyrus’ Twitter account, which was hijacked in February 2008, resulting in offensive messages being posted on her own account.
- Data leakage and/or loss or compromise of privacy, or worse, misuse or abuse of the hijacked data
- Attempted identity theft
For example, if hackers have stolen your password, they try to associate your picture with it and with your user ID or nickname, link these to your friends, habits or hobbies, and then try the same user ID and password at, say, a local Internet banking site, hoping that you have reused the same credentials there.
- The risk that users will pick up malware through the social networking site
Social networking sites, like any other web sites, can be conduits for the distribution of malicious software. Your employees might be well-versed on knowing not to click a link in an email message from an unknown source, but if that link appears in a message from a social networking “friend” or in a tweet from someone the employee is following, it might be a different story. This action could result in malware being downloaded to a computer on your company network.
A problem with many of the social networking sites is that the default settings make users vulnerable, and those who aren’t technically savvy may not know that they need to change the settings to protect themselves. For example, by default, sites may allow HTML in comments. That makes it easier for social networkers to share links, insert pictures, etc. – but it also makes it easier for an attacker to slip malicious code in or link to off-site content that contains malware.
- The risk that a hacker will gain information through the social networking site that will allow him/her to attack your company network (social engineering)
It is a known fact that it is less work to trick someone into giving you a password or other information you can use to break into a system than spending your time trying to hack into it. In other words, it’s easier to exploit human vulnerabilities than software vulnerabilities. Social networks present another, very ripe avenue for social engineering that preys on people’s trust in those who present themselves as friends or colleagues.
Unfortunately, most social networking sites do not verify the identities or credentials of those who sign up. For example, you can create a Facebook or Twitter account using any name you want, or you can claim to work for a company when you don’t. Although the Terms of Service generally prohibit giving false information, it’s unlikely that the consequences of getting caught will extend beyond losing access to the site. Therefore, there is not much stopping someone from creating a fake profile, claiming to be an employee of a large company such as Microsoft or Intel, and then seeking out “fellow” employees (using the site’s keyword search) to befriend. This gives the social engineer access to those people’s sites, where he can obtain all sorts of information that may be useful for hacking into the company’s network. This will most likely not work in a small business where everyone knows everyone else, but any large company with multiple sites is vulnerable. Once the fake employee has made “friends” within the company, he can start chatting with them and collect inside information about the company. He could even set up a fake “company” website (a phishing site) and direct the real employees to it, collecting their passwords to the company network.
- Personal data on social networking sites can be manipulated by attackers
Even without hackers overtly trying to obtain information, employees who use social networking may inadvertently leak confidential data in the form of text postings, photos, videos or audio recordings.
In addition, the add-on applications that enhance social networking sites can pose additional risks of their own. When you download these mini-applications, you have to check a checkbox that allows the application’s developers access to your profile information (with the exception of contact information). If this information falls into the wrong hands, it can then be used for targeted advertising or other purposes.
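The "HTML allowed in comments" default described above is the classic cross-site scripting conduit: a comment that one user writes is rendered in every friend's browser. The usual fix is not to block known-bad strings but to rebuild the comment from an allow-list of tags and attributes, with link and image URLs restricted to http(s). The following sanitizer is an added example written for this article, not code from any social networking site; the allowed tag set and the sample comments are constructed for illustration.

```python
"""Allow-list sanitizer for HTML in user comments.

Added example, not code from the article: a comment is re-emitted from
parsed tokens so that only a small set of tags and attributes survive, and
link/image URLs are restricted to http(s). Everything else (script, iframe,
event-handler attributes, javascript: URLs) is dropped rather than "blocked".
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a comment may contain, mapped to the attributes kept on each (assumed policy).
ALLOWED_TAGS = {
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}          # never get a closing tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """Return the URL if it is an absolute http(s) URL, else None."""
    if value is None:
        return None
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme.lower() in SAFE_SCHEMES and parsed.netloc:
        return value
    return None


class CommentSanitizer(HTMLParser):
    """Rebuilds markup from parser events instead of editing the raw input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed, non-void tags emitted and not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag (script, iframe, ...) is dropped
        kept = {}
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue                # drops onerror=, onclick=, style=, ...
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue            # javascript:, data:, relative URLs
            kept[name] = value or ""
        if tag == "img" and "src" not in kept:
            return                      # an image with no safe source is noise
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray or disallowed closing tag
        while self.open_tags:           # close down to the matching tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text content is always escaped

    def result(self):
        while self.open_tags:           # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw_html):
    """Return a version of raw_html that is safe to embed in another user's page."""
    parser = CommentSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments: one benign, three carrying script.
    for sample in (
        'Nice pic! <b>Check</b> <a href="https://example.com/p">this</a>',
        '<img src=x onerror=alert(1)>',
        '<a href="javascript:alert(1)" onclick="steal()">click</a>',
        'hello <script>alert(document.cookie)</script>',
    ):
        print(sanitize_comment(sample))
```

The design point is that the output is generated from the parser's events, so anything the allow-list does not mention simply never reaches the output; there is no list of forbidden strings to keep up to date. The contents of a dropped `<script>` element survive only as escaped text, which renders as harmless characters.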
Anthony Lim, director, Security, Rational Software, IBM Asia Pacific, says that the increasing number of attacks on social networking sites such as Facebook is mainly due to two reasons: first, being immensely successful and popular with hundreds of millions of users, they naturally attract baddies and mad people to try their luck hacking – whether for warped fun or truly evil purposes; and secondly, many people tend to put more personal or even corporate information on sites that are meant to be used for social purposes, such as Facebook, than they should. Lim adds, “I like to joke that some people think Facebook is the next LinkedIn and others even use Facebook for work purposes – again – this unduly attracts the hackers. It is important to remember that the world is not safe…”
Lim adds that these threats are only going to get worse, because attack and data-theft methodologies and other ways of wreaking heinous havoc on the innocent are getting more sophisticated over time, e.g. bots, malware and so on. “Whether these specifically target social networking sites is another issue, as statistically these will attack any /all sites,” he observes.
So does Lim believe that developing policies for the use of social media can help? His answer: “This is itself another nightmare or PhD. It will never be exact, and be subject to many opinions and scenarios. Ultimately, it all boils down to the users of the networks. Users need to be professionally responsible and have self-discipline.”
Are social networks doing enough (security-wise) to protect their users? Lim feels that this is hard to say, as apart from warning people not to put undue amounts of personal or corporate data on the service, and taking basic security steps like firewalls, strong password management, and perhaps anti-virus and anti-phishing education of its users, there is little else a social networking site can do or is obliged to do vis-à-vis providing security. “After all, at the same time, the service needs to be open and friendly or else it will become cumbersome and slow, demoralizing the users and pushing them away – e.g. MS Win Vista tries to be too smart and too secure so you have to click “yes” 2-3 times before executing a function, and get frustrated no end!”
He adds, “Perhaps an alternative is like what Yahoo does - from time to time, random and routine re-authentication of the user during a session, thereby assuring the sanctity or legitimacy of the users. The service basically also needs many strong, smart and fast firewalls to protect the immense amount of data on their hard disks!”
“Above all, social networking sites should have a comprehensive black-box web application security policy and regime (for example, IBM’s Rational Appscan) for its software development quality control, as many hackers today know you have firewalls and so are turning their attacks away from network layer, to attacking the web application (new attacks such as SQL-injection and Cross-site-scripting target specifically the web application, and firewalls do not protect against such attacks - only QA will),” he continues.
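Lim's point that a firewall does not protect against SQL injection is worth seeing concretely: the hostile request is ordinary HTTP on the allowed port, and the damage happens inside the application's own query. The example below is added here and is not IBM's or any social network's code; it runs the same profile lookup both ways against an in-memory SQLite table with constructed rows, so the difference between pasting input into SQL and passing it as a parameter is observable.

```python
"""Constructed example (not from the article): one profile lookup written
the vulnerable way (string concatenation) and the correct way (parameterized
query), run against an in-memory SQLite table with made-up sample rows.
"""
import sqlite3


def make_db():
    """Build a throw-away profiles table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (username TEXT, email TEXT, is_private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO profiles VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1),   # private profile
         ("bob", "bob@example.com", 0)],      # public profile
    )
    return conn


def lookup_public_vulnerable(conn, username):
    """Vulnerable: the user's input becomes part of the SQL text.

    A network firewall sees a normal-looking request; the database sees a
    different query than the developer wrote, and the is_private guard can
    be bypassed by a quote in the input.
    """
    sql = ("SELECT username, email FROM profiles "
           "WHERE is_private = 0 AND username = '" + username + "'")
    return sorted(conn.execute(sql).fetchall())


def lookup_public_safe(conn, username):
    """Fixed: the query text is constant and the value is bound as a
    parameter, so it can only ever be compared, never parsed as SQL."""
    sql = ("SELECT username, email FROM profiles "
           "WHERE is_private = 0 AND username = ?")
    return sorted(conn.execute(sql, (username,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"   # constructed input containing a quote
    print("vulnerable, hostile input:", lookup_public_vulnerable(db, hostile))
    print("safe, hostile input:      ", lookup_public_safe(db, hostile))
    print("safe, normal input:       ", lookup_public_safe(db, "bob"))
```

The vulnerable variant returns the private row as well as the public one for the hostile input, while the parameterized variant returns nothing, because SQLite compares the whole string against the username column rather than re-parsing it. This is the kind of defect that only review and testing of the application itself (the "QA" Lim refers to) will find.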
Lim applauds Facebook’s recent tie-up with an anti-virus firm. “I think that’s very good and it minimizes the possibility of viruses, worms and malware being distributed through their service for example, from one user to another, whether inadvertently or on purpose. In addition, it also keeps the morale and support of the users up,” he comments.
Some best practice guidelines to follow while on social networking sites include: never putting undue corporate or personal data on the social networking service, never sharing passwords with other users, never clicking on links or information you are unsure about, ensuring that you are protected from Web-based infection and using more ‘complicated’ or stronger passwords – just know how to remember them! In addition, Lim adds, “Never make yourself too attractive on the social networking site (whether for real or not) – be humble – if you are too attractive or too much of a show-off, or project yourself as haughty or disgusting, you may attract the wrong attention!”
Being the security advocate he is, you may be surprised that Lim is against the idea of blocking employees from using social networking sites. Explaining his stand here, he says, “Doing this demoralizes the employees and makes them hate their employer or maybe not so extreme, makes the employer unpopular. In addition, many people today actually use social networking services for business and marketing and industry networking – it’s becoming more and more a part of the business world and an important business tool. Here is a funny but true story – recently a European colleague of mine was traveling in the US and at a training session or conference, and had not replied to an email of mine requesting some technical information, for a week already – and my Taiwan client was chasing for the information … then I noticed him online on Facebook and I sent him a message informing him that he hadn’t replied to that email of mine. Within the next 24 hours I got the information I needed, and sent it off in turn to the client.”
So does Lim feel that social networking is a security nightmare? His parting shot: “Funny thing – currently the majority of social networking users don’t know or don’t care about such things!”
Social networking is definitely here to stay. As long as users adhere to the security guidelines mentioned above, social networking can remain a pleasant experience and valuable tool for all.
By Shanti Anne Morais