Taking it Seriously: Social Networking and Security

Last week I was asked an interesting question that boggled my mind about the current state of social networking. And just last week Facebook decided to sell the information we share with them to Microsoft, Yelp and Pandora. Sure, social networking has gone from just a tool to meet friends through friends to a necessity for some, and a marketing ploy for companies to promote and communicate their products by giving them information that attracts the other party. But someone with malicious intent can use this kind of information against that very person, and unfortunately the top social networking site, Facebook, is somehow making this all too easy.

What are the security implications of social networking sites?

Social networking relies on members giving information about themselves, but people tend to want to impress others, and in doing so they give as much information as possible to any party that might be interested. When revealing themselves online, people will not exercise the same amount of caution as they would in real life because:

  • The lack of physical interaction gives you a false sense of security. The "Hey, I am sitting here comfortably in my confined space, nothing can go wrong" attitude is dangerous. And unfortunately, the more comfortable a person is, the less cautious they are.
  • One would expect that the information they provide online will only be read by their friends. But others might be able to read it too, through misconfigured privacy settings, shoulder surfing, browser exploits, account hacks or other methods.

And the more information one has on someone, the easier it is to impersonate them and use this to gain unauthorized access to resources. And as the popularity of social networking sites increases, it becomes easier for hackers to distribute malicious code and control zombies or botnets. Sites that allow third parties to display content on their pages, like Facebook, are particularly susceptible.

That is not the only thing.

Even if you properly adjust your privacy settings and make sure you are not vulnerable to hacks, the information you provide on the internet lingers. It is saved on their network and, for economic reasons, sold to their partners so they can spam you with targeted advertisements by making sense of your hobbies, habits and anything else based on the information they have gathered. And although in the beginning they say that they will protect your information, they can only do so much, because humans make mistakes even when they use proper controls to check their own code. Their own controls might have loopholes.

So what can you do to protect yourself on social networking sites?

Limit the personal information that you share. Use common sense when giving information on the internet. Remember that once it is out there, it stays there, indefinitely. And DO NOT post the following information, which answers the most common password recovery questions on social networking sites: any information that is listed on your national identity card (e.g. your house address, birthdate, phone numbers), names of family members (and do not link yourself to your immediate family members), bank account number, credit card information (these two are no-brainers), your office address, names of pets, etc.

Manage your Privacy Settings. Give yourself enough time to understand the privacy settings. Some social networking sites keep changing theirs. *cough*Facebook*cough* keeps making changes to their privacy policy and settings for the worse more often than a baboon would eat their young. Do you really expect privacy from a company that actually makes a business out of selling personal information, that has been hacked numerous times, that is targeted by privacy advocates, and that was made by a person who said that he foresaw the death of privacy?

Secure Your Computer. Keep your operating system and browsers up to date. Install antivirus, firewall and anti-spyware software, and keep them up to date. If you want to be really secure, disable JavaScript in Firefox and ActiveX in Internet Explorer. Do not install Adobe Flash or use Adobe Acrobat Reader. Avoid those two like the plague. FYI: between Dec 2009 and April 2010 Adobe Reader had four vulnerability announcements. Then there is the Aurora IE exploit, which actually compromised huge companies like Google, Juniper and Adobe, and which took antivirus several months to be able to detect. And also the multistage Adobe Acrobat exploit. I cannot stress enough the importance of regular security awareness training. (The strangest thing is I understand why Google, who have their own browser, which is relatively more secure than Internet Explorer, let their employees use IE in their office to browse internet web pages.)

Treat information security seriously. While senior management thinks about strategic plans, aims and objectives, most of them fail to make security part of their plan or to see that they are ultimately responsible for their companies’ security. Unfortunately, most of them expect security to “just happen” without trying to understand it. Most big companies follow strict security standards because they are required to do so. Medium and small companies either do not have enough resources or do not have a proper framework for initiating and implementing security, so they simply do it haphazardly, and in the worst case they just do not care. Hey, I have met an IT manager who thinks that they do not need antivirus. But the fact is that for security to be taken seriously, organizations have to take the top-down approach.

I would like to go on, but it would take too long, and there are better websites that would give you a better understanding of security, the risks and how to mitigate those risks. What I wrote are just a few things that you can do to protect yourself and others. Lots more can be found on websites like SANS and NIST. Have fun and be safe.


PCWorld just posted an article about the privacy settings on the latest Facebook. Please do as recommended.