Never trust a stranger: Secure social networking
Rob Rachwald, director of security strategy, Imperva
Recently, Facebook admitted that 83 million accounts – about the population of Egypt, Germany or Ethiopia – are phony. Who are the phonies? No one can say for sure, but it's a safe bet that they're not charity workers or clergy. Consequently, now is a good time to remind you of what your mom likely taught: “Never trust a stranger.” Especially online.
The internet has enabled many things – among them is the ability to communicate with anonymous or unknown individuals. But have you ever thought that the person you're talking to might be a hacker? Social networks, like Facebook, are valued by information diggers because they contain personally identifiable information (PII), as well as general personal information.
This type of data can be used for various purposes. With enough information a hacker can even gain control of a user's other online accounts; for example, using the “forgot password” feature that exists in many social networks. This feature requires a person to identify themselves by supplying an answer to a pre-determined personal question, such as the name of a pet, or a hometown high school. More often than not, a hacker can retrieve this type of information by viewing publicly available information on a social network profile. As soon as a hacker is able to access the password to your profile, the odds are that they will also get the password for your email and bank accounts. Game over.
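The recovery path described above fails because the secret it relies on (a pet's name, a high school) is often public. The following is an added example, not code from the article or from any social network, showing a reset flow that instead relies on a random, single-use, time-limited token sent to the address already on file; the in-memory store, the 30-minute lifetime and the PBKDF2 parameters are assumptions made for the illustration.

```python
"""Added example: a password-reset flow authorised by a random token rather
than by a personal question whose answer may be readable off a profile."""
import hashlib
import secrets
import time

TOKEN_LIFETIME = 30 * 60  # seconds; assumed policy for this example
PBKDF2_ROUNDS = 100_000   # assumed work factor


class ResetService:
    """Minimal reset service with an injectable clock so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}      # sha256(token) -> (account, expiry time)
        self._credentials = {}  # account -> (salt, pbkdf2 digest)
        self.outbox = []        # (email, token) pairs a real service would mail

    @staticmethod
    def _token_hash(token):
        # Keep only a hash so a leaked table does not contain usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, account, registered_email):
        # The token goes only to the address on file; nothing public is asked
        token = secrets.token_urlsafe(32)
        expiry = self._now() + TOKEN_LIFETIME
        self._pending[self._token_hash(token)] = (account, expiry)
        self.outbox.append((registered_email, token))

    def redeem(self, token, new_password):
        """Return True if the token was valid, unexpired and not yet used."""
        entry = self._pending.pop(self._token_hash(token), None)  # pop => single use
        if entry is None:
            return False
        account, expiry = entry
        if self._now() > expiry:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self._credentials[account] = (salt, digest)
        return True

    def password_matches(self, account, password):
        cred = self._credentials.get(account)
        if cred is None:
            return False
        salt, digest = cred
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    svc = ResetService()
    svc.request_reset("alice", "alice@example.com")  # constructed account
    _, token = svc.outbox[-1]                         # stands in for reading the email
    print("first redeem:", svc.redeem(token, "a long passphrase"))
    print("second redeem of same token:", svc.redeem(token, "another one"))
```

The two properties that matter for the scenario in the text are that no guessable fact is part of the flow and that a captured token is useless after one use or after its lifetime; the `outbox` list is a constructed stand-in for the mail delivery a real service would perform.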
Since social networks are all about “friends,” getting hold of a victim's account will provide the hacker knowledge of that victim's circle of friends. Once the hacker has access, they can pose as a trusted friend, creating phishing messages containing links to malware or including malware-laden files. Because the messages purportedly come from a “friend,” the victim may be more susceptible to follow the links or open the attachments.
We've established that the main method to gain access to the account of a specific user is getting the password. But how can this be accomplished? There are myriad ways:
- Malware: Keystroke loggers can record a user's activity, including passwords for different applications. This malware can be installed through social engineering techniques circulated via email or over a social network, like Facebook, that encourage a user to download a malicious application masquerading as a legitimate one.
- Phishing: By creating a mock login page, hackers can attempt to deceive users into divulging their login credentials. Once the hackers have the login information, they can then access the user's profile, gaining access to their network of friends and other personal information.
- Brute force: Hackers can repeatedly attempt to guess a user's password. This technique can be especially effective against users with easy-to-guess passwords, like “password” or “12345.”
Hackers communicate with each other in online hacking forums, selling services to teach other hackers how to use the above methods to breach the accounts of unsuspecting users.
If users don't take the appropriate precautions to protect their social networking profiles, there can be nasty consequences – not just for the user, but also for their employers, families and greater communities.
This spring, MilitarySingles.com, a dating website for members of the military, was compromised by hackers, resulting in the publishing of names, email addresses and passwords for more than 150,000 of the site's members. This breach was likely caused by uploading a malicious file masquerading as a .JPEG attachment through a PHP application on the website.
The pervasiveness of PHP applications on the web, combined with the tendency of social media users to increasingly reveal private information, can create a serious security risk. In the case of MilitarySingles.com, the personally identifiable information of members of the U.S. military was accessed, giving hackers access to the email accounts of military members and, arguably, access to potentially damaging secrets.
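The breach mechanism described above, a script uploaded under an image name, is defeated by validating uploads by their content rather than by the name the client supplies. The block below is an added example, not code from the article or from the breached site, written in Python rather than PHP so it runs stand-alone; the accepted image types, the size cap and the storage layout are assumptions for the illustration.

```python
"""Added example: accept an image upload only when its bytes match the type
its filename claims, and store it under a server-chosen name."""
import os
import secrets

# Magic bytes for the image types this hypothetical site accepts
ALLOWED_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload cap


class UploadRejected(ValueError):
    """Raised with a reason whenever an upload fails validation."""


def detect_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for kind, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(client_filename, data):
    """Return the detected image type or raise UploadRejected.

    The filename is only used to learn what the client *claims*; the decision
    is made on the content, so a script renamed to .jpeg is refused."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    claimed = EXTENSION_TO_TYPE.get(ext)
    if claimed is None:
        raise UploadRejected(f"extension .{ext} not allowed")
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("content is not a recognised image")
    if detected != claimed:
        raise UploadRejected(f"content is {detected} but name claims {claimed}")
    return detected


def is_accepted(client_filename, data):
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(client_filename, data, upload_dir):
    """Validate, then write under a random server-chosen name; upload_dir is
    assumed to sit outside the web root and to be served without script
    execution, so the client's filename never reaches the interpreter."""
    kind = validate_upload(client_filename, data)
    name = f"{secrets.token_hex(16)}.{kind}"
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


# Constructed samples: a minimal JPEG header, and harmless script text
# carrying an image name, standing in for the disguised file in the text.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
DISGUISED_SCRIPT = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    print("photo.jpeg with JPEG bytes:", is_accepted("photo.jpeg", REAL_JPEG))
    print("photo.jpeg with script bytes:", is_accepted("photo.jpeg", DISGUISED_SCRIPT))
    print("photo.php with JPEG bytes:", is_accepted("photo.php", REAL_JPEG))
```

Two choices carry the weight here: the extension is compared against the detected type instead of being trusted, and the stored name is generated by the server, so nothing the uploader controls decides how the file is later interpreted. Checking the first bytes is not a full image parse; a production service would additionally re-encode or strip the image, but even this cheap check refuses the renamed-script case the text describes.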
For the above reasons, it's important for social media users to take the following precautions:
- Take advantage of privacy restrictions: The less visible your personal information is, the more difficult it is for hackers to obtain. Ensure that information is only available to those you choose to connect with over social media. Most people, for example, fail to consider simple defense mechanisms:
  - Don't use your real name.
  - Remove your information from Google search crawlers.
  - Turn off a social network's information sharing functionality. For example, Facebook's “Platform” should be turned off so your browsing history cannot be tracked.
- Connect only with people that you know: By whittling down your “friends” to only those you know personally, you will minimize your risk of becoming a victim.
- Implement restrictions on social media if necessary: The MilitarySingles breach shows that carelessness on social media sites can have potentially dire consequences. Organizations should take necessary precautions to ensure that members are protected from potential breaches via social media, even if that means restricting them from participating.