Social networking sites are fraught with controversy in security circles, no two ways about it. I've heard friends call it a “privacy abomination,” and I know a considerable number of people who refuse to use it for security reasons. (This is ironic, considering the biggest risks posed by social networking sites are most easily averted by the technologically savvy!)
But there are even more security-conscious people who use all the most common social networking sites. If you search for any of the biggest names in the industry, you're likely to find them on the popular networks.
Would the big security players play these reindeer games if the risk was something that couldn't be mitigated? Simply put, no. Those of us reading this article undoubtedly have a grasp of the basics of what not to post, and we know that malware has been circulating around these sites for years. To a certain extent, nothing has changed with those basics. But a couple of wrinkles have been added in the past few months, and we need to make sure people are aware of them so they can change their behavior accordingly.
The first is the use of status updates as legal defense. Blog posts and status updates have been used as reason to fire employees for years – e.g. someone calls in sick but lets her Facebook pals know she's at the beach, or blogs to badmouth a company or her fellow co-workers.
In November of this year, a Facebook status update was used as an alibi in the case of a 19-year-old New Yorker who was accused of committing a robbery. Facebook was able to confirm that the update was added from a computer at his father's residence at the time in question. This is not something that security people necessarily need to teach the people under their care, as the old rule about being careful what you post still covers this. This is mostly important for people who deal with legal queries. One must now consider a wider variety of factors in forensics, including what a person is tweeting or blogging.
The second change is a new kind of scam. It might seem obvious that it is a bad idea to enter one's credit card, in any capacity, on a social networking site. But this is exactly what Facebook users are being asked to do by makers of certain game applications. These games have a variety of “cash” which cannot be earned in sufficient quantities within the game, but must be purchased either by going to external (and often malware-laden) advertisers' sites or by purchasing them with a credit card. One doesn't need to purchase things to play these games, but the things which are available for purchase make a game easier to play or otherwise more enticing. More than that though, the games are designed to entice you to bring other players in to join you and potentially be enticed to purchase items.
There has been no allegation yet that the credit cards are being used for additional malicious purposes, just that the tactics used to encourage people to participate are less than savory. But those who opt out of entering their credit card directly on the game site in order to purchase “cash” can find themselves at the mercy of sponsor sites, which are unscrupulous. This is very much an “adware” type of scenario: users could get access to software “for free” by agreeing to view ads, but these programs would often send personally identifiable information back home and be almost impossible to remove.
As with most things malware these days, the social engineering tactics have changed little; they have just been applied to a new medium.