
Boundless information: Mining social networks

Social media sites are filled with valuable assets that must be protected, reports Jim Romeo.

A man named Joe Parrish had a Facebook page with 27 friends listed. Not long ago, he posted a comment on his wall about a recent visit he had with his sister.

Sounds harmless, right? In fact, there are innumerable similar messages posted every day on many different social media sites throughout the web. The only problem here is that Joe Parrish is an inmate at the state's Pocahontas State Correctional Center within the Virginia Department of Corrections (DOC), serving a 16-year sentence for involuntary manslaughter. Parrish was able to update his page by relaying information to family members, who colluded with him in posting the information. When DOC officials became aware of the activity, they had the page removed. But the fact is that social networking remains fertile ground for the many with a criminal mindset – even for those who have been caught.

“Social networks create a new type of communication structure – one that encourages openness, sharing, collaboration and cooperation,” says Ed Amoroso, senior vice president and chief security officer of AT&T. “These are wonderful goals, but unfortunately sometimes create special challenges for security teams. The security goal should be to ensure that proper controls are in place for emerging social networks – beyond the ‘friend model’ we see in many common systems, and that these controls maintain the original collaborative objectives.”

Take a look at the U.S. Secret Service's 10 Most Wanted list, and you'll find a common pattern: fraudulent activity. This most often occurs not with a loaded gun, but in the form of a nonviolent crime where someone, often in a far-off nation, used their ability to capture information from some infrastructure to steal personal information or assets. For example, the wanted list describes a Hong Kong man who parlayed his knowledge of a health care company to steer claims payments directly to his own account in Asia.

Distant danger

Peruse the list and you'll find clever criminals who take money, Social Security numbers, and detailed personal information out of the pockets of thousands of people without ever setting foot outside of their apartment, often in a country located halfway around the world from most of their victims – and without ever using force.

“It is increasingly easier for hackers to obtain personal information online that is voluntarily posted by individuals,” says Theodore Theisen, director of information security, forensics and data breaches for Kroll, a security consulting firm. “With the increased personal information available, hackers subsequently have much more information that can be used to socially engineer their way into corporate networks. As a result of all of this information, there is an increase in spear [targeted] phishing attacks.”

The worst part of this is that victims may never know anything is going on at all. “An additional risk is that, in general, there is no transparency into failed login attempts on social networking websites,” says Theisen. “If a hacker tries to brute force their way into a social networking website account, there would be no way of knowing these attempts were being made. If similar or same passwords are being used by individuals to log in to their social network accounts as their enterprise account, the hacker is much closer to being able to obtain unauthorized access to your business.”

Just last month, a new variant of the Ramnit virus was discovered stealing login credentials of more than 45,000 Facebook users. Computers are infected through drive-by download attacks, which occur when users simply visit a malicious website and become infected without taking any action.

The danger, says Aviv Raff, CTO of Seculert, whose research lab discovered the attack, is that the miscreants could now parlay the personal information they've gathered to launch further targeted attacks. Users should not use the same password for Facebook and other online services, such as Gmail, Raff adds.

Michael Logan, president of delivery and operations for Axis Technology, a Boston-based provider of data masking software and solutions for enterprises, says social networks encourage the sharing of information in an unfiltered and unsecured manner, and this presents a Pandora's box of problems that seems to frustrate security professionals.

“This presents new risks for enterprises that they don't know how to manage,” he says. “The typical reaction is to shut down access to social networking sites. However, business people are not willing to do this since they see exciting potential in social networks.”

The current trend is for social networking sites, like LinkedIn and Facebook, to provide more security- and privacy-related features, he says. However, these sites don't want to make it harder for their users to “share” with their social network. The result is a set of capabilities that are a compromise and can be confusing to users.

Logan says personal information, often thought to be a wonderful facet of social networking engagement, may be a haunting enigma when it comes to security breaches.

“Employees and managers need to be aware of what will happen to information they share,” he says. “Most social networking sites have privacy policies that are opt-out based. This means you basically share everything unless you explicitly tell the site you don't want to share it. Most enterprises would prefer an opt-in strategy, where you only share information based on choices you explicitly agreed to. The risk is that many people will have to make a mistake and share some information they did not want to before they learn how to opt-out, and this process could be painful.”

Data hygiene

Such information formerly was mainly paper based and, people believed, held securely. “Many years ago, the places where personal information was available were few and far between,” says John Eggleton, head of risk products at WorldPay at The Royal Bank of Scotland. The birth of the internet has shown that one's information can be stored and accessed instantly at the touch of a button, and includes much more detail than in the past, he says. Plus, data is now stored in multiple locations and accessible via the internet. “As much of this information is freely available, it is much easier for anyone to build a robust picture about us without actually needing to know us.”

The fidelity of information that abounds on social networking channels and pipelines is where the problems begin. “Data leakage is primarily a social engineering threat,” says Michael Sutton, vice president of security research at Zscaler, a SaaS security provider based in Sunnyvale, Calif. “People have become accustomed to sharing often intimate personal details online, assuming that the information is safely housed in a trusted environment, with trusted individuals. Of course, this is not always the case.”

While social networks may permit users to determine with whom information is shared, it is important to remember that data is shared among accounts, not people, Sutton says. “Accounts can become compromised. Even though a request may come from a ‘trusted source’ within the social network, that source may actually be an infected PC, not a known individual.”

As a general rule, when it comes to social networks, if one wouldn't share the information on a public billboard, one shouldn't share it on Facebook, says Sutton.

Further, social networks are struggling to keep up with the inspection of online content, he says. “It has become a cat-and-mouse game as attackers continually look to bypass implemented security controls, and network owners attempt to implement new controls to detect the latest scam,” Sutton says. “Users cannot assume that social networks have succeeded in protecting them from attack, and users may take steps to implement their own security measures to inspect all content.”

So, will security managers ever be able to combat and safeguard against the threat that social network hacks pose to enterprise networks? 

Management conundrum

Social networking is nothing new. The phenomenon was not created last week, last month or last year. It seems that as one door closes shut for the criminal mindset another swings wide open, and security managers struggle to keep up.

“Cyber crime will continue to happen whether social networks are there or not,” says Scott Emo, head of software blade product marketing at Check Point Software Technologies, a Redwood City, Calif.-based provider of protection against internet threats. “Security managers are responsible for the safety of their enterprise networks.” He recommends a multilayered approach to defend against malware. A comprehensive security architecture should include firewall, intrusion prevention system, anti-malware, URL filtering, anti-bot, data leakage prevention and other technologies, depending on the infrastructure of the network, he says.

Kroll's Theisen agrees that security managers will always struggle to entirely eliminate the scheming of this lurking criminal mindset. “This is especially true when the security managers and professionals have no control over what personal and business information end-users post online within social networking websites over which they have no control,” he says. “Because of this, it is important to provide social engineering awareness training to all employees and clearly articulate what personal/business information should not be posted on social networking websites.”

Exploit by organized gangs

Jim Kardaras, a senior vice president with the FINPRO practice of Marsh, an insurance broker, cites organized crime rings as the primary culprit in new methods to abscond with ill-gotten gains. Bigger and bolder action, and intervention by legislators at the federal level, may be warranted, particularly when resources aren't plentiful to combat the ever-impending threat of criminals exploiting social networking mediums to violate the masses.

“Many small and midsize companies and government entities lack the rigorous security programs of larger companies,” says Kardaras. And companies cannot rely too heavily on their banks for protection against account fraud, as business accounts are currently not covered by the laws that provide zero-liability protection.

“Until some legislative reform to give company accounts a better backstop in the event of fraud, smaller to midsize businesses, in particular, will continue to be victimized by online crime, and without any straightforward means for recouping losses, outside of insurance.”

This article originally appeared in SC Magazine Spotlight on Social Media.
