Hugh Thompson, program committee chairman of the annual RSA Conference, also teaches a class on software security at Columbia University in New York. Two years ago, a few of his students looked into an online forum in which software developers share troubleshooting advice, often posting snippets of their own code. The students wrote a basic source-code scanner for those snippets and then connected the posters' forum login names to their LinkedIn and Twitter accounts, identifying the developers and, from their employers, extrapolating which companies had vulnerabilities in their systems.
Their motive was harmless, but the students showed how hackers could do the same. "The data could be fused," Thompson says.
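The students' fusion step, in outline, is a join between two data sets that were never meant to be joined: findings from code posted under a forum handle, and public profile data keyed by the same handle. The following Python is an added illustration of that idea, not the students' scanner; the forum posts, profile records and the crude regex "scanner" are all constructed here, and the ambiguity handling (one handle resolving to two employers) is my own addition showing why such correlations need a confidence check before anyone acts on them.

```python
import re
from collections import defaultdict

# Constructed sample of forum posts: (login name, code snippet the poster shared).
FORUM_POSTS = [
    ("devjane", 'cur.execute("SELECT * FROM users WHERE name = " + name)'),
    ("bob_k", "result = eval(user_input)"),
    ("carol", "cur.execute('SELECT * FROM users WHERE name = %s', (name,))"),
    ("devjane", "password = 'Hunter2'  # TODO remove before commit"),
]

# Constructed sample of public profile data, keyed by the same login names.
# "bob_k" deliberately resolves to two different people on two networks.
PROFILES = {
    "devjane": [{"source": "linkedin", "employer": "Acme Corp"}],
    "bob_k": [{"source": "twitter", "employer": "Globex"},
              {"source": "linkedin", "employer": "Initech"}],
    "carol": [{"source": "linkedin", "employer": "Acme Corp"}],
}

# Very rough static patterns; a real scanner would parse the code rather than grep it.
PATTERNS = {
    "sql-concat": re.compile(r'execute\(\s*["\'][^"\']*["\']\s*\+'),
    "eval-on-input": re.compile(r'\beval\('),
    "hardcoded-secret": re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\']'),
}


def scan_snippet(code):
    """Return the sorted list of pattern names that match the snippet."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(code))


def fuse(posts, profiles):
    """Map each employer to the weakness classes seen in its developers' posts.

    Returns (by_company, uncertain). A handle that maps to more than one
    employer is not attributed at all; it is reported under `uncertain` so a
    human can disambiguate instead of the tool guessing.
    """
    by_company = defaultdict(set)
    uncertain = defaultdict(set)
    for login, code in posts:
        findings = scan_snippet(code)
        if not findings:
            continue
        employers = {p["employer"] for p in profiles.get(login, [])}
        if len(employers) == 1:
            by_company[employers.pop()].update(findings)
        elif len(employers) > 1:
            uncertain[login].update(employers)
        # A handle with no public profile yields nothing: no fusion possible.
    return ({k: sorted(v) for k, v in by_company.items()},
            {k: sorted(v) for k, v in uncertain.items()})


if __name__ == "__main__":
    companies, unresolved = fuse(FORUM_POSTS, PROFILES)
    for company, issues in companies.items():
        print(f"{company}: {', '.join(issues)}")
    for handle, employers in unresolved.items():
        print(f"{handle}: ambiguous handle, could be {' or '.join(employers)}")
```

On the constructed input the only confident attribution is Acme Corp (via devjane's two posts), while bob_k's eval finding is held back because the same handle belongs to two different employers. The defensive lesson for companies is the mirror image: anything staff post under a handle that can be tied to them is effectively posted under the company's name.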
The linchpin, of course, was social media: content posted on these user-generated sites was wielded for purposes its authors never intended. Never before has more information about individuals and companies been publicly available, and the sources are Facebook, Twitter, LinkedIn and other social networks. Few people are complaining. Facebook alone accounts for 18 percent of the time Americans spend on the web, according to Nielsen.
But the interconnectedness of information on the web presents security risks at every turn, from trivial to serious, not only for individuals but also for the companies that employ them. Social media sites can be used by companies to gather intelligence on their competitors, mined by hackers to target a single company, and combed by identity thieves for the details that can be used to guess or recover passwords. Largely because of social media, public information on individuals and organizations is readily available, and putting it to malicious use requires little expertise.
Social media has changed the way people communicate and opened channels previously unimagined. Social interactions in a community depend on trust – trust that what one shares will not be abused. However, the ability and desire for public self-disclosure through online social networks are outpacing awareness of the risks, experts say. In 2010, for instance, Facebook users uploaded 2.5 billion photos per month.
“Relationships in the social fabric have become automated,” says Joe Gottlieb, the CEO and president of Sensage, a data warehouse software provider. “To me, that is a very impactful trend.”
Last November, "socialbots" that researchers from the University of British Columbia in Vancouver released onto Facebook made off with 250 gigabytes of personal information belonging to thousands of users. Or take the case of GhostNet, the Chinese cyber-espionage network first exposed by University of Toronto researchers in 2009; their 2010 follow-up investigation found the malware's command infrastructure organized and operated through Web 2.0 services, such as Twitter and Google Groups, to steal sensitive documents from the Dalai Lama's offices, governments and corporations.
In the past, email provided one doorway for phishing attacks. With social networks, phishing now arrives by several routes. The growth of "personalization tooling," as Thompson calls it, drives the marginal cost of one more personalized email toward zero.
Such data can be used explicitly and inferentially. Thompson describes an IT industry analyst who estimates the sales figures of small companies. Since these figures aren't public, the analyst searches LinkedIn for former sales employees of those companies, many of whom list in their profiles the sales growth they drove while there.
Privacy and social networks are inherently at cross purposes, and security is part of the equation. The more one shares, the more one and one's friends get out of it, in an endless feedback loop. The business model of online social networks, built on advertising revenue, depends on exactly that.
“When you post on Facebook, you should assume anyone in the world can look at it,” says Joel Winston, a former Federal Trade Commission official and now the chief privacy officer of ID Analytics, a San Diego-based company that addresses identity fraud.
More than a year ago, ID Analytics did an in-house study of the use of social media and found that 24 million American adults keep public profiles, Winston says. “That information can be harvested by thieves to get past security questions,” he says. “The whole goal is to get enough information to impersonate you.”
But one can only stay so safe. Even after hiding any number of identifiers – high school, employer, birthplace – personal information useful to miscreants can still be inferred by browsing one's network of friends.
“It’s not your information that makes you vulnerable, but other people’s information,” says Markus Jakobsson, the principal scientist of consumer security at PayPal, the online pay portal.
Exacerbating the situation, traditional defenses like anti-virus and firewalls are being circumvented. Greater awareness and common sense help, and according to Martin Roesch, the founder of Sourcefire, employers can deploy "next-generation firewalls" to monitor the web applications their employees use. A security overhaul, he says, isn't necessary.
However, the seam has been splitting at the gateways to accounts: passwords and the password-reset questions behind them. "This idea of asking for biographical information was a good idea 20 years ago," says Thompson. "But today, through social media, you are more knowable to a stranger than you've ever been."
Addressing this issue, PayPal's Jakobsson spent years designing Blue Moon Authentication for RavenWhite, a software company he co-founded. Rather than querying biographical information that floats around the web, its questions concern preferences. When setting up an account, users choose three images of things they like and three they dislike. These preferences are unlikely to change when asked about later, and they concern ordinary topics people do not express publicly on social networks.
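A minimal preference-based challenge of the kind described above, written here as an added illustration. This is not RavenWhite's or Blue Moon's code and assumes nothing about how that product works beyond the three-liked, three-disliked enrolment the article mentions; the image catalogue is constructed, and the lockout and the guess-probability calculation are my additions. The calculation is the practitioner's caveat: someone who knows the rule "three of these six are liked" has a 1-in-20 chance of guessing the split, so the scheme only holds up with a strict attempt limit.

```python
import random
from math import comb

# Constructed image catalogue: id -> what the picture shows (a real system shows pictures).
CATALOGUE = {1: "sushi", 2: "jazz", 3: "hiking", 4: "cats",
             5: "opera", 6: "golf", 7: "chess", 8: "camping"}

MAX_ATTEMPTS = 3          # lock the fallback after this many wrong answers


class PreferenceAuth:
    """Fallback authentication from like/dislike choices rather than biography."""

    def __init__(self):
        self._prefs = {}      # user -> {image_id: True for liked, False for disliked}
        self._failures = {}   # user -> consecutive wrong attempts

    def enroll(self, user, liked, disliked):
        liked, disliked = set(liked), set(disliked)
        if len(liked) != 3 or len(disliked) != 3 or liked & disliked:
            raise ValueError("exactly three liked and three disliked, no overlap")
        if not (liked | disliked) <= CATALOGUE.keys():
            raise ValueError("unknown image id")
        prefs = {i: True for i in liked}
        prefs.update({i: False for i in disliked})
        self._prefs[user] = prefs
        self._failures[user] = 0

    def challenge(self, user, rng=None):
        """Return the six enrolled image ids in a fresh random order, with no labels."""
        rng = rng or random.SystemRandom()
        ids = list(self._prefs[user])
        rng.shuffle(ids)
        return ids

    def verify(self, user, answers):
        """answers: {image_id: True/False}. Every one of the six must be right."""
        if self._failures.get(user, 0) >= MAX_ATTEMPTS:
            return False                      # locked out; do not even evaluate
        expected = self._prefs[user]
        ok = (set(answers) == set(expected)
              and all(answers[i] == expected[i] for i in expected))
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok


def random_guess_success(liked=3, total=6):
    """Chance that an attacker who knows the 3-of-6 structure guesses the split."""
    return 1 / comb(total, liked)


if __name__ == "__main__":
    auth = PreferenceAuth()
    auth.enroll("alice", liked=[1, 2, 3], disliked=[4, 5, 6])
    shown = auth.challenge("alice")
    print("shown:", [CATALOGUE[i] for i in shown])
    print("correct answers accepted:", auth.verify("alice", {1: True, 2: True, 3: True, 4: False, 5: False, 6: False}))
    print("blind guess succeeds with probability", random_guess_success())
```

Two design points worth noting: the challenge hands back only the ids, so the server never leaks which ones are liked, and the attempt counter is checked before the answers are compared, so a locked account gives no feedback at all. With three attempts and a 1-in-20 chance per attempt, an attacker who knows nothing about the person succeeds well under 15 percent of the time; the scheme's real strength is that, unlike a mother's maiden name, these preferences are not sitting on a profile page.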
At Facebook, security engineers say they've largely solved the problem of spam on the site and have turned to authentication, which has evolved considerably over the years. Tapping the company's unique database, Facebook engineers designed a system of social authentication, in which users must identify their friends in three different photos.
“This helps us distinguish between you and an Eastern European who is hacking into your account,” Facebook engineer Christopher Palow says.
It would be very hard for that Eastern European hacker to name your friends correctly, but an ex-girlfriend or ex-boyfriend could. For that case, Palow said, Facebook has a new account-recovery mechanism. If an account is breached, the victim must contact three designated friends by phone or in person; those friends log in to Facebook, get authenticated themselves and each retrieve a unique code, which they pass to the hacked user. He or she enters all three codes at once, and a waiting period follows, during which Facebook sends out emails and text messages for verification.
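The recovery flow just described, as an added example and not Facebook's code: three designated contacts, one single-use code each, all three presented together, and a waiting period during which the real owner is notified and can cancel. The class, its method names, the 24-hour wait and the injected clock are all assumptions made here for the illustration; the page says nothing about Facebook's actual code lengths or timers.

```python
import hmac
import secrets

WAIT_SECONDS = 24 * 3600   # assumed waiting period; the article gives no figure


class TrustedContactRecovery:
    """Account recovery gated on three friends' codes plus a cooling-off period."""

    def __init__(self, clock):
        self.clock = clock        # callable returning seconds; injected so tests can move time
        self.contacts = {}        # user -> three friend ids chosen in advance
        self.codes = {}           # user -> {friend: code} for an in-progress recovery
        self.pending = {}         # user -> time at which access may be restored
        self.notifications = []   # emails/SMS a real system would actually send

    def designate(self, user, friends):
        friends = list(friends)
        if len(friends) != 3 or len(set(friends)) != 3 or user in friends:
            raise ValueError("need three distinct friends, not including yourself")
        self.contacts[user] = friends

    def start(self, user):
        """Owner reports a compromise: mint one fresh code per trusted contact."""
        self.codes[user] = {f: secrets.token_hex(8) for f in self.contacts[user]}
        self.notifications.append((user, "recovery started; reply to cancel"))

    def fetch_code(self, user, friend, friend_authenticated):
        """A friend, once logged in themselves, retrieves the code to hand over in person."""
        if not friend_authenticated or friend not in self.codes.get(user, {}):
            return None
        return self.codes[user][friend]

    def submit(self, user, codes):
        """All three codes must arrive together; a partial set is rejected outright."""
        expected = self.codes.get(user)
        if not expected or set(codes) != set(expected):
            return False
        # Constant-time comparison per code; do not short-circuit on the first mismatch.
        results = [hmac.compare_digest(codes[f], expected[f]) for f in expected]
        if not all(results):
            return False
        del self.codes[user]                       # codes are single use
        self.pending[user] = self.clock() + WAIT_SECONDS
        self.notifications.append((user, "codes accepted; access restores after the wait"))
        return True

    def cancel(self, user):
        """The real owner, alerted by the notification, stops a recovery they did not start."""
        return self.pending.pop(user, None) is not None

    def restore(self, user):
        due = self.pending.get(user)
        if due is None or self.clock() < due:
            return False
        del self.pending[user]
        return True


if __name__ == "__main__":
    now = [0]
    r = TrustedContactRecovery(clock=lambda: now[0])
    r.designate("owner", ["friend1", "friend2", "friend3"])
    r.start("owner")
    codes = {f: r.fetch_code("owner", f, friend_authenticated=True) for f in r.contacts["owner"]}
    print("all three submitted:", r.submit("owner", codes))
    print("restore immediately:", r.restore("owner"))
    now[0] = WAIT_SECONDS
    print("restore after wait:", r.restore("owner"))
```

The two checks that matter are the ones an ex-partner would try to get around: two out of three codes buys nothing, and even a complete set does not open the account until the waiting period has run and the owner has had a chance to cancel from the notification.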
Sure, it seems like something out of a spy thriller. But it goes to show how cherished that information is in modern times, and to what lengths Facebook believes people might go to get it.