Hugh Thompson, who is the program committee chairman of the annual RSA Conference, also teaches a class on software security at Columbia University in New York. Two years ago, a few of his students looked into an online forum in which software developers share troubleshooting advice. These students wrote a basic source-code scanner that connected login names on this forum to LinkedIn and Twitter, thus identifying these developers and extrapolating which companies had vulnerabilities in their systems.
Their motive was harmless, but the students showed how hackers could execute this. “The data could be fused,” Thompson says. The linchpin, of course, was social media, as content available on these popular user-generated sites was wielded for other purposes. Never before has more information about individuals and companies been publicly available, and the culprits are Facebook, Twitter, LinkedIn and other social networks. Few people are complaining. Facebook, for example, accounts for 18 percent of the time Americans spend on the web, according to Nielsen.
But the interconnectedness of information on the web presents security risks around every corner, from trivial to serious, not only for individuals, but also for the companies that employ them. For example, social media sites can be used by companies to gather information on their competitors, leveraged by hackers to mine data to target a single company, and employed by identity thieves to collect information that can be used to guess or recover passwords. Public information on individuals and organizations, in large part because of social media, is readily available, and its malicious use requires little expertise. That is because social media has changed the way people communicate and unlocked channels previously unimagined. Social interactions in a community depend on trust – trust that what one shares will not be abused. However, the ability and desire for public self-disclosure through online social networks are outpacing awareness of the risks, say experts. For instance, in 2010, Facebook users uploaded 2.5 billion photos per month.
“Relationships in the social fabric have become automated,” says Joe Gottlieb, the CEO and president of Sensage, a data warehouse software provider. “To me, that is a very impactful trend.”
Last November, “socialbots,” which researchers from the University of British Columbia at Vancouver released onto Facebook, made off with 250 gigabytes of personal information belonging to thousands of users. Or take the case of the GhostNet Chinese spy ring, uncovered by University of Toronto researchers in 2010, where malware networks were organized and operated through Web 2.0 programs, such as Twitter and Google Groups, to steal sensitive documents from the Dalai Lama, governments and corporations.
In the past, email provided one doorway for phishing attacks. With social networks, phishing now comes through several routes. The growth of “personalization tooling,” as Thompson calls it, drives the cost of creating one more personalized email to zero.
This data can be used explicitly and inferentially. Thompson describes an IT industry analyst who estimates the sales figures of small companies. Since these figures aren't public, the analyst searches LinkedIn for former sales employees of these companies, many of whom include in their profiles the sales growth they drove during their time at that company.