The Security Risks of Social Networks
What your employees do online on their own time can still create all kinds of trouble for your business.

Online social networks are great places to meet and network with people sharing similar business interests. But
MySpace, Facebook and similar Web 2.0 sites can also pose serious security threats to users and their companies.

Many businesses view social networking sites as a kind of online cocktail party -- a friendly, comfortable place where
one can establish contacts, find buyers or sellers, and raise a personal or corporate profile. But the cocktail party
metaphor isn't entirely accurate. In fact, users would be better served if they thought of social network services in the
context of a loud glass house; a place with endless visibility and each occupant talking through a highly amplified

Since most people access social network sites from the comfort and privacy of their home or office, they can be lulled
into a false sense of anonymity. Additionally, the lack of physical contact on social network sites can lower users'
natural defenses, leading individuals into disclosing information they would never think of revealing to a person they
just met on a street -- or at a cocktail party.

Staying safe on a social networking service means recognizing these factors, and working knowledgeably within a set
of simple guidelines.

Social Networkers risk losing their identities. Those frequenting these sites expose
themselves to risk from identity thieves and hackers.
A new study by the US National Cyber Security Alliance (NCSA) and enterprise software firm CA focuses on online
behaviour and the possibility of cyber-crime threats such as fraud, identity theft, computer spyware and viruses tied in
with the use of social networking sites. The study indicates that a large percentage of users are adults, with 53 per cent
of adults over the age of 35. The complete CA/NCSA survey on social networking, as well as more safety tips for users
of social networking sites, can be found on the web site.

What security implications do these sites present?

Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of
personal information. When deciding how much information to reveal, people may not exercise the same amount of
caution as they would when meeting someone in person because:

     •    the internet provides a sense of anonymity
     •    the lack of physical interaction provides a false sense of security
     •    they tailor the information for their friends to read, forgetting that others may see it
     •    they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat, malicious people may be drawn to them because
of the accessibility and amount of personal information available on them. The more information malicious people have
about you, the easier it is for them to take advantage of you. Predators may form relationships online and then
convince unsuspecting individuals to meet them in person. That could lead to a dangerous situation. The personal
information can also be used to conduct a social engineering attack (see Avoiding Social Engineering and Phishing
Attacks for more information). Using information that you provide about your location, hobbies, interests, and friends,
a malicious person could impersonate a trusted friend or convince you that they have the authority to access other
personal or financial data.

The most prominent threats fall into two categories: technical and social. From a technical perspective, these social
networking sites are, in reality, Web sites that allow hundreds of thousands of people to post content: on-line profiles,
videos, and/or commentary. With all of that information coming in, malicious users are constantly trying to post
malware, specifically browser exploits, to these sites. If successful in loading content containing a browser exploit,
attackers can take control of browsers by convincing other users to view their content or profile.

Beyond browser exploits, an attacker can post a script on a social networking site that will run inside the browsers of
those who view the content. This variation of a cross-site scripting attack is what the so-called Samy worm did in
MySpace in October 2005. The author of this worm updated his profile with a script. Whenever any other user read his
profile, this script would run in that user's browser, adding the Samy author as a friend in MySpace. The script would
then add a copy of itself to this user's profile. When other users read any of the script-infected profiles, they too would
be added as a friend to the Samy author and have their profile updated. Within an hour, the Samy author had
hundreds of thousands of friends in MySpace.
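
As an added illustration (not part of the original article), the Python sketch below shows why text stored in a profile runs in every viewer's browser when the site pastes it into the page as markup, and how output encoding makes the same text inert. The function names and the sample profile text are constructed for this example; the script bodies are empty placeholders.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a profile "about" field as a user might submit it.
# The script bodies are inert placeholder comments, not a working payload.
SAMPLE_ABOUT = 'Hi! <script>/* placeholder */</script><b onmouseover="/* placeholder */">me</b>'


class ActiveContentFinder(HTMLParser):
    """Collects markup in a rendered page that a browser would execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def render_profile_unsafe(name, about):
    # Stored text is pasted into the page as markup: every viewer's browser parses it.
    return f"<h1>{name}</h1><div class='about'>{about}</div>"


def render_profile_safe(name, about):
    # Output encoding: <, >, & and quotes become entities, so the text is shown, not parsed.
    return f"<h1>{html.escape(name)}</h1><div class='about'>{html.escape(about)}</div>"


def active_content(page):
    # Parse the rendered page the way a browser would and list what would execute.
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for render in (render_profile_unsafe, render_profile_safe):
        print(render.__name__, active_content(render("Alice", SAMPLE_ABOUT)))
```

The same check can be run over any rendered page as a regression test: a profile view that reports findings for user-supplied fields is rendering stored text as markup.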

How can you protect yourself and your business?

     •    Be Discreet - Limit the amount of personal information you post. Avoid posting information that would make
          you vulnerable or expose you to unwanted visitors or the possibility of identity theft or malicious threats. This
          includes personal and business names and addresses, phone numbers, job titles, birth dates, schedule details,
          daily routines and business or family information. It's far better to communicate in generalities than to reveal
          information that unscrupulous individuals may someday use against you.
     •    Remember that the internet is a public resource – Picture social networking sites as billboards in
          cyberspace. Police, college admissions personnel, employers, stalkers, con artists, nosy neighbors—anyone
          can see what you post. Only post information you are comfortable with anyone seeing. This includes
          information in your profile and in blogs and other forums. Also, once you post information online, you can't
          retract it. Even if you remove the information from a site, saved or cached versions may still exist on other
          people's machines (see Guidelines for Publishing Information Online for more information).
     •    Be wary of strangers - The internet makes it easy for people to misrepresent their identities and motives.
          People on the Internet are not always who they seem to be. The CEO you're chatting with in Delhi may
          actually be a 14-year-old kid in New York -- or a prisoner in Romania. Criminals scan social networking sites
          to find potential victims for all sorts of scams, from phony lotteries to bogus employment and business
          opportunities to investment fraud. Until you can independently verify someone's identity -- using the same
          business tools that you would turn to to screen a new hire or confirm a prospective business partner -- never,
          ever reveal personal, business or financial information. As a general guideline, consider limiting the people
          who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about
          the amount of information you reveal or agreeing to meet them in person.
     •    Exercise Caution - Think twice before clicking on links on such sites or downloading attachments in emails.
          They may contain viruses or spyware that could damage your computer or steal your personal information—
          including your online passwords and account numbers. Protect your computer. Use a spam filter, anti-virus
          software, anti-spyware software and firewall.
     •    Be skeptical - Social network sites are full of useful business information, as well as substantial amounts
          of useless disinformation. Don't believe everything you read online. People may post false or misleading
          information about various topics, including their own identities. This is not necessarily done with malicious
          intent; it could be unintentional, a product of exaggeration, or a joke. Treat anything you see online -- stock
          tips, advance news, personnel gossip and so on -- with a high degree of skepticism. Take appropriate
          precautions, though, and try to verify the authenticity of any information before taking any action.
     •    Check privacy policies - Some sites may share information such as email addresses or user preferences
          with other companies. This may lead to an increase in spam (see Reducing Spam for more information). All
          major social network services have specific privacy guidelines that are published on their Web sites. Take the
          time to read and understand these documents, since they include the types of information that they will
          reveal -- or sell -- to other parties (including spammers). Also, try to locate the policy for handling referrals to
          make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send
          email messages to anyone you refer until they join.

     “Social network sites are potentially useful business tools,
     ...but only if you approach them with an adequate amount of caution and common sense.”

This article has been derived from the following sources:,289625,sid14_gci1247616,00.html
More information:
Learn what new tactics can prevent cross-site scripting.
Find out how hackers can spread vulnerability exploits through Social Networking Sites.

Livewire: July 2007