Brad's TechTips - Social Networking and Security Risks

 


Download or view as PDF (400 KB)

revision 3 - updated June 15, 2012

The popularity of social networking sites has increased at astonishing levels. There is no arguing the usefulness of sites such as Facebook, Twitter, LinkedIn and a myriad of others. They can be used for professional networking and job searches, as a means to increase sales revenue, as a tool to keep the public informed of breaking news or as a way to reconnect with friends from way-back-when.
 
However, as with any tool or application, it is always important to keep a close watch on its security implications. Each of these tools comes with its own set of security concerns which can put your information systems and/or personal data at risk. This white paper will look at some of these risks and identify possible solutions to help protect you, your personal information and your company data.
 
Of the three social networking sites mentioned, Facebook is generally considered the most casual; Twitter and LinkedIn are typically used for professional purposes. Facebook's interactions are through Friends, LinkedIn has Connections and Twitter creates Followers.
 
Facebook
Some of the most popular features of Facebook are the ability to add Friends, update your status, post photos and run applications such as games, travel planners and news tickers. A "Friend" is anyone on the Facebook network who you allow to see various levels of personal information, such as job, birth date, photos, group membership, comments and lists of other Friends. You can play online games with other users and post updates on your daily life.
 
   Updates and Photos
   At the top of the user's Facebook profile or Wall is the Update field, which allows the user
   to post a sentence or paragraph regarding any topic at any time, as well as post photos and
   videos. (See Screen Shot 1.) LinkedIn has a similar field, but it does not allow as much text,
   and it's not possible to attach photos or videos to the update.
 
 
   Screen Shot 1 - A Facebook Profile Status Update
   Users must be aware of how the information they post can be used by others.
   (Note: This profile update was exaggerated for effect.
    The author neither received oxycontin nor set his alarm code to 1234567890.)

 
   Here are some examples of updates that are typical of those that my own friends have posted:
 
        1.  "Just received a job offer. Hooray!"
        2.  "I'm tired of all the rain."
        3.  "Having a great week in Paris with my family."
        4.  "So excited that Mona can finally babysit for younger sister Lisa.
              Looks like we'll have Saturday nights out now."
 
   Although these might seem relatively harmless, the third and fourth points should raise some
   concern. You have just told all your friends, and potentially all their friends and strangers
   depending on your privacy settings, that you will be away from home for a full week and that
   you have young children alone at home. This is comparable to putting a sign on the main road
   that shouts "Empty House" for passers-by to see. Even if you have a burglar alarm or neighbors
   keeping an occasional eye on the home, you still don't want to create the temptation for
   strangers (Friends of Friends) to consider helping themselves to that wonderful, new 52"
   flat-screen TV you just purchased, or for pedophiles to make phone calls or pay a visit to your
   children.
 
   To protect your privacy and restrict who can see your updates and different levels of personal
   information, select the Account Settings option from the drop-down list at the top-right of your
   Facebook page (next to the Home link), and then select the Privacy Settings option.
   Review each option carefully, as there are many. For example:

   1.  Under "How to Connect," you can control who can contact you or send you Friend requests.

   2.  Under "Profile and Tagging," you can control who can see your posts and you can enable
        an option to review and approve tags or posts that link to you before they are officially
        made visible.

   3.  Under "Apps, Games and Websites," you can control which aspects of your personal
        information can be made available to others through apps and games that you use on
        Facebook.

   4.  Under "Limit the Audience for Old Posts," you can control the visibility of your old posts.
        For example, old posts are likely to be categorized as visible to the general Facebook
        public, but you may want to consider restricting them to Friends only.


   Two other methods to enhance security, both referenced in Screen Shot 2, include:

   1.  Restrict the audience of your status updates and photos that you publish to only those that
        need to know. You can do this directly in the update field. Allowing an update to be visible
        as "Public" means that anyone with a Facebook account can see your post.

   2.  Do not include your location if it creates a security risk. For example, if your entire family
        is in Paris, then you might not want that to be known because it sets up your house as a
        target for burglars.

   Screen Shot 2 - Location Awareness and Visibility
   Control location awareness and public visibility.

   Twenty Things You Didn't Know About Me

   Not long after I joined Facebook, I received a message from a Facebook Friend who had just
   created a list called "Twenty Things You Didn't Know About Me." I was invited to read it,
   create one for myself and then notify others in turn. The list had questions I needed to answer
   so that my Friends could learn a little bit more about me.
 
   I had some initial concern as this seemed very much like a chain letter, and I never forward
   those. Yet, it also seemed harmless enough; I wasn't being asked to send money or forward
   a false virus alert.
 
   I decided to give this a try and went through the bullet points. Here are some of the items
   that the list asked me to reveal about myself:

   1. What was my most embarrassing moment?
   2. Have I ever played hooky?
   3. What was the name of my elementary school?
   4. What was my favorite pet's name?

   In ordinary conversation with family, friends and colleagues, these are questions that we aren't
   typically afraid to answer. But look more closely at the last two questions, and now think about
   the way that you may have set up your online bank account, Amazon.com profile or the
   access to your work's Human Resources system.
 
   When setting up online accounts, in addition to creating a User ID and a password, you often
   provide answers to a set of "secret questions" that you need to answer if you forget your
   credentials. If you can answer the questions, you will receive the password (or a new one)
   and have full access to the system which likely contains very personal and sensitive
   information. Now consider what "secret questions" are often asked: "What was the name of
   your elementary school?" "What was the name of your favorite pet?"
 
   By providing the personal information asked in these Facebook questionnaires, you may
   unwittingly be providing an easy channel for identity theft. Is it worth compromising your
   online bank account for the bit of amusement that Facebook provides? Probably not. If you
   still want to have fun with these questionnaires, then by all means do so. But be very careful
   about the type of information that you provide and how that information can be used if it falls
   into the wrong hands.

 
   Applications
   Facebook offers thousands of applications that its users can install and run. These applications
   include calendars that allow Friends to be reminded when it's your birthday, tools to send
   Friends online greeting cards, quizzes on myriad topics and much more. (See Screen Shot 3.)
 
   Screen Shot 3 - A Typical Facebook Application
   Even though applications provide warning messages, many users
   still install and run them, unaware of what they may do to your system.


   Although the applications on Facebook may look harmless, and in fact most probably are,
   there are always some that may deliver malicious content to your computer. This holds true
   not only for Facebook, but also for other social networking sites and for the Internet in
   general, whenever you download from the Web or open attachments in email messages. Therefore,
   make certain that your computer has a proper and functional firewall, as well as up-to-date
   antivirus/antimalware software, and only install or run these applications if they are from a
   trusted source or approved by your corporate IT department.
 
   Protect your privacy and computer systems and limit which applications can run. To do so,
   select the Account Settings option from the drop-down list at the top-right of your Facebook
   page (next to the Home link), and then select the Privacy Settings option. Once there,
   select "Apps, Games and Websites" to control which aspects of your personal information
   can be made available to others through apps and games that you use.
 
   So What Else Can You Do To Protect Yourself?

   In addition to the steps described in the previous sections, here are four additional ones
   that you can take to enhance your security:

   1.  Be attentive to personal information or posts that are visible to "Friends of Friends."
        Although you may trust your real friends and family, you cannot know all of the individuals
        who they in turn have friended. These can number in the thousands. Referring to the
        example of posting that you are on vacation and your house is empty (Screen Shot 2),
        consider the hundreds/thousands of strangers that now know this fact because you set the
        update visibility to "Friends of Friends."
 
   2.  Check both your system settings and your Facebook App settings on handheld devices such
        as Apple iPhones/iPads. These devices are location-aware and may automatically advertise
        your location through these Apps if you have not specifically disabled the feature.
 
   3.  Log on as a different user and view your profile. Despite all of your best efforts to keep
        your postings limited to your desired audience, you may still have missed some settings,
        since there are so many and not all options are intuitive. Therefore, ask someone who has a
        Facebook account and who is NOT one of your Facebook friends if you can view your profile
        through his/her account. In that way you can see what information is visible to someone
        with no Facebook connection to you. (Alternatively, if all of your real friends are also
        Facebook friends, then consider setting up a secondary Facebook account that you can use
        just to check on your profile. I did this for myself and was surprised at what I had missed!)

   4.  Review Facebook's Privacy Settings and Account Settings from time to time, since they
        are liable to change without notice.

Twitter, Facebook and LinkedIn: The Risks of Disclosing Confidential Information
Twitter is an online application that allows you to post brief comments ("tweets") on any topic. Other users on the Twitter network can become a follower of your tweets, such that they receive the updates whenever you send them.
 
Twitter has many valid uses. Police departments use it to alert the public to safety threats, and television news stations announce or learn of breaking stories. Companies can alert customers about software updates, and restaurant chefs even shout out the specials of the day. (See Screen Shot 4.)
 
Screen Shot 4 - Twitter Updates
Users can post a "tweet" on any topic, as well as receive the tweets of those they are following.

 
Twitter, Facebook and LinkedIn users must be very careful about the personal information that they tweet and how it may be used. Employers must be especially attentive to the information that is posted and how it can affect their organization. For example:

1.  "The boss just laid off 32 employees. I hear there may be more coming on Wednesday."

2.  "Rumor has it that the Acme Widgets acquisition fell through."

3.  "Working to troubleshoot a major software bug we just found."

4.  "I just posted a funny video of myself frying a rodent at the restaurant where I work."

Each of the four statements can have serious public relations and financial consequences for the company whose employee tweeted or posted the information. The impact can be even more serious if that company is publicly owned or is a government/state/municipal agency. The first two statements will create a public perception that the company is doing poorly or will continue to experience loss, and shareholders may begin to sell off their stocks, reducing the value of the company. The third statement will raise concern amongst the company's customers who have purchased the software, possibly tempting them to investigate competitors' solutions. And the fourth statement, which actually occurred to a well-known, nationwide fried chicken company in 2008, will certainly give customers second thoughts about going to visit the restaurant, even if the video wasn't real.

Unfortunately, there is no simple solution to manage these issues. Certainly a company can implement technical barriers to prevent any use of Twitter, Facebook or similar applications, but then the company may have lost a valuable sales and marketing tool in its effort to protect its security or privacy.

Alternatively, the company could (and should) have an Acceptable Use Policy, a document that details how these applications and the Internet in general can be used. The policy also defines consequences for failure to comply, which might be as simple as a written reprimand or as heavy as termination of employment and legal action. You can find some excellent Acceptable Use Policy templates at the System Administration, Networking and Security (SANS) Institute (http://www.sans.org/resources/policies/#template), but just know that you will need to customize them to fit your company's culture, HR needs or regulatory compliance requirements.

Beyond Acceptable Use Policies, however, companies will still have a difficult time restricting what employees do at home. Employees will have their own Twitter and Facebook accounts, set up Web sites like AcmeWidgetsSux.com and put all levels of derogatory and inflammatory comments, whether true or not, onto those sites. Although the company may have legal recourse when this occurs, the damage may already have been done and the cleanup can be a very expensive and involved undertaking.
 
Facebook, Twitter and LinkedIn: Spam and Hoaxes
Whether you use Facebook, Twitter, LinkedIn or any online site for social networking, online banking or day-to-day purchases, be aware of emails that claim to be from these sites but are actually hoaxes and may contain malicious content. I have received numerous emails that allege to be from my bank, yet are actually sent by a spammer in the hopes of obtaining my online username and password. Similarly, emails claiming to be Twitter and Facebook invitations are now commonplace. (See Screen Shot 5.) The messages may even contain an attached ZIP file that recipients are asked to open to see who invited them. The attachment actually contains a mass-mailing worm, which can cause damage to both your computer and your reputation.
 
Screen Shot 5 - An Example Of An Email Hoax
The message claims to be from a LinkedIn connection, inviting the recipient to also connect on Twitter. Yet, the sender and the recipient do not actually know each other, and their respective addresses and names were likely gleaned from a spam database. Hovering the cursor over the link near the bottom of the message reveals the URL to the actual spam site; it also contains information that identifies the individual who received this message.

How is it possible to identify the legitimate messages from the hoaxes?

1.  Use an up-to-date email client such as Microsoft Outlook 2007 or 2010 which has spam filtering enabled and checks for "phishing" messages. (Phishing messages are falsified emails that use these tactics to obtain your username, password or other personal information.) Gmail and other Web-based email systems may have protection, but you should also have a recent and updated Web browser.

2.  Never open an attachment unless it's from someone you know, and you are expecting to receive it. If you have any doubt, then contact the individual and ask if he/she actually did send it.

3.  Use up-to-date anti-virus/anti-malware software on your computer to block any harmful files that you may have accidentally opened.

4.  Always use common sense on the Web and in email; take an extra moment or two to think about what you've received or are about to do. For example, would Twitter really email an invitation in a zipped attachment? Not likely.
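The hover check described under Screen Shot 5 can also be done in code. The following is an added example, not code from the original article: it pulls every link out of an HTML message body and flags those whose visible text names one host while the href goes to another, whose host lies outside the domains the message claims to come from, or whose query string carries a recipient-specific token. The sample message and every host in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host; tolerates visible text like 'twitter.com/x' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def suspicious_links(html, claimed_domains):
    """Return [(href, reasons)] for links that behave like the hoax in Screen Shot 5:
    visible text naming one host while the href goes elsewhere, an href host outside
    the domains the message claims, or a query string that identifies the recipient."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host, reasons = _host(href), []
        if "." in text and " " not in text and _host(text) != href_host:
            reasons.append("visible text %r does not match href host %r" % (text, href_host))
        if not any(href_host == d or href_host.endswith("." + d) for d in claimed_domains):
            reasons.append("href host %r is outside the claimed domains" % href_host)
        params = sorted(parse_qs(urlsplit(href).query))
        if params:
            reasons.append("href carries recipient-specific parameters: " + ", ".join(params))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed body modelled on the message in Screen Shot 5; the hosts are not real.
SAMPLE_HTML = """<p>Your LinkedIn connection invites you to follow them on Twitter.</p>
<p><a href="http://twitter-invite.example-spam.test/go?rcpt=a8f3c2&amp;m=91">
http://twitter.com/invitations/accept</a></p>
<p><a href="https://www.linkedin.com/help">LinkedIn Help</a></p>"""


def check_sample():
    """Run the check on the constructed message; only the first link is flagged."""
    return suspicious_links(SAMPLE_HTML, ["twitter.com", "linkedin.com"])
```

The genuine LinkedIn link passes all three checks; the invitation link fails all three, which is exactly what hovering over it would have revealed.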

URL Shortening (Obfuscation)
Another form of hoax involves the obfuscation, or shortening, of URLs in email messages or on Web sites such as our favorites: Facebook, LinkedIn and Twitter. The posting of hyperlinks is obviously not specific to these sites, but the frequency with which we let down our guard when using them is a big concern.

Often times, the links that we want to post can get very long, making them unwieldy or impossible to type in the small space allotted by the network sites. To get around this, third-party services such as TinyURL (http://tinyurl.com/) or Bitly (http://bit.ly/) will "encode" the URL into a much shorter version. For example, the URL of this article, http://www.fieldbrook.net/TechTips/Security/SocialNetworking.asp, has a length of 64 characters but can be shortened by TinyURL to only 25 characters: http://tinyurl.com/m34rkp. Which URL would you rather type when you have a limit to the number of characters that you can enter?

Although the benefit of URL shortening is obvious, there is also a security risk associated with it, in that the shortened URL really does not tell you the true destination of the link. You only find out once you get there, which may be too late if that site happens to contain drive-by malware or content which should not be viewed by "sensitive" eyes. Therefore, make certain that you click on shortened URLs only if you trust the sender. Never click on them if they are contained in spam messages or on sites that you have any reason to consider suspicious.

Also consider obtaining a third-party browser or mail client add-on that will reveal a URL's full path so that you know where your browser is actually directing you. Examples of Web sites or software that will perform this task can be found at http://longurl.org/ and http://www.longurlplease.com/.
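What those reveal-the-URL services do can be reproduced with a few lines of standard-library Python. The following is an added example, not the article's own code nor that of LongURL or TinyURL: it sends HEAD requests that do not follow redirects, so each Location header is seen before a browser ever loads the page. The shortener it talks to is a constructed stand-in on localhost so the demonstration runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def reveal_destination(url, max_hops=5):
    """Return the chain of URLs from `url` to the first non-redirect response.
    Only HEAD requests are sent and no redirect is followed automatically, so
    the real destination is known before anything is actually loaded."""
    hops = [url]
    for _ in range(max_hops):
        parts = urlsplit(hops[-1])
        if parts.scheme not in ("http", "https"):
            raise ValueError("refusing non-HTTP scheme: %r" % parts.scheme)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=5)
        try:
            path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            conn.request("HEAD", path, headers={"User-Agent": "url-reveal-example/1.0"})
            resp = conn.getresponse()
            location = resp.getheader("Location")
        finally:
            conn.close()
        if resp.status not in REDIRECT_CODES or not location:
            return hops
        hops.append(urljoin(hops[-1], location))  # Location may be relative
    return hops  # still redirecting after max_hops: treat the link as suspicious


class _FakeShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortener: /short -> /hop -> /final (200)."""

    def do_HEAD(self):
        base = "http://127.0.0.1:%d" % self.server.server_port
        redirects = {"/short": base + "/hop", "/hop": "/final"}  # second hop is relative
        if self.path in redirects:
            self.send_response(301)
            self.send_header("Location", redirects[self.path])
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_shortener():
    """Start the constructed shortener on a free localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


def demo():
    """Resolve the constructed short link offline and return the hop chain."""
    server, base = start_fake_shortener()
    try:
        return reveal_destination(base + "/short")
    finally:
        server.shutdown()
        server.server_close()
```

Against a real shortener you would call reveal_destination on the short link directly; the last element of the returned chain is the page you would actually have landed on.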
 
Conclusion:
Social networking sites can be valuable sales and marketing tools, as well as fun diversions. Inherent in these applications are security risks that can put an individual or a company in a compromising position or at serious risk. Aside from not using these sites at all, end-user education combined with documented policies and procedures is the most fundamental protection that exists. A well-informed user will not only help to maintain security, but will also educate others on these issues and establish best practices which can be standardized and updated as applications mature or as new applications come along.
 
And last but not least, please feel free and secure to become a fan of Fieldbrook Solutions and/or the National Information Security Group on Facebook and LinkedIn!
 
***  
About the Author:

Information about Brad Dinerman can be found on the About Us page of this site.