Social Insecurity: Analyzing the Security Implications of Social Media
XConnect is a media partner for SecTor, a security conference for IT professionals interested in the latest research and techniques. The conference takes place October 18-19. We’ve got the hook-up for discounted tickets. Most of the XConnect community works with new media and technology on the customer-facing side of things. Mat Power, a Security Analyst with CGI, will be bringing you the opposite point of view, the network security perspective, as he provides the best coverage of the event on behalf of XConnect.
Social media has become one of the biggest influences on our day-to-day lives in the past decade. It seems that wherever you look someone is checking out their friends’ most recent updates on sites like Facebook, Twitter and relative newcomer Google+. The corporate world, too, has jumped onto the social media bandwagon in an attempt to reach out to a greater number of consumers. After all, Facebook alone has more than 800 million users worldwide and continues to grow larger every day. Why wouldn’t they? There is just one problem – security. Social media certainly has its place, but consumers and corporations alike have all but ignored the privacy and security implications of using these sites. [Side note: less than a month until Anonymous tries to take down Facebook.]
There are several security threats to be concerned about when dealing with social media. One of the most obvious issues that almost everyone who has ever had a Facebook account will be familiar with is something that social networking sites share with e-mail: spam. While spam is certainly irritating and can reduce productivity, there are bigger threats you need to be aware of. Account hacking, malware and social engineering, brand attacks and information leaks can all lead to a loss of productivity, customer trust, or even a loss of confidential data vital to your business.
Many of you will have had your own account hacked or have heard of a friend who has had theirs hacked by now. Hacking accounts for popular social media sites has become a fairly common activity. A quick Google search shows numerous links to pages regarding hacked Twitter or Facebook accounts or tips on how to prevent your account from being hacked. While having your personal account hacked is certainly inconvenient, it’s not nearly as big a deal as having a corporate account hacked. Pfizer, the world’s largest pharmaceutical research and development company, shows us why protecting your various accounts is important.
The Pfizer attack is an important example of exactly what can happen when you don’t ensure that anyone with access to your social media site is using a strong password and isn’t sharing their credentials with anyone else. In one simple hack, Pfizer was made to look incompetent and not worthy of the trust of their customers. What if that was your business and you were asking customers for financial information, or something else of importance? Could you really expect them to continue providing you with that information after an incident like this? What’s worse is that this could have gone a lot further. According to a study by BitDefender, not only are social media credentials easy to find online, but 75% of people use the same password for social media as they do for their e-mail accounts. Is it really a stretch to believe that they are using the same password for their corporate domain account?
Another significant security risk involves malware and social engineering. While the two aren’t always connected, one of the easiest ways to spread malicious software is through social engineering. Imagine that someone you believe is a trusted friend posts a message on your wall or sends you a private message with a link. The Koobface worm is one example of this type of social engineering at work. There are plenty of similar examples of malware that spread on social media sites. Aside from the loss of productivity due to time spent removing malware, a malicious program can have severely negative effects on a computer, leading to data loss and computers being rendered completely inoperable without a fresh image being put onto the machine, which means significantly more lost productivity.
Brand attacks are a relatively new form of attack to me. It hadn’t occurred to me that people actually take the time to do this sort of thing (though I truly shouldn’t be surprised). Essentially it involves several people posting numerous messages on a corporation’s social media page/site with negative implications. For example, say you organized a large group of people to go on McDonald’s Facebook page and post messages related to the negative health effects of their food products or links to statistics with obesity rates climbing in Canada due to fast food intake. Not good, right?
This is exactly the type of attack that Nestle had to deal with in March 2010. Not only did the attack occur, the person at Nestle responding to the posts did so in a rather juvenile and completely unprofessional tone. Talk about a PR nightmare! While the unprofessional tone in these responses was unfortunate at best, this may be the most difficult type of attack to deal with for Nestle or any other business. Facebook doesn’t really offer a great deal of help or assistance, aside from providing the ability to delete or turn off comments altogether. Of course, those actions often only serve to fuel the fire and people will find other places on the Internet to lash out at the business in question. These steps may be necessary if things get out of control; however, it’s important that a business has a strong social media policy, detailing, among other things, when it’s appropriate to delete a comment or turn off the ability to post comments on your pages.
Finally, there is also the potential for confidential information to be leaked through your social media site. This could be a disgruntled former employee posting confidential data on a new product yet to be released, which is why you should always remember to disable all accounts when someone leaves your company. It could also simply be a mistake, as was the case with Sony earlier this year. The PS3’s root key is vital in Sony’s efforts to combat piracy: someone with this key can sign any hacked version of their games and the PS3 will treat it as the legitimate copy. Granted, this key had already been leaked, but re-leaking it on Twitter had serious implications for Sony’s case against George Hotz, one of the people involved with the initial leak. Additionally, it caused Sony to appear foolish, which of course only serves to undermine the trust consumers have for their business.
Ultimately, we live in a world that continues to become increasingly reliant on computers and the Internet. There will always be security issues to look out for. But with a little education your business can work to minimize these risks. Will businesses continue to flock towards the social media scene in order to capitalize on the vast user bases? Absolutely. It would be counter-productive to ignore the potential that social media provides a business. That being said, social media can do as much harm as good for your business, and as more and more security and privacy issues arise with social media, some even caused by the social media companies themselves, social media may not be a lasting social and marketing tool.
See you on November 5th!
