Social Networking: Security and privacy issues you should know about
Everyone is looking for ways to
increase contact with potential customers and clients. Face
to face, telephone and email contacts have been the norm,
but now there is a new choice creeping into business. The
same social networking tools that students and Generation
Xers use are finding their way into businesses. Given the
rising popularity of social networks in the private and
business environments, it's little surprise that there has
been an increase in breaches of security on sites as huge as
MySpace and Facebook, not to mention sites that are supposed
to be geared specifically towards businesses. I will review
information about how the networks are dealing with the
breaches in security that have occurred and let you know how
to protect yourself and your company.
Using social networking sites
When you use a social networking site at home, you are
connecting to a site with equipment you own. Certainly the
information you store on your PC at home is important, but
when you connect at work, there are additional issues to
consider. First, the PC you are using is not yours. Second,
that PC may store or have access to sensitive and / or
proprietary information that belongs to the company. Third,
there is the opportunity for items displayed on your PC at
work to be subject to corporate usage rules that, if
violated, might result in legal action or dismissal.
However, if the same content was viewed at home, those
consequences would not exist. So why is that a big deal?
Well, with over 350 million members combined on these social
networks, all it takes is one single person to cause major
damage. Graham Cluley, Chief Technology Officer at UK tech
security firm Sophos says that when it comes to privacy and
security issues on social networks, "the sites most likely
to suffer from issues are the most popular ones." This is
the same reason for the past publicity about Microsoft
operating systems and applications being constantly
bombarded with security flaws.
They have the largest market share worldwide, so they have
the biggest target on their backs!
Security and privacy
Every company and IT department is always concerned with security
and privacy. With the growing number of specialty social
networking sites for business and for personal use, it can
be difficult at times to stay up on all the site names, let
alone on security and privacy as they relate to those sites.
"Security" and "privacy" are two words rarely used without
each other when dealing with computers. Yet security and
privacy issues are two entirely different things. Security
deals with scenarios where an attacker gains unauthorized
access to a site's protected code or systems. Privacy issues
usually deal with unauthorized access to private
information, and in that second case a privacy issue
includes a security breach.
Internally, whether at home or at work, your privacy can be
breached and someone can gain access to your personal
information or your employer's confidential information by
doing one thing: Watching you type in your password. If it
is this cut and dried, then it must be the same when dealing
with social networks, right? Wrong! Both of these breaches
are usually intertwined on social networks. Why is that?
Because anyone who breaches a social networking site's
security network opens the door to easy access to private
information belonging to any user on the site. There are
ways to limit the damage though. The potential harm to an
individual user comes down to how much a user engages in a
social networking site, as well as the amount of information
they're willing to share. By example, to pick on Facebook
(insert your favorite site here), the user with 500 friends
and 50 group memberships is more likely to be subject to a
security or privacy issue than someone with 10 friends and
no group memberships.
Are the problems real?
They sure are! Just as the "I_Love_You" worm propagated
through email a few years ago (show of hands, who
remembers?), MySpace had the now infamous "Samy" XSS worm
that effectively shut them down for a few days in October
2005. "Samy" was named after the creator of the worm, and
by all accounts was relatively harmless. It added the words
"Samy Is My Hero" to the top of every affected user's
MySpace profile page. While unnerving, no one's identity was
stolen and no private information was leaked. The real
reason that social network security and privacy lapses exist
is the vast quantity of information the sites process each
and every day. Add to that external links within those pages
to sites that are not under the control of the site, and the
results can be disastrous.
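The "Samy" case above is a stored cross-site scripting problem: markup typed into a profile field was served back to other users' browsers as live HTML. The following is an added example, not code from the original article or from MySpace, of the two defensive habits that close that door: encoding every user-supplied value before it lands in the page, and allowing only http/https targets for user-supplied external links. The profile data, field names and the helper names (escapeHtml, safeExternalUrl, renderProfile) are constructed for illustration.

```javascript
// Added example (not from the original article): render user-supplied
// profile content so that injected markup is displayed as text instead of
// executed, and constrain user-supplied external links to http/https.
// All names and sample data below are constructed for illustration.

// Characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a user-controlled value for insertion into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs for user-supplied links; anything else
// (javascript:, data:, relative paths, malformed input) is rejected with null.
function safeExternalUrl(candidate) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null;
  }
  return url.href;
}

// Build the profile HTML. Every user-controlled value passes through
// escapeHtml, and links that fail safeExternalUrl are dropped, not rendered.
function renderProfile(profile) {
  const parts = [`<h1>${escapeHtml(profile.displayName)}</h1>`];
  parts.push(`<p class="about">${escapeHtml(profile.about)}</p>`);
  const links = [];
  for (const link of profile.links || []) {
    const href = safeExternalUrl(link.url);
    if (href === null) continue; // rejected link is left out of the page
    links.push(
      `<li><a href="${escapeHtml(href)}" rel="noopener noreferrer nofollow">` +
        `${escapeHtml(link.label)}</a></li>`
    );
  }
  if (links.length > 0) {
    parts.push(`<ul class="links">${links.join('')}</ul>`);
  }
  return parts.join('\n');
}

// Constructed sample: profile fields containing markup and a script-scheme link.
const sampleProfile = {
  displayName: 'Sam <script>alert(1)</script>',
  about: 'Samy Is My Hero <img src=x onerror="alert(1)">',
  links: [
    { label: 'My site', url: 'https://example.com/profile' },
    { label: 'click me', url: 'javascript:alert(1)' },
  ],
};

// Rendered output contains the markup only as inert, encoded text.
const renderedSample = renderProfile(sampleProfile);
console.log(renderedSample);
```

Run it with any recent Node.js. The encoded output shows the literal text `<script>` inside the heading rather than a script element, and the javascript: link is absent from the list. Encoding at output time is the point: the same value can be stored as the user typed it and still be safe wherever it is displayed.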
The Devil is in the features
The whole reason for these sites is networking. You can look
for old friends, make new friends and grow your contacts for
business or pleasure just as you would by going to an
exposition, technology fair or a club.
How do you make these connections? By using the features that
the site offers. These features may include, but are not
limited to, messages, invitations, photos, open platform
applications etc. These are the paths often used to gain
access to private information, especially in the case of
Facebook. Adrienne Felt, a Ph.D. candidate at Berkeley, made
small headlines in 2008 when she exposed a potentially
devastating hole in the framework of Facebook's third-party
application programming interface (API) which allows for
easy theft of private information.
By exploiting that API, Felt and her co-researchers found that
third-party platform applications for Facebook gave
developers access to far more information (addresses,
pictures, interests, etc.) than needed to run their
application. In the case of Facebook, this potential privacy
breach is actually built into the framework of the site and,
according to Felt, the flaw renders the system almost
indefensible. But even when the flawed API was publicly
exposed, "Facebook changed the wording of the user agreement
a little bit, but nothing technically to solve the problem,"
says David Evans, Assistant Professor of Computer Science at
the University of Virginia. That means if a nefarious
application developer wanted to sell the personal info of
people who used his app to advertising companies, he or she
could.
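The technical fix the researchers were asking for is data minimisation on the platform side: an application should receive only the profile fields that the permissions it was granted actually cover. The following is an added example of such a layer, written for this article; it is not Facebook's platform code, and the scope names, field names, sample user and function names (permittedFields, profileForApp) are all constructed for illustration.

```javascript
// Added example (not from the original article, and not Facebook's code):
// a data-minimisation layer for a third-party application API. The app asks
// for fields, the user has granted a set of scopes, and the platform returns
// only the fields those scopes cover, with a record of what was denied.
// Scope names, field names and sample data are constructed for illustration.

// Which profile fields each scope unlocks. Deny by default: a field that
// appears under no granted scope is never returned.
const SCOPE_FIELDS = {
  'profile:basic': ['id', 'displayName'],
  'profile:photos': ['photos'],
  'profile:interests': ['interests'],
  'profile:contact': ['email', 'address'],
};

// Resolve the set of fields an app may read given the scopes the user granted.
// Unknown scope names contribute nothing.
function permittedFields(grantedScopes) {
  const fields = new Set();
  for (const scope of grantedScopes) {
    for (const field of SCOPE_FIELDS[scope] || []) {
      fields.add(field);
    }
  }
  return fields;
}

// Answer an app's request for profile fields. Returns the data the app may
// see plus an audit list of denied fields, so an over-reaching request is
// visible to the platform instead of being silently fulfilled.
function profileForApp(userProfile, grantedScopes, requestedFields) {
  const allowed = permittedFields(grantedScopes);
  const data = {};
  const denied = [];
  for (const field of requestedFields) {
    if (allowed.has(field) && field in userProfile) {
      data[field] = userProfile[field];
    } else {
      denied.push(field);
    }
  }
  return { data, denied };
}

// Constructed sample user.
const sampleUser = {
  id: 'u-1001',
  displayName: 'Example User',
  photos: ['photo-1.jpg', 'photo-2.jpg'],
  interests: ['cycling', 'jazz'],
  email: 'user@example.invalid',
  address: '1 Example Street',
};

// A constructed quiz application that asks for everything, including a field
// the platform does not even hold.
const quizAppRequest = [
  'id', 'displayName', 'photos', 'interests', 'email', 'address', 'phone',
];

// The user granted only the basic scope, so only id and displayName come back.
const result = profileForApp(sampleUser, ['profile:basic'], quizAppRequest);
console.log(JSON.stringify(result, null, 2));
```

The denied list is the part worth keeping: logged per application, it shows which developers routinely ask for more than their stated purpose needs, which is exactly the behaviour the researchers found the original API could not distinguish from legitimate use.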
Social networking sites monitored
Not only are companies considering restricting / monitoring the
use of social networks by their employees, so are
governments. The BBC reported on March 25, 2009 that social
networking sites like Facebook "[C]ould be monitored by the
UK government under proposals to make them keep details of
users' contacts." The British government's Home Office said
it was needed to tackle crime gangs and terrorists who might
use the sites, but said it would not keep the content of
conversations. In Ohio, a part-time teaching aide at
Springboro High School, near Dayton, Ohio, was photographed
in her basement posing with three cheerleaders, friends of
her sons, holding Smirnoff bottles. The photo was discovered
by the high school's resource officer, as they routinely
visit the students' pages on social networking sites. The
teaching aide's conviction for allowing minors to possess
alcohol was upheld based on the photos posted on the site.
These are not isolated incidents, either. A quick search on
your favorite browser for "myspace leads to arrest" will
return page after page of arrests from San Francisco to
Evansville to Boston, and lots of places in between. Stories
about criminals using these sites and what parents should do
to keep their kids safe have long been fodder for network
news and news magazine programs. The United States
Government maintains a site called OnGuard Online that has
very useful information about many social networking sites.
It can be viewed at
http://www.onguardonline.gov/topics/social-networking-sites.aspx
and the main page also has very useful information about
scams.
Solving the problem
The problems that plague and will continue to plague social
networks' security and privacy will only be resolved
if users take a more careful approach to what they share and
how much. For those in the business world, this means
controlling what sites your employees can access. Users
continue to post ever-increasing amounts of personal data on
social networks without batting an eye. Because you are
"behind the screen," the fact that you're communicating with
a machine instead of an actual person (or people in the case
of social networking) makes sharing a lot easier.
People think they are anonymous.
Graham Cluley of Sophos says, "People should just exercise
common sense online, but the problem with common sense is
that it's not very common. If you wouldn't invite these
people into your house to see your cat, you certainly
wouldn't let them see pictures from holiday." In the end,
the only tried and true solution to social network privacy
and security issues is to limit your presence altogether. It
can be broken down into a few simple rules:
- Don't post anything you wouldn't mind telling a
complete stranger, because in reality that's the
potential for access.
- Be careful who you add as a "friend," because
there's simply no way of verifying a user's actual
identity online.
- Friends on social networks should know that
real friends should know personal information
already, negating the need to post it online.
Breach-free social networks?
Will there ever be a truly security breach-free social network?
Probably not, at least as long as people are involved. With
any complex system, there will be vulnerabilities. That is
just a fact. The more complex the system, the more lines of
code involved and the more lines of code there are, the
higher the potential for a flaw to exist in that system.
While social networks have a great potential for use in
business, people really need to understand that their use
must be evaluated carefully to fully understand the threats
they present.
The comments made
here about particular sites describe well-published events,
so feel free to take a look yourself! As with all topics
discussed here, we try to stay up to date and provide you with
the latest information available on technical subjects that
are gaining momentum. As always, feel free to contact me
with questions!
All product names / logos, company
names / logos are copyrights of their respective holders.
John Boline is an MCSE, CNE, USE, a member of the Network
Professional Association and the Microsoft Partner Research
Panel. The content herein is often based on
late-breaking events. Much of the material is based on
information from sources that are believed to be reliable.
Hagerman & Company, Inc. disclaims all warranties as to the
ultimate accuracy or completeness of the information.
Hagerman & Company, Inc. and its employees shall have no
liability for errors, omissions or inadequacies in the
information contained within this article or for any
interpretations thereof. The recommendations, positions and
best practice policies outlined herein represent Hagerman &
Company, Inc.'s initial analysis and therefore are subject to
change as further information which may have bearing on
these positions is made available. The reader assumes sole
responsibility for the selection of these materials to
achieve its intended results. The opinions expressed herein
are subject to change without notice.
Hagerman &
Company, Inc. assumes no obligation to update the
forward-looking statements made in this newsletter to
reflect any change in circumstances, after the date of
publication.
Entire contents © 2009 Hagerman & Company, Inc. All
rights reserved. Reproduction of this publication in any
form without prior written permission is forbidden.