By Joan Goodchild, CSO (US)
You may be a champ at Mafia Wars and Farmville, but what do you know about the security risks of social media sites?
The collaboration and sharing made possible by Web 2.0 technologies also bring along a specific set of risks.
“Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them,” says Shawn Moyer, a security researcher.
In 2009, Facebook officials announced they had surpassed 300 million users. Twitter claims 6 million unique monthly visitors and 55 million monthly visits. With that kind of reach, it’s not surprising that criminals view these sites as a great venue for finding victims. As a result, security stories about Twitter and Facebook have dominated the headlines in the past 12 months. In one high-profile story from 2009, hackers hijacked the Twitter accounts of more than 30 celebrities and organizations, including President Barack Obama and Britney Spears, and used them to send malicious messages, many of them offensive. According to Twitter, the accounts were hijacked through the company’s own internal support tools, not through the victims’ passwords.
Twitter has also had problems with worms as well as spammers who open accounts and then post links on popular topics that actually link to porn or other malicious sites. Facebook, too, is regularly chasing down new scams and threats.
Both sites have been criticized for their lack of security, but have made improvements in recent months. Facebook, for example, now has an automated process for detecting issues in Facebook users’ accounts that might indicate malware or hacker attempts. The site also recently announced a partnership with security software vendor McAfee aimed at improving security for Facebook users.
What are the most basic risks posed by social media and social networking?
Password sloth is a simple and prevalent mistake by users of social networking sites. Password sloth means using the same password on every site: if that password is discovered through a breach or an accidental leak on one site, it gives attackers a way into all the others. In the worst case, a stolen Twitter password is also the key to your online banking account.
Plain old TMI, too much information. It’s a great idea to let your neighbors know you’re headed out on vacation so they can keep an eye on your house or apartment. It’s NOT a great idea to post those vacation plans on public Internet sites. It’s also not a great idea to freely reveal lots of personal details such as your birthday, your town of birth and your family tree, because those are exactly the details used to answer account-recovery questions and commit identity theft.
Your personal brand is another thing to consider in your online interactions.
Don’t engage in “Tweet rage”. Scott Hayes, president and CEO of Database-Brothers Inc., notes that “Posting any content when angry is about as dangerous as sending flaming emails, if not more so. Think twice about clicking ‘submit’ because the world may be looking at your angry, immature rant for years.”
That includes present and potential future employers, your parents, your kids and your coworkers. Think before you post.
Another risk to consider is your company’s brand and reputation. Can you be sure your employees aren’t leaking data, either intentionally or unintentionally, on social network sites? Can you be sure they are not disparaging your brand?
Then there is a big set of risks that we can put under the general heading of scams. These are active attempts by bad guys to get you to do one of two things:
• Share information you shouldn’t (passwords, sensitive data, company secrets), or
• Click on a link you shouldn’t (because it leads to a website that serves malware).
Here are some examples of the types of come-on scammers use:
Secret details about Michael Jackson’s death!
People love gossip and celebrity news is always a hit. These scams often claim to have secret information on a celebrity and include links that actually lead to malicious sites or that install malware onto a computer.
I’m trapped in Paris! Please send money.
A social-network variant of the 419 (advance-fee) scam: fraudsters break into a Facebook account and then message the victim’s friends, posing as the victim and asking for money.
OMG! Did you see this picture of you?
Both Facebook and Twitter have been plagued by phishing scams that lead with a question designed to pique the user’s curiosity and then direct them to a fake login screen on a lookalike domain, where the credentials they type are harvested.
Test your IQ
Facebook members often add quirky applications that allow them to take quizzes and fill out polls. One recently caused members to unwittingly subscribe to a text messaging service that cost approximately $30 a month.
Join State University’s Class of 2013 Facebook group
A college guide book publisher called College Prowler was recently criticized for creating Facebook communities for students in the class of 2013 that appeared to be organized by their college or university, but were not.
Tweet for cash!
This scam takes many forms. “Make money on Twitter!” and “Tweet for profit” are two common come-ons security analysts say they’ve seen lately.
Ur Cute. Msg me on MSN
The sexual solicitation is a tactic spammers have been trying for many years via email, said Graham Cluley, senior technology consultant with UK-based security firm Sophos. The updated version of this ruse uses Twitter tweets that feature scantily-clad women, with the come-on embedded in the image itself rather than in the 140-character tweet, so that text-based spam filters never see it.
Protect your family from swine flu
Bad guys will always take advantage of what is in the headlines, such as the world’s concern over swine flu, to snare unsuspecting users. These days it is even easier for a user looking for news to end up clicking on a bad link, because of the prevalent use of shortened URLs, which hide the real destination until the link has been followed.
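Because a shortened link reveals nothing about where it goes, the practical check is to follow its redirect chain with HEAD requests, never fetching a page body, and look at the final host before deciding to click. The following is an added example, not code from the original article; the shortener host list, the `MAX_HOPS` limit and the `FAKE_REDIRECTS` table are constructed for illustration.

```python
"""Expand a shortened URL by following HTTP redirects with HEAD requests only.

The page body is never retrieved, so a link that ends at a drive-by download
is identified without touching the payload. A hop limit and loop check keep a
malicious chain from running forever.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse
import http.client

# Assumption: a hand-picked list of common shortener hosts, not exhaustive.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
MAX_HOPS = 5  # assumed ceiling; real chains are rarely longer than two or three


def is_shortener(url: str) -> bool:
    """True if the URL's host is a known shortener."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def head_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Issue one HEAD request; return the absolute Location on a 3xx, else None."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    try:
        path = p.path or "/"
        if p.query:
            path += "?" + p.query
        conn.request("HEAD", path, headers={"User-Agent": "link-check/1.0"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            loc = resp.getheader("Location")
            return urljoin(url, loc) if loc else None  # relative Location is allowed
        return None
    finally:
        conn.close()


def expand(url: str,
           resolver: Callable[[str], Optional[str]] = head_location,
           max_hops: int = MAX_HOPS) -> Tuple[str, List[str]]:
    """Follow redirects from url; return (final_url, chain of every URL visited).

    Stops at the first non-redirect response, on a redirect loop, or after
    max_hops hops, whichever comes first.
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        nxt = resolver(current)
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in chain[:-1]:  # loop: we have already been here
            break
        current = nxt
    return chain[-1], chain


# Constructed redirect table standing in for the network, so the example runs offline.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://swine-flu-news.example/landing.php",
    "http://swine-flu-news.example/landing.php": "http://swine-flu-news.example/download.exe",
    "http://is.gd/loop1": "http://is.gd/loop2",
    "http://is.gd/loop2": "http://is.gd/loop1",
}


def fake_resolver(url: str) -> Optional[str]:
    """Offline stand-in for head_location using the constructed table."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for start in ("http://bit.ly/abc123", "http://is.gd/loop1"):
        final, chain = expand(start, resolver=fake_resolver)
        print(f"{start} (shortener={is_shortener(start)}) -> {final}")
        print("  chain:", " -> ".join(chain))
```

Swap `fake_resolver` for the default `head_location` to expand real links; the important design point is that nothing in the chain is ever loaded with GET, so the check is safe even when the last hop is the malicious page.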
Mike Smith commented on your post!
Reading friends’ comments is one of the major features of Facebook. But some malicious applications have names such as “Your Photos” and “Post” and begin with a notification that someone has “commented on your post.” Once the user clicks on that notification, they are led to a credential-harvesting site called “fucabook.com”, which looks like the Facebook log-in page and asks users to enter their log-in information in order to “enjoy the full functionality” of the application. The site steals that log-in information and then uses the account to spam the victim’s friends.
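The “fucabook.com” page works because a hurried user reads a domain that is two characters away from the real one as the real one. The following added example (not code from the original article) classifies the host of a login link against a list of legitimate domains, flagging a lookalike within a small edit distance and a brand name buried inside a longer hostname; the `LEGIT` table and the test URLs are constructed for illustration, and the registrable-label extraction is a naive second-level split rather than a public-suffix lookup.

```python
"""Flag phishing hosts that imitate a legitimate login domain."""
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumption: brand -> set of domains that are genuinely allowed to host its login.
LEGIT: Dict[str, Set[str]] = {
    "facebook": {"facebook.com"},
    "twitter": {"twitter.com"},
}
MAX_DISTANCE = 2  # "fucabook" is exactly two substitutions from "facebook"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b, row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label of host ("fucabook" for www.fucabook.com).

    Naive: assumes a one-label public suffix, so co.uk-style hosts would need a
    public suffix list in real use.
    """
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def classify_login_url(url: str,
                       legit: Dict[str, Set[str]] = LEGIT,
                       max_distance: int = MAX_DISTANCE) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand) for the host of url.

    verdicts: "legit" (exact domain or a subdomain of one), "brand_in_host"
    (brand name appears in a host that is not legit, e.g. facebook.com.evil.example),
    "lookalike" (registrable label within max_distance edits of a brand), "unknown".
    """
    host = (urlparse(url).hostname or "").lower()
    for brand, domains in legit.items():
        if host in domains or any(host.endswith("." + d) for d in domains):
            return "legit", brand
    label = registrable_label(host)
    for brand in legit:
        if brand in host:
            return "brand_in_host", brand
        if levenshtein(label, brand) <= max_distance:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links; only the first is genuine.
    for link in ("https://www.facebook.com/login.php",
                 "http://fucabook.com/login.php",
                 "http://facebook.com.evil.example/",
                 "http://twiter.com/",
                 "http://example.com/"):
        print(f"{link:45} -> {classify_login_url(link)}")
```

Anything other than “legit” is a reason not to type a password: a real Facebook login never lives on a host where “facebook” is merely one label among several, and a two-character difference is the signature of a typosquat, not a typo.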
Amber alert issued!!
This one is not so much a scam as a hoax: Amber alerts pasted into status updates that turn out to be untrue.
If my company allows access to social media sites, should we have a social media security policy in place?
IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, surveyed companies in 2008 and found most did not have a security policy in place with regard to social media. But the same survey conducted just a year later in 2009 turned up a dramatic increase. Policies might touch upon appropriate usage of social media and networking sites at work as well as the kind of conduct and language an employee is allowed to use on the sites.
“We saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies,” said Jack Phillips, IANS co-founder and CEO.
Specifically, just under 10% of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34% in 2009, with another third responding that they had either created or were implementing a policy for social media use. The takeaway, according to Phillips, is that social media is front and center in organizations now, and the discussion is taking place not only within the security team but in marketing, sales, human resources and even among executives.
Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception.
No Responses to “Social Media Risks: The Basics”