Social Networking Sites and Security

Thank you Defense Human Resources Activity (DHRA) for this great article.

Social networking sites such as Facebook, MySpace, Flickr, and LinkedIn are very popular means of communication with family, friends, and colleagues from around the corner or across the globe. While there are many significant benefits from the responsible use of social networking sites, you need to be aware of very significant risks as well. The atmosphere of feeling as if you are in a trusted environment greatly increases your vulnerability. There are three main reasons why you need to be very careful in how you use these sites.

Target of Hackers, Spammers, Identity Thieves: During the past two years, social networking sites have replaced email as the primary vehicle for hackers, spammers, and identity thieves to do their dirty work. All the information on Malware is applicable to the use of social networking sites. What makes social networking sites so attractive to the hackers and crooks is that they can send you messages that appear to come from your "friend." If you receive a message from a friend that looks a bit fishy or asks you to click off the site to perform some action such as watching a video or seeing a photo, be suspicious. Call or send a note to your friend to confirm that the message is legitimate. If it turns out that a hacker has gained control of your friend's computer, you'll be doing your friend a favor.[2] Here are three examples of scams that have spread on Facebook:

  • Friend in Distress Scam: You receive a message in your inbox from a friend saying that they are in a dire situation -- such as stranded in a foreign country -- and need money wired to them. You don't realize that your friend's account has been hacked and that the message was actually sent by scammers. If you wire money to the scammers, you have no way of recovering the money after you learn that your friend is actually safe and sound. 
  • Phishing Friends: You receive a message from your friend saying "You look awesome in this video," or "You look funny in this video." A link to an outside website is provided to view the video. Clicking on the link opens a window that says you need to download an updated version of Flash in order to view this site. Agreeing to the update actually installs a virus on your computer. The virus is designed to monitor your Internet activity and potentially steal personal information. Victims of this virus have had a particularly difficult time removing the virus and in some cases just decided to scrap their computers completely. 
  • Viral Wall Post: This scam takes advantage of your fear that the pictures and information you post on Facebook could be made very public. You receive a post on your Facebook wall from a friend saying something like, "hey do u realize your face book picture is all over the place?". The wall posts vary, but all invariably link to an outside website that supposedly has your photos. Facebook warns that clicking on the link will allow hackers to gain access to your personal account and to post the same message, seemingly coming from you, on your friends' walls.

Target of Espionage: Foreign or domestic organizations engaged in spying to gain access to protected information use these sites to identify individuals employed by the target organization. If they get names of people working for the target organization, they use social networks to look for indicators of financial stress (serious medical problems in the family, multiple children in college at the same time), disgruntlement with their employer, or disagreement with U.S. foreign policy, and other indicators that one might be susceptible to recruitment. Once a potentially susceptible target individual is identified, they look for ways to set up an "accidental" meeting to establish a relationship with this individual (identify favorite hangout, outside activities).

Privacy Issues: You need to be careful about what information you post on these sites. Many employers access these sites as part of their screening process before hiring new employees. They may also access these sites when investigating any improper or inappropriate behavior. A good rule of thumb is not to post any information you would not want your mother or your boss to learn about. Also, don't post any information you would not want a robber to know about, such as the dates you will be out of town on vacation and the recent valuable purchase you are so proud of.

Here's some good advice on how to reduce your vulnerability. 

  • Familiarize yourself with the privacy settings of the social network(s) you use. Tweak them as much as possible to restrict how public your profile may be. 
  • Even with good privacy settings, be aware that your profile and conversations can often be seen by "friends" of your friends (i.e., complete strangers). 
  • Take a look at the personal information listed on your profile (or what you are thinking about listing) and make sure you are not giving out more information than you would want a stranger to know. 
  • Think twice about talking about your work or posting photos from work, particularly if you are a government employee, a government contractor, or a member of the U.S. military. 
  • Be selective when choosing friends. People are sometimes judged by their friends, and you don't want the "wrong" friends. While you don't want to be rude, it may be advisable to decline requests for friendship when you don't actually know the person. 
  • Be extremely wary of messages from strangers, and even from friends, that direct you to another website via a hyperlink. Many applications embedded within social networking sites require you to share your information when you use them. Attackers use these sites to distribute malware. 
  • Consider your online "appearance." Make sure you don't look (or sound) like someone who would be a good target for burglary or espionage. For example, try not to publicize when you will be leaving your house unattended. Instead, talk about your vacation after you return.

References

1. David Hubler, "Social Media Opens New Door to Cyberattacks, Panel Says," Government Computer News, March 24, 2010. Accessed March 24, 2030 at http://gcn.com/Articles/2010/03/24/Social-media-cyber-attacks.aspx.

2. Ken Sudol, "Potential Dangers of Social Networks," Ken Sudol & Associates website, accessed June 2010 at http://ksa.securityinstruction.com/index.php?option=com_content&view=art....

3. "BBB Warns: Your Facebook Friends Could Actually be Hackers, Scam Artists, and ID Thieves," Better Business Bureau, Jan. 5, 2009. Accessed June 2010 at http://www.bbb.org/us/article/8556.

4. "FBI Cyber Education Letter to Users of Peer-to-Peer Systems," FBI Cyber Investigation website, accessed May 2010 at http://www.fbi.gov/cyberinvest/cyberedletter.htm.