The use of social media services by people of all ages and social classes (on their own devices or on machines rented in internet cafes), and increasingly by businesses and other organizations, is growing very rapidly, and interest in the commercial potential of social media has grown with it. The exploitation of the personal information that users enter into these services is beginning to cause alarm worldwide. Since security and, above all, privacy are global problems, an international approach is urgently needed to address them seriously.
Social networks serve a growing number of purposes: sharing information (photographs, music, videos, documents, projects, etc.) among "friends"; establishing or maintaining contact between people (individuals or organizations) with similar interests (business, politics, culture, studies, leisure, pleasure, health, sports, etc.); interacting with other people in online games or living out fantasies (as in Second Life); broadcasting information; creating personal profiles; and so on. Note that Facebook profiles are, by default, largely public.
Craigslist, Mocospace, Twitter, Friendster, Second Life, LinkedIn, Bebo, Hi5, Skyrock Blog, Tickle, Match, eBay, Orkut, and similar Web 2.0 sites let people meet and share common interests, but they also raise privacy and security issues: your relationship activity becomes visible to the whole social group, and anything one member shares can be read by anyone. They are, furthermore, a source of vulnerabilities and a significant threat to users and their employers. They spread malware (downloads are the preferred vehicle; the payloads include botnet agents, which were originally controlled over IRC and are now also controlled through social media, as well as spyware, keyloggers, and rootkits). They enable identity theft and fraud, scams, hoaxes, phishing attacks, custom scripts, adware, malicious banner ads, and more. They traffic in personal information (name, ID number, address, phone numbers, customer databases, date of birth, social security number, photos, purchase history, credit card numbers, etc.). They make it possible to build behavioral profiles of users by monitoring their messages to friends, family, and the rest of the world, and data mining applications extract still more complex and subtle behavioral patterns from that data. The risks of third-party applications (facial recognition of friends of friends, targeted advertising, marketing tools, relationship correlation tools, etc.) must also be considered. Social media has no place in production environments where security is critical: connecting social media to industrial processes, with programmable logic controllers (PLCs), sensors and actuators, robots, machinery, SCADA systems, and the like, is, at present, an aberration.
Some of the identifiable risks on social media are:
(1) Fake profiles. New fake profiles are increasingly created to: (i) Initiate identity theft, phishing attacks, and scams. A scam is an attempt to defraud people for financial gain through fraudulent websites and emails; it typically relies on deception built around the promise of a share in a fortune (the Nigerian or 419 scam), a lottery prize, or fake products or services, and requires the victim to send money or hand over bank account details. A hoax is a deception that does not aim at financial gain; for example, someone impersonating another person online to harass a victim until the victim harms themselves, leaves home, or quits a job. (ii) Obtain friend status. Accepting a friend request gives the requester much greater access to your information. As a countermeasure, do not accept friend requests from strangers. This is hard to enforce on Twitter, where anyone can follow you unless you block them (which many consider socially awkward); at least do not feel obliged to follow strangers back.
(2) Too much information. The value proposition of social networks is sharing information. On LinkedIn, the default settings for external access are reasonably restrictive. On Facebook, the defaults are very open, and on Twitter, no privacy should be expected at all. As countermeasures: (i) Check your profile's privacy settings. On Facebook, select "friends only" under "settings," and read the free guides to its privacy settings. On LinkedIn, review the defaults under "account and settings." (ii) Assume an audience. Keep in mind that anyone could be watching (your parents, your bosses, the government, your community).
(3) Deception. Identity thieves, attackers, and corporate spies all use it. Any link can be dangerous, and a shortened link (TinyURL or similar) can be created from any URL, so the displayed link tells you nothing about where it leads; expand a shortened link and check its destination before visiting it. Malware spreads much faster on social media than through traditional channels. As countermeasures, be suspicious of unexpected messages and of unfamiliar links, which are the usual vehicles for deception and spam. Look out for unexpected changes in a contact's patterns and wording. Do not rely on a single source of information. Use security tools such as firewalls, antivirus software, intrusion detection and prevention systems, vulnerability management and patching across all ICT components, identity and access management (IAM), etc.
(4) Identity theft and account hijacking. This exploits weak password practices: weak passwords, the same password reused everywhere, and personal and work passwords mixed together. Attackers also use keyloggers; on-screen virtual keyboards and biometrics help against simple keyloggers, although malware that captures the screen defeats a virtual keyboard, so also enable two-factor authentication wherever the service offers it. As countermeasures, keep separate accounts for business and personal use, with different passwords, and use a different password for every account, with special characters placed in the middle rather than at the end. Passwords should be at least eight characters long, and preferably twelve or more; change a password whenever you suspect it has been exposed, and never reuse old content. Two useful password managers are: (i) KeePass (ii) 1Password
(5) Threats from within. Data is stolen as "insurance against dismissal." Computers and networks are misused for personal purposes. Human resources problems such as absenteeism and harassment surface online. As countermeasures, adopt standard security policies or rules for internet use, foster communication between executives and IT managers, and apply workflow-based risk management.
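The shortened-link problem in point (3) above can be handled mechanically. The following is an added example, not code from the original article: a Python link checker that resolves a short URL one redirect at a time with HEAD requests (so the final page is never loaded or executed), then flags the signs of a deceptive chain: chained shorteners, a final destination without HTTPS, a bare IP address or punycode host, credentials embedded before the host, and a final host that is not the domain the message claims. The shortener list, the `DEMO_REDIRECTS` map, and the `.example` hostnames are constructed for the offline demo; `live_location` performs real HEAD requests when passed as `fetch`.

```python
"""Expand a shortened link hop by hop without visiting the final page, then
score the redirect chain for signs of deception.  Added example, not code from
the article.  Standard library only."""
import http.client
import ipaddress
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
# Assumed set of well-known shortener hosts, constructed for this example.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd", "ow.ly"}


def live_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """One HEAD request that does NOT follow redirects.
    Returns the Location header of a 3xx reply, or None if the URL is final."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        path = (p.path or "/") + (f"?{p.query}" if p.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-check/0.1"})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand(url: str, fetch: Callable[[str], Optional[str]] = live_location,
           max_hops: int = MAX_HOPS) -> Tuple[List[str], str]:
    """Follow redirects one hop at a time.  Returns (chain, reason) where reason is
    'final', 'loop' or 'too_many_hops'.  `fetch` is injectable so a chain can be
    resolved offline against a recorded or constructed map."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)          # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(chain: List[str], reason: str, expected_host: Optional[str] = None) -> List[str]:
    """Return warnings about the resolved chain, each prefixed with a stable code."""
    warnings = []
    final = chain[-1]
    host = _host(final)
    if reason != "final":
        warnings.append(f"unresolved: chain ended with '{reason}' after {len(chain)} URLs")
    hops = [u for u in chain[:-1] if _host(u) in SHORTENERS]
    if len(hops) >= 2:                          # shortener pointing at shortener evades filters
        warnings.append(f"chained-shorteners: {len(hops)} shortener hops before the destination")
    if urlparse(final).scheme != "https":
        warnings.append("no-https: final destination is not served over HTTPS")
    if _is_ip_literal(host):
        warnings.append(f"ip-host: final destination is a bare IP address ({host})")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"idn-host: punycode label in {host}; check for look-alike characters")
    if "@" in urlparse(final).netloc:           # http://facebook.com@evil/ shows a fake domain
        warnings.append("userinfo: credentials embedded before the host, a classic domain spoof")
    if expected_host:
        exp = expected_host.lower()
        if not (host == exp or host.endswith("." + exp)):   # substring match is not enough
            warnings.append(f"host-mismatch: final host {host} is not {exp} or a subdomain of it")
    return warnings


# Constructed redirect map standing in for real HEAD responses (offline demo).
DEMO_REDIRECTS = {
    "http://tinyurl.com/promo": "http://bit.ly/p1",
    "http://bit.ly/p1": "http://www.facebook.com.account-check.example/login",
    "http://tinyurl.com/a": "http://tinyurl.com/b",
    "http://tinyurl.com/b": "http://tinyurl.com/a",
    "https://tinyurl.com/ok": "https://www.facebook.com/groups/research",
}


def demo_fetch(url: str) -> Optional[str]:
    return DEMO_REDIRECTS.get(url)


def check(url: str, expected_host: Optional[str] = None,
          fetch: Callable[[str], Optional[str]] = demo_fetch):
    chain, reason = expand(url, fetch=fetch)
    return chain, reason, assess(chain, reason, expected_host)


if __name__ == "__main__":
    for u in ("http://tinyurl.com/promo", "http://tinyurl.com/a", "https://tinyurl.com/ok"):
        chain, reason, warns = check(u, expected_host="facebook.com")
        print(" -> ".join(chain), f"[{reason}]")
        for w in warns:
            print("   !", w)
```

Run it as-is for the constructed chains; pass `fetch=live_location` to `check` to resolve a real link. The host comparison deliberately requires an exact match or a dot-separated suffix, because `www.facebook.com.account-check.example` contains the expected domain as a substring yet belongs to someone else.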
Data Protection and Privacy on Social Networks:
It is clear that nothing is truly free: in social media you get nothing for nothing. Social networks reveal personal information and network behavior. Think about tomorrow when you act today, because the consequences are not always obvious. Be aware of the costs of leaving information and images on social networks: it will be practically impossible to remove them later, even if you delete them from your profile or website, because older versions remain accessible to others through search engine caches and copies on other websites. You can join many social networks for free, but you must provide personal information to participate. The beneficiaries of the personal information obtained from users are: (i) Website operators, who make money through advertising; the more users they attract, the larger the audience, the more valuable the ad space, and the higher the ad revenue. (ii) Companies that want to buy your information (even if it seems unimportant today, it may be useful to them tomorrow). They want to advertise and sell their products, and they want to know the user's loyalty, preferences, and interests. They may want traceability, telling your friends about the products you buy as another form of advertising. Various other parties can also access your personal information: (i) Colleagues and fellow students, who may want to know more about you than your studies and grades; your profile is a valuable resource to them. (ii) Current or future employers, who want to know what kind of person you really are beyond your resume and interview. (iii) Parents. (iv) Sexual predators and pedophiles. Many spammers also buy user data from social media sites.

Considerations Regarding the Disclosure of Personally Identifiable and Behavioral Information on Social Networks:
Be sparing with your personal information. If you are active on social networks, provide strictly the information the service actually requires. Choose a username that does not include your real name or date of birth. Never share your password with anyone. Your profile should not include your last name, phone numbers, home address, date of birth, the name of your school or sports team, or travel plans. Never provide your social security number, family financial information, credit card numbers, or bank account numbers. A social network may require your date of birth because the laws of some countries prohibit collecting information from children under 13; if so, adjust your privacy settings so that the date of birth is not visible on your profile, and if you wish to display your birthday, show only the day and month, not the year. Although you generally should not give the name of your school online, some social networking websites do reveal it. For students, limiting participation to school groups can provide an extra level of protection and privacy.
Use privacy settings to share only what you intend and to limit your audience. Default settings usually permit very broad sharing, so review them and reduce the level of disclosure. Adjusting privacy settings can be a multi-step process: open the privacy settings page of your social network and work through every option that affects your personal information. Some sites allow different privacy settings for different parts of your profile page. Read the privacy policy, and if it seems excessive, look for another social network.
Final Considerations
Our research group has worked for over ten years on security and privacy protection in social networks. We have developed guidelines, usage policies for organizations, protocols, mechanisms, and cryptographic and anonymity services in this area. We have also conducted audits and forensic analyses of social networks, assessing the level of risk, proposing countermeasures, and inferring the degree to which privacy and security have been breached.
This article is part of the activities carried out within LEFIS-APTICE (funded by the Socrates programme of the European Commission).
Author:
Prof. Dr. Javier Areitio Bertolín – E.Mail:
Professor at the Faculty of Engineering. ESIDE.
Director of the Networks and Systems Research Group. University of Deusto.
