By Richard Sands on Aug 14, 2008
Like most things in life, success in social networking usually depends on what you put into it. If you keep your updates frequent and relevant then they’ll be more interesting to others. But putting your life out there can have risks too.
I found out about some of these while talking to a colleague from an IT security consultancy (we use them to independently assess our security practices). However, as he explained, the security risks with social networking sites are not necessarily technical. Indeed, the rapid uptake of social networking applications has led to the biggest current growth in security attacks.
The problem isn't necessarily that social apps themselves are full of security flaws; it's that the sort of information social networking encourages you to share can also be used to access more than you expected. As David Porter stated in a BBC article on these dangers entitled Cyber thieves target social sites:
"It is remarkable that people use social networking websites to publish details about their lives, loves, jobs and hobbies to the entire world that they would not dream of sharing with a stranger in a bar. Such data is invaluable to identity fraudsters."
A simple example is your personal history. Most social networking sites want to know something about your past (schools, jobs, etc.), and by sharing these you make it easier for friends and colleagues to find you. However, harmless-looking items such as your first school or the town where you were born are also often used as security questions by other sites. At one point I found that of the four security questions I was asked by my online bank, the answers to three of them could be found out from my public profile on one social networking site.
There can be other social engineering vulnerabilities too. For example, after landing that job you've been after for ages it's natural to put the news out there, but knowing your name, your title, and that you're a new starter at BleedingEdgeInc is enough information for an effective pretexting (impersonation) scam. New starters often need to ask for help, and no one knows them well enough to verify whether a caller is who they say they are. So a call to the HR or IT help line of your new company, pretending to be you, could get access to all sorts of information about the company's systems.
None of these risks are reasons against using social networking apps (and, as Brian Krebs warns, by not using social networks you can be at risk of letting someone impersonate you!). They are reasons for putting some good basic practices in place. There are many sites out there with sound advice; for example, security company Sophos say this about Facebook settings. I find four simple rules help me:
• Don't publish anything you wouldn't be happy to tell a stranger. Assume everything you publish will be public.
• Don’t put information on social networking sites which is also used to identify you on other sites, such as security question answers. Either give different answers to security questions (when asked for your first school’s name give your first pet’s name, or something like that), or just don’t publish the information in your profile.
• Don’t accept friend requests from anyone you don’t know.
• Limit the visibility of your personal information so it's only available to people you know. Don't just accept the default privacy settings.
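To make the first-school/hometown point concrete, here is an added example (my own illustration, not code from the original post or from any of the companies mentioned). It does two things a practitioner would actually do: cross-check a public profile against a set of bank security-question answers to see which answers are already exposed, and generate random, unguessable answers to use instead. The profile fields, the bank's questions and the small wordlist are all constructed for the demo; a real deployment would use a large published wordlist such as the EFF long list.

```python
import math
import secrets

# Constructed, deliberately small wordlist for the demo (32 words = 5 bits each).
# A real deployment would use a large published list such as the EFF long list
# (7776 words, about 12.9 bits per word).
WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grape", "harbor",
    "igloo", "jewel", "kayak", "lemon", "maple", "north", "olive", "piano",
    "quartz", "river", "stone", "tiger", "umbra", "velvet", "walnut", "xenon",
    "yacht", "zebra", "anvil", "basil", "cedar", "dune", "eagle", "fjord",
]

# Constructed sample data: what a stranger could read on a public profile ...
PUBLIC_PROFILE = {
    "hometown": "Reading",
    "first_school": "St. Mary's Primary",
    "pet": "Rex",
    "employer": "BleedingEdgeInc",
}

# ... and the answers registered with a (hypothetical) bank's security questions.
BANK_ANSWERS = {
    "first school": "St Marys Primary",
    "town of birth": "Reading",
    "mother's maiden name": "Harrison",
    "first pet": "Rex",
}


def normalise(value: str) -> str:
    """Lower-case and drop punctuation/whitespace so "St. Mary's" matches "st marys"."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def exposed_answers(profile: dict, answers: dict) -> list:
    """Return the security questions whose answer also appears in the public profile."""
    public = {normalise(v) for v in profile.values()}
    return [question for question, answer in answers.items() if normalise(answer) in public]


def random_answer(nwords: int = 4, rng=None) -> str:
    """Build a random passphrase-style answer to use instead of the true fact.

    Treat it like a second password: store it in a password manager, not in memory.
    """
    if rng is None:
        rng = secrets.SystemRandom()  # CSPRNG; never use random.random() for this
    return "-".join(rng.choice(WORDLIST) for _ in range(nwords))


def answer_entropy_bits(nwords: int = 4, wordlist_size: int = len(WORDLIST)) -> float:
    """Entropy of a random answer, in bits, for a given wordlist size."""
    return nwords * math.log2(wordlist_size)


if __name__ == "__main__":
    leaked = exposed_answers(PUBLIC_PROFILE, BANK_ANSWERS)
    print(f"{len(leaked)} of {len(BANK_ANSWERS)} bank answers are readable from the profile: {leaked}")
    replacement = {q: random_answer() for q in leaked}
    print("Replacement answers (store these in a password manager):")
    for q, a in replacement.items():
        print(f"  {q!r}: {a}")
    print(f"Each replacement has about {answer_entropy_bits():.0f} bits of entropy with this demo list")
    print("After replacement, still exposed:", exposed_answers(PUBLIC_PROFILE, replacement))
```

On the constructed data above the check reports three of the four bank answers as readable from the profile, which is exactly the situation described earlier. The normalisation step matters: a profile that says "St. Mary's Primary" still gives away an answer registered as "St Marys Primary", so a naive exact-string comparison would under-report the exposure.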
I think it's nicely summed up by Paul King in the BBC article I referenced earlier: "There were a lot of benefits to using social networking sites ... and the downsides should not put people off using them... It's about trying to manage risk rather than avoid risk", and managing risk is what we do all the time. There was a talk at the recent Black Hat security conference with the great title Satan is on my Friends List, so just be sure it's the devil you know.