Social Media Risks: The Basics

Social media sites unfortunately pose many security risks for the unwary. Here's a guide to avoiding scams of all sorts.

You may be a champ at Mafia Wars and Farmville, but what do you know about the security risks of social media sites?

The collaboration and sharing made possible by Web 2.0 technologies also bring along a specific set of risks. In Slapped in the Face: Social Networking Dangers Exposed, security researchers Nathan Hamiel and Shawn Moyer explain how attacks are made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other types of information with little effort.

"Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there's a lot of return-on-investment in going after them," Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

In this guide, we outline the many risks posed by social media sites and social networks, and how to keep yourself and others from falling victim to a scam or security hole.

How common are scams and hacks on social networks?

In 2009, Facebook officials announced they had surpassed 300 million users. Twitter claims to have 6 million unique monthly visitors and 55 million monthly visitors. With that kind of reach, it's not surprising that criminals view these sites as a great venue for finding victims. As a result, security stories about Twitter and Facebook have dominated the headlines in the past 12 months. In one high-profile story from 2009, hackers managed to hijack the Twitter accounts of more than 30 celebrities and organizations, including President Barack Obama and Britney Spears (See: Hackers Hijack Obama's, Britney's Twitter Accounts. Hacked accounts had been used to send malicious messages, many of them offensive. According to Twitter, the accounts were hijacked using the company's own internal support tools.

Twitter has also had problems with worms as well as spammers who open accounts and then post links on popular topics that actually link to porn or other malicious sites. Facebook, too, is regularly chasing down new scams and threats.

Both sites have been criticized for their lack of security, but have made improvements in recent months. Facebook, for example, now has an automated process for detecting issues in Facebook users' accounts that might indicate malware or hacker attempts. The site also recently announced a partnership with security software vendor McAfee aimed at improving security for Facebook users. See: Facebook, McAfee Team on Facebook Security Effort.

What are the most basics risks posed by social media and social networking?

Password sloth is a simple and prevalent mistake by users of social networking sites. As described in Seven Deadly Sins of Social Networking Security, password sloth refers to using the same password on all sites—if that password is discovered via a hack or accidental leak on one site, it provides hackers a way into all the other sites. In a worst case scenario, it might mean a Twitter password hack gives someone the key to your online banking account.

Plain old TMI—too much information. It's a great idea to let your neighbors know you're headed out on vacation so they can keep an eye on your house or apartment. It's NOT a great idea to post those vacation plans on public Internet sites. It's also not a great idea to freely reveal lots of personal details&your birthday, your town of birth, your family tree—as that information can be used for identity theft.

Your personal brand is another thing to consider in your online interactions.

Don't engage in "Tweet rage". Scott Hayes, president and CEO of Database-Brothers Inc., notes that "Posting any content when angry is about as dangerous as sending flaming emails, if not more so. Think twice about clicking 'submit' because the world may be looking at your angry, immature rant for years."

That include present and potential future employers, your parents, your kids, your co-workers. Think before you post.

Another risk to consider is your company's brand and reputation. Can you be sure your employees aren't leaking data, either intentionally or unintentionally, on social network sites? Can you be sure they are not disparaging your brand? According to legal expert Michael Overly, new FTC guidelines that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites, as well as personal blogs, and other sites even if the company had no actual knowledge those statements were being made. See Overly's blog for more information on the new rules.

Then there is a big set of risks that we can put under the general heading of scams. These are active attempts by bad guys to get you to do one of two things: 
- Share information you shouldn't (passwords, sensitive data, company secrets) or 
- Click on a link you shouldn't (because it leads to a website infected with malware).

Give me examples of this type of scam.

In 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid we outline many examples of the types of come-on scammers use, including:

Secret details about Michael Jackson's death! 
People love gossip and celebrity news is always a hit. These scams often claim to have secret information on a celeb and include links that actually lead to malicious sites or that install malware onto a computer.

I'm trapped in Paris! Please send money. 
Known as a 419 scam, fraudsters break into Facebook accounts accounts and then message the victims "friends" asking for money.

OMG! Did you see this picture of you? 
Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user's interest and then directs them to a fake login screen.

Test your IQ 
Facebook members often add quirky applications that allow them to take quizzes and fill out polls. One recently caused members to unwittingly subscribe to a text messaging service that cost approximately $30 a month.

Join State University's Class of 2013 Facebook group 
A college guide book publisher called College Prowler was recently criticized for creating Facebook communities for students in the class of 2013 that appeared to be organized by their college or university, but were not.

Tweet for cash! 
This scam takes many forms. "Make money on Twitter!" and "Tweet for profit" are two common come-ons security analysts say they've seen lately.

Ur Cute. Msg me on MSN 
The sexual solicitation is a tactic spammers have been trying for many years via email, said Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. In the updated version of this ruse, Twitter "tweets" that feature scantily-clad women and include a message embedded into the image, rather than in the 140-character tweet itself.

Protect your family from swine flu
Bad guys will always take advantage of what is in the headlines, such as the world's concern over swine flu, to snare unsuspecting users. These days it is even easier for a user to end up clicking on a bad link looking for news because of the prevalent use of the shortened URL (See: New Spam Trick: Shortened URLs).

Mike Smith commented on your post! 
Reading friends' comments is one of the major features of Facebook. But some malicious applications have names such as "Your Photos" and "Post" and begin with a notification that someone has "commented on your post." However, once the user clicks on that notification, they are lead to a harvesting site called "fucabook.com" which looks like a Facebook log-in page and asks users to enter their log-in information in order to "enjoy the full functionality" of the application. It then steals that log-in information and then spams friends.

Amber alert issued!! 
This one is not so much as scam as it is a hoax. Amber alerts are pasted into status updates that turn out to be untrue.

If my company allows access to social media sites, should we have a social media security policy in place?

IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, surveyed companies in 2008 and found most did not have a security policy in place with regard to social media. But the same survey conducted just a year later in 2009 turned up a dramatic increase. Policies might touch upon appropriate usage of social media and networking sites at work as well as the kind of conduct and language an employee is allowed to use on the sites.

"We saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies," said Jack Phillips, IANS co-founder and CEO.

Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. The take away, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives.

Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. He gives security pros tips in 4 Tips for Writing a Great Social Media Security Policy. The include:

1. Don't start from scratch
The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies.

2. Use social media policies to raise security awareness
"This issue is an opportunity for info sec leaders to refocus attention on information security and risk management, said Phillips.

3. Use social media access to raise security's positive profile within the organization
While the initial security reaction to new media is often to block, Phillips said most organization now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective.

4. Be prepared for the next phase
As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entire new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific.

New scams pop up all the time. How can employees stay on top of these new threats?

The threats posed by social media and social networks are ever evolving, so it's important to keep users up to date on what the latest and greatest "come-ons" might be as part of a solid security awareness program. In 9 Dirty Tricks: Social Engineers Favorite Pick Up Lines we lay out some of the underlying tactics seen on social networks. And, to help users identify what THEY might be doing wrong, mistakes folks make using social networks are outlined in Seven Deadly Sins of Social Networking Security.

As with many security slip-ups, the mistake, and the lesson that needs to be learned, often goes back to the individual. As Peter Soderling points out in Why a Twitter Hack is NOT a Cloud Security Wake-up Call, many of the hacks that take place on these sites are the result of weak passwords. Check out these tips forHow to Write Great Passwords for great advice to give users when it comes to creating secure log-in credentials.