Web surfing is no longer a solo affair. Facebook, Twitter, and other social networks have quickly become an integral part of the online culture, and with them comes a whole new array of potential security threats. In this article, I’ll identify some of the key dangers of social networking and offer a few easy steps that you can take to stay safe online.
Social networking is built on the idea of sharing information openly and fostering a sense of community. Unfortunately, an online network of individuals actively sharing their experiences and seeking connections with other like-minded people can be easy prey for hackers bent on social-engineering and phishing attacks. It’s important to be aware of the threats, and to maintain a healthy skepticism in your online interactions.
Be Careful What You Share
For starters, even in an open community of sharing, you should observe some boundaries. As President Obama warned students in his address to schools earlier this month, “be careful what you post on Facebook. Whatever you do, it will be pulled up again later somewhere in your life.”
The core truth of that statement can be applied to any social networking site, and possibly even to the Internet as a whole. As a general rule, refrain from posting things online that you will regret later. Odds are good that someone, someday, will stumble across it, and it may come back to haunt you — especially if you are planning to run for public office.
Sending a message like this is sure to end up in disaster for someone — probably you.
Aside from simply abstaining from posting embarrassing or inflammatory comments online, take two fundamentals to heart: Remember who your friends are, and know that a friend of a friend can be an enemy.
Remember Who Your Friends Are
When you write a Twitter tweet or post a Facebook status update, you have to keep your audience in mind. More and more these days, we hear stories of people who have forgotten that their boss is part of their network and have said things online that have gotten them reprimanded, even fired.
The consequences of inappropriate online comments have become so common that they have earned an entry in the Urban Dictionary: Facebook fired. Saying something as obvious and seemingly innocent as “I’m bored” in a status update during work hours can have dire consequences if the wrong people see it.
With services like Twitter, or the recent changes to Facebook that allow anyone to view and search updates, you really have no way to hide.
Friends of Friends May See Your Post
So, you’ve thought it through. You want to shout to the world what you really think about your boss’s forcing you to work overtime and making you come in on the weekend. You’ve checked and double-checked, and you’ve determined that your boss is not in your network, so you let loose on the keyboard and speak your mind.
Unfortunately, you’re not out of the woods just yet. Being outside of your network, your boss can’t see your post directly, but if one of your Facebook friends who is connected with your boss comments on your status update–even just to say “I sympathize”–your boss may be able to click through the common friend and see your post anyway.
Go ahead, be social–share your trials and tribulations with your growing network of adoring followers. To be safe, however, do so with one rule in mind: Don’t ever post anything online that you aren’t comfortable with everyone seeing, because eventually they probably will.
Marrying privacy and social networking may seem unintuitive. How can you be social and open, yet protect your privacy? Well, just because you are choosing to share some information with a select group of people does not necessarily mean that you want to share all of your information, or that you want the information you share to be visible to all.
Facebook in particular has suffered from a number of issues related to privacy concerns. If you have used Facebook for a while, you may have noticed ads with your friends’ names or photos associated with them.
Facebook provides separate privacy controls for Facebook ads and third-party applications and ads
Facebook does provide privacy controls for you to customize what types of information should be available to third-party applications. If you look at the Facebook Ads tab of the privacy controls, though, you’ll notice that it offers no way for you to opt out of the internal Facebook Ads. It merely states that “Facebook strives to create relevant and interesting advertisements to you and your friends.”
What Do Quizzes Reveal About You?
For many users, one of the primary attractions of Facebook is the virtually endless selection of games and quizzes. Part of the lure of the games and quizzes is the social aspect. In the games, friends can compete against one another; through the quizzes, you can learn more about your friends while being briefly entertained.
The ACLU exposed problems with how much information these quizzes and games share, though. When a Facebook user initiates a game or quiz, typically a notice pops up to declare that interacting with the application requires opening access to information; the notice also provides the user the opportunity to opt out and cancel, or to allow the access to continue.
Facebook quizzes warn users that continuing will open access to information from your profile–as well as to that of your friends.
The permission page clearly tells the user up front that allowing “access will let [the application] pull your profile information, photos, your friends’ info, and other content that it requires to work.” One might wonder, as the ACLU has, why any game or quiz application would “require” access to your friends’ information in order to work.
Canada Says ‘No Way’
Facebook’s privacy, or lack thereof, has also run afoul of the Canadian government. The Privacy Commissioner of Canada has determined that Facebook’s privacy policies and practices violate Canadian privacy regulations, and has recommended a variety of changes that Facebook should make to be compliant.
One of the major concerns involves the permanence of accounts and account data. Facebook offers a way to disable or deactivate an account, but it doesn’t seem to have a method for completely deleting an account. Photos and status updates might be available long after a user has shut down a Facebook profile. And like the ACLU, the Canadian government is concerned about the amount of information shared with third-party application providers.
Control What You Can
While the concerns of the ACLU and the Canadian government run a little deeper, Facebook does in fact offer privacy controls that restrict or deny access to information. Since Facebook is a social networking site designed for sharing information, many of the settings are open by default. It is up to you to access the Privacy Settings and configure the options as you see fit.
Facebook’s Privacy Settings allow you to determine who can access or view your information.
For each of the available settings, you can choose to share information with Everyone, My Networks and Friends, Friends of Friends, or Only Friends; if you prefer, you can customize the settings to fine-tune access further.
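The following is an added example, not part of the original article and not Facebook’s own logic: it models the four audience settings listed above over a constructed friendship graph and checks the “boss reachable through a common friend” case from the Friends of Friends section. Names, the graph, and the network memberships are all made up for illustration.

```python
from collections import deque

# Constructed sample data (not real accounts): undirected friendships and
# the networks each person belongs to. "you" and "boss" share a network but
# are not friends; "alice" is the common friend that links them.
FRIENDS = {
    "you": {"alice", "bob"},
    "alice": {"you", "boss"},
    "bob": {"you"},
    "boss": {"alice", "carol"},
    "carol": {"boss"},
}
NETWORKS = {"you": {"acme"}, "boss": {"acme"}, "alice": set(), "bob": set(), "carol": set()}


def hops_between(graph, src, dst, limit=2):
    """Shortest friendship distance from src to dst (breadth-first search),
    or None if dst is farther than `limit` hops away."""
    if src == dst:
        return 0
    dist = {src: 0}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= limit:
            continue  # do not expand beyond the hop limit
        for nxt in graph.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                if nxt == dst:
                    return dist[nxt]
                queue.append(nxt)
    return None


def can_see(author, viewer, audience, friends=FRIENDS, networks=NETWORKS):
    """Apply one of the audience settings named in the article to decide
    whether `viewer` can see a post by `author`."""
    if audience == "Everyone":
        return True
    d = hops_between(friends, author, viewer)
    if audience == "Only Friends":
        return d == 1
    if audience == "Friends of Friends":
        return d is not None and 1 <= d <= 2
    if audience == "My Networks and Friends":
        shared_network = bool(networks.get(author, set()) & networks.get(viewer, set()))
        return d == 1 or shared_network
    raise ValueError(f"unknown audience setting: {audience!r}")
```

The model is an approximation of the article’s description (a comment by a common friend exposing a post is treated as “Friends of Friends” reach), not a specification of how Facebook actually evaluated visibility.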
Hijacking and Phishing
Social networking, by its very nature, is about socializing, which means users are letting their guard down and sharing information. They’re expanding their professional networks, connecting with old friends, and communicating in real time with pals and peers. And for bad guys who favor social-engineering and phishing attacks, taking advantage is like shooting fish in a barrel.
Beware Friends Seeking Money
Most people know enough to not respond to e-mail requests from exiled Nigerian royalty promising millions of dollars if only you will help them smuggle the money out of the country. Anybody who doesn’t know better probably shouldn’t be on the Internet; such people are a danger to themselves and others.
But what if your good friend from high school whom you haven’t seen in 18 years sends you a message on Facebook explaining how their wallet was stolen and their car broke down, and asks you to wire money to help them get home? You might not be as apprehensive–but you should be.
Attackers have figured out that family and friends are easy prey for such sob stories. Using other attacks or methods, they gain access to a Facebook account and hijack it. They change the password so that the legitimate owner can’t get back in, and then they proceed to reach out to the friends of the hijacked account and attempt to extort money from those friends through social engineering.
How do you resist such techniques? Assume that a relative or friend close enough to ask you for money would probably have your phone number, and that Facebook or e-mail would not be the first choice for contacting you in an emergency. If you get such a Facebook message or e-mail plea, and you aren’t sure, pick up the phone and call the person directly to confirm.
What’s Behind That Tiny URL?
Another threat that has emerged as a result of social networking is the tiny-URL attack. Some URLs are very long and don’t work well in e-mail or in blog posts, which created a need for URL-shortening services. Twitter, with its 140-character limit, has made the use of URL-shortening services like Bit.ly a necessity.
Unfortunately, attackers can easily exploit a shortened URL to lure users into accessing malicious Web sites. Because the shortened URL is a random collection of characters that has nothing to do with the actual URL, users cannot easily determine whether it is legitimate.
Tweetdeck can show a preview with details about the URL behind the shortened URL.
Tweetdeck, a popular application for Twitter, provides a ‘Show preview information for short URLs’ option, which offers some protection. The preview window shows details about the shortened URL, including the actual long URL it leads to.
If you aren’t using Tweetdeck for Twitter, or if you need to deal with shortened URLs on other sites and services, maintain a healthy dose of skepticism and remain vigilant about what might lie behind that obfuscated address.
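As an added example (not code from the article or from Tweetdeck), here is the core of a short-URL preview: follow the redirect chain hop by hop without loading the final page, stop on loops or excessive hops, and report the real destination host so the reader can judge it before clicking. The URLs and responses below are a constructed offline stand-in for real HEAD requests.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: maps a URL to the (status, Location)
# that a HEAD request with redirect-following disabled would return.
# None of these addresses are real; "example.invalid" is a reserved TLD.
FAKE_HEAD_RESPONSES = {
    "http://bit.ly/abc123": (301, "http://t.co/xyz"),
    "http://t.co/xyz": (302, "/landing?x=1"),          # relative Location
    "http://t.co/landing?x=1": (301, "http://example.invalid/login-update"),
    "http://example.invalid/login-update": (200, None),
    "http://bit.ly/loop1": (301, "http://bit.ly/loop2"),
    "http://bit.ly/loop2": (301, "http://bit.ly/loop1"),  # redirect loop
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_head(url):
    """Offline replacement for an HTTP HEAD request."""
    return FAKE_HEAD_RESPONSES.get(url, (404, None))


def expand_short_url(url, head=fake_head, max_hops=10):
    """Return (chain, final_url, reason) for the redirect chain behind `url`.
    reason is 'final', 'loop', or 'too-many-hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, chain[-1], "final"
        nxt = urljoin(chain[-1], location)  # resolve relative Location headers
        if nxt in seen:
            return chain, nxt, "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, chain[-1], "too-many-hops"


def preview(url, head=fake_head):
    """Summary a user can read before clicking: hop count and real host."""
    chain, final, reason = expand_short_url(url, head)
    return {
        "hops": len(chain) - 1,
        "final": final,
        "host": urlsplit(final).hostname or "",
        "reason": reason,
    }
```

For live use, replace fake_head with a function that issues a HEAD request with automatic redirect following turned off and returns the status and Location header; the chain logic stays the same.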
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice, and reviews on information security and unified communications technologies on his site at tonybradley.com.