Image via Wikipedia
Many company associates use social networking sites. Let me say it again, many company associates use social networking sites. Really? Yep. What sites you may ask? LinkedIn, Facebook, and MySpace (yes, even them).
While I’m writing this, I can quickly do a search based on those explicitly noted as being associated to my company and I can tell you more than 20% of the current employee base has associated themselves with us via the social networking profiles.
Ok, let’s switch perspectives…
A study posted last year found that two major social networking sites were the target of 91 percent of U.S. based phishing attempts last year. Symantec found that 68 percent of the 50 most-frequent potential infections reported by customers involved malware that tried to get access to things like stored usernames, passwords and financial data.
So, the law of probabilities tells us that if you belong to the 20 plus percent of associates that use social networking sites, you would have been exposed to one of these attempts in the past year. Social networking sites have been mostly hit by annoying worm, adware, and phishing attacks. Most of these are automated and not targeted attempts to harvest information. However, even a low level of success to a “You won’t believe this funny video of you” Trojan yields quite a bit of information.
Attacks are now migrating from this widespread approach of malware to some very targeted social engineering attacks. The top social networking sites all offer a means by which a false account can be set up and then request access to a “group” (e.g. your company). Association into that group often provides you with a level of information to begin creating profiles or users or an organization. You then get one (or a few) of the people in that organization to accept you as a connection and you now have more detailed information on those associates and possibly their area of the company. Take it a step further where those associates (and now even a few others) have their privacy settings set rather loosely then you can see information about users to whom you aren’t even explicitly connected to.
A very similar approach was taken on a blog site that users of a particular corporation all used. Someone impersonated an employee, over a matter of a few months established a profile and even had made “friends” with other associates within the company via the site. The person represented themselves as an IT associate and to be working on projects which they had gleaned from other information on the site. Ultimately the user created a web page, utilizing the corporate identity of the company, and set it to seem like a password reset page. They then casually talked up the tool as being a convenient way to set or change passwords and then sat back and let the word spread. A high percentage of site users used the page and thereby compromised their account information. Even after this was exposed, many of the associates, through interaction on the site, truly thought they were dealing with a fellow associate.
Image via Wikipedia
LinkedIn has specifically addressed this kind of false associations by using a “social defense” model. You can’t just randomly send messages to people ala Facebook. To gain access to another site member, LinkedIn requires you to contact someone you both know for an introduction. Thus, a third party has to vouch for you and confirm that you are who you say you are.
What precautions should be taken to limit exposure of information?
- Smart password management – Your passwords, everywhere you use them, are important. There is considerable effort put in to protecting the systems which use and govern your passwords at your company. Create strong/complex passwords for systems outside of corporate systems to help keep your information safe. A word of caution here, don’t use the same password for all systems either. Yes it may be very convenient, but this goes to the “weakest link” example. If you use a website that has poor programming or security practices and your name, associations, employment, etc are harvested from that site and you utilize the same password for your bank account, outside email, and your corporate login are now exposed. Also be judicious with the use of password reset tools. Don’t use questions with simple or obvious answers as it makes it quite easy for someone else to guess the information, reset your password, and gain control of your profile. Another article dedicated to this issue alone is in the works.
- Utilize the security controls provided by the site – The major social networking sites allow for you to limit who has access to view all or part of your information. I would highly recommend not leaving those settings at default and set everything to the most restrictive view settings possible. In most cases this is a setting which allows “only my friends or connections” to view information on your profile. Therefore you have limited much of the information to people which you have explicitly given permission to view. Be leery of the options to allow “friends of friends” to view information and certainly don’t leave it set to “publically available”
- Stick with who you know – While sometimes used in this way, please don’t use social media sites as a popularity yardstick. This often involves accepting invites from complete strangers and inviting any and everyone to be a “friend/contact” so you have a large number of associations. This increases the risk of an indirect attack via email/posting/app as well as targeted attacks as it makes it easier for the anonymous attacker to masquerade as a “friend”.
- Limit the amount of personal information you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.
- Be skeptical - Don’t believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take proper precautions, though, and try to verify the authenticity of any information before taking any action.
- Use and maintain anti-virus software – Anti-virus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your definitions up to date. The newer suites of these software products are often called End Point Protection suites. They include more products that help provide a better overall protection to your system.
An associates phone rings. The person identified herself as working for the accounts receivable department. She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer. She asked if he could provided the model and serial number for her records. (Before we go any further, how many of you reading this sit “near” and HP printer?)
