Social Networking: Latest, Greatest Business Tool or Security Nightmare?
Social networking is a broad term that refers to the building of online communities based on common interests and activities. What started out as a way to use the 'Net to make friends and meet romantic partners' has moved into the business world, with some companies actively promoting employee involvement to raise awareness of their products or services and keep in touch with each other and existing or potential customers. But before your organization embraces the new technology, you need to be aware of the security implications that it brings with it. In this article, we'll address the good, the bad and the ugly of using popular social networking tools (Facebook, Linkedin, Twitter, etc.) in the business environment.
The Evolution of Social Networking
Based on its name, you would think social networking is a leisure time, non-business activity. Of course, if you subscribe to the broadest definition ("online communities of people"), the Internet itself is the ultimate social network. A narrower definition focuses on common interests or activities. Although the term has only fairly recently become popular, social networks have certainly been around since the early days of commercial Internet access, in the form of newsgroups, chat rooms and web forums dedicated to specific areas of interest.
Today's social networking services are generally web-based, and having an account on MySpace or Facebook or LinkedIn has become almost as expected as having an email address. And it's no longer just about teenagers keeping tabs on what their friends are up to; many businesses now have a presence on social networking sites, and professionals of all types sign up to interact with colleagues and potential clients.
Although some companies view social networking sites as time-wasters and block them altogether, more and more companies are recognizing their value as marketing and collaboration tools. Some companies, such as Intel, are actively encouraging their employees to get involved in social media activities on the company's behalf (click here for more info).
All this socializing may be good for business - but is it good for your network? A number of security concerns have been raised regarding popular social networking sites, and there have been security breaches reported. Let us take a look at what the risks are, and what you can do to ameliorate them.
In January 2008, Government Technology web site warned that social networking sites - part of what was then being hailed as Web 2.0 - are extremely attractive to hackers and that "the same technologies that invite user participation also make them easier to corrupt with malware such as worms that can shut down corporate networks, or spyware and keystroke loggers that can steal company data."
The risks associated with social networking fall into a few broad categories:
The risk of having the social networking account itself hacked.
The risk that users will pick up malware through the social networking site.
The risk that a hacker will gain information through the social networking site that will allow him/her to attack your company network (social engineering).
Risks of a Compromised Social Networking Account
In January, a hacker gained access to a Twitter employee's administrative account and was able to use the admin tools to reset passwords on other users' accounts. Then these passwords for the accounts of a number of celebrities (including Barack Obama) were published on a hackers' forum. Subsequently posts were made on those accounts by unauthorized persons. It later came out that the Twitter employee whose account was hacked had used an easy-to-guess password, and that Twitter did not use account lockout policies to prevent a hacker from utilizing dictionary attacks. This allowed the hacker to keep trying until the password was cracked. See the full story here.
A month later, in February, the Twitter account of Miley Cyrus was hijacked and offensive messages about her were posted.
The Twitter case illustrates the dangers of using social media with lax security policies. No matter how strong the password that you, the user, set on your account, if someone with administrative privileges is not so diligent, your account could be compromised.
How could a compromised Twitter account harm your company? Imagine someone hacking into the account of an Apple executive, for example, and posting a message saying Steve Jobs had died. What might that do to Apple's stock? See my blog post on "Why Twitter Needs to be More Secure".
The same thing applies to other social media such as Facebook, MySpace, LinkedIn, and so forth. If your employees have public profiles whereby they represent your company, a compromise of their accounts - especially by a competitor - could bring a deluge of bad PR down on your company's head.
Risks of picking up malware through Social Networking Sites
Social networking sites, like any other web sites, can be conduits for the distribution of malicious software. Your employees might know not to click a link in an email message from an unknown source, but if that link appears in a message from a social networking "friend" or in a tweet from someone the employee is following, it might be a different story. And that could result in malware being downloaded to a computer on your company network.
A problem with many of the social networking sites is that the default settings make users vulnerable, and those who aren't technically savvy may not know that they need to change the settings to protect themselves. For example, by default sites may allow HTML in comments. That makes it easier for social networkers to share links, insert pictures, etc. - but it also makes it easier for an attacker to slip malicious code in or link to off-site content that contains malware.
Social Engineering Risks
Kevin Mitnick pointed out years ago that it is less work to trick someone into giving you a password or other information you can use to break into a system than to spend your time trying to hack into it. That is, it's easier to exploit the human vulnerabilities than the software vulnerabilities. Social networks present another, very ripe venue for social engineering that preys on people's trust in those who present themselves as friends or colleagues.
Unfortunately, most social networking sites do not verify the identities or credentials of those who sign up. You can create a Facebook or Twitter account using any name you want, or you can claim to work for a company when you don't. Although the Terms of Service (ToS) generally prohibit giving false information, it's unlikely that the consequences of getting caught will extend beyond losing access to the site.
In 2008, Lori Drew was convicted in Los Angeles for unauthorized access to MySpace based in part on providing false registration information (the "cyberbullying" case). This set a precedent that criminalizes use of a false persona online, but the jury rejected prosecutors' charges of federal felonies and convicted her only of misdemeanors. Check out the full story here.
Thus it is easy for someone to create a profile, claiming to be an employee of a large company such as Microsoft or Intel, and then seek out "fellow" employees (using the site's keyword search) to befriend. That gives the social engineer access to those people's sites, where he can obtain all sorts of information that may be useful for hacking into the company's network. This would not work in a small business where everyone knows everyone else, but any large company with multiple sites is vulnerable.
Once the fake employee has made "friends" within the company, he can start chatting with them and collect inside information about the company. Or he could set up a fake "company" website (a phishing site) and direct the real employees to it, where he collects their passwords to the company network.
Even without hackers overtly trying to obtain information, employees who use social networking may inadvertently leak confidential data in the form of text postings, photos, videos or audio recordings. At last year's BlackHat conference in Las Vegas (August 2008), Nathan Hamiel and Shawn Moyer did a presentation on how the personal data on social networking sites could be manipulated by attackers.
The add-on applications that enhance social networking sites can pose additional risks of their own. When you download these mini-applications, you have to check a checkbox that allows the application's developers access to your profile information (with the exception of contact information). That information can then be used for targeted advertising or other purposes. Click here for more details.
Developing Policies for Use of Social Media
Companies can benefit from the judicious use of social networking as a business tool without incurring undue risk by developing policies and guidelines to help employees participate in the safest manner possible. Policies should be written in a straightforward way that defines what is and is not acceptable behavior.
A good example of a company that takes social networking seriously is Intel. They provide training for employees in the use of social media, and have made public the Rules of Engagement that they expect employees to follow when blogging, twittering, facebooking, linking in or otherwise participating in social networking on behalf of the company. You can read their Social Media Guidelines here.