General security

Social Media & Security Risk

Irfan Shakeel
September 4, 2012 by
Irfan Shakeel

Social media is the two way communication in Web 2.0 and it means to communicate / share / interact with an individual or with a large audience. Social media marketing and social networking have now become an essential part of brand management planning for an organization. Social networking websites are the most famous websites on the Internet and millions of people use them everyday to engage and connect with other people. Social networking websites like Twitter, Facebook, LinkedIn and Google Plus seem to be the most popular websites on the Internet.

The usage of these websites depends on the purpose of the user, for example an organizations might use these websites to create a positive image of a brand or to communicate with the clients / customer base and to simply show their presence on the famous websites. Unlike organizations, an individual may also use these websites for several other purposes, for example to find a job, to build a network with professionals, to connect with like-minded people, and for fun. So my point is that the usage depends on the purpose, and let's suppose you can use these websites for a good purpose as well as for a bad purpose.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Since social networking websites are very famous, hackers and spammers are also active on these websites and might use them to gather confidential information. Yes, social networking websites play an important role in gathering relevant information of an individual and organization. The privacy and security issues related to social networking websites are not new and it is not very easy to fight these problems because of the large number of users, but they are still important to discuss. So what are the some security risks that an organization and individual might face because of social networking websites?

There are so many ways that a hacker might use them for a bad purpose, but in general social networking websites are famous for:

  • Information gathering (intelligence gathering)
  • Phishing
  • Fraud
  • Spamming

In simple words, these websites are good for hackers to hack. In this article I will discuss how and why social media websites are dangerous, and how an attacker might use them (I will discuss some examples).

Information gathering is the first and an important step of hacking (in my view, the success ratio is directly proportional with the information), and the social networking websites have the information which is required. For example: It was very common to hack an email account by using a social engineering technique, and the technique was to click on "forget password" and try to recover this account by providing some relevant information of the person, information which could be fetched from the social networking websites. You can even judge the secret answer by the activity of the person.

The practical example of this scenario is the study called "Getting in Bed with Robin Sage", which was conducted by Thomas Ryan, a security specialist, and the results of this study showhow dangerous a social networking website could be.

Robin Sage (R1) is the fictional identity that was created for this study. The researcher chose a picture of a very beautiful girl (logic is simple: to attract the opposite gender) and to connect with more and more people, created a fake profile on the famous social networking websites: Facebook, Twitter and LinkedIn. To give them a real and professional look he completed her profile with job and educational information (this was fake too). In the 28-day study, "Robin" contacted hundreds of people, most of them belonging to government sectors such as the DOD and military intelligence. With this completely fake profile, Ryan was able to get email addresses, bank account numbers, invitations to conferences, and even a job. The most important aspect of this study is that Robin was offered to review confidential information and papers written by professionals.

According to a news report, 83 million Facebook profiles are fake (R2), so who has created these fake profiles and for what purposes? Each purpose might be different, for example an individual might create a profile to spy on another individual, but what if a number of fake profiles belong to an organization? The IT department of an organization is responsible to take care of this and to fight with the situation, which leads to a loss to the organization and can harm the reputation of organization.

Phishing is another a dangerous attack which is very common in social networking websites. It seems that hackers usually target individuals for their phishing attack, but what if they target an accountant or any other person who is responsible to manage the finance of organization? In both cases it is very dangerous because the capital factor is involved. A phishing attack can easily lead to a very dangerous situation, as a smart hacker can compromise the complete computer network of an organization, lets take an example:

From an attacker's point of view: If I want to hack into the network of ABC company, then it is good to connect with the employees of this company; I have added so many people to my friends list and I usually talk with them about their company, job responsibility, etc, and by doing a little social engineering I can get the information about their network, softwares and hardwares that have been installed to protect the network, and other important information. This first step of information gathering can be done easily and as a result I can get valuable information, and by the process of this evaluation I can get my victim (the one who opens the door for me to enter into the organization's network).

The second step of this attack depends on the attacking vector. Since I have the email address (the official email belonging to the organization) of the victim, I can send the malicious file (might be a backdoor), but it is not a good idea because most of the employees are already aware of this technique and even the firewall can block this email. So the second option is to exploit the trust that a victim has in a social networking website! Yes, people think that social media website like Facebook and Twitter are very secure and even most small business organizations do not have any policy to secure their assets from a social networking website. The second option is very good to go, now how can I force victim to get my malicious file? The answer is very simple: by doing a social engineering technique.

This is a very simple situation that I have discussed, but the situation might be worse than this. Let's suppose the attacker might use a website that has a cross site scripting vulnerability and by doing this the attacker can open a remote session with the victim computer. There are so many variants of this attack but the most popular one is to spread malware.

Social networking websites are a haven for spammers and hackers to spread their malware, and even affiliate marketers are active on these platform to make a big amount of money. There are many real life examples that can be discussed in this category but the main point is that "the hackers use click-jacking vulnerability to make a message (video, images) viral and the best target is Facebook."

The example is the shocking video of a young girl:

Image Source: http://nakedsecurity.sophos.com/2012/07/06/public-high-school-antics-clickjack/

As Sophos blog (R3) reported, this is a scam and whenever a user clicks on this link it redirects to a website that has a video, but when someone clicks on the play button (which has the hidden like button), the link will be shared on the victim's wall and hence everyone will participate to make it viral.

This is just a simple example but you can face a similar situation everyday on Facebook and other websites because this is very common method.

Social Media: a Security Risk For Organizations

As I have discussed in detail how a social media website can create an undesirable situation for a security professional, in this section I will discuss the top risk (how and why) and the method of protection. It is understood that a business can't neglect social media usage because it is a powerful tool of marketing and brand awareness, but a business should care about the protection of their assets (even a fan page is an asset and security of this fan page is important for a business). There was a time when social media websites were blocked on the organization's network, but now organizations encourage their employees to maintain their strong presence and to participate in the social channel of the organization, so the point is simple: the blockage of these channels is not the right solution.

The biggest threat is not to care about this aspect of security risk. A business has to create policies and procedures that should be the responsibility of an IT department, and for a big company a social media security policy should be the part of overall security policy. The next step is to give the information to each and every employee of the organization by using conferences or even a simple training session to increase awareness. Let's summarize the steps of protection:

  • Social media may create a security risk (accept it)
  • Create a policy of protection
  • Social media security policy should be part of a business security cycle
  • Give training and awareness

One more thing from an organization's point of view is to continuously monitor employees' social media activities, but this method needs to be discussed and debated because in some cases it seems to violate the privacy policy. After training, the IT department can test their employees by using fake profiles and it is even a good practice to monitor the employees (whether they are following the security policy or not).

The dark side of social media is not only for organizations, even an individual home user is not secure, so the best prevention is to create awareness. My suggestion for bloggers is to create a blog post on this topic and encourage guidelines, for example:

  • Use two-factor authentication whenever possible
  • Always look at the address bar of the website
  • Do not add strangers to your friends list (even if stranger has many mutual friends, because reverse social engineering is a technique that hackers are using on Facebook)
  • Use Anti-virus and anti-spyware applications on social media websites whenever possible
  • Always check the URL of a status before opening it
  • Do not use so many applications on the social networking websites or simply avoid unnecessary applications
  • Be active in the security community to learn about the new threat
  • Keep your browser up to date because an out-dated browser is good victim
  • Keep all the necessary protection software up to date

Conclusion

The Internet is the safe place for only those people who aware of the risk and the security, and can take steps to protect themselves, so the best solution is to learn. Social media is a good service because it lets you to share what actually you want to share, but it can also be used for negative purposes, and in both cases you are responsible for your security. Protection and preventative techniques are not very difficult, but you need to be careful while you are on the Internet. Let's make the Internet a secure place by sharing this information.

References

  1. http://en.wikipedia.org/wiki/Robin_Sage
  2. http://www.guardian.co.uk/technology/2012/aug/02/facebook-83m-profiles-bogus-fake
  3. http://nakedsecurity.sophos.com/2012/07/06/public-high-school-antics-clickjack/
Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.