The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896

The Business Forum Journal

 

Social Engineering in Social Networks
 

By Joseph Vaughn-Perling
 

 

LinkedIn IPO’d a year ago; SINA in China, Twitter, Google+, and now the Facebook IPO have focused much attention on the economic value of social networks.  In setting a value, part of the assessment must include what value is at risk. Social networks carry significant risks which are often ignored by the people who use them.  One of these risks is the usefulness these networks provide to those who would engage in social engineering.  Furthermore, these networks are increasingly used to authenticate users to other systems and web sites. Fortunately there are also some ways to defend against this.  How effectively each social network addresses these risks is a good metric for evaluating its exposure.

Much of this value lies in the usefulness of the social network for meeting our goals.  We can define “social engineering” as the act of manipulating a person to accomplish goals that are not in their own interest but in the interest of the social engineer.  The vulnerability to social engineering, and the ability of the network provider to mitigate that vulnerability, are the forces acting on the collective consciousness of the individuals within those societies, and it is those individuals who comprise the value of these networks.

The risks can be loosely categorized as Financial Risk, Personal Risk, Social Risk, and Corporate Risk; after examining each, we will look at some ways to mitigate them.

Financial Risk

Social networks can easily be used to provide fraudulent background information, which can be used for a variety of malfeasance; perhaps the most nefarious uses are by scam artists seeking your money.  Not only is the information posted about oneself on a social network not fact checked, its authenticity can be artificially enhanced to appear more credible.  One method commonly used by miscreants is the practice of “clickjacking” to increase the number of “likes”, “follows” or “+1”s for their fraud.  A particular "likejacking" virus can make use of almost any interaction with your browser to increase the “likes” of a Facebook listing.

Increasingly, social network providers are also identity management providers.  People can use their Facebook, iCloud or another credential to connect with many other websites or applications.  This makes the security of anything on those other sites necessarily weaker than the security of the social network itself.  Simply put, an intrusion into either the social network or the other site may compromise the identity credential.  The larger the grouping of single-sign-on applications for the credential, the more vulnerable it may become, depending on the protocol and protections used by the provider.

This increases the risk of identity theft exponentially with each new authentication supplicant (a site or application that relies on the social network’s login) that is brought into the network.  It also increases the value of the target to attackers, as more and more value is placed behind the same authentication mechanism.  Different network providers have implemented security differently, and not all of the protocols are compatible or offer similar security.

Personal Risk

Social networks provide ample opportunity to disclose very personal details about the life and activities of an individual.  This can include such elemental data as your current location, information or news about your family, your interests, travel plans, even your daily itinerary.  From this information, additional information can easily be inferred.  If your interests and activities include golfing, yachting, luxury travel, equestrian activities and attending cultural events… then you can assume that your wealth level can also be ascertained.

Additional information can suggest particular times of vulnerability for an individual.  Death announcements, medical information, travel details all can point to times of increased risk and change in the life of an individual.  Generally, for social media which require advertising for their revenue, the more vulnerable an individual becomes due to information disclosures, the more valuable they become to the social media site as they are more easily targeted by those marketing to them.  This misalignment of interests between people and the websites they use to communicate is the source of most of the problems for their safety.

For the section of people who rely on their fame for their fortune, there are vastly more vulnerabilities.  There is now a market for school yearbooks, which are bought and used to infiltrate the lives of famous people by impersonating people they may have known during their earlier years and infiltrating their social circles in order to discover and sell personal information about them to tabloids.  Few of us have such problems, but in fact all of our reputations may be at risk, to some extent, from the use of social media against us.  Because of this, there is a side business of Search Engine Optimization (SEO) firms that manage the digital reputation of individuals and businesses.

Social Risk

A variety of purely social risks arise from unintended disclosures which may be made through social media.  When interacting with a social media site, the social media provider may have an incentive to track activity and purchases in order to better target advertising, and so to sell that advertising more dearly.  This incentive runs counter to the natural incentive of the individual, who may simply desire to connect with a community, get a good price, or understand whether a purchase is advisable.  The searches we make, the particular advertisements we click on, and the words we write are all tracked in order to create a picture of who we are and, more importantly, what we are likely to buy.  To the extent that people live slightly in their own future through their aspirations, hopes, fears and desires, they provide advertisers with insights into what they would be most likely to purchase.

This information also has other social uses, and the individual motivations behind them may or may not be innocent.  Social media information is often used in hiring decisions, in dating, and in other decisions a person’s society makes about them; even a casual acquaintance who sparks our curiosity might prompt a search.  Certainly whenever we contemplate adding a person to a circle of trust in a social media site, we learn a bit about them and use this to determine whether further association is desirable.

Additionally, a social media provider may engage in its own social engineering.  In May 2012, Facebook introduced an organ donor status to encourage its users to declare that they are organ donors.  There is social pressure to join causes of all types, and that pressure is somewhat effective in reshaping what we see as social good.

Corporate Risk

Perhaps the greatest risk is the risk to corporations.  Where there are centers of value, there are corresponding centers of threat for social engineering.  One of the most noteworthy victims of social engineering through social networks was RSA.  The attack against RSA was launched by spear phishing, using information about its employees discovered through social media.  Identifying individuals within an organization, and their roles within it, is made easier by social media.  An attacker can discover the members of your company’s IT organization responsible for the asset of interest to them, and then find out about the interests and activities of these people in order to craft a message with the greatest likelihood of being opened and its instructions followed.  This can be as innocuous as clicking on a link to a website that hosts hidden malware, or opening a file attached to an email.

Even the more secure cloud media are vulnerable to social engineering.  This week a web security company’s CEO was hacked through his use of Google+, Gmail, AT&T Mobility and their own internal security policy, by way of a social engineering attack.  Social engineering targets the weak element of security: the people who use it.  Often these people are overconfident or simply have a moment of weakness.  Either way, a determined social engineer can wreck carefully architected security implementations.

This sort of attack also damages a corporate brand.  Further brand damage can occur when bad things are written about a corporation in social networks, a hardship which can only be partially mitigated by marketing efforts from within the social network.

Information Leakage

Additional information-leakage risk arises from analysis performed within the social network by the network itself.  Undergoing an initial public offering brings a company not just new money but also new reporting requirements.  This means new data collection and collation.  The combination of new money and new reporting can be a great catalyst for change.  There is a risk to the robustness of a social network company struggling with these issues, as there is with any change.  A certain level of analysis and monitoring of its users is permitted by governance in order to handle issues such as fraud; however, the more information over which a social network claims ownership, the greater its responsibility for it, and the greater the vulnerability of the society the network serves.

Defenses

Mitigation of these risks will in some cases depend on the social media provider.  There are many differences between social media offerings.  Some social media sites provide configuration capabilities that can limit the exposure of information that may increase risks to individuals and groups.  Configuration options that create “walled gardens” within the site, constraining information distribution to known groups, provide benefits to the extent that the levels of trust within each group or subgroup are adequately governed.  There is little that can be done to prevent breaches of trust or betrayal, though some sites offer means to detect them after the fact.  The extent to which monitoring and fine-grained authorization configuration are simply and easily provided to its users is perhaps the best measure of an effective social media site from the perspective of the users.

Some mitigation is effective against all social media exposure: for a company, by redrafting IT security policies to incorporate social media usage; for individuals, by understanding the risks and constraining behavior appropriately.

There are some specific areas which can assist with this IT policy or behavior modification.  These can become the core of your new IT policy structure, or your personal governance:

- Understand what you are clicking.

- Use good password security, including password recovery procedures (or disabling password recovery).

- Trust selectively.  Just because something says it is from someone does not mean that it is from them.

- Protect your contact information.  It can be used to impersonate you, or to gain other details of your identity.

- Protect your groupings.  Trust has layers and levels. Do you trust a person you never met as much as a close friend?  Are they in the same trust grouping?  If the social media provider offers only one group, consider having multiple accounts.

- Assume that anything you submit is permanent and visible to everyone.  Take care with what you associate with yourself.  You are the sum of your actions, and people will trust you or not depending on what you do and what you write.

- Do only what is necessary.  Refrain from adding extraneous bits to what you do; each addition degrades security.

- Do no harm.  “Going negative” on other people or companies may provide the target of your ire with evidence against you for any manner of counter-attacks against you or the company you represent.

Another mechanism some corporations use is to create “honey pot” users of social media sites which appear as attractive social engineering targets in order to detect when there is a social engineering attack against them.  This requires some effort on the part of the corporation but can be a valuable early warning system to detect and deter such attacks as well as enhancing the social engineering awareness campaign of the company.
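The honey pot idea above only becomes an early-warning system if someone actually watches the decoy accounts. The following is an added example, not code from the article or any platform: it assumes the company controls a few decoy profiles (hypothetical names `it-admin-decoy` and `payroll-decoy`) and receives a platform activity export as one JSON object per line (a constructed format, not any real social network's API). Any actor who touches a decoy is flagged; an actor who touches several decoys, or decoys plus real staff, is raised to high severity because that pattern looks like a reconnaissance campaign rather than a stray click.

```python
"""Detect inbound contact with decoy ("honey pot") social-media accounts.

Added example, not part of the article. Assumes a constructed activity
export of one JSON object per line; no real platform API is used.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Decoy profiles the company controls; nobody legitimate should contact them.
DECOY_ACCOUNTS = {"it-admin-decoy", "payroll-decoy"}

# Constructed sample activity lines (not real platform output).
SAMPLE_LOG = """\
{"ts": "2012-06-01T09:02:11Z", "event": "connect_request", "from": "recruiter.jane", "to": "alice.real"}
{"ts": "2012-06-01T09:04:40Z", "event": "connect_request", "from": "recruiter.jane", "to": "it-admin-decoy"}
{"ts": "2012-06-01T09:05:02Z", "event": "message", "from": "recruiter.jane", "to": "it-admin-decoy", "text": "Quick question about your VPN setup"}
{"ts": "2012-06-01T10:15:00Z", "event": "connect_request", "from": "bob.colleague", "to": "alice.real"}
this line is deliberately malformed and must be skipped
{"ts": "2012-06-01T11:30:19Z", "event": "message", "from": "recruiter.jane", "to": "payroll-decoy", "text": "Can you confirm the W-2 process?"}
"""


@dataclass
class Alert:
    actor: str
    decoys_touched: set = field(default_factory=set)
    real_accounts_touched: set = field(default_factory=set)
    events: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Several decoys, or decoys plus real staff, looks like a campaign.
        if len(self.decoys_touched) > 1 or self.real_accounts_touched:
            return "high"
        return "medium"


def parse_events(log_text: str) -> list:
    """Parse one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad export line must not abort monitoring
    return events


def detect_honeypot_contact(log_text: str, decoys=DECOY_ACCOUNTS) -> dict:
    """Return {actor: Alert} for every actor that contacted a decoy account."""
    by_actor = defaultdict(list)
    for ev in parse_events(log_text):
        by_actor[ev.get("from")].append(ev)

    alerts = {}
    for actor, evs in by_actor.items():
        touched = {e.get("to") for e in evs if e.get("to") in decoys}
        if not touched:
            continue  # never contacted a decoy: nothing to report
        alert = Alert(actor=actor, decoys_touched=touched)
        alert.real_accounts_touched = {e.get("to") for e in evs if e.get("to") not in decoys}
        alert.events = evs
        alerts[actor] = alert
    return alerts


if __name__ == "__main__":
    for actor, alert in detect_honeypot_contact(SAMPLE_LOG).items():
        print(f"[{alert.severity}] {actor}: decoys={sorted(alert.decoys_touched)} "
              f"real={sorted(alert.real_accounts_touched)} events={len(alert.events)}")
```

Because decoy accounts have no legitimate correspondents, even a single connection request is a signal worth reviewing; the severity rule only prioritizes which alert the security team looks at first, and the full list of the actor's events is kept so the real employees they approached can be warned.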

Awareness is the best defense, and an educated user base will be highly resistant to social engineering.  Awareness campaigns can never be relaxed and require continuous reinforcement.  The more successful awareness programs are mandatory and are tracked within a company.  Personal accountability must be enhanced, as must a culture of security within an organization.

Every individual using social media is well served by practicing limited-trust principles and considering the potential audiences of all information shared.  Email is a very insecure communication mechanism; social media is inherently more insecure.  Some protections are available through configuration within the social media environment; however, the EULAs often allow the social media provider to make changes with or without notice, and may also confer partial or total ownership of information shared on their networks.

Another defense is the use of multi-factor authentication.  Some common mechanisms for this are Token-on-Demand features delivered to a mobile device, or a PIN code on a token.  These mechanisms are helpful in primary authentication, but do nothing to protect how the service is used once authentication is completed.  This defense is resistant to social engineering, but since the weakness social engineers exploit is the human factor, nothing can be as good as education and awareness.

In the final analysis, the intelligent user of social networks takes care to balance their use against the risks they present.  Society is dynamic and innately personal, but not at all private.  Every word that issues from each of us becomes part of our “permanent record” for all the universe to examine.  We are the sum of what we do and what we say, as well as what is said about us by others.  When exposing ourselves to the world, we offer new avenues for adventure to the vast audience of all participants in society.  Within that society are those who love us, those who would prey upon us, and many who would pass idly by.  Take care that all of these are in mind with each of those words and deeds; being carefree brings to mind Janis Joplin’s sage advice: “Freedom's just another word for nothing left to lose.”


Joseph Vaughn-Perling is a Fellow of The Business Forum Institute and is currently the Security and Authentication Capability Manager for British Telecom Global Services.  He holds a B.S. degree in Psychology & Cognitive Science from the University of California Los Angeles and studied Law at the University of San Diego Law School. Prior to joining British Telecom he was LAN/WAN Technologist for William O’Neil & Co., publisher of Investors Daily, and was Senior Consulting Engineer (Global Security, Security Development & Legal Dept) at Infonet Services Corporation. Joseph is a Certified Information Systems Security Professional (CISSP) and a Certified Checkpoint Systems Engineer (CCSE). He is a recognized Network Design Architect for fault-tolerant, globe-spanning networks and applications, and a Member of the Board of Directors for international networking companies.



The Business Forum
Beverly Hills, California United States of America

© Copyright The Business Forum Institute 1982 - 2012  All rights reserved.