Social Network “in-security”

Pierluigi Paganini November 17, 2011

In recent years social networks have succeeded  in the historic feat of bringing to the web a growing number of users. Jupiter users, the elderly, individuals and businesses all within the large network, many, too much, share the total awareness of what happens when they put their credentials or when attracted by a novice or by a video click on a link.

Or this behavior often blind managers of the major social platforms do not provide useful information because it can spread real awareness of the threat they face. Social networks have a primary purpose, they are designed to stimulate the sharing of personal information, more data a person discloses, more useful he is to the entire business.

Recent events have demonstrated that social platforms implement policies very strict in terms of security, consider for example that they don’t encourage users to choose strong passwords, they don’t encourage users to change passwords periodically exposing them to serious risk. 80% of the users reuse the same weak credentials in different context, business and economic usage included.

Consider that around 5 millions of FB accounts were compromised during last year and the numbers is expected to grow. This means that the entire trust chain can be compromised decreeing the end of the business model behind the Social network.  To contribute to the growth of the risks of using social networks is the massive use of mobile computing. The perception that a mobile device can be exposed to the same threats of a desktop pc is virtually nothing in common use. Some studies of the major antivirus software companies show that the user ignores even the possibility of “infecting” a mobile device. If we project this conception in a work context, the entire security infrastructure could be undermined by what is the weak link in the chain, the undisciplined use of a social network perhaps even through a mobile device.

Another possible threat that affects social networks is the social engineering. Unprecedented growth of user base, ease of finding information about the victims through common search engines expose each user the possibility of being defrauded. The crime industry is well aware of the problem and potential revenues to the point that it is organized by providing real services for the collection of information relating to a potential victim of an attack. The social networking platforms have a huge quantity of information and knowledge for this reason  cyber criminals are interested to it.

For this thriving industry specific applications are designed to collection information, to aggregate profiles sharing particular attributes, systems able to analyze the social behavior of the victims identifying vulnerabilities  with the study of customs, traditions and relationships. The new frontier of social engineering. An example? Suppose we want to circumvent the user X, deputy manager for the project Y of a famous company. Knowing him relationships, creating new ones with fake profiles and managed ad hoc building for them a false reputation may soon come into possession of confidential info related to the project Y.

Begin to make you an idea of the potential dangers? Another threat is carried by hackers who are able with various kinds of raids to insert malicious code directly into the social network through links or apps. Most of the time the user is redirected to sites designed to access personal information of the victim.  Incidents of hacktivism and cybercrime are growing, according official statistics because the increase over last year of similar events is about 300%.  The numbers are alarming but they represent only the tip of the iceberg of the phenomenon being referred to official cases and then analyzed. Most often  Cybercriminals use a technique called typosquatting, registering domains such as faecbook.com, fcaebok.com and so on in the hope of catching unwitting users.

These typosquatted domains are malicious in nature and pose a direct threat to your computing assets.  Websense, a leading content filtering company, has found that over 62% of active domains based on the most common misspellings of Facebook directed the user to malicious websites.  Consider the traffic volumes and the number of users involved in order to imagine the speed and capacity of spreading all kinds of malware.  This is called typosquatting. Cybercriminals are registering domains such as faecbook.com, fcaebok.com and so on in the hope of catching unwitting users.

These typosquatted domains are malicious in nature and pose a direct threat to your computing assets.  Researchers at Websense, a leading content filtering company, found that over 62% of active domains based on the most common misspellings of Facebook directed the user to malicious websites.  In a business context the above exponentially increases the risk of exposure. Social networks are a logical choice, the need to expose themselves in a market without borders, characterized by instant communication and the possibility to create an unlimited number of new relationships and then to run their business.

But the main risk in this case is the total absence of policies on the use of social media. Employees must have a thorough knowledge of the instrument, its potential and its risks, it is necessary to establish the objectives and parameters of a social initiative for the company, otherwise it goes against a disaster foretold. You must determine who is authorized to use social media on behalf of the company and what it is it allowed, what information can be managed in this area and what not at all.

What are the conclusions? … Social networks are essential carrier in today’s scenario, however we still have much to do in terms of user education. The cybercrime refines their weapons and before the threats  become unmanageable we must face the problem of security in depth.



you might also like

leave a comment