Monday, February 1, 2010

Evaluating Risk and Accepting Consequences

Look before you click, and don't log in unless you have to.

Companies from small businesses to major corporations are accessible online to their customers and are becoming actively engaged with them through social media. It seems like opting out of the new digital communication trend isn’t an option if you want to stay competitive as a business or as an employee. Yet the decision to take yourself or your business into social media carries hidden risks. If getting into social media looks profitable to you, imagine how appealing it looks to information criminals.

WhiteHat Security, a leading Website Risk Management Solutions company, reports “statistics showing that 70 percent of websites have at least one critical vulnerability, while another 63 percent fall into the high category.” Of these, “Social Networking sites topped the list this time around with 82 percent having an urgent, critical or high severity vulnerability.”

Information criminals are working overtime to infiltrate vulnerable social networking sites and pilfer the endless personal data that is streaming in. The social media companies have to step up and secure their services, but much of the security burden still falls on the users. There are now hundreds of ways to market yourself through social media. Which ones do you choose to trust? What precautions do you take? How do you calculate the loss when something goes wrong?

Take a look at this social media landscape and consider which applications you use the most.

  • Consider how many password variations you use, how many links you click daily, which applications send out e-mail notifications and which ones don’t.
  • Which ones would you feel safe checking at work?
  • Which applications list personal information or frequent status updates?
  • Have you stopped using one of these applications, but still have an account?
  • Have you checked it lately to make sure it’s still under your control?

Here’s my social media map, starting from the top: Wikipedia, Blogger, Wordpress, Digg, Youtube, Flickr, Phpbb, forums, Skype, Meebo, Google Talk, Facebook, Linkedin, Twitter, Ustream, and World of Warcraft.

This list isn’t comprehensive, but it shows how your personal information can be spread across the internet. I use a few different usernames, unique password for each site and an authenticator for the last one, as an extra barrier between myself and anyone who wants my account information. (An authenticator generates a one-time password offline, either in an app on a mobile device such as a cell phone or on a dedicated hardware token, so a password alone, even one stolen by phishing or malware, is not enough to log in.) I try to limit my personal information and keep tight privacy settings, but I know that my information is still out there. Each application that I use creates another vulnerability that could be exploited by a hacker.

Individuals and businesses have to consider the security risks involved in such an open flow of communication and must be prepared for the consequences, both in reputation and in financial losses, of using unregulated social media.

These are a few examples of what can go wrong.

Email Fraud

Phishing is nothing new. A fraudulent e-mail is sent to the user claiming to be from a legitimate source. The e-mail requests personal information from the user, usually information the real source would already have, claiming that the user’s account is being suspended or that the user needs to update his or her information. While these scams used to be easy to recognize, more recent phishing e-mails look nearly indistinguishable from the real thing and often mimic e-mail notifications from popular social networking sites, such as Facebook. Phishing easily snags personal information and account numbers that can be used for identity theft or to break into other accounts held by the user. Once an account is taken over, the same phishing e-mail goes out to everyone on the user’s contact list, now arriving from a sender they trust.
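"Look before you click" can be automated a little. The following is an added example of my own, not code from this post, that pulls every link out of an HTML e-mail body and flags the tells a phishing notification usually has: the visible URL differs from the real target, the brand name sits inside a host that is not the brand's own domain, the target is a raw IP address, or the host is punycode. The sample e-mail, the `facebook.com.account-verify.example` host and the `203.0.113.5` address are constructed for the demonstration; the two-label rule in `registrable_domain` is a simplification, as noted in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Assumption for this example: the last two labels form the registrable domain.
    # Real code should consult the public suffix list (think co.uk, com.au).
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_links(html: str, brand: str, brand_domain: str):
    """Return [(href, [reasons])] for links that look like phishing lures."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link target is a raw IP address")
        if "xn--" in host:
            reasons.append("internationalized (punycode) host; check for look-alike characters")
        if brand in host and registrable_domain(host) != brand_domain:
            reasons.append(f"'{brand}' appears in a host that is not {brand_domain}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("visible URL does not match the real link target")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a notification that copies the real site's wording and one real link.
SAMPLE_EMAIL = """
<p>Hi, you have 3 new notifications.</p>
<p><a href="https://www.facebook.com/home.php">See all notifications</a></p>
<p>Your account will be suspended unless you confirm your details at
<a href="http://www.facebook.com.account-verify.example/login">http://www.facebook.com/</a></p>
<p>Or use our secure server: <a href="http://203.0.113.5/fb/confirm">Confirm now</a></p>
"""

if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_EMAIL, "facebook", "facebook.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The legitimate `www.facebook.com` link passes because the check is about mismatch and impersonation, not about whether a link leaves the brand's domain at all; a real notification may well link elsewhere.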

Malware and Worms

Malware spreads easily through Twitter and Facebook because the sites are built on networks of people who already trust each other. Often the malware looks for usernames and passwords to other social networking sites, gaining access to even more personal information. When users receive a message from a friend, they are less likely to be suspicious and cautious when clicking links. Malicious links lead users to websites with dangerous scripts that can infect the user’s computer. The Koobface worm tricks users into installing malware disguised as a software update and has been plaguing Facebook, MySpace, LinkedIn, and Bebo.

Twitter falls victim too, as compromised accounts give access to large lists of followers and spread malware easily. Some of these outbreaks do not spread malware at all; they hijack the user’s account and post nuisance spam that spreads to other Twitter accounts. The most recent occurrence was the annoying Mikey virus. One risk even with these nuisance worms is that the Twitter account will be flagged by the community as unsafe and will be avoided, damaging the image of the company and its social media connections.

Hacked Blogs

A hacker gains access to the company blog through a coding vulnerability and doesn’t do much damage, but puts a few inappropriate links or pictures into the posts and creates fake administrator accounts. The user cleans it up and patches the security hole, hoping that few people saw the links and that it didn’t damage the company’s reputation. Weeks later, the user discovers that the hackers left behind code that let them break in again. This time they delete large amounts of content, information that is valuable and hopefully backed up elsewhere. Worse, the hackers put malicious code into a few old posts that the user doesn’t notice. Google decides that the company’s blog isn’t safe for visitors and flags it as harmful in search results, drastically hurting rankings and directing traffic away from the blog.

This happened frequently to Wordpress users in 2009, including Robert Scoble of Rackspace Hosting. Wordpress blogs also fell victim to a worm that spread from blog to blog, copying itself and leaving behind malware and spam on sites running outdated versions of the blogging software. To its credit, Wordpress responds quickly to reported vulnerabilities with patched releases, but only the sites that actually apply the upgrade benefit. Any blogging software carries similar risks. The Blog Herald connects readers to news and resources on keeping bloggers safe and staying alert to known concerns.
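The recurring problem in the scenario above is that the hacker's leftover code and the fake administrators were never found, because nobody knew what the clean install looked like. The following is an added example of my own, not code from this post or from Wordpress, of the check a site owner can run: hash every file right after a clean install or upgrade, and later diff the site against that baseline to list what was added or changed, then grep the changed files for the obfuscated `eval(base64_decode(...))` pattern that injected PHP backdoors commonly use. The directory layout, file contents and the "attacker" edits in `demo()` are all constructed inside a temporary directory, and the pattern list is a starting point, not a complete signature set.

```python
import hashlib
import os
import re
import tempfile

# Patterns typical of injected PHP backdoors (assumption: a starting list, not exhaustive).
SUSPICIOUS = re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def hash_tree(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict):
    """Files added, removed or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified


def suspicious_files(root: str, paths) -> list:
    """Of the given files, return those containing an obfuscated-eval pattern."""
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            if SUSPICIOUS.search(f.read()):
                hits.append(rel)
    return hits


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a tiny blog install, a baseline, then a simulated compromise."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php require 'wp-blog-header.php';")
        _write(root, "wp-includes/functions.php", b"<?php function wp_foo() { return 1; }")
        _write(root, "wp-content/uploads/photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        baseline = hash_tree(root)   # take this right after a clean install or upgrade

        # Simulated attacker: drop a backdoor in the uploads directory and patch a core file.
        _write(root, "wp-content/uploads/.cache.php", b"<?php eval(base64_decode($_POST['c']));")
        _write(root, "wp-includes/functions.php",
               b"<?php function wp_foo() { return 1; } eval(gzinflate(base64_decode('x')));")

        added, removed, modified = diff_manifests(baseline, hash_tree(root))
        return added, removed, modified, suspicious_files(root, added + modified)


if __name__ == "__main__":
    added, removed, modified, hits = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
    print("backdoor patterns in:", hits)
```

Keep the baseline manifest somewhere the web server cannot write to; a hacker who can edit the blog can just as easily edit a manifest stored next to it. The same idea applies to the administrator list: export it after cleanup and compare it on a schedule.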

Risks are Unavoidable

Companies can only do so much to protect themselves by using secure coding, backing up information, and teaching their employees to be aware when browsing the internet and using social media. The sites that employees visit on company computers put the business at risk. Not only can employees misclick and infect company computers, but the information that employees publish about themselves and their work on social networking sites can prove to be a vulnerability to the company.

Netragard took a hacker’s perspective on how to infiltrate a company using Facebook. Using a seemingly innocent profile of a new employee, they earned the trust of co-workers over the internet using information gleaned from social networking sites. And once they had that trust? They sent out a false Facebook update that encouraged employees to go to a site and verify their credentials. The site captured everything typed into it, and with those credentials they gained access to the company network – “including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc.” This sort of vulnerability results in more than an embarrassing incident and could cost the company money and clients. It sounds surprising that people are so willing to give away their information, but that’s exactly what people do, and it’s how social media (and hackers) thrive.

So how will you weigh the risks of sharing your own information, and what concerns will you raise with a company that you represent through social media?


  1. It's a problem, and that's a fact. In the past week alone, I have received official-looking emails from banks (Discover Bank and Citibank) that were both fraudulent, a bogus email from eBay soliciting information, and a phony solicitation from The Haitian Relief Fund (no such fund). Additionally, over the past five years I have had three credit card numbers hijacked and my wife has had two. I don't know if there are more thieves these days, or if the technological revolution we know as the internet is just allowing the same number of crooks to be more effective. Maybe it's a little of both. Whoops. Got to go. I just got an email from someone I never heard of with A PROPOSAL FOR YOU in the subject line. This may be important.

  2. I just read an interesting article on "The Financial Dangers of Social-Networking," which talks about some of the issues you raise.