How tweets about your sick cat threaten our security health

Summary: You may think you know the risks of giving away too many personal details in social media. The trouble is others around you may not.

For those in positions of importance at large organisations, or with access to sensitive data, social media is a massive threat.

This is a lesson I learned early on in my time working at US federal agencies. At these organisations there is a deeply ingrained culture of information paranoia. There are good reasons why you don't see the director of the CIA sharing Twitpics of his morning bagel.

While that is an extreme example, it holds a lesson about social media's impact on data security for everyone. Electronic information-stealing techniques that were once the preserve of intelligence organisations have crossed over into the enterprise arena and are flourishing.

This trend has been enabled almost entirely by the information available on social platforms. Driven by corporate activism or good old-fashioned greed, a higher echelon of computer crook is now in operation.

Valuable corporate data

Content to let the haxxorz add to the sea of consumer-facing malware, they take a far more secretive approach aimed at compromising high-value targets. For them, it's not about picking through stolen credit-card numbers, but a chance to steal valuable corporate data.

This boom industry wouldn't be possible without the mainstream popularity of networks such as Facebook, Twitter and their alternatives.

To outline this threat, let's consider the following scenario. A cybercriminal has identified a company that they wish to target. Next, a mark needs to be sought out. Conveniently for the attacker, LinkedIn provides a massive searchable online database.

Here people not only identify their employer, but also lay out in some detail what they do on a daily basis. Finding a person with the desired level of access is relatively easy. Once the appropriate person has been identified, this is the moment the long game begins.

Taking a direct approach, the attacker can friend or follow the mark from a spoofed account posing as someone the mark thinks they know, or might want to know: those attractive strangers who want to follow you are doing it for a reason.

Scraping data from social media

Sometimes useful information can be scraped directly off a public-facing Facebook, Twitter, Google+ or LinkedIn page. Even if we are increasingly wise to this risk by now, our less security-conscious friends can be the weak link.

Criminals can sift through all the unsanctioned tagging of the target in pictures, the sharing of nuggets of info, or even check-ins at locations. Friends and family can often paint a more vivid picture of the target than the individual does themselves.

Then it is simply a case of waiting for the right information or the right time to launch a tailored social-engineering malware attack. For example, a VP of finance whose friend checks them in on Facebook at the Grand Hyatt in New York City, or posts a Twitpic of them in the lobby, is far more likely to open an email from the spoofed hotel concierge.

The email stresses the importance of the attachment, which is actually a malicious executable that, once opened, begins long-term monitoring of the machine. This type of malware often spreads to connected company networks, creating a multiplier effect.
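The decisive technical fact in that chain is that the lure's attachment is a program, whatever its name or declared MIME type says. The following is an added example, not code from the original article or its author, showing the kind of gateway check that catches it: the attachment's real format is read from its leading bytes and compared against its filename and declared content type. The email, sender domain and attachment bytes are all constructed here for illustration; the PE payload is just the DOS header magic "MZ" followed by filler, not a real executable.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes that identify a file's real format, independent of its name.
MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP container",
}

# Extensions Windows will execute directly if the user double-clicks.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".jar"}


def identify(data: bytes) -> str:
    """Classify content by its magic bytes; 'unknown' if no signature matches."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def suspicious_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that should not reach the mark."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = identify(data)
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        declared = part.get_content_type()
        if kind.endswith("executable"):
            # The decisive check: the bytes are a program, whatever the name or MIME type says.
            findings.append((name, f"content is a {kind} despite the name"))
        elif ext in EXEC_EXTENSIONS:
            findings.append((name, f"executable extension {ext}"))
        elif declared == "application/pdf" and kind != "PDF":
            findings.append((name, f"declared PDF but content looks like {kind}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the shape the article describes; every name and domain is made up."""
    msg = EmailMessage()
    msg["From"] = "Concierge <concierge@hotel-reservations.example>"
    msg["To"] = "vp.finance@target-corp.example"
    msg["Subject"] = "Your reservation: action required before check-in"
    msg.set_content("Please review the attached reservation details before you arrive.")
    # A PE-shaped file (DOS header 'MZ' plus filler) sent under a PDF name and PDF content type.
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application", subtype="pdf",
                       filename="Reservation_Details.pdf")
    # A genuinely PDF-shaped attachment for contrast; it must not be flagged.
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="Hotel_Map.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in suspicious_attachments(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

Run stand-alone it flags only Reservation_Details.pdf, because its bytes are a Windows PE executable even though its name and Content-Type both claim PDF. The check is deliberately ordered so that the content signature wins over the extension and the declared type; an attacker controls both of the latter, but not what a Windows loader will accept as a program.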

It might sound far-fetched, but the openness of social media means these types of attack are increasing, despite shiny enterprise countermeasures. Consequently, operational security training for employees is a must.

Healthy degree of paranoia

This kind of training needs to shine a spotlight on social engineering and social media for as many staff as possible. Instilling a healthy degree of paranoia is a good thing, as is teaching people to separate their work life from their online one. Serious enterprises with the most to lose could even ban social media at the firewall. It may be draconian, but it removes a point of risk.

It is ironic that something as seemingly meaningless as Joe Bloggs's sick rabbit or Dublin stag-weekend photos is undermining countless hours of security policy and technological innovation, but it is unfortunately a fact.

It is mostly unfair to say social media makes people stupid, but it does provide a window for some rather devious and clever people. And, while technology can help prevent some of the dangers, a human solution is key to solving a very human problem.

Topics: Security, Social Enterprise

About

Adam Kujawa is a malware researcher at security software company Malwarebytes. He has also previously worked for a number of US federal and defence agencies.
