How tweets about your sick cat threaten our security health

How tweets about your sick cat threaten our security health

Summary: You may think you know the risks of giving away too many personal details in social media. The trouble is others around you may not.

SHARE:

For those in positions of importance at large organisations, or with access to sensitive data, social media is a massive threat.

This is a lesson I learned early on in my time working at US federal agencies. At these organisations there is a deeply ingrained culture of information paranoia. There are good reasons why you don't see the director of the CIA sharing Twitpics of his morning bagel.

While that is an extreme example, there is a lesson about social media's impact on data security there for everyone. Electronic information-stealing techniques that were once the preserve of intelligence organisations have crossed over into the enterprise arena and are flourishing.

This trend has been enabled almost entirely by the information available on social platforms. Driven by corporate activism or good old-fashioned greed, a higher echelon of computer crook is now in operation.

Valuable corporate data

Content to let the haxxorz add to the sea of consumer-facing malware, they take a far more secretive approach aimed at compromising high-value targets. For them, it's not about picking through stolen credit-card numbers, but a chance to steal valuable corporate data.

This boom industry wouldn't be possible without the mainstream popularity of networks such as Facebook, Twitter and their alternatives.

Even if we are increasingly wise to the risks, our less security-conscious friends can be the weak link

To outline this threat, let's consider the following scenario. A cybercriminal has identified a company that they wish to target. Next, a mark needs to be sought out. Thankfully, LinkedIn provides a massive searchable online database.

Here people not only identify their employer, but also lay out in some detail what they do on a daily basis. Finding a person with the desired level of access is relatively easy. Once the appropriate person has been identified, this is the moment the long game begins.

Taking a direct approach, the mark can be friended or followed using a spoofed account featuring someone they think they might know, or might want to know — those pretty, yet unknown, girls who want to follow are doing it for a reason.

Scraping data from social media

Sometimes useful information can be scraped directly off a public-facing Facebook, Twitter, Google+ or LinkedIn page. Even if we are increasingly wise to this risk by now, our less security-conscious friends can be the weak link.

Criminals can sift through all the unsanctioned tagging of the target in pictures, the sharing of nuggets of info or even checkins at locations. Friends and family can often paint a more vivid picture of the targets than the individuals themselves.

Then it is simply a case of waiting for the right information or the right time to launch a tailored social-engineering malware attack. For example, a VP of finance whose friend checks them in on Facebook at the Grand Hyatt in New York City, or posts a Twitpic of them in the lobby, is far more likely to open an email from the spoofed hotel concierge.

The email heralds the importance of the attachment, which is actually a malicious executable that when opened begins to perform long-term monitoring. This type of malware will often move to associated company networks, creating a multiplier effect.

It might sound far-fetched, but the openness of social media means these types of attack are increasing, despite shiny enterprise countermeasures. Consequently, operational security training for employees is a must.

Healthy degree of paranoia

This kind of training needs to shine a spotlight on social engineering and social media for as many staff as possible. Instilling a healthy degree of paranoia is a good thing, as is teaching people to separate their work life from their online one. Serious enterprises with the most to lose could even ban social media at the firewall — it may be Draconian but it removes a point of risk.

It is ironic that something as seemingly meaningless as Joe Blogg's sick rabbit or Dublin stag-weekend photos are undermining countless hours of security policy and technological innovation, but it is unfortunately a fact.

It is mostly unfair to say social media makes people stupid, but it does provide a window for some rather devious and clever people. And, while technology can help prevent some of the dangers, a human solution is key to solving a very human problem.

Topics: Security, Social Enterprise

Adam Kujawa

About Adam Kujawa

Adam Kujawa is a malware researcher at security software company Malwarebytes. He has also previously worked for a number of US federal and defence agencies.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

10 comments
Log in or register to join the discussion
  • Untrue

    It's totally fair to say that social media makes people stupid.
    Bobarino
    • totally

      I can't tell you how many people put up their party pics on facebook and then call out injustice when their boss gives them a drug test. It's all becoming a public diary more and more.
      kikax
    • Couldn't agree more.

      This "socal media" garbage has certainly dumbed down society.
      IT_Fella
      • The majority of mankind has always been dumb.

        Social media merely puts them in the limelight.
        JoeAUser
        • And its a good thing too...

          because The Jerry Springer Show and Judge Judy can only show off so many stupid people a year!
          mlashinsky@...
    • lol

      I disagree, when used correctly, social media can be a very powerful tool. I was very much against using twitter because I thought the same thing as you: "Only a bunch of self-obsessed losers use Twitter!" Then I realized that it is actually a great way to stay informed about your interests or your career field. Now I use it regularly to keep up with new trends and information I might otherwise be unaware of. At the same time it's a forum to share interesting information with other people.

      As far as Facebook and the like go, while it is often used for the wrong purposes, I have seen numerous occasions where people interact in discussions about things they might not ever have the chance or opportunity to talk about with people all over the world. You have to take the good with the bad and while you could easily say that social media makes people dumb, I for one think it makes me smart, when used correctly that is.
      Adam Kujawa
  • I think you had a key point....

    There was a key point that you kind of glossed over, but should have been emphasized in bold, italics, underline, flashing neon, larger print, etc.

    SEPARATE WORK LIFE FROM PERSONAL LIFE

    This is something that we don't do enough of, either online or offline but is extremely important for your mental health. Now, yes we do have the standard office parties and such where your spouse is expected to attend and there will be situations where one will interfere with the other. But outside of these things we should strive to keep them separate. This is especially true if you are running your own business, as we all need downtime from work to recharge. By keeping them separate you end up eliminating the issues in this article by simply doing what you should already be doing anyway.
    cmwade1977
    • worker machine

      When you boil it down, work life is your personal life. If this wasn't so, you could say one isn't a person when they are working. If your work isn't personal, than you must be a machine. Is this why the world is so screwy?
      at0m1k
      • Social media is a two way mirror.

        Thanks for the comments guys! I think what cmwade1977 is trying to say is that you need to realize that social media is not a personal diary where you can write your secrets but rather an outward facing portrait of who you are that can be seen by anyone. I don't believe you should be a robot at work, you should have fun and be yourself but at the same time, posting pictures of you boozing it up all the time or even doing illegal drugs might look bad on you, especially if you keep your account public.

        The purpose of this article is to talk about how, beyond it being used as a method to check out a prospective employee, it can be used my malicious actors to gather intelligence on you. You might even think "Oh, that would never happen to me, I'm just a nobody" well think again. A few months ago, a guy was prosecuted for trying to blackmail some people into giving him nude photos of them with personal information and nude photos he found in their e-mail. How did this guy get into their e-mail accounts? It wasn't from hacking or password cracking, he just went on their social networking sites, gathered info and used it to obtain their passwords by answering their security questions, it was that easy.

        Bringing it back to the topic of the comment, you could always use your social networking profiles as a way to see what other people see of you, like a two way mirror. Do you want to be perceived as the drugged out party guy that only posts pictures of themselves in less than reputable positions, or do you want to appear as a professional, put together person?
        Adam Kujawa
  • Umm, Freud?

    There are good reasons why you don't see the director of the CIA sharing Twitpics of his morning bagel.

    Is "bagel" code? The CIA Director and his "bagel" seem to have shared a lot.
    m0o0o0o0o