Websense sees social media identity theft as a growing threat for 2012. Eric Doyle argues that it is a present and growing danger.
A recent missive from Websense anticipates a hacky new year in 2012. Like any predictive list, particularly one with a marketing slant, the points made may be disputable or contentious, but there is a lot to be learnt from this Web “sense”.
There is more than a grain of truth in what the company predicts – in fact, many of the grains have been germinating for some time. The over-arching message is that the hacking war is getting personal.
Social engineers at work
Websense’s first prediction reads: “Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.”
The statement is amplified by an explanation that a compromised account allows access to your “friends” – possibly breaking trust, allowing them to be manipulated or both. By this Websense means that if you have a friend in a business that cybercriminals wish to access, they can possibly tease useful information out of that friend by manipulating the bond of trust that has been built up over time. It can also ruin the friendship.
Social networking is the new social engineering channel.
People joining a social network rarely give any thought to the security implications. Even if they do, it is easy in the daily cut and thrust to make ill-advised comments or to express thoughts in words that may be ambiguous. And there’s always someone who will shout, “Please, sir, Johnny said a bad thing”.
As a journalist, I have to be careful what I say. A recent post I made about “hackers” brought remonstration from a reader who took exception to my bad-mouthing coders in general. In my “private” social networking life, I have frequently indulged in light-hearted badinage which could be misconstrued and used against me.
Big Brother is watching
By networking with friends and acquaintances, or even strangers, on an equal footing, we are all in a textual version of the Big Brother TV series.
Everything is recorded, everything is available for public scrutiny – well, maybe not everything, but most things – no matter how tightly the privacy settings are screwed down. If you’re being social, something will leak out, be it from your own pages or from your responses to other people.
Hijacking is probably the least you have to worry about. Simply by trawling Facebook, Linked-In, Google+ and all the other social and public entries on the Internet, it’s surprising what hackers can find that will assist them in impersonating you, in making contact with you, or just amassing a store of information about you that could help them crack your passwords.
Anyone can find lists of friends of Facebook friends’ friends simply by following links – an arduous way to unearth useful contacts but if there’s a chance of money in it someone will try it.
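To make the two preceding paragraphs concrete, here is an added example (not from the original article or from Websense) of what a “trawlerman” actually does with scraped profile data: walk the friend graph outwards from one person, then turn the public fields on a target’s profile (pet, birth year, football team, employer) into a targeted guess list and try it against a leaked password hash. The social graph, the profiles and the “leaked” hash are all constructed for the demo; the attribute names are assumptions, not any real site’s fields.

```python
"""
Added example (not from the original article): how scraped profile data
becomes a targeted password-guessing wordlist. All names, profiles and the
"leaked" hash below are constructed for the demo.
"""
import hashlib
import itertools
from collections import deque

# Constructed social graph: user -> set of friends (undirected).
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave"},
}

# Constructed public profile fields, the kind visible on an open profile.
PROFILES = {
    "alice": {"pet": "Rex", "born": "1984", "team": "Spurs", "employer": "AcmeCo"},
    "bob": {"pet": "Tiddles", "born": "1979", "team": "Arsenal"},
    "carol": {"born": "1990", "employer": "AcmeCo"},
    "dave": {"pet": "Bruno", "born": "1982"},
    "erin": {"team": "Chelsea", "born": "1988"},
}


def friends_within(start, hops):
    """Breadth-first walk of the friend graph: everyone reachable within `hops`
    links of `start` (friends, friends-of-friends, ...), excluding start."""
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        user, depth = frontier.popleft()
        if depth == hops:
            continue
        for friend in FRIENDS.get(user, ()):
            if friend not in seen:
                seen.add(friend)
                frontier.append((friend, depth + 1))
    seen.discard(start)
    return seen


def candidate_passwords(user):
    """Turn a profile into the guesses a targeted attacker tries first:
    each field alone in a few capitalisations, joined to the birth year,
    with the usual trailing digits and symbol, and pairs of fields joined."""
    profile = PROFILES.get(user, {})
    words = {v for k, v in profile.items() if k != "born"}
    words |= {user, user.capitalize()}
    words |= {w.lower() for w in list(words)} | {w.capitalize() for w in list(words)}
    year = profile.get("born")
    guesses = set(words)
    for w in words:
        if year:
            guesses |= {w + year, w + year[2:], year + w}
        guesses |= {w + "1", w + "123", w + "!", w + "1!"}
    for a, b in itertools.permutations(words, 2):
        guesses.add(a + b)
    return guesses


def crack(sha256_hex, user):
    """Try every profile-derived guess against a leaked unsalted SHA-256.
    Returns the matching plaintext, or None if the profile gives no hit."""
    for guess in sorted(candidate_passwords(user)):
        if hashlib.sha256(guess.encode()).hexdigest() == sha256_hex:
            return guess
    return None


# Constructed "leak": alice chose pet name plus birth year, a common pattern.
LEAKED_HASH = hashlib.sha256(b"Rex1984").hexdigest()

if __name__ == "__main__":
    print("two hops from carol:", sorted(friends_within("carol", 2)))
    print("guesses for alice:", len(candidate_passwords("alice")))
    print("cracked:", crack(LEAKED_HASH, "alice"))
```

A few hundred profile-derived guesses is nothing next to a brute-force run, which is the point: the attacker does not need to crack the hash, only to know enough about you to guess well. The same guess list also feeds the “forgotten password” security questions that ask for a pet or a first school.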
A marketable resource
Having netted a dossier or two on a number of individuals, the trawlermen have something to sell – possibly to other, more ingenious hackers, but possibly as a service to less likely miscreants.
Anyone who’s been involved in an interviewing panel knows the problems that Human Resources (HR) departments face when making an appointment. This is especially true for high-profile jobs. One of the standard questions political parties ask of prospective candidates is: “Is there anything in your past that might be used against you or to embarrass the party if you were elected?”
In the age of social networking, this can be a tough question to answer. Just one forgotten tweet and the Twitter bird can come home to roost with disastrous results. It is just a small step to look towards online detective agencies who can screen what is known.
As far as I can see, this has not been tested in court but it’s at the very least considered “bad form”.
Anyone can join Facebook in any of the networks it embraces or create a vast network of contacts in Linked-In. It is quite likely that HR people will befriend HR people in other firms. They also befriend colleagues at work, so somewhere in the interlinks a prospective candidate for a job could possibly be tracked down from a previous or current employment. Even current employees looking for a promotion could be screened (probably without a great deal of effort).
It’s a hazardous path to embark upon because, if found out, it could be regarded as a breach of the Data Protection Act through misuse of personal data. It could also lead to court through claims of discrimination if an employer based its recruitment decisions on a job seeker’s social habits.
It would also be interesting to see the response of the data owner – no, not the individual, but the social network operator, which often appears to care less for its users’ privacy than for those users’ value as a marketing target. Background searches would be seen as an underhand manipulation of its resource and would be deemed an illicit use of the site for commercial purposes. The punishment for such an abuse would be expulsion.
So any HR worth their salary would never, ever stoop so low. Would they?
Maybe not. At the Security B-Sides conference last April, Stephen Bonner, Barclays head of Information Risk Management, gave a light-hearted talk on “How Not To Get Hired For A Security Job”. On the subject of social media, he said, “We all know that Human Resources are not supposed to look at the Internet for information about job applicants – but most of them do.”
Websense is right to point out its spin on social networking but that is only the tip of a very treacherous Zuckerberg – sorry iceberg.