Social Networks and You
by Kris Rowley, System Security Director
There has been a lot of talk about social networks in the news lately. Social networks are web sites such as MySpace and Facebook, to name a couple, where people can go to make new friends, socialize with known friends and share information about themselves. This trend toward online social networks started out in colleges as a way for students to stay in touch with friends at home as well as college friends during breaks or after graduation. This form of socializing has grown tremendously over the past few years. There are now sites focused toward college students, others designed for professional networking, some for the general public and, I am sure, others for most interests people may have. I have mentioned MySpace and Facebook only because they are well known by most people, but they are not the only social networking sites out there. Like most things, this started out as something good. Also, like most things, someone had to spoil the fun.
I decided to discuss Social Networks this week because someone I know had a Facebook page that was hacked recently. The result was that her site was converted into a porn site. The hacker also sent out emails, from this woman’s email address to people in her address book. Needless to say, the emails were not nice. As a result, she had a lot of explaining to do to a lot of people.
This incident, in the big picture, was not horrible. It was embarrassing and troublesome, but not horrid. Newsworthy social network stories involve young people who have killed themselves because of cyber bullying, people who have lost jobs because of what they have posted on their own site, and public embarrassment of public figures who have had their pictures taken in compromising situations and posted for the world to see. President-elect Obama had his web site hacked. There are many examples of identity theft, cyber stalking, and other criminal activity associated with social networks.
You may be able to discern at this point that I do not like social network sites. As the Security Director for the State of Vermont, I have reason not to like them. Social network sites such as Facebook and MySpace, for example, are perfect models for the three D’s of insecurity: insecure by design, insecure by default and insecure in deployment.
Security is clearly not part of the business model for the owners of these popular sites. My key message to you is, if you use these sites or are thinking about using them, assume that what you post is going to be public. If you give out personal information on one of these sites, assume someone will use it against you at some point.
One of the key advantages that hackers have is that there is an end-user population out there hungry for peer interaction and imbued with trust. I am not going to get into pop psychology; just trust me that this is a true statement. Now, with trust and eagerness for interaction and to “have the most friends on a friends list,” people invite all kinds of people into their site. Hackers love this, and use it against people.
Now don’t feel bad if you have fallen for a social engineer/hacker trick. It even happens to people who should know what to watch for and how to protect themselves. These hackers are very good at what they do.
Trust and eagerness gone awry were demonstrated in an experiment by two hackers at the 2008 Black Hat briefings. (Black Hats are “bad guy” hackers and yes, they have public conventions… that is a story for another week.) Anyway, two White Hat hackers (yep, “good guy” hackers) set up a fake profile of a well-known security expert, with his blessing. In very short order, the “security expert” was contacted by the CSO of a security vendor, a Fortune 100 CSO, an information security magazine editor and many others who never questioned whether this was indeed the security expert they thought it was. Nor did they hesitate to share information with someone they thought they could trust.
The White Hat hackers did not exploit this misplaced trust, but concluded that if their faux “security expert” had shared a malicious website link or application, those trusting folks would have unknowingly become victims in a heartbeat.
You may now be asking what you can do to protect yourself. My first suggestion would be to cancel your subscription to the site; however, that is a totally biased suggestion. Short of that, my recommendations are:
- Only invite people you know into your site. Or people that your friends know and trust.
- Don’t give out any personal information that someone could use against you.
- Do not post pictures or text on your site that you would be embarrassed by if your children/parents/spouse viewed or read it.
- Remember, many employers view these sites. Don’t put yourself in a position to lose a job because of what you post.
- The government also checks sites frequently. Do not post threatening content!
- If someone you don’t know starts asking you questions, be careful what you say.
- Do not trust anyone on a social network site!!! Not even your “friends.” Your “friend” might be a hacker posing as someone you know. Talk to your friends via email or on the phone….better yet, in person!
- If you have children who use these sites, monitor them closely! Pedophiles can determine where a child lives or goes to school via clues in photos or by what a child might tell them.
- Lastly, if you do get hacked or threatened, call your local police or State Police. Most states have a cyber crimes unit that handles these kinds of issues.
Be paranoid! It may save you a lot of trouble in the future.