Social Media Security

From IT Security For Libraries Wiki


The Types of Malicious Activities Occurring on Social Networks

  • Scams
  • Stalking
  • Malware
  • Phishing
  • Impostors
  • Spamming
  • Clickjacking
  • Cyberbullying
  • Malicious scripts
  • Hacked accounts
  • Malicious tagging of user content
  • Mining anonymized data sets to extract personal user information
  • Sybil attacks, which involve creating many false identities to carry out malicious activities

It is possible for a hacker or someone else to take over your Facebook page or Twitter account.

  • Make sure you review which apps have access to your social media profiles once in a while.
  • If your library uses social media in your business, make sure you set up accounts (or use your personal accounts) to monitor your official account.
  • Be very cautious in how you handle your account credentials (who you give them to, how they are secured, etc.). The list of people with access should definitely be very short. Use an OAuth-based service or application to allow employees to tweet to your account without having to give them your account password. This is how most Twitter clients work today, for example.
  • If you are large enough, talk to your provider ahead of time to understand how to report problems, and who to report them to. The last thing you want to be doing is hanging out waiting for a help desk person to see your request in the queue. Make contact, get a name, and establish a validation process to prove you are the owner of the account in an incident. You’ll also use this process if an employee goes rogue.
  • Do you own your social identity? You should, if this is what's important to you. You can work to OWN it yourself on ALL sites: Google yourself so you know what's out there, and make your own site.
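The advice above about using an OAuth-style service instead of handing out the account password comes down to one idea: each employee acts through their own revocable grant, and the owner can list and revoke those grants without changing the password. The following is an added example, not code from the wiki or from any real social network's API, that models this in plain Python. The account handle, employee names and signing key are constructed; a real service issues and checks the tokens on its side, but the properties shown (per-person grants, scoping, individual revocation, periodic review) are the same ones to look for.

```python
"""Added example (not from the wiki): a minimal model of delegated, revocable
access to a shared social-media account. The password stays with the owner;
each employee gets a signed, scoped, time-limited token that can be revoked
on its own. All handles, names and keys below are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Set, Tuple


class SharedAccount:
    """Models the library's official account (constructed; not a real service)."""

    def __init__(self, handle: str):
        self.handle = handle
        # Signing secret known only to the account owner / service.
        self._signing_key = secrets.token_bytes(32)
        # token_id -> {"subject": employee, "scopes": {...}, "expires": unix time}
        self._grants: Dict[str, dict] = {}
        self.timeline: List[Tuple[str, str]] = []  # (author, text)

    def issue_token(self, subject: str, scopes: Set[str], ttl_seconds: int = 3600) -> str:
        """Owner issues a per-person token; the password is never shared."""
        token_id = secrets.token_hex(8)
        self._grants[token_id] = {
            "subject": subject,
            "scopes": set(scopes),
            "expires": time.time() + ttl_seconds,
        }
        sig = hmac.new(self._signing_key, token_id.encode(), hashlib.sha256).hexdigest()
        return f"{token_id}.{sig}"

    def revoke(self, token: str) -> None:
        """Revoke one grant (employee leaves, app no longer used); others keep working."""
        self._grants.pop(token.split(".", 1)[0], None)

    def _check(self, token: str, scope: str) -> Optional[str]:
        try:
            token_id, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._signing_key, token_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        grant = self._grants.get(token_id)
        if grant is None or grant["expires"] < time.time() or scope not in grant["scopes"]:
            return None  # revoked, expired, or lacking this capability
        return grant["subject"]

    def post(self, token: str, text: str) -> bool:
        subject = self._check(token, "post")
        if subject is None:
            return False
        self.timeline.append((subject, text))
        return True

    def active_grants(self) -> List[Tuple[str, Set[str]]]:
        """What the owner should review periodically: who currently holds access."""
        now = time.time()
        return [(g["subject"], set(g["scopes"])) for g in self._grants.values()
                if g["expires"] > now]


def demo() -> dict:
    """Walk through issue -> use -> forge attempt -> revoke -> review."""
    acct = SharedAccount("@examplelibrary")              # constructed handle
    alice = acct.issue_token("alice", {"post"})          # may post
    bob = acct.issue_token("bob", {"read"})              # read-only grant
    # Flip the last signature character so the token is guaranteed invalid.
    forged = alice[:-1] + ("0" if alice[-1] != "0" else "1")
    results = {
        "alice_posts": acct.post(alice, "New opening hours this week"),
        "bob_posts": acct.post(bob, "should fail: no post scope"),
        "forged": acct.post(forged, "should fail: bad signature"),
    }
    acct.revoke(alice)                                   # password unchanged
    results["alice_after_revoke"] = acct.post(alice, "should fail: revoked")
    results["remaining"] = [subject for subject, _ in acct.active_grants()]
    results["timeline_len"] = len(acct.timeline)
    return results


if __name__ == "__main__":
    print(demo())
```

The review step is the one most often skipped: `active_grants()` is the equivalent of the "which apps have access" page on a real service, and it is where stale employee or app grants show up.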

People are using social media sites to spread malware and every manner of evil: chat bots, CAPTCHA crackers, malware, spam, botnet command and control, blackhat SEO, and so on. People are more trusting on social sites because it is assumed that those we are connected with are our friends, and evildoers take advantage of this. For example, a botnet can watch Twitter's trending topics to generate its next set of domains.

Social media sites let evildoers hide in plain sight: their posts are one or two among billions. These sites are full of trusting people and don't yet have the rather effective spam filters now found in email. Things spread easily here because most people use these sites for sharing links and other content, and people tend to assume that what is being shared is fine. It's the one-on-one communication that looks innocent but may not be: attackers steal logins and then ask the victim's friends for money, or use people or bots to chat up friends and get them to click on things that will cause trouble. As we all use these sites more, attackers will target us in new and inventive ways, and it will be largely up to the admins at the sites to shut them down.

  • What if one day twitter/facebook/whomever just takes it away?

  • Ignore any links embedded in email messages that appear to come from a social networking service. Instead, connect to the site directly by typing its URL or using a bookmark. This will help avoid phishing-style incidents.
  • Use HTTPS for as many interactions with the social networking site as possible. These settings can be enabled on Twitter and on Facebook. On LinkedIn you can manually change the URL to include “https” on some pages. Alternatively, install a “force HTTPS” type browser extension.
  • Review the list of apps and sites that you granted access to your social networking accounts. Deauthorize the services you no longer use; it is usually easy to authorize them again when the need arises.
  • Don’t include in your social networking communications potentially sensitive information about other people. For instance, some parents don’t like revealing the names of their kids online. Understand and respect your friends’ privacy preferences.
  • Be skeptical of job postings on social networking sites until you confirm that you’re interacting with an official representative of the company where you’d be applying. Avoid responding to offers that sound too good to be true, such as high-paying work-from-home gigs.
  • If a friend asks you for money using chat or messaging functionality of a social networking site, confirm that you’re interacting with the person you know, rather than an impostor or a bot that compromised the account. This could be a variation of the stuck-in-London scam.
  • Be careful clicking on links that use unusual URL-shortening services or those that promise to display shocking or embarrassing videos. If such links bring you to a site that doesn’t feel right, close the browser tab without clicking any buttons on the page to avoid clickjacking attacks and other scams.
  • Don’t download any tools or software updates when prompted to do so after clicking a link you obtained from a social networking site. This could be an attempt to propagate malware.
  • Don’t use public social networking sites to discuss sensitive company matters, even if you believe you’re interacting with people working for the same company. You might be communicating with impostors or potentially broadcasting to the whole world.
  • When sending private messages using a social networking site, assume that some day they may become public. The data might be revealed due to your own error or because the service provider may end up leaking the information inadvertently or through dubious practices.
  • Use social networking services in a manner consistent with your employer’s policies. When encountering a suspicious situation on a social networking site that may involve your employer’s data or computer systems, let your IT or security staff know.

While the tips above were focused on social networking services, standard Internet safety recommendations apply: limit the reuse of passwords across sites; keep up with security practices; disable risky browser plugins that you rarely use (e.g., Java).

Like any of our actions that involve interacting with others, using social networking sites exposes us to risks of being scammed, infected or otherwise attacked. My hope is that the tips above provide practical recommendations that allow people and organizations to derive benefits from these communication mechanisms while keeping the risks at a manageable level. (Lenny Zeltser)
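Several of the tips quoted above (go to the site directly rather than via links in messages, prefer HTTPS, distrust unusual URL shorteners) can be turned into a small triage check that a library's staff could run over a suspicious message before anyone clicks. The following is an added example, not part of the quoted post or the wiki: it extracts the links from a message and flags those that are not HTTPS, those that route through a shortener, and those whose host merely contains a trusted name as a lookalike (for example `facebook.com.account-verify.example`). The trusted-domain list, shortener list and sample message are all constructed, and the registrable-domain helper is a simplification (it assumes a single-label public suffix; real code would use the Public Suffix List).

```python
"""Added example (not from the wiki or the quoted post): flag risky links in a
message according to the tips above. Domain lists and the sample message are
constructed for the demo."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Services the reader actually uses (constructed list; adapt to your own).
TRUSTED_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com"}
# A few well-known shortener hosts (constructed list; extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)\"'"


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: single-label public suffix
    (good enough here; use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> List[str]:
    """Return a list of issue tags for one URL; empty means nothing flagged."""
    issues: List[str] = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        issues.append("not-https")           # "Use HTTPS ... as much as possible"
    base = registrable_domain(host)
    if base in SHORTENERS:
        issues.append("url-shortener")       # destination is hidden
    elif base not in TRUSTED_DOMAINS:
        # Lookalike: a trusted name appears in the host, but the registrable
        # domain is something else (classic phishing-link construction).
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in host and base != trusted:
                issues.append(f"lookalike-of:{trusted}")
                break
        else:
            issues.append("untrusted-domain")
    return issues


def triage_message(text: str) -> Dict[str, List[str]]:
    """Map every URL found in the message to its issue tags."""
    urls = [m.rstrip(TRAILING_PUNCT) for m in URL_RE.findall(text)]
    return {url: assess_url(url) for url in urls}


# Constructed sample message in the style of a phishing lure.
SAMPLE_MESSAGE = """Your account will be locked! Verify now at
http://facebook.com.account-verify.example/login, or watch the video
everyone is talking about: https://bit.ly/xyz123. Our real page is
https://www.facebook.com/examplelibrary."""


if __name__ == "__main__":
    for url, tags in triage_message(SAMPLE_MESSAGE).items():
        print(f"{url:55s} {', '.join(tags) or 'ok'}")
```

Running it on the constructed message flags the lookalike login link as both `not-https` and `lookalike-of:facebook.com`, flags the shortener link, and leaves the genuine `www.facebook.com` link unflagged; the practical follow-up is the tip itself: type the service's address or use a bookmark instead of clicking.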

"Own Your Space", the official guide to Facebook security:

5-40% of web sites' user accounts are fakes, used for spam or spreading malware (where's that citation?)

As Jaron Lanier put it: You think you're the user, but you're the used, or you're the product, and then you end up doing all this stuff to control your online presence, and your online reputation, and people become obsessed with that. But the real representation of you is the one you can't access, which is the one that's used to sell access to you to third parties. ... When [users] contribute to services like Google+, or Facebook, or other social networks, what's happening is they're working for the benefit of someone else's fortune by creating data that can be used to grant or deny access based on pay to these third parties, the tawdry third parties...

To put that another way, you're not the customer; you're the product being sold [Source]