I love social media. When my aunt got a new puppy, she posted a poll to help her decide what to name it. It was fun to be part of the decision process. In fact, in my small-but-decidedly-not-close extended family, just knowing about the new puppy is a miracle.
And Twitter has helped me many times – finding answers to technical questions, getting a Google Wave invitation (within 2 minutes of asking!), and finding specific technical skills for obscure IT projects. As I said, I love social media.
So, what’s the primary problem with social media security? A lack of awareness among social media users. So many people use social media without thinking about the ramifications. Will my aunt’s new puppy name become the ‘forgot password’ question on her bank’s website? When you post vacation pictures on Facebook, are you giving thieves an opportunity to break into your house? When you twitter “I’m at the San Francisco airport” for a business trip, are you giving away competitive intelligence? Unfortunately, the answer is often: “I didn’t think about that”.
Facebook, Twitter, and LinkedIn have grown in popularity faster than organizational security policies can adapt. And the “friendliness” of sites like Facebook can give users an unjustified sense of trust. After all, you’re sharing your personal information with only your 200 or so closest friends. Who cares if someone finds out your favorite color is blue, or your favorite vacation spot is Hawaii?
We must realize that it isn’t all about Facebook. Attackers are using social media sites to glean private information that may be useful elsewhere. They don’t care about your favorite vacation spot – unless that information is a question asked by your banking site to prove who you are. And most users will assign the same password to all their sites – social media, banking, whatever.
What’s the answer? Here is a list of simple things you can do to protect your private information:
- Obvious (but not easy): use a different password on every site. If this is too daunting, then at least group your passwords into types of sites. For example, one password for social media, another password for banking, etc. Someday I hope for a robust SSO solution, but that day hasn’t arrived yet.
- DO make sure all passwords are strong (at least 8 characters – longer is better, no dictionary words, a variety of character types).
- Be careful about posting pictures that imply you are traveling, particularly if your home is vacant. You can still post vacation pictures – just do it after you return.
- DON’T install every Facebook app your friends send. Anyone can write a Facebook or Twitter application (I’ve even written one!).
- DON’T answer “25 things about me” and other similar surveys. These often ask questions such as “where were you born?”, “what is your pet’s name?”, “what is your mother’s maiden name?”. Do these questions sound familiar? They are the same questions banking sites use to reset forgotten passwords.
- DON’T click links blindly – even from online friends. Koobface (an anagram of Facebook) tricks users into clicking a link that downloads a Trojan from a malicious web site.
- DON’T accept friend requests or visit profiles of people you don’t know. The Mikeyy worm spreads through Facebook and Twitter when users simply visit infected profiles.
- Consider using the Firefox browser with the NoScript add-on. NoScript blocks scripts from running in your browser unless you explicitly allow them.
- As a business, adopt an overall policy on social media use. Here is a great source of several security policies, including a sample social networking policy and a sample Facebook usage policy.
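The strong-password advice above (at least 8 characters, no dictionary words, a variety of character types) is easy to state and surprisingly easy to get wrong in practice. Below is an added example, not code from the original post, that turns those three rules into a checker. It goes one step beyond the list: it also rejects passwords that contain facts the user has posted publicly (a pet’s name, a favorite vacation spot), which is exactly the information the surveys in the list hand to an attacker. The wordlist and the leetspeak substitution table are constructed for illustration; a real deployment would load a large dictionary and a breached-password list instead.

```python
import string

# Constructed sample wordlist. In production this would be a large dictionary
# plus a breached-password list, not a handful of words.
DICTIONARY_WORDS = {"password", "welcome", "summer", "hawaii", "puppy", "football"}

# Character classes that count toward "a variety of character types".
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Common substitutions people use to "disguise" a word (p@ssw0rd, Bl!nky).
# Password-guessing tools try these routinely, so we undo them before matching.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(text):
    """Lowercase and undo leetspeak so 'Bl!nky' and 'blinky' compare equal."""
    return text.lower().translate(LEET_MAP)


def check_password(password, public_facts=(), min_length=8):
    """Return a list of policy violations; an empty list means the password passes.

    public_facts: things the user has posted publicly (pet name, hometown,
    favorite vacation spot). Any of them appearing inside the password is a
    violation, because an attacker can read them as easily as a friend can.
    """
    problems = []

    # Rule 1: length (longer is better; 8 is the floor from the post).
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule 2: variety of character types; require at least three of the four.
    classes_present = {
        name for name, chars in CHARACTER_CLASSES.items()
        if any(c in chars for c in password)
    }
    if len(classes_present) < 3:
        problems.append("uses fewer than three character types")

    # Rule 3: no dictionary words, even with digits/symbols swapped in.
    normalized = normalize(password)
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in normalized:
            problems.append(f"contains dictionary word '{word}'")

    # Added rule: nothing the user has already told the world.
    for fact in public_facts:
        if len(fact) >= 3 and normalize(fact) in normalized:
            problems.append(f"contains publicly posted fact '{fact}'")

    return problems


if __name__ == "__main__":
    # Constructed examples modelled on the post: a puppy named Blinky, a
    # favorite vacation spot of Hawaii.
    posted = ["Blinky", "Hawaii", "blue"]
    for candidate in ["password1", "Bl!nky-Rex-2009", "Hawaii-Max2010!", "Vx7#qLm2!pRz"]:
        result = check_password(candidate, public_facts=posted)
        verdict = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

Note that the checker deliberately tests the normalized form against the facts list, so swapping an exclamation mark for the “i” in a pet’s name does not help; that is the kind of substitution a guessing tool tries first.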