Social Engineers have a field day when it comes to any social media site that is talking about security. If you read the news at all, you have heard about Facebook’s recent barrage of security announcements and the feelings many have on their “security”. Social Engineering attacks are on the increase in the social media world and this is a serious problem.
Many have claimed that Facebook is cavalier about security and their attitude is one of not viewing it as important. Then some major news organizations posted a private IM of the CEO of Facebook, Mark Zuckerberg and a friend.
Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask.
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Friend’s Name]: What? How’d you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don’t know why.
Zuckerberg: They “trust me”
We have all joked with our friends online and said things we would not want repeated. And if all the “ammo” against Facebook stopped at this IM I would actually feel sorry for him, but the facts are that Facebooks security policies continually get worse and worse and eventually will lead to many more compromises in the future.
How do we know?
Just a few hours ago a story was released that has some very damaging information regarding Facebooks security policies.
We can boil the story down in one word: Simplify.
Too many users said their increased security was too complicated, so the answer? Make the security rules more simple. Dumb them down. Make them not so hard to comply with.
Why not? Its only users personal data.
And this is only 3 days after Alert Logic found a massive flaw in their security protocols.
The purpose of this blog post is not fully to blast Facebook and their inherent lack of security but to talk about what we can learn from this.
There are 3 lessons I think we can glean from this story:
1) Anytime you put your personal information in the hands of someone else, you better trust them. Before you handed your wallet to someone you would probably have some level of trust with them. Why? Even if there was no cash or cards, you might have your license or ID in the wallet. You don’t want someone you don’t know getting your DOB, address, full name – yet when you trust someone online that you don’t really know, with this data you are asking for trouble.
2) Simplification is not always better. We are not saying that for security to work it must be complicated. Yet there has to be a level of complexity to the security protocols. If your password protocols and user education programs are so simplistic that anyone can guess it is obviously not going to be effective.
3) If you must use social media sites, research. Even with Facebook there are 3rd party apps that can help you to secure up your account. Do not just trust in the fact that everything is secure because they “said so”.
Social media has its place and it can be useful, but as you hopefully have discerned through our other articles, it is a danger too. It allows for social engineers to gather information on people, sometimes information that we don’t even tell our closest friends.
It allows the social engineer to plan a pretext that will work based on that knowledge. Then launch an attack that will have the maximum effect on us.
These things are a reality and until the users demand more serious security protocols these companies are not going to provide.