When it comes to social media, privacy advocates get the most attention.  Headlines such as Security Experts Concerned With Facebook, Foursquare Location Features, Want to escape online past? Change name: Google CEO, and Germany: Would-Be Employers Can’t Do Social Network Checks all discuss how your personal information can be used in ways you did not intend.  What about the privacy of your information when it is deliberately stolen via social media?

The Issue

One such incident is occurring now on Facebook and Twitter.  From Reuters:

Facebook and Twitter users are complaining about their accounts being compromised and being used to spam friends with suspicious “free iPad offers.”

In the scam on Facebook, you receive a Facebook e-mail from one of your friends, such as the following from PCWorld:

Today, these types of scams are generally used as a worm to spam the e-mail to another group of people in hopes to drive you to an outside website.  The only information stolen is probably your friends and your contact information.  Take another recent Facebook scam from Appolicious: Rogue Facebook app is the latest Justin Bieber tech scam:

Facebook has the right set of security protocols – before granting access to an application Facebook let’s the end user know what that application can do.  As with many phishing scams, the end user does not understand what they’re approving when they grant rogue applications access.  In the bieberflirting example, the user is granting access to the basic information, the ability to post on your wall and therefore replicate the scam, and access information at a later date.  Everyday they can repost spam on your wall to try to get more people to join in.

At some point, these rogue applications are going to move from spam and replication to stealing your bank information.

The Recommendation

While I can appreciate the media reaction to many of Facebook’s privacy practices, more attention needs to be paid to these types of rogue applications.  Bank phishing scams such as “Your bank account is locked out” used to catch many people until the media educated end-users about the scam.  While most people realize when they install the free iPad application that the application is spam their users, there are many applications that spam the end-user in a less obvious way.  Too many people ask, “how did my account get hacked?”  The account wasn’t hacked in the traditional way, but hacked by convincing you to install a rogue application.

The blame can’t be entirely on the end user.  Facebook should make it abundantly clear when you allow asked to “Post to my Wall” that it could be used to spam users.

Today this is a nuisance, tomorrow this could be a significant source of identity theft.

The following appears on Page 610 of the book:

Are you struggling with how to simplify and effectively govern user access to information resources? Attend this KPMG & Aveksa webinar to learn how an access change management control framework can enable your organization to streamline the access delivery process while ensuring compliance.

Topic: Streamline Access Delivery and Ensure Compliance Through a Simplified Access Change Control Framework

Recording date: Wednesday, April 14, 2010 1:00 pm

Panelist Information:

Jay Schulman – Managing Director, KPMG
Deepak Taneja – Founder, President and CTO, Aveksa

Duration: 56 minutes

Playback

Jay Schulman: Phishing with Asterisk PBX

As many people are becoming more accustom to phishing attacks, standard website and e-mail phishing schemes are becoming harder to accomplish. This presentation breaks all of the phishing norms to present an effective, alternative phishing method from start to finish in 75 minutes using Linux and Asterisk, the open-source PBX platform. With an Asterisk installation, we’ll setup an account and build a telephone phishing platform most banks would fear. We’ll also show targeting techniques specific to large corporate environments and demonstrate basic Asterisk deception techniques. We’ll also discuss ways we can prepare for and potentially prevent these types of attacks.

Release Date: 6/4/06

Blackhat Video

iTunes Link

Hackers may find new connections

By: Eddie Baeb April 29, 2002

Web services and wireless networks promise great convenience and new areas for profitable business ventures.

They are also heightening security concerns. As these technologies allow businesses and consumers to connect in new ways, they open more doors for hackers. While no network can be 100% secure, experts say that taking basic precautions and emphasizing security to employees will help to prevent a disaster.

“It’s just like securing your house or car,” says David Black, a Washington, D.C.-based manager with the security technology division of Chicago-based Accenture Ltd. “You ought to provide enough protection to make somebody else a more tempting target.”

Internet hacking has increased at a breakneck pace and will likely escalate as more companies share proprietary data online with their business partners.

Last year, 52,658 Internet hacking incidents were reported to the CERT Coordination Center, a federally funded Internet security research center at Carnegie Mellon University in Pittsburgh. In 2000, CERT recorded 21,756 incidents, up from 9,859 in 1999.

Security experts say many businesses are in denial about security, wrongly believing that only high-profile companies or financial concerns like banks need to worry about hackers.

Or managers may invest in new technology but get so distracted by other priorities that they don’t think seriously about securing it. Sometimes they treat new technology like a new toy, says Jay Schulman, a Chicago-based manager of risk and advisory services with KPMG LLP.

“When most people get a new toy, the first thing they do is plug it in and say, ‘Cool.’ Then they walk away,” says Mr. Schulman. “It’s natural. You’ve only got a half-hour to play with it, then you’ve got to get back to your priorities.”

A future priority for many businesses is adopting Web services, which allow systems to communicate with other systems over the Internet, and companies and individuals to make their digital assets available to anyone via the Web.

For example, Microsoft’s .Net Passport allows individuals to store one password, along with their credit card and shipping information, for use at multiple Web sites. Or a car rental agency might link its inventory and booking system into an airline’s Web site.

Some Web services will be public and unsecured, but most business-related services will be intended for an exclusive audience. Security relies on encryption to scramble messages and access based on authentication, such as user names and passwords.

Security was a big consideration for Lincolnshire-based benefits consulting firm Hewitt Associates LLC when it launched a Web service last year. The service shares benefit information with two companies that provide 401(k) investment advice. In addition to standard encryption and authentication, Hewitt developed a password validation system to verify that incoming traffic is from an authorized partner.

“We’re in a business dealing with personal information like salaries and 401(k) balances,” says Timothy Hilgenberg, Hewitt’s chief technology strategist. “We had to look very closely at security.”

For Hewitt, rewards outweighed risks. The company can offer its clients’ employees real-time access to their benefits information from an adviser and employees can change their investments instantly via the adviser’s Web site.

“This is a value-added service. We’re extending our offerings by partnering with others,” says Mr. Hilgenberg. “In the near future, people are going to have the expectation that your system is communicating with others.”

But companies that use Web services shouldn’t abdicate security responsibility to the company whose server hosts their data, says Bob Emkow, manager of technology risk management for Chicago-based Grant Thornton LLP. In fact, Mr. Emkow says, companies that offer Web services must be more diligent.

“You have to watch constantly to catch any changes,” says Mr. Emkow. “You have to change passwords. As interconnected networks become the norm, the big issue becomes how to manage risk.”

Managers should begin by doing homework on potential partners.

“The first thing you need is full disclosure. Who takes the heat if there’s a problem? How do they know if there’s been a security breach?” says Russ Cooper, who edits an online newsletter for TruSecure Corp., a Herndon, Va.-based Internet security firm. “You need to do all the due diligence you’d do if you were entering (any other) partnership.”

While security has always been a concern for companies considering Web services, it sneaked up on businesses using wireless network connections.

Wireless networks broadcast radio signals through the airwaves from an antenna called an access point, and computers equipped with a wireless card pick up the signals and interface with the network.

Many companies leapt into wireless networking because it is cheap to install, saves the time and hassle of dealing with wiring, and lets employees work from different locations.

Unfortunately, standard encryption was sometimes faulty, so amateur hackers could easily intercept network traffic. Since many companies treated these networks as internal devices — not realizing that access points often beam radio signals far beyond the office walls — hackers could do an end-run around firewall security.

KPMG’s Mr. Schulman, who specializes in wireless, says even though a wireless network may be used internally, it is still an external device.

“People need to treat wireless as an untrusted device,” he says. “They need to treat it like the Internet.”

That means, at a minimum, using standard encryption. Also, companies should move the wireless network outside of firewalls, as they do with the Internet. That way, a hacker who accesses the wireless network must still get past a firewall to reach other critical internal data.

But security problems are just growing pains, contends David Armour, manager of the advanced systems and wireless engineering group for ITQ LATA LLC, an IT company in Albuquerque, N.M. Second-generation wireless technologies are improving security, and wireless can be secure now if properly implemented, says Mr. Armour, who is developing a wireless network for the Chicago Department of Buildings. “But people need training to handle encryption and authentication.”

Experts say the best defenses are preaching the importance of security to all employees, ensuring that IT employees are especially well-versed and planning responses to hacker attacks.

Accenture’s Mr. Black sums it up: “Security is more than technology; it’s a people and process issue.”

©2002 by Crain Communications Inc.