Monday, August 27, 2012

Viewpoints on Social Networking Websites from Security Risks Standpoint

Social Networking Websites (SNWs) such as Facebook, Twitter, and LinkedIn have become integral parts of the daily online ecosystem. They are crucially instrumental in personal and professional networking, invaluable as sales and marketing tools, and central to keeping society informed of daily incidents in several walks of life. SNWs are interesting for at least two key features: a huge number of users and a high degree of trust among those users.

However, apart from the vulnerabilities SNWs carry like any other software, the personal details exposed on these sites and the lack of secure defaults, coupled with exploitation by miscreants, pose a huge security threat to users of SNWs. In fact, no single countermeasure fits all when it comes to protecting innocent users from such security risks. Alongside mainstream security gadgets such as antivirus software, firewalls, and intrusion detection systems, and organizational policies and procedures, it is worth asking ourselves the following seemingly simple but critical questions before we render ourselves digitally naked on the online stage, where anyone can 'see' us from anywhere, at any time.

Do you really know who you are going to be friends with?
For some people, amazingly enough, being on a SNW just means swelling the number of friends, especially on professional SNWs like LinkedIn, where a higher number of connections is mistakenly taken as an indicator of a shiny professional profile. When the only variable is the number of friends, we obviously risk connecting to fake identities, real kidnappers, real identity thieves, or even terrorists. A useful piece of advice in this regard is to think a bit before deciding to confirm a friend request. Do you know that person? Why do you have to confirm that friend request? Just to add one more 'person' to your network? Wouldn't it make more sense to have 100 friends that you know and trust well than 1000 friends you neither know well nor trust much?

Do you know how others may use what you post?
Imagine that you are on Facebook and you update your status. Most people just breathe out their emotions without thinking twice about the implications and consequences. One may claim that "whatever my status update says, I am sharing it with my friends". Unfortunately, a significant number of users on SNWs have friends they don't know at all or have never met in person (ask yourself "Do I really know all my friends?"; I am sure you will find a couple of them you never knew or met at all). Given this situation, a status update like "Going for summer vacation to Miami Beach for 3 weeks from tomorrow" could mean "please go and rob my house before I come back" to one of your friends on Facebook whom you never knew or met but who is actually a burglar. Of course, I am deliberately exaggerating the scenario here, as more information is needed to get to your house (like your address), but that is not so difficult to find from profile information or from things you posted earlier somewhere in this small digital world.

So you think everything a friend shares (recommends) is safe?
A friend may, out of good will, share with you a web link to something (news, a picture, a video) that he stumbled upon or got from other friends. Imagine a current topic that is likely to catch your (and your friends') attention. The moment you log in to your Facebook account, you see a link to a video on that topic and you can't wait to click on the link and watch the video. Unfortunately, the moment you click the link, malware is downloaded to your computer (or phone), and this malware steals your login information (such as your online banking credentials). To be specific here, if you end up with something like "OMG! Did you see this picture of you?", "Secret details about XYZ's death!", "I am trapped in Heaven. Please send me money", or "Are you more brilliant than Albert Einstein? Test your IQ" on your Facebook wall, it is an indication of spam. So, ask yourself "Do I really have to click on this?". If you do, the most likely consequence is that your device is infected with malware or your account is hijacked to impersonate you and infect your friends the same way. On a different occasion, you may end up with recommendations from a friend to add another friend, invitations to join a group, or requests to like some website. Just as there are legitimate and honest recommendations and invitations, there are also illegitimate and totally fake ones crafted by cyber-criminals who exploit the prior trust built between you and your friends. This gets especially bad when the recommending friend is someone you know little about. In some cases, your friend's account might be compromised and the cyber-criminal may impersonate your friend(s) and share, recommend, or invite you on their behalf.

You still think applications or games are benign?
It is well known that there are useful and harmless applications on SNWs (e.g., birthday reminders, games, card-sending apps). But what is overlooked by most users, and well exploited by cyber-criminals, is the rich set of permissions granted by innocent users to such applications. In most cases, users do not notice the kind of personal details they are giving away when installing such applications. To say the least, giving away your birth date, relationship status, email, phone number, and the like is a gold mine for targeted spam campaigns and identity theft. The risk is not limited to the harvesting of private information, which could be sold to other cyber-criminals. Oftentimes, the applications are packaged with malware that steals your credentials for email, banking, and other critical online services. Even worse, if a malicious app or game is installed on your mobile phone, it may erase your data or impersonate you. Therefore, the general advice in this context is to keep an eye on the permissions asked for by these applications and to refrain from installing them when too many of your personal details are requested in exchange.

Do you really separate personal life from professional life?
The people, the content, the rules, and the norms are different by design when you communicate and share with your family (and friends) versus your colleagues. It is important to cluster your community so that you can customize what you share to the appropriate profile of each group. Or, even better, you may have separate accounts (although that is not so easy when people from different groups overlap in your network). Needless to say, you don't want to share with your boss a half-naked and terribly drunk photo of yourself. Some companies check your social network profile before they decide to offer you a position, and some have even asked job candidates for their credentials in order to check their details on SNWs (although this is now prohibited by law in some countries, as it is clearly against privacy).

Do you really control your share-meter?
It is okay to once in a while get wild and share success (excitement) stories about yourself and your company. But if, in doing so, you leak private and/or confidential information that may whet the appetite of cyber-criminals, you obviously are suffering from hyper-sharing syndrome. Some companies have enforced policies on what their employees can share publicly (including on SNWs) about the company. If your company has such policies, get the policies right before you find yourself in a court hearing.


Thursday, August 2, 2012

Everyday Best Practices to Stay Safe Online

As more and more people are getting connected to the Internet and undertaking critical daily activities on it, many more risks are emerging that pose threats to the sensitive and private information we manage online. In the online security chain, no matter how cutting-edge the security gadgets we deploy at different layers are, a seemingly benign interaction on the Web could lead to devastating outcomes such as losing our critical credentials or picking up malware that compromises our devices.

The most difficult vulnerability in the online security arena is the human vulnerability, which is easily exploited by attackers. By sticking to simple measures and staying 'reasonably paranoid', we can significantly raise the bar against attackers and stay more vigilant against manipulation. Although impossible to quantify precisely, it is repeatedly suggested that most attacks can be avoided if people consistently adhere to the following simple but effective measures:

Think Before You Click
Be cautious whenever you click a link on any page, pop-up dialog, email text, or social media application. The risk is that after a click you have lost control, and that single click might end with malware downloaded on your device that steals your credentials, with you redirected to another page carrying more dangerous attacks, or with the link you clicked automatically shared with your friends on a social network without you noticing it, thereby propagating the infection to your friends, friends of friends, and so on. Clicking on email attachments also requires careful examination, even if the email is from someone you know and trust, because the antivirus software of the mail provider may not thwart all attacks (especially new ones).

Stay Up-to-Date
On a daily basis (if not hourly), the must-update list includes antivirus software, the operating system, the web browser, and browser extensions (e.g., video player, PDF renderer). Most current providers allow doing the updates online, and some (e.g., the Google Chrome browser) even allow silent updates without bothering you as a user.

Have Strong Password Policy
Passwords should be complex enough to challenge password cracking techniques, yet memorable to the owner. A commonly suggested mix requires letters (uppercase and lowercase), digits, and special characters (e.g., ?, $, &, !), and the length should be eight characters or more. Never use a dictionary word as a password, because it is a piece of cake for password cracking software. Be sure not to use a password that people who know you can guess (e.g., your lover's name, your phone number). Studies show that many people are still using the same (and very obvious) password across multiple websites. The disaster with this is obvious: once you lose your password, you risk handing over a master key that opens all the doors you have locked. Under no circumstances should you write down your password somewhere or tell it to any other person. There is one more thing that keeps your passwords robust: change them with reasonable frequency, and whenever you suspect that your password might have been compromised. There is an analogy between passwords and pants which humorously conveys most of the message: "Passwords are like pants. You shouldn't leave them out where people can see them. You should change them regularly. And you shouldn't loan them out to strangers."
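As an added example (not part of the original post), the following Python checker implements the policy described above: the character-class mix, the eight-character minimum, the dictionary-word rule, guessable personal details, and reuse across sites. The wordlist and the sample personal details are constructed for illustration; a real deployment would load a full dictionary file.

```python
import string

# Constructed sample wordlist; a real check would use a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "letmein", "summer", "monkey"}
# The post's examples (?, $, &, !) plus the rest of ASCII punctuation.
SPECIALS = set("?$&!") | set(string.punctuation)


def check_password(password, known_details=(), previous_passwords=()):
    """Return a list of policy violations; an empty list means the password passes.

    known_details: values people close to you could guess (names, phone numbers).
    previous_passwords: passwords already used on other sites, to catch reuse.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Strip digits and punctuation so that "Summer2012!" is still recognised
    # as a dictionary word with decoration, which crackers try first.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    for detail in known_details:
        if detail and detail.lower() in password.lower():
            problems.append(f"contains guessable detail '{detail}'")
    if password in previous_passwords:
        problems.append("reused from another site")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ("password", "Summer2012!", "Alice1985!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, known_details=("Alice", "1985")))
```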


Be Cautious of What You Publicize about Yourself
The rule of thumb is that you have to limit the amount of personal information you make publicly available on the Internet, especially via social networks. You never know: your basic information (e.g., email address, phone number, location) may be harvested and used in malicious activities such as spam campaigns and phishing scams. Never disclose any confidential, personal, or financial information unless and until you can confirm that the request for such information is legitimate. Review your bank, credit card, and credit information frequently for irregularities, and report to your bank immediately if you observe suspicious activity. Avoid banking or shopping online from public computers (e.g., in Internet cafes), which are likely to be compromised with malware and may be on wrongly configured or unencrypted Wi-Fi connections. Use HTTPS when connecting via Wi-Fi networks to your email, social media, and sharing websites. Check the settings and preferences of the applications and websites you are using. Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you are required to log in or share any personal information.