Data Scraping

Social media is a platform for sharing. But this information sharing has progressed beyond sharing just with friends and family to sharing with the whole world, which is less social. Corporate sharing has moved beyond just employees interacting with the general public, which can be good or bad. Corporate sharing via social media can attract more customers, followers, and business, but malicious users can turn all that available data against your company. Knowing who is using the information you share, and to what purpose that information will be used, is difficult. This is the erosion of your true social circle.

With a personal profile, an employee can receive random requests to become “friends.” These requests do not all come from friends; these “friends” could be spammers or malicious users trying to gather information about the employee. The same problem is occurring with corporate social profiles. Generally, corporate social profiles are meant to be shared with everyone. Fanpages are being created constantly. However, your “friends” and “fans” have access to all the information that you post.

A targeted information gathering attack might target the marketing person who runs the corporate blog. Becoming friends on the corporate site might lead to the malicious user convincing that marketing person to become friends on her personal social network profile. You can find a person’s LinkedIn profile with a generic Google search. Once the malicious user gets access to the marketing person’s personal social profile, he has enough information to create a fake profile, or enough data to try and guess the password the marketing person might use to connect to corporate e-mail or the corporate blog. This could lead to a compromise of your internal corporate network.

With the advent of location-based services, we are seeing a rise in physical insecurity based on social media usage. A recently popular site, Please Rob Me (http://pleaserobme.com), takes advantage of the Twitter location feature. Imagine what a stalker following you on Twitter could do, or what a deranged ex-boyfriend or ex-girlfriend could do if able to follow you to the corporate networking events you post about attending on Facebook. All this information can be easily scraped up by a malicious user, potentially leading to some disastrous activity for you or your company network.

Information disclosure on social media sites like Facebook, Twitter, LinkedIn, and MySpace can be the downfall of information valuation. With this information completely in the open, how users authenticate may have to change. No longer can a bank authenticate customers by asking the name of the street they grew up on or their dog’s name; this data is on social media profiles. The ability to share and provide information can completely undo your network security requirements. Social media does not encourage people to be security conscious. Social media encourages:

- Lack of privacy
- Information sharing
- Giving away answers to security questions
- Social engineering

Malicious people are attracted to social networks because gaining trust is easy and because of the amount of data available for social engineering. Relationship building is easier through social media, which can lead to phishing attacks. With these sites, once you trust a new “friend,” you may accept a request for an application your “friend” is promoting. Your marketing person may now install that application without knowing he has just downloaded malicious code to a corporate computer. There are no external third-party audits of these applications before they appear on Facebook. Your computer can be easily infected by a virus or spyware. Without education about the risks of information gathering and theft from social media profiles, employees can unknowingly open backdoors into your company. Here are some of the challenges companies face with users connecting and sharing on these social sites:

- Widespread display of personal information, much of which is used for authentication.
- Almost anyone can view data. Search engines index profiles. And by tricking people into accepting friend requests, access to all the information in those personal profiles is easy to attain.
- Insecure applications being installed. Once a trust relationship is in place, malicious users can get people to click a malware link or install a Trojan application within social sites to gain access to network computers.
- No privacy restrictions. Users are often unaware of all the privacy settings social networks are now implementing and do not restrict access to their data as a result.
- Weak passwords. Users still use children’s names or pets’ names as passwords, and by allowing people to see your personal data on your profile, you create an opportunity for a malicious user to discover those common passwords.
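One control for the weak-password item above is to reject, at password-change time, any password built from details the user has on record or on a public profile. The following is an added example, not code from the book; the profile field names, the sample profile, and the substitution table are constructed assumptions.

```python
import re

# Character swaps users commonly apply to "harden" a name-based password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case, undo common substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def profile_tokens(profile, min_len=3):
    """Map each normalized profile word to the word as it appears in the profile."""
    tokens = {}
    for value in profile.values():
        for word in re.split(r"[^A-Za-z0-9]+", str(value)):
            key = normalize(word)
            if len(key) >= min_len:  # skip fragments such as "04" that match too easily
                tokens[key] = word
    return tokens


def personal_terms_in(password, profile):
    """Return the profile words that appear inside the password, sorted."""
    candidate = normalize(password)
    return sorted(word for key, word in profile_tokens(profile).items()
                  if key in candidate)


# Constructed sample: the kind of detail a public social profile exposes.
SAMPLE_PROFILE = {
    "first_name": "Dana",
    "child": "Milo",
    "pet": "Biscuit",
    "street": "Maple Avenue",
    "birth_date": "1987-04-12",
}

if __name__ == "__main__":
    for pw in ("B1scu!t2024", "M1lo1987", "correct-horse-battery-staple"):
        hits = personal_terms_in(pw, SAMPLE_PROFILE)
        print(pw, "-> rejected, contains:" if hits else "-> no profile terms", hits)
```

The password and the profile words pass through the same normalization, so substitutions such as `B1scu!t` for "Biscuit" are still caught.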
