Privacy and security in Social networks - part II

Introduction

This is the second article in a series about privacy and security in social networks. If you have not already read part I, we strongly recommend that you read this first. You will find part I here.

Dangerous playgrounds

Dangers involved in using social networks are highlighted in news articles and by various types of experts on a regular basis. There are numerous examples of people who have suffered from their social network presence. Should we therefore conclude that one should avoid participating in these communities at all costs?

In our view, this is not a viable solution. The advantages – personal and professional – by using social networks are too big to disregard. However, using social networks in a sensible way is highly encouraged.

This part of the series will examine some of the dangers that are involved in using social networks, offer examples of how “the bad people” may attempt to trick you, and suggest some precautions that we view as wise to take when you engage in social networks.

There are several different types of risks you are exposed to when you participate in social networks. We shall examine some.

Who is there?

Unlike communication face-to-face and by telephone, communicating through social networks restrict how you are able to verify that the person with whom you communicate is the one she claims to be.

There are at least two different scenarios that you should be aware of:

1. One of your real friends’ accounts are compromised

This can happen for example if he used a weak password, which someone managed to guess and thereby is able to impersonate your friend on the social network. Or your friend’s password was compromised through other techniques, e.g. a password-stealing program that was installed on the computer. Exactly how someone can take control of your friend’s account/password is beyond the scope of these articles. Suffice it to say that it is possible under certain conditions.

If this happens, you find yourself in the following situation:

• someone that you do not know seems to be your friend and will receive all the information you (think you) send to your friend,
• all the information you previously sent to your friend may be available to this imposter.
  (This situation may vary between different social networks, as they have a different approach to how/which previous communication exchanges are stored.)
• information that you receive and trust as it appears to originate from your friend, may be used to trick you to perform action you would not do in other circumstances, for example click on links that you receive and open files that your receive.

2. You are contacted by someone who is not who she appears to be

One of the advantages of social networks is that you are able to contact and communicate with not only your existing friend next-door, but also older friends that may have moved away from your location, and completely new friends from all over the world, who share your interests.

When/if you are contacted by someone who claims to be for example a 17 years old girl from another country, you are wise to keep in mind that “she” may be a 37 years old man, who lives in your neighborhood.

Communicating with people you do not know may be interesting in itself, but you should be careful. As you get to know the person over a period of time, you are most likely more able to determine if he/she is of the correct age/gender that is claimed. Initially this is very difficult.

Most of us would be careful to divulge personal information to a person if we knew she pretended to be of another age and gender than her real. Such a person automatically looses credibility. In social networks anyone can pretend to be whom they wish.
You should therefore never part with any types of personal information to unknown persons at an early point in time during your friendship.

This is discussed in more detail below.

Abusing your personal information

1. Your personal information is yours!
2. You decide with whom to share your personal information!
3. You know that shared information will not be abused!
4. You are sure that information shared with friends or published publicly cannot harm you later!

Or are these statements not fully valid?

Unfortunately they may all be untrue if you engage in social networks without taking some wise precautions.

Each and every day there are news items about someone who feels that personal information has been abused.

One typical example is images that you uploaded for your friends to view. Suddenly they are posted on public web sites available for everyone to see. These images may be of a personal character and if they are displayed out of context – or worse: in a staged context that is not to your liking – they may be very uncomfortable to you.

You should be particularly attentive to the fact that the Internet never forgets. Any information that you publish on the Internet may be there forever. It is extremely difficult – often impossible – to retract information, including images, that you publish on the Internet. Even though you publish in an environment that you perceive as “secure” – “your” part of your social network – the information may be misused by others in different contexts. Someone that you thought was your friend, may turn out not to be, or even though he was a friend at some point in time, this is not necessarily true forever.

Images and statements that you publish now may “haunt” you years ahead. A typical example is party pictures, which seem innocent and funny at this point in time. They may not be that cool when you apply for an important job and your prospective employer finds them somewhere on the Internet.

Images of you (partly) nude or in other provocative positions are another obvious example.

My home is ready for burglary

Some social networks are often used to inform your friends (and others) about your whereabouts and what you are doing.

You should be aware that this information may be also useful for someone who does not have good intensions.

A status message informing that you will be on vacation on a remote island in the sun the next four weeks is useful for your friends who then understand why you no longer are available (and they might even envy you). It is however also useful for a burglar who operates in your neighborhood, to know that your house/flat is empty and ready for intrusion.

Communication with partners infected by malware

Much-used applications of any type are potential targets for authors of malicious software (malware).
In recent years the most popular social networks have also been targeted. In particular Facebook and Microsoft’s Live Messenger have been focused upon by malware authors.

Malware that infect computers of which the owner is a user of social networks, typically performs actions like posting messages to persons on the contact/friend lists. These messages often include links to web sites that are either infected with malware or attempt to trick the visitor to download malware through social engineering techniques.

One typical characteristic of such messages is that they do not correspond with the normal way your contact/friend would communicate. They may typically be in English while you normally use another language in the social network.

Good intentions turn bad

Another variant – more difficult to defend against – is if your friend has been tricked to forward to you a message or link that has malicious content.

In this case the message itself is from your friend and has his normal characteristics. The content behind the link (which he may not even have checked yet) is however malicious.

Social engineering emails

As we have seen above, persons with malicious intent may gain several opportunities to perform their malign deeds if they have access to the credentials belonging to social network accounts.

One way to obtain these is through “phishing” emails; i.e. attempts to trick the email recipient to part with personal information which enables another to take over his identity (in this case his social network account).

These phishing attempts are typically requests to confirm something or change the account credentials. Another variant tries to pick your curiosity and claims that you can find the persons who have blocked you on a social network.

The recipients in these “phishing” attempts are encouraged to visit an (allegedly) official web page and perform the steps the message encourages. Unfortunately this web page is controlled by the person with bad intent, who is then able to get an(other) account at her disposal, and/or perform other undesirable actions.

Below is an image of a typical bogus email of this type. All the links in this email lead to web pages that are not associated with Facebook at all.

Meeting virtual friends in real life

Occasionally you may get an invitation from one of your social network friends to meet her in Real Life.

If this is a person who you do not know from any real-life setting, remember the fact we stressed above:

On the Internet anyone can be who they want.

There are tragic stories of youngsters meeting a person they thought was their friend from a social network setting, who turn out to be an abuser.

If you plan to meet a friend from a social network for the first time in real life, it is strongly recommended that you do not meet him/her alone. Bring one of more friends or an adult if you are a young person.