Image via Wikipedia

When you take a photo of yourself in your house and then post it via Facebook or twitpic, you assume that no one will really know where you are taking that picture. Well, you may be wrong. Social media security is in a very nascent development stage. There are a number of theats already to social media such as malicious applications in Facebook or trojans in shortened URLs that the average user does not know about or where to turn to for advice.

A new threat could be giving up your location when you post a picture from inside your house. A team of scientists dicovered that with some smartphones, a user’s latitude and longitude can be attached tothe picture you post in the metadata. That’s pretty scary. See the news story ” Tips to Turn Off Geo-Tagging on Your Cell Phone”  (http://abcnews.go.com/Technology/celebrity-stalking-online-photos-videos-give-location/story?id=11443038) “Many people are not aware of the fact that there are geotags in photos and videos,” said Gerald Friedland, one of the scientists.

A website that has been setup to show the dangers of this capability is www.icanstalku.com. So what can you do about this? Do you want to be stalked?  ON the IPhone, go to Settings, General, then Location Services and disable the applications you do not want to use Geo-tagging, such as Camera.

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecrity.com

888-572-2911

Related articles

• How to handle a cyberstalker (cnn.com)
• Cyberstalking threat hits UK (lv.com)
• Teen Charged With Cyberstalking After Creating Fake Facebook Account (dreamindemon.com)
• Geo-Tagging: The Dangers Of Posting Pictures Online (newyork.cbslocal.com)
• The Dangers Of Geo-Tagging In Harlem (harlemworldblog.wordpress.com)
• GeoTag Photos with GeoSetter (jakeludington.com)

Social media applications are not just a part of one’s personal lifestyle; this has also become incorporated in the corporate climate. Many places use these applications for marketing, file sharing, communication, and employee recruitment. While these applications can open up a great many doors of communication, some type of guidance or governance is necessary. Because banning the use of such sites is most likely unenforceable or impractical, a hospital or other such entity that must shield private information should at least ask or force their employees to adhere to some Social Media Policy guidelines.

For instance, when utilizing social networking sites, one should use separate passwords for the different sites, as an individual can easily hack all of one’s accounts if they know the one password. A security breach of one account could snowball. Passwords should be complex and change every 90 days. Accessing social media sites should be over SSL and only from trusted network connections, not coffee shops especially for business purposes!

In the case of company documents or patient information, if it isn’t found on the company’s web page it probably should not be posted elsewhere. There are sites that exude a feeling of privacy and security, but are far from it. Allowing one’s corporate information security team to determine what sites are acceptable is the best option.

Another thing one should not do is post his or her own identifying information publicly, such as date of birth, his or her social security number, or an employee ID number. If a site requires this information, 1) it is most likely not a reputable site, and/or 2) one could make something up or ensure that it is not going to be displayed in a profile that will be public.

Some information may not be considered confidential; yet not posting these items to public social media sites is probably a good idea. This can include anything from rumors, to purchases the company plans on making, anything about the technology one’s company uses or will use, and any projects the individual may be working on.

So in one’s personal endeavors, it is most beneficial to all involved if confidential information, or information that could be considered secret, stays out of the hands of the public. Follow practical posting guidelines and do not share more information than is necessary in corporate social media activities.

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Police Development

*PGP Security

*Free Website Security Test

Social Media Policy

Social Media Policy Infrastructure

 2) Information Classification – You have to explicitly define what information can be shared and what information should not be Tweeted, FaceBooked, BlibbedBlabbaded (I made that up)about. If your employees do not know how valuable information is that you cannot blame them for inadvertently being sucked into the blogosphere. (I am not sure blogosphere is yet a word, but who cares)3) Keep It professional – If you allow your employees to Socialize (that a word with any meaning here?) information about your company, you have to give them standards to follow. Things like cursing, grammar mistakes, casual conversation style discussions might not be the image you want to portray when discussing anything related to your company.

4) Tracking and Monitoring – If you are going to have a policy for anything, you have to have a mechanism for tracking compliance, reporting on activity and have consequences for breaking that policy. How much tweets that are over the line makes you bring an employee before HR? What is a firing Facebook picture offense?

This is a very abbreviated start. In later posts I will define more aspects of a social media policy. But let’s get the conversation started about the necessity for this as a standard policy in every organization, both large and small.

Related articles by Zemanta

• HOW TO: Pick the Right Social Media Engagement Style (mashable.com)
• Social Media Strategy Lessons From Pepsi (businessinsider.com)
• Social Media Costs UK Economy $22 Billion a Year (penn-olson.com)

When you join a company, you relinquish certain rights. The workplace is not a democracy. Yet many people still think that their corporate email, their corporate computers and the data they use is “theirs”. Who owns that data? Well the answer is the company. Companies are concerned with data loss prevention. A company can fire you for mis-using company data, that is obvious. A company can fire you for portraying a poor image such as drunkenness, poor behaviour, saying negative or derogative things about your boss or company,  public displays of nudity, well I could go on about why you can be fired.

One example is a young woman who got fired from her job because she said she ” thought her job was boring. So she said so on her Facebook page.  Her employer, Ivell Marketing and Logistics of Clacton, U.K., gave her this update: “Following your comments made on Facebook about your job and the company we feel it is better that, as you are not happy and do not enjoy your work we end your employment with Ivell Marketing & Logistics with immediate effect” as stated in this CNET article, http://news.cnet.com/8301-17852_3-10172931-71.html

So the question is, can a company can fire you for your out of office activities, should they have the right to monitor your activity? Should an employee be required to register all their social media profiles with their employer so that the reputation of the company can me monitored? It would obviously make it easier to know if an employee is damaging the reputation of the company.

The biggest challenge Social Media plays for a company is damage to reputation. A silly yet powerful example of Social Media affecting a company’s reputation is United Airlines breaking a musician’s guitar and refusing to pay for it. The musician Dave Carroll had a YouTube hit with his song about the poor airline response to him (http://www.boston.com/travel/blog/2009/07/song_over_guita.html) This viral video caused reputation damage. So this is a bit different from an employee posting something, but it has the same end result, reputation damage.

So when you start a new job, you have to take a drug test, get a background check, so why not register all your social media profiles? What are the pros and cons? Is it to much “Big Brother” or is it becoming a relevant reality of doing business in the Social Media age?

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Related articles by Zemanta

• How Social Media Can Revolutionalise Your HR Department (gautamblogs.com)
• Social Media In, Common Sense Out (socialmediatoday.com)
• Managing Both Objections and Reputation Through Social Media (debbieweil.com)

 The trends in Social Media are heading towards more sharing of information. But sharing of information has moved beyond your circle of friends and family. Social media is becoming less social and more… well more corporate. Or more like many people shouting in a bar, you are all in close proximity, but you can’t distinguish the individual conversations, you can’t make out who people really are or who is a potential quality relationship.

How many random friend requests do you get now from Facebook, Friendster, MySpace, LinkedIn, etc. Twitter is a bit different obviously, but that’s a whole other story. Now you are also getting bombarded with corporate Fanpages, groups and other means of luring you to their sites, brands and social following. This is the erosion of your true social circle.Social Media Security is really more about Insecurity. The distribution of your information across multiple platforms used to be in a restricted circle. This can be true data loss.  Now its pretty much everywhere. You can find a person’s LinkedIn profile with a generic Google search. This should be restricted to the LinkedIn environment, but it’s not.With the advent of location based services, we will see physical insecurity based on social media usage. A recently popular site Please Rob Me http://pleaserobme.com has already begun taking advantage of the Twitter location feature. Imagine what can be done by a stalker following someone on twitter or a deranged Ex-boyfriend following you based on the events you are attending on Facebook? It’s easy to see how you can give away all your personal information without event thinking of it. Trends towards making information available will lead to Insecurity. Insecurity will lead to data breaches and compromise. Compromise will lead to lots of crying, money lost, probably lawsuits and other painful results. How do we get past this Social Media Insecurity? 

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development 

*PGP Security

*FREE Website Security Test 

Related articles by Zemanta

• The Seven Deadly Sins of Social Media (markevanstech.com)
• The Age of Social Networks (briansolis.com)
• Facebook Roundup: FTC, Design Changes, Nestlé, URLs and More (insidefacebook.com)
• Cloud Computing Elasticity Drives Social Media (web2.sys-con.com)
• Use Google Analytics to Track Inbound Links from Social Media Profiles (thecustomercollective.com)
• 13 Essential Social Media Lessons for B2B Marketers from the Masters (mashable.com)
• Social Media Engagement Starts with Monitoring (bettercloser.com)

One of the greatest challenges to privacy and security in the next several years is Social Networks and Social Media. Sites like Facebook, Twitter, LinkedIn, MySpace and others can be the downfall of valuing information. The ability to share and provide information is completely the opposite of network security requirements.  This is really encouraging people to do things that are not security conscious activities. Social media encourages:

• Lack of privacy
• Encouraging information sharing
• Giving away answers to security questions
• Social engineering

As we have seen recently, a lot of spam, spyware and malware is attacking social network. Just in the past week I have probably recieved a 100 requests to be my friend on Facebook from people who I do not know and funny enough, all the message have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and availability of data for social engineering.  Relationship building is easier through social media which can easily lead to phishing attacks.

With these sites, people install applications without knowing what goes on in the background, and its easy to download malicious code to your computer. There are no external third party audits of these applications before the make it to your Facebook application. Your computer can be easily infected by a virus or spyware.

What does the Social Media user to protect their information?
No Personal information – This is anti-social network, but there are things you can limit about what you post. Don’t post your Birthday! Or your address or your mothers middle name or any really personal data.

Limit who can view and contact you – Don’t let your profile be truly public, restrict to people you know for requested users.  Remember you can’t retract information you put out there. 

Don’t trust strangers – Your mother was right, don’t open the door to strangers. Limit who you accept chat or friend requests from and well as even communicate with.

Trust no Profile – People lie, it’s sad but true. So profiles lie, they might say they went to your college or high school.  They might be interested in your groups, so don’t take anyone at their word.

Restrict your privacy – There are some configuration setting in all the social media applications that can allow you to turn on some restrictions on your privacy. Take a minute to actually look at them. One easy example is in Facebook you can create groups that you can place friend in; you don’t want business people seeing what your friends are posting.

Password management – An oldie but a goodie, always use a strong password and don’t share it. And change it periodically.

Layers of protection – You should be running a personal firewall and antivirus software on the machine you are viewing social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well and run the patch management software on your machine, this is especially important for you Windows users.

Child protection software – You should have some kind of child protection software running on machines where children under 13 are using. This will help with all that shady software that is out there.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test 

Related articles by Zemanta

• Half of Online Adults Use Social Networks at Least Monthly (seekingalpha.com)
• Firms worry about social networks, but don’t block access (arstechnica.com)
• Google Buzz proves problems with single online identities (thewayoftheweb.net)
• Are Consumers Becoming More Suspicious of Social Networks? (marketingvox.com)
• Seven Steps to Safe Social Networking (dominica-weekly.com)
• 13 Essential Social Media Lessons for B2B Marketers from the Masters (mashable.com)
• Social Media for CEOs (slideshare.net)

Information Devaluation Through Phishing

The value of information has been decreasing over time. How do you see this isn the real world? There are two ways, one can be seen from the user perspective and the other from the attacker/bad guy perspective.

From a user point of view, the most obvious method to see information devaluation is Facebook, Twitter, MySpace, Linkedin etc. These may be seen as good ways to keep in contact, but look at all the personal data stored in these sites. Enough to authenticate to your bank account with such pieces of data as Name of Dog, Elementary School, Parents Lastname. Everything for secret question authentication. There was just a theft from a bank (http://www.networkworld.com/news/2009/092409-construction-firm-sues-after-588000.html) where the challenge questions were successfully answered.There are many Network security assessment tools to prevent such  phishing ways to get the answer to these challenge questions.

The attackers are focusing Phishing efforts on Twitter and Facebook much more these days. Its pretty obvious why, so much information is available here. KRAA Security a Network security audit tool provider twitters, but we try to keep personal things off there. But many people lives their lives on twitter so much, its a mind boggling concept.

The Washington post just had an article where the list Facebook as the top phished site (http://voices.washingtonpost.com/securityfix/2009/04/facebook_among_top_phished_web.html). Part of this is the information people post and the Applications developed for it have many ways of phishing your information. Thus a Information security risk assessment is a necessity.

So is there is a solution the phishing problem in Social Media? Probably a security penetration test for such websites. Even though the phishing problem will probably get such more extensive as Social Media expands, takes over more aspects of our lives and invades every information dissemination media. Doomed I say.

This was a cheerful post.

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*PGP Security

*FREE Website Security Test

Interesting that these are the same questions your online back account asks you as challenge questions. How long until some really cool tool gets released by the underground that can scan a Profile, and ctageorize data into all the fields a bank usually asks as a challenge question? (I should trademark the concept)

Stop the madness. That includes all these Blogs! Down with Blogs!

Gary

baha@kraasecurity.com

www.kraasecurity.com

Managed Security Services

++++++++++++++++++++++++++++++++++++++++++

Gartner have published a document (in PDF format) on their analysis and recommendations on the above subject:

Twitter’s recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site’s business model. Hype about the potential businesses use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are “sprinkled on.”

This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are “business-strength.” Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work.

Recommendations

All enterprises:
Ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter.
Update Web security gateways and network intrusion prevention systems to block transmission of the malware used in the Twitter attacks.
Require malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies
The document can be downloaded from http://www.gartner.com/DisplayDocument?doc…;ref=g_homelink