Monday, February 16, 2009

Social Networks: Trustworthy?

For many people it has become a daily routine to check Facebook, MySpace, Twitter, or another social networking site. The draw is simple: connect with friends old and new in an environment full of bells and whistles that offer engaging ways to keep each other informed and entertained.

These sites let you search for friends, add them to your inner circle, upload photos and music, share birthdays, pass around platform-specific applications (sent a hug lately?), and so on. Most people are inclined to include plenty of detail about their current and past jobs, where they live, where they went to school, their birthdays, and all kinds of other personal facts that seem harmless when shared among friends, right? After all, you can configure your profile to share only the minimum of information, and only with people you have accepted as friends (read: not friends of friends).

This is exactly why social networking sites are so attractive to attackers. There are huge numbers of people, in a single environment, doling out oodles of information that can be used in countless ways to aid identity theft, account takeover, or any variety of masquerading and spoofing. How can this be? Here are some very simple examples.

1. Friends do not have to prove themselves to you. Think about logging in to your bank's website. You have to pass several authentication checks to prove to the bank that you are who you say you are: a user name, a password, sometimes a PIN, an answer to a secret question, and so on. (Strictly speaking these are all the same factor, something you know, but the bank at least makes you clear the hoops.) Only then does the bank trust you enough to show you the account. On Facebook, by contrast, you see that a new fan page has appeared for your favorite author. To show your support, you send a friend request and cross your fingers that they accept, so you can keep tabs on them and share juicy little tidbits from time to time. Did you ask for proof that the person is who they claim to be? Was there any authentication of identity? No, of course not. But now that you are officially a "fan," whoever created the fan page sees whatever you share with friends. Worse, your friends will see that you are a fan, and they may join in too. Note what that friends-only information typically is: birthday, hometown, school, employer. Those are precisely the answers to the "secret questions" that banks and e-mail providers use for password resets. Very simply, the attacker just obtained a plethora of personal information that can be used to steal your identity.

2. Applications have security settings, right? Yes, but applications are not protected from other applications. The really cool thing about these sites is that anyone can write and submit an application for friends to install. The really bad thing is that such an application can just as easily be written to pull information out of other, legitimate applications without you ever knowing. True, you can limit what each individual application may share about you, but there is no setting that stops one application from lifting the data another application holds.

3. Your information is not private! Every social networking site has disclosures in its terms of service (which you read and accepted) granting it broad rights to use your information, photos included. Mostly that means selling the demographics of registered users to companies that want to run targeted advertising campaigns on your page. For example, suppose your profile says you are single, gay, male, and between 20 and 30. Before long you will see ads on the page aimed at gay men in their twenties. To some that is no big deal; to others it is an invasion of privacy. Who knows how many companies now have the skinny on me, and to what extent they "know" me? Who's to say those companies won't sell their databases on to other, less scrupulous companies that mine the data for much more intimate details about you and your life? Remember, even if you delete your account and never visit the site again, it is too late: copies of your data already sit in databases you cannot reach, let alone purge.

Scared a little? You should be. Should you become an internet hermit and never put so much as your gender on a website again? No, I don't advocate that either. What you need to remember is that anything you put out there, no matter how harmless or well protected it seems, will always be a target for people with nothing but time and resources to mine it. If you want to minimize (and I say minimize because I don't believe you can hide entirely) the attack surface you present to the bad guys, be extremely vigilant about the information you share about yourself. Reputable companies, banks, etc. are compromised daily, which leaves you as the only person who can truly keep your data secure.
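To make the attack in point 1 concrete, here is a small added example of my own, not part of the original post and not any real site's code. It models how a profile's audience settings interact with accepting an unverified friend: before you accept the fake fan page, its owner is a stranger and reads only your public fields; after you accept, they are a friend and read every friends-only field, several of which answer typical password-reset questions. The profile, the audience tiers and the reset questions are all constructed for the illustration.

```python
"""Added illustration of the attack in point 1: accepting an unverified
"friend" (the fake fan page) moves the attacker from the "everyone" audience
tier into the "friends" tier, and the friends-only fields that become visible
double as answers to common password-reset questions.

Everything here is constructed for the example: the profile, the audience
tiers and the reset questions are hypothetical, not any real site's data."""

# Audience tiers, most restrictive first.
ONLY_ME, FRIENDS, FRIENDS_OF_FRIENDS, EVERYONE = (
    "only_me", "friends", "friends_of_friends", "everyone")
AUDIENCE_RANK = {ONLY_ME: 0, FRIENDS: 1, FRIENDS_OF_FRIENDS: 2, EVERYONE: 3}

# Which tier a viewer falls into, by relationship to the profile owner.
VIEWER_TIER = {
    "self": ONLY_ME,
    "friend": FRIENDS,
    "friend_of_friend": FRIENDS_OF_FRIENDS,
    "stranger": EVERYONE,
}

# Constructed sample profile: field -> (value, audience the field is shared with).
SAMPLE_PROFILE = {
    "name": ("Alice Example", EVERYONE),
    "birthday": ("1984-03-12", FRIENDS),
    "hometown": ("Springfield", FRIENDS),
    "high_school": ("Springfield High", FRIENDS),
    "employer": ("Acme Corp", FRIENDS_OF_FRIENDS),
    "pet_name": ("Rex", FRIENDS),
    "mother_maiden_name": ("Smith", ONLY_ME),
    "email": ("alice@example.com", FRIENDS),
}

# Hypothetical password-reset questions and the profile field that answers each.
RESET_QUESTIONS = {
    "What is your date of birth?": "birthday",
    "In what city were you born?": "hometown",
    "What high school did you attend?": "high_school",
    "What is your pet's name?": "pet_name",
    "What is your mother's maiden name?": "mother_maiden_name",
}


def visible_fields(profile, relationship):
    """Fields a viewer with the given relationship can read.

    A field is readable when its audience is at least as wide as the tier
    the viewer belongs to (a friend reads friends, friends-of-friends and
    everyone fields; a stranger reads only everyone fields)."""
    tier = AUDIENCE_RANK[VIEWER_TIER[relationship]]
    return {field: value for field, (value, audience) in profile.items()
            if AUDIENCE_RANK[audience] >= tier}


def answerable_questions(visible):
    """Reset questions whose answer can be read straight off the visible fields."""
    return {question: visible[field]
            for question, field in RESET_QUESTIONS.items() if field in visible}


def exposure_after_accepting(profile, before="stranger", after="friend"):
    """What accepting an unverified friend request newly hands the requester.

    Returns (newly visible fields, reset questions now answerable)."""
    seen_before = visible_fields(profile, before)
    seen_after = visible_fields(profile, after)
    newly = {f: v for f, v in seen_after.items() if f not in seen_before}
    return newly, answerable_questions(seen_after)


def fields_to_restrict(profile):
    """The post's closing advice, mechanised: fields that answer a reset
    question but are shared with anyone other than the owner."""
    return sorted(field for field in RESET_QUESTIONS.values()
                  if field in profile and profile[field][1] != ONLY_ME)


if __name__ == "__main__":
    newly, questions = exposure_after_accepting(SAMPLE_PROFILE)
    print("Newly visible after accepting the fake fan page:", sorted(newly))
    print("Reset questions the attacker can now answer:")
    for question, answer in questions.items():
        print(f"  {question} -> {answer}")
    print("Consider setting to only-me:", fields_to_restrict(SAMPLE_PROFILE))
```

With the sample profile, a stranger sees only the name; one accepted friend request exposes six more fields and answers four of the five reset questions. The only field that stays hidden is the one set to only-me, which is the practical check to take away: any profile field that could answer a reset question somewhere else deserves the tightest audience setting available, because a "friends" setting is only as strong as your vetting of friends.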

1 comment:

Jell-o Flinger said...

You're making me nervous and feeling guilty for every facebook application I've allowed. I am such a sucker sometimes ;)