Social networking sites are a security minefield, so we have created some exercises to test for vulnerabilities.
Given recent high-profile data losses such as the HMRC and HSBC incidents, personal data loss has received a great deal of attention recently. How ironic then that most of us have data out there for all to find on social networking sites, forums and job sites.
Ofcom's report on social networking, published last month, states that users "may be aware of the risks, but this awareness ... is not always translated into action". Reasons cited for user inertia include a lack of awareness of security issues; the assumption that the social networking site had taken care of any privacy and safety issues; and the fact that privacy and safety information was difficult to find and to use.
The report was followed by a lengthy tome of guidance from the Home Office. Much of the advice is welcome, but the report failed to make recommendations for dealing with forged friend requests, a likely growth area for identity theft. It's relatively easy for an attacker to view your contacts and hijack the identity of one of them to find out more information about you. One of the most positive aspects of social networking is the ability to make contact with old friends, so how is one supposed to authenticate them as genuine?
So just how vulnerable is your profile to attack? The following exercises will help you find out.
Exercise 1
Enter your corporate email domain name into Google Groups, for example '@companyname.com'. (You'll need to click 'more' on the search page to find the Groups search function.)
How many hits did you get? Now try your full work email address. Has anyone in the business made postings using their work email address? This is not a good idea, as it facilitates targeted email-borne attacks.
Exercise 2
Did you ever set up a profile on Friends Reunited? Everyone forgets these, now we're in the age of Facebook and MySpace. Search for yourself using the basic search on the homepage. How many hits were there? The more the merrier, as it will make it harder to find you. You might want to strip out unnecessary info from your profile. Keep it to the bare minimum of the school you attended.
Exercise 3
Try Googling yourself. See if you can find out anything about yourself searching only for your name. Has Google indexed content that would be useful? Would someone be able to find out the name of the town where you live?
Exercise 4
Try an online directory search such as 192.com. Search by your name and, if you found it, the town where you live. Did it come back with your address, others living in your house and your phone number? This is scary stuff.
Exercise 5
Do an upgraded search of an online register of births, deaths and marriages: 192.com and many others have interfaces to the register. See how long it takes to find your mother's maiden name. By this stage, without even touching a social networking site, you've probably got hold of the majority of your identity.
Exercise 6
Search for yourself on Facebook, assuming you have an account. Can you access your profile without becoming a "friend"? If not, can you see your list of friends? Ask yourself how useful that information could be.
Exercise 7
Secure your Facebook account! You log in over HTTPS, but once you have done so the session drops to HTTP for performance reasons. Facebook users often access their account at least every other day, making it a common URL on open networks such as WiFi hotspots. It would be relatively easy to sniff a session and browse someone's account at leisure given that Facebook sessions do not expire, even after a period of inactivity.
- Ken Munro is managing director of SecureTest. He can be contacted at ken.munro@securetest.com.