Without a careful security policy in place, the benign face of social networking could turn quite nasty.
Facebook is an archetypal internet success story, one of those ‘why didn't I think of that?’ websites that has grown to monstrous (and valuable) proportions almost overnight. While a few years ago it seemed that social networking sites would be just a passing interest, the rise of Facebook from a small academic site in 2004 to a global empire with more than 400 million subjects today has proven otherwise.
On the face of it (excuse the pun), Facebook is a benign site, offering a straightforward way for people to have a simple web presence. Typical pages provide a drip-feed of users' thoughts, activities, family photos and cat pics.
The security community has a love-hate relationship with Facebook and similar sites. Facebook is a handy way to keep track of security groups and projects, but it also provides a convenient channel for information to leak out to potential attackers.
These days, most pen testers and computer criminals won't waste time chipping away at firewalls when a well-targeted phishing attack will be simpler and more likely to succeed. And what better way to profile your potential targets than by befriending them on Facebook and similar sites such as LinkedIn, a business-like Facebook for grownups?
Perhaps most worrying is that typically the default option is ‘let everyone in’. It's interesting to note how many users leave permissive Facebook settings in place, allowing ‘friends of friends’ – or even everyone – to access images and profiles. And due to Stanley Milgram's ‘six degrees of separation’, you're unlikely to be many Facebook friends away from a criminal.
Facebook supports custom applications, which cover everything from the vaguely useful to the banal. By adding an application, you grant its developer unrestricted access to your ‘private’ data.
While the majority of applications are innocent, there's no guarantee that they all are. In similar fashion, joining a Facebook group may get you more than you bargained for, granting other members access to your data.
To make matters worse, Facebook has a track record of rather dumb security issues. While you can log in via SSL, once in, the session is unencrypted and session-stealing a Facebook connection is pretty easy. Several colleagues who reported security vulnerabilities have tried and failed to get a sensible response; to describe Facebook's security model as ‘porous’ would be a compliment. Recent errors have temporarily revealed private chat sessions to the public, and it is almost impossible to truly delete data from a Facebook account.
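The weakness described above (an SSL login followed by an unencrypted session) is exactly what the `Secure` cookie attribute exists to prevent: a browser will not send a cookie marked `Secure` over plain HTTP at all. The following Python is an added example, not Facebook's code or anything from the column; it audits a `Set-Cookie` header for the attributes a session cookie should carry and builds a hardened one. The header strings and the cookie name `session` are constructed for the illustration.

```python
"""Audit a Set-Cookie header for session-cookie hardening (added example).

Constructed sample headers; the cookie name 'session' is an assumption.
"""

def parse_set_cookie(header):
    """Split 'name=value; Attr1; Attr2=v' into (name, value, {attr: v})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookie(header):
    """Return a list of weaknesses found in a session cookie's Set-Cookie header."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser sends the cookie on plain-HTTP requests,
        # so anyone observing the network can copy the logged-in session.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly, page script can read the cookie (XSS exposure).
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Without SameSite=Lax/Strict the cookie rides along on cross-site requests.
        findings.append("SameSite not Lax or Strict")
    return findings

def hardened_session_cookie(name, value, max_age=3600):
    """Build a Set-Cookie header carrying the attributes the audit expects."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"

# Constructed sample: a login that sets the session cookie with no protection.
WEAK_HEADER = "session=abc123; Path=/"

if __name__ == "__main__":
    print("weak:", audit_session_cookie(WEAK_HEADER))
    fixed = hardened_session_cookie("session", "abc123")
    print("hardened:", fixed, "->", audit_session_cookie(fixed))
```

The `Secure` attribute only keeps the cookie off plain HTTP; it does not stop a site from serving logged-in pages over HTTP in the first place. The complete remedy is to serve every authenticated page over HTTPS and mark the session cookie `Secure` so it can never leak onto an unencrypted connection.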
Some critics have gone so far as to suggest quitting Facebook altogether (http://bit.ly/aUffsS). While I wouldn't go this far, my standard advice on Facebook et al. is that you should assume anything published there will at some stage become public knowledge. This may be pessimistic, and I certainly haven't seen a ‘get access to anything’ script for Facebook, but it does at least ensure you won't end up with nasty surprises if the worst happens.
It has been argued that people's attitude to privacy is changing, and that all that sites such as Facebook are doing is going with the trend. This may be true, although I've yet to find a Facebook user who is happy with what I tell them about the privacy of their information, and recent US research shows that young internet users are actually quite sensitive about privacy concerns (http://bit.ly/9O6Mkv). Regardless, the attitude to privacy that Facebook assumes on its users' behalf is no excuse for the use of ‘wide open’ defaults. ‘Default deny’ should apply to social information as much as it does to network access.
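To make the ‘default deny’ point concrete, here is an added example in Python (not Facebook's model, and not code from the column) of a visibility check over profile fields. Each field may carry an explicit audience; a field with none falls back to the policy default, and the two runs show the same profile under a ‘let everyone in’ default and under a default-deny one. The friendship graph, the profile and the user names are constructed for the illustration.

```python
"""Default-deny visibility for social profile fields (added example).

Constructed friendship graph and profile; not Facebook's data model.
"""
from collections import deque

AUDIENCES = ("only_me", "friends", "friends_of_friends", "everyone")

# Constructed undirected friendship graph: alice - bob - carol - mallory.
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob", "mallory"},
    "mallory": {"carol"},
}

# Constructed profile: field -> (value, explicit audience or None if never set).
PROFILE = {
    "name": ("Alice", "everyone"),
    "photos": ("album-1", None),
    "phone": ("555-0100", None),
    "employer": ("Acme", "friends"),
}

def social_distance(graph, src, dst, limit=2):
    """Friendship hops from src to dst, or None if more than `limit` hops away."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if dist >= limit:
            continue
        for nxt in graph.get(node, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def can_view(graph, owner, viewer, audience):
    """Decide whether viewer may see a field of owner with the given audience."""
    if viewer == owner or audience == "everyone":
        return True
    dist = social_distance(graph, owner, viewer, limit=2)
    if audience == "friends_of_friends":
        return dist is not None and dist <= 2
    if audience == "friends":
        return dist == 1
    return False  # 'only_me' and anything unrecognised: deny

def visible_fields(graph, owner, viewer, profile, default_audience="only_me"):
    """Return the subset of profile fields viewer is allowed to see.

    Fields with no explicit audience take default_audience; the safe default
    is 'only_me', the permissive one is 'everyone'.
    """
    shown = {}
    for field, (value, audience) in profile.items():
        effective = audience if audience in AUDIENCES else default_audience
        if can_view(graph, owner, viewer, effective):
            shown[field] = value
    return shown

if __name__ == "__main__":
    for viewer in ("bob", "carol", "mallory"):
        print(viewer, "permissive:", visible_fields(FRIENDS, "alice", viewer, PROFILE, "everyone"))
        print(viewer, "default deny:", visible_fields(FRIENDS, "alice", viewer, PROFILE))
```

Under the permissive default, mallory, three hops from alice, sees her photos and phone number without ever having been approved; under default deny, the same unset fields collapse to ‘only me’ and only the field alice explicitly published to everyone is visible.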
Social networking is likely to remain popular, but without careful privacy controls the network could become antisocial very quickly.