Are social media platforms the Jurassic Park of computing?
— Kevin Prince is chief technology officer of Perimeter E-Security. The views expressed are his own. —
Social networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: John Hammond wanted to build something no one else had ever done, a fun theme park combined with a zoo of cloned dinosaurs. He built what he thought would be adequate security, but in reality he didn’t understand nearly enough about the environment he was trying to control. People naturally trusted that proper security was in place and that they would of course be safe. Things quickly spiral out of control, and nearly everyone gets eaten by the end of the movie.
The creators of social networking sites — yes, all of them — are just like John Hammond. Their unique ideas caught on in such a viral way that just keeping up with the bandwidth, processing power, storage, development, and everything else required to keep the system online is an amazingly complex, never-ending task. For most of these sites, security is – and has always been – an afterthought. Some of them try, but it’s a bit like closing the amusement park gates after the Tyrannosaurus has bolted.
The users of social networking sites also contribute to the problem. Most are absolutely reckless when it comes to behavior on the sites. A while ago, I ran a social networking experiment on Facebook. I created a new user profile based on a free Google mail account. I chose the name Rebecca Johnson, made her 26, and used a profile picture of a three-year-old girl in a dress that I snagged from a department store website. No other information was in the profile. I wanted to see what would happen when I invited random strangers to be friends with this fictitious person.
Lucky for me, Facebook presents you with people it thinks you might know. Due to a lack of information in my profile, Facebook presented me with people of all ages that live in my county (obviously they were looking at my IP address and correlating that with my city). I of course knew none of these people but went ahead and invited them and others. In all, I invited 250 totally random people to be my friends. The only criteria I used: they had to have profile pictures. My logic: if you don’t have a profile picture, you’re probably not a serious or frequent user. Here’s a timetable of what happened next.
8:00am – Invite Friends
8:02am – My first friend accepts the invitation
9:00am – 6 Friends
10:00am – 12 Friends
3:00pm – 28 Friends
After one week, I had 140 friends. Forty-seven people ignored my request; three questioned me via email saying, “I am kind of embarrassed, how do I know you again?”; I had 60 “pending” requests; and one friend invitation with an email saying, “Hey, I must know you because we know three of the same people.”
If you remove the pending requests, nearly 75 percent of requests ended in the person accepting me as a friend. And it got worse: after one month, I had 187 friends out of that initial 250 friend requests. In other words: a staggering percentage of people will accept a friend request from someone they don’t know.
So, does that really matter? What harm can come from it, right? Well, let me tell you: Rebecca Johnson now has an intimate knowledge of her 187 friends’ lives:
Most have posted recent photos of themselves and their loved ones. One took pictures of every room in her house after a recent remodel and then began “a much needed vacation” to California and announced she wouldn’t be back for two weeks.
Several were young kids still in high school. Facebook is a cyber-stalker’s dream come true. For many friends, you can know their every move. For others, you know the major events in their lives. Even a mildly creative person can come up with hundreds of ways this information could be exploited. Think of the information that most of us have entered into Facebook.
Name, sex, birthday, relationship status and interests, political views, religious views, email address, schools, employment, location, other friends, photos, videos, not to mention whatever comes into our heads and gets posted on our walls. Rebecca Johnson knows when people are coming, when they are going, who they will be with, and much, much more.
Another huge problem is passwords. All too often people use passwords that are short or easy to guess, or they use the same password on many different systems. Further, the processes that protect these systems are often flawed. For example, to do a password reset you might have to answer some questions about yourself that you entered when initially registering (like your father’s middle name, or what elementary school you attended). Today, most of these questions are not difficult to discover when combining social networking sites and other Internet resources. This is how Sarah Palin’s email was breached during her campaign.
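The reset flow described above fails because the "secret" it relies on (a relative's name, a school) is public knowledge. The usual defensive replacement is to make the reset depend on a random, single-use, time-limited token delivered out of band instead of on knowledge-based questions. The following is an added example written for this page, not code from the author or from any of the services mentioned; the fifteen-minute lifetime, the five-attempt lockout, the server key and the user identifiers are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link; pick per policy


class ResetTokenStore:
    """Issues and verifies single-use, time-limited password reset tokens.

    Only an HMAC of each token is kept server-side, so a leaked table does
    not yield usable reset links. The raw token is what gets sent to the
    user's registered mailbox or phone (the out-of-band channel).
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}   # user_id -> (token_mac, expires_at)
        self._attempts = {}  # user_id -> failed redemptions so far

    def _mac(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, now=None) -> str:
        """Create a fresh token for user_id, replacing any earlier one."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = (self._mac(token), now + TOKEN_TTL_SECONDS)
        self._attempts[user_id] = 0
        return token

    def redeem(self, user_id: str, presented: str, now=None, max_attempts=5) -> bool:
        """Return True exactly once, for the right token, before expiry."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_mac, expires_at = entry
        if now > expires_at:
            self._pending.pop(user_id, None)  # stale link is useless afterwards
            return False
        if self._attempts.get(user_id, 0) >= max_attempts:
            self._pending.pop(user_id, None)  # too many guesses: force re-issue
            return False
        if hmac.compare_digest(stored_mac, self._mac(presented)):
            self._pending.pop(user_id, None)  # single use
            return True
        self._attempts[user_id] = self._attempts.get(user_id, 0) + 1
        return False


if __name__ == "__main__":
    # Constructed walk-through: issue, one wrong guess, the real token, then reuse.
    store = ResetTokenStore(b"constructed-server-key-not-for-production")
    link_token = store.issue("alice")
    print("wrong token accepted?", store.redeem("alice", "not-the-token"))
    print("real token accepted? ", store.redeem("alice", link_token))
    print("replay accepted?     ", store.redeem("alice", link_token))
```

Three properties do the work here: the token comes from a CSPRNG rather than from facts about the user, it is compared with `hmac.compare_digest` so verification time does not leak how many bytes matched, and it is consumed on first success and expires on its own, so an old reset e-mail found later is worthless.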
So it’s no surprise that naive, trusting, apathetic, and unsuspecting users, who don’t think about security, are often the same ones who become victims of identity fraud.
But there’s another culprit: “cloud computing” providers. Last summer, a hacker broke into the personal Google Mail account of the spouse of an executive at Twitter. And because that account was linked to shared documents in Google Apps (a cloud computing system), hundreds of sensitive company documents were exposed. Is the user to blame or the cloud-based services? In the aftermath of the breach, fingers were pointed at a lack of policies and procedures prohibiting links of personal email to corporate resources, the cloud computing service, and everything in between.
And Twitter is not alone: Monster.com, Lexis-Nexis, Facebook, MySpace, and many others have all been compromised at some point. That’s because social network sites make it easy to register, log in, remember your login credentials, and even reset your password. They also make it very easy to spoof other users, install malware, send spam, or conduct any number of other nefarious acts. Plus, these sites have a growing number of third-party applications and service providers that interact with these services – with little in the way of what most security professionals would consider adequate security.
The combination of weak security procedures, third-party interactions, a user culture of “ease of use” trumping security, and the blending of corporate and personal lives is a formula for disaster. And although social networks have one of the biggest targets on their back, they’re just one type of cloud computing service.
The harsh reality: Cloud-based application providers think application first, and somewhere down on the list is security.
So what can be done?
First, cloud computing services need a ground-up overhaul of their security. They need to build their systems with security and privacy as the top priority rather than an afterthought. They need to stop blaming the “other guy” and shore up their own code and networks. They need to protect themselves from unauthorized access, data manipulation, data exposure, and a myriad of other threats.
Meanwhile, users need to take responsibility for their own identities and information and stop flaunting it on the Internet. They need to assume that if they post something on the Internet, everyone in the world can see it. They shouldn’t connect personal accounts to corporate resources. They need to use strong (long and complex) passwords that change periodically and are different for each service they use. There are many secure applications for smartphones that can store credentials.
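Two of the habits above, length and complexity on one hand and one password per service on the other, are easy to audit mechanically once credentials sit in a manager. The script below is an added example for this page, not the author's code or any product's feature; the 14-character minimum, the 60-bit entropy floor and the four sample credentials are constructed for the illustration, and the entropy figure is the coarse alphabet-size estimate, not a measure of how guessable a particular word is. It does not model the periodic rotation the paragraph also asks for.

```python
import hashlib
import math
import string
from collections import defaultdict

MIN_LENGTH = 14        # assumed policy floor, not taken from the article
MIN_ENTROPY_BITS = 60  # assumed floor for the crude estimate below


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the character classes used).

    A dictionary word with digits appended scores lower than a random string
    of the same length only because it uses fewer classes; real strength
    checkers also penalise common words and patterns.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def audit(credentials):
    """credentials: iterable of (service, password).

    Returns {service: [findings]} for every service with at least one
    problem: 'short', 'low-entropy', or reuse of the same secret elsewhere.
    Reuse is detected by comparing digests so the comparison never needs
    the plaintexts side by side after hashing.
    """
    findings = defaultdict(list)
    by_digest = defaultdict(list)
    for service, pw in credentials:
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(service)
        if len(pw) < MIN_LENGTH:
            findings[service].append("short")
        if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
            findings[service].append("low-entropy")
    for services in by_digest.values():
        if len(services) > 1:
            for s in services:
                others = ", ".join(sorted(x for x in services if x != s))
                findings[s].append("reused across " + others)
    return dict(findings)


# Constructed sample vault: one reused weak password, one short-but-mixed
# password, and one long random one.
SAMPLE_VAULT = [
    ("mail", "password123"),
    ("bank", "password123"),
    ("work", "Tr0ub4dor&3"),
    ("vpn", "q7#Lm2!pVx9$Rt4wBz8k"),
]

if __name__ == "__main__":
    for service, problems in sorted(audit(SAMPLE_VAULT).items()):
        print(f"{service}: {'; '.join(problems)}")
```

On the sample vault the two reused entries are flagged for both weakness and reuse, the mixed-class eleven-character password is flagged only as short, and the twenty-character random one passes, which matches the article's point that length and uniqueness matter independently.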
Anything less and the risk of identity theft and fraud will only escalate.