Are social media platforms the Jurassic Park of computing?

By Kevin Prince
March 5, 2010

– Kevin Prince is chief technology officer of Perimeter E-Security. The views expressed are his own. –

Social networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park, where John Hammond wanted to build something no one else had ever done: a fun theme park combined with a zoo of cloned dinosaurs. He built what he thought would be adequate security but, in reality, didn’t understand nearly enough about the environment he was trying to control. People naturally trusted that proper security was in place and that they would of course be safe. Things quickly spiral out of control, and nearly everyone gets eaten by the end of the movie.

The creators of social networking sites — yes all of them — are just like John Hammond. Their unique ideas caught on in such a viral way that just keeping up with the bandwidth, processing power, storage, development, and everything else required to keep the system online is an amazingly complex, never-ending task. For most of these sites, security is – and has always been – an afterthought. Some of them try, but it’s a bit like closing the amusement park gates after the Tyrannosaurus has bolted.

The users of social networking sites also contribute to the problem. Most are absolutely reckless when it comes to behavior on the sites. A while ago, I ran a social networking experiment on Facebook. I created a new user profile based on a free Google mail account. I chose the name Rebecca Johnson, made her 26, and used a profile picture of a three-year-old girl in a dress that I snagged from a department store website. No other information was in the profile. I wanted to see what would happen when I invited random strangers to be friends with this fictitious person.

Lucky for me, Facebook presents you with people it thinks you might know. Due to a lack of information in my profile, Facebook presented me with people of all ages that live in my county (obviously they were looking at my IP address and correlating that with my city). I of course knew none of these people but went ahead and invited them and others. In all, I invited 250 totally random people to be my friends. The only criteria I used: they had to have profile pictures. My logic: if you don’t have a profile picture, you’re probably not a serious or frequent user. Here’s a timetable of what happened next.

8:00am – Invite Friends
8:02am – My first friend accepts the invitation
9:00am – 6 Friends
10:00am – 12 Friends
3:00pm – 28 Friends

After one week, I had 140 friends. Forty-seven people ignored my request; three questioned me via email saying, “I am kind of embarrassed, how do I know you again?”; I had 60 “pending” requests; and one friend invitation with an email saying, “Hey, I must know you because we know three of the same people.”

If you remove the pending requests, nearly 75 percent of requests ended in the person accepting me as a friend. And it got worse: after one month, I had 187 friends out of that initial 250 friend requests. In other words: A staggering percentage of people will accept a friend request from someone they don’t know.

So, does that really matter? What harm can come from it, right? Well, let me tell you: Rebecca Johnson now has an intimate knowledge of her 187 friends’ lives:

Most have posted recent photos of themselves and their loved ones. One took pictures of every room in her house after a recent remodel and then began “a much needed vacation” to California and announced she wouldn’t be back for two weeks.

Several were young kids still in high school. Facebook is a cyber-stalker’s dream come true. For many friends, you can know their every move. For others, you know the major events in their lives. Even a mildly creative person can come up with hundreds of ways this information could be exploited. Think of the information that most of us have entered into Facebook.

Name, sex, birthday, relationship status and interests, political views, religious views, email address, schools, employment, location, other friends, photos, videos, not to mention whatever comes into our heads and gets posted on our walls. Rebecca Johnson knows when people are coming, when they are going, who they will be with, and much, much more.

Another huge problem is passwords. All too often, people use simple passwords that are short or easy to guess, or they use the same password on many different systems. Further, the processes that protect these systems are often flawed. For example, to do a password reset you might have to answer some questions about yourself that you entered when initially registering (like your father’s middle name, or what elementary school you attended). Today, most of these questions are not difficult to discover when combining social networking sites and other Internet resources. This is how Sarah Palin’s email was breached during her campaign.

So it’s no surprise that naive, trusting, apathetic, and unsuspecting users, who don’t think about security, are often the same ones who become victims of identity fraud.

But there’s another culprit: “cloud computing” providers. Last summer, a hacker broke into the personal Google Mail account of the spouse of an executive at Twitter. And because that account was linked to shared documents in Google Apps (a cloud computing system), hundreds of sensitive company documents were exposed. Is the user to blame or the cloud based services? In the aftermath of the breach, fingers were pointed at a lack of policies and procedures prohibiting links of personal email to corporate resources, the cloud computing service, and everything in between.

And Twitter is not alone: Monster.com, Lexis-Nexis, Facebook, MySpace, and many others have all been compromised at some point. That’s because social network sites make it easy to register, log in, remember your login credentials, and even reset your password. They also make it very easy to spoof other users, install malware, send spam, or conduct any number of other nefarious acts. Plus, these sites have a growing number of third-party applications and service providers that interact with these services – with little in the way of what most security professionals would consider adequate security.

The combination of weak security procedures, third-party interactions, a user culture of “ease of use” trumping security, and the blending of corporate and personal lives is a formula for disaster. And although social networks have one of the biggest targets on their back, they’re just one type of cloud computing service.

The harsh reality: Cloud-based application providers think application first, and somewhere down on the list is security.

So what can be done?

First, cloud computing services need a ground-up overhaul of their security. They need to build their systems with security and privacy as the top priority rather than an afterthought. They need to stop blaming the “other guy” and shore up their own code and networks. They need to protect themselves from unauthorized access, data manipulation, data exposure, and a myriad of other threats.

Meanwhile, users need to take responsibility for their own identities and information and stop flaunting it on the Internet. They need to assume that if they post something on the Internet, everyone in the world can see it. They shouldn’t connect personal accounts to corporate resources. They need to use strong (long and complex) passwords that change periodically and are different for each service they use. There are many secure applications for smart phones that can store credentials.

Anything less and the risk of identity theft and fraud will only escalate.

10 comments

This was an awesome read and for the most part I have to agree. In addition to identity theft, these social sites are plagued with viruses that continually threaten your computer. It is a big problem for corporates whose employees open to social sites at work… but as anything in our society we usually don’t close the barn door and incorporate procedures till long after the horses ran loose….. unfortunate as it is!

Posted by chickmelion

now that’s just nasty..how do u expect to find someone honest and loving on the lovers website u joined when u are being sneaky yourself? u need to get smart and start living life

Posted by mandy198

Brilliant article by Kevin Prince.

Absolutely appropriate and secure thought, I am a small business who is interested in going online, and also espouse my many causes in environmental management and habitat protection for the dwindling tiger in Karnataka South of India. As a saying goes the Lucre (cash, coin) has two sides to it.
The article is very thought provoking and Brilliant.

Posted by Ismailtaimur

Are social media platforms the Jurassic Park of computing?
You have really let the cat out of the bag?
From a corporate and government point of view these sites are a major security risk.
From the individual’s point of view it is someone to talk to! The catch is what are you being drawn into. As you can wind up being cleaned out financially, physically abused or murdered.
These programs are a little like rolling a snow ball down hill and starting an avalanche.
The concept of every one being able to communicate is excellent; however one needs to be aware you may be the hunted not the hunter.

Posted by The1eyedman

Thank You for this information. Back to basics for me

Posted by flycatcher

Kevin,

I’ve repeatedly asked Twitter Security if they might work on some way of an individual’s removing an entire Botnet based on a keyword or phrase, instead of having to eliminate a suspected Botnet “person by person” – actually, Bot by Bot! So far, no luck. But if more people agitate for it, maybe they’ll someday allow it.

Meanwhile, you and your Readers might enjoy reading my serious humor piece about Twitter, “My Life With a Dastardly Twitter Stalker” http://wp.me/pycK6-L

(Dr. Ellen Brandt is founder of the BoomerNetwork, Centrists, and IvyLeague Twibes at Twitter and the Media Revolution and Centrists Groups at Linked In.)

Posted by Venerability

The only real problem with your comparison is that it’s flawed fundamentally.

Jurassic Park – A. Wasn’t open yet B. The visitors were in no way responsible for their own safety.

Internet – Everyone knows perfectly well that they should make a good password. They’re just lazy and think “oh, it won’t ever happen to me.” It would be like if every visitor to JP was responsible for closing the Raptor cage when they used it. Of course the Raptors will get out, because people are stupid and lazy.

Posted by Jarlent

Splendid analysis. I just happened upon this article and found the read compelling. My account was also compromised on Hi5—another social networking site. Hi5 offered fancy widgets and creative backgrounds—a somewhat childish theme—while Facebook offers gaming and commerce-oriented applications that surpass generational gaps. Social networking allows participants to be as generous or as stingy as they wish with the truth. It allows the imagination to run wild and most are apt to develop alter-egos—as Prince rightly demonstrated. It allows an avenue for self-expression—and the ability for one to assume a totally different identity. Some people have capitalized on the anonymity that this affords. The temptation to assume another identity altogether as a form of escape is great. The study also underscores some truths about the sexes in terms of priorities—financial and academic stature for men, physical stature for women. Formulated based on impression; whatever improves their chances.

Posted by JayTee1180

Caravanning is a very popular vacation choice for many. Allowing holidaymakers the freedom of the road, whilst also providing a cost-effective holiday solution.

Camping and Caravan Club
http://campingandcaravanclub.com/

Posted by jimamily