Social Media Security 101

Tuesday, April 24, 2012

Joel Harding


Recently a friend shared that his password and ID on an online website was compromised. 

This is why I specifically told him the other day “use a different User ID and password” on every different website.  Seriously!  That could be a lot of passwords and user IDs, but it doesn’t have to be too painful.

A friend of mine didn’t change his password for years and had the same one for most of his accounts.  Then he noticed his account was hijacked on one site.  Well, duh, one of the system administrators probably was human and the temptation was too great, so he ‘borrowed’ my friend’s account and a bunch of others.

Perhaps someone hacked the site and stole a bunch of IDs and passwords. The crooked SysAd or thief guessed, as most smart people do, that my friend was too lazy to come up with new IDs and passwords and wondered where else my friend had used them.  Ergo, his accounts were hijacked, borrowed or stolen and he was playing the part of Forrest Gump.

I was at his house and we noticed some strange activity on his accounts so we changed all his accounts using my ‘sentence passwords’, which I’ll describe in the next paragraph.  

Voila, problem solved.  “My name is Forrest Gump and I’m a dumb chit” was very close to one of the passwords I gave him…  This was my subtle reminder to him every time he logged onto one website. I think he learned his lesson.

Sentence passwords. I love these things.  I had a SysAd give me a password for one of the WiFi systems, and the 64-character password of numbers, symbols, and upper and lower case letters took me about two minutes to type in – every time – and I swore I’d get even.

Yes, Justin, I’m talking about you. But this system is much easier to remember and use.  “My name is Bill and I am 32!” That is an example of a password that is easy to remember and can be changed quickly and easily anytime.  “I like football, especially the Quarterback, #12!” “My name is Darlene and I have three kids, 12, 10 and 2.”

Now, a lot of sites do not allow spaces in a password – so just remove the spaces.  “MynameisDarleneandIhavethreekids,12,10and2.”  If the commas offend the system, take them out.  Keep going until you find something the system likes or find the SysAd and shove it up their…  oops. You get the picture.

Recently I ran across a site that didn’t allow passwords longer than 12 characters.  I think I’ll have a little chat with their folks at my first convenience – their system is not very secure.
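The two habits the post describes, adapting a sentence password to a site’s rules (drop spaces, then commas, and flag a site whose length limit is too short for a sentence) and never reusing a password across sites, as an added example that is not the author’s code. The `SitePolicy` fields and the sample sentences and vault below are constructed for illustration, not any real site’s rules.

```python
"""Sentence-password helpers (added example; constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import string


@dataclass(frozen=True)
class SitePolicy:
    """Constraints a site imposes. Assumed field names, not a real API."""
    allow_spaces: bool = True
    allow_punctuation: bool = True
    max_length: Optional[int] = None  # None: no documented limit


def adapt_sentence(sentence: str, policy: SitePolicy) -> Tuple[str, bool, List[str]]:
    """Apply the post's procedure: remove spaces if the site rejects them,
    then punctuation. Returns (adapted, fits, notes). `fits` is False when
    the site's length cap is shorter than the sentence; the password is NOT
    silently truncated, because a chopped sentence is no longer the phrase
    you remember and a 12-character cap is worth a complaint, not a workaround."""
    result = sentence
    notes: List[str] = []
    if not policy.allow_spaces and " " in result:
        result = result.replace(" ", "")
        notes.append("spaces removed")
    if not policy.allow_punctuation:
        stripped = "".join(ch for ch in result if ch not in string.punctuation)
        if stripped != result:
            notes.append("punctuation removed")
        result = stripped
    fits = True
    if policy.max_length is not None and len(result) > policy.max_length:
        fits = False
        notes.append(f"{len(result)} chars exceeds the site's cap of "
                     f"{policy.max_length}; pick a different sentence")
    return result, fits, notes


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used on more than one site to the sorted list of
    sites sharing it. A non-empty result is exactly the exposure the post's
    friend had: one breached site unlocks every other site on the list."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample: the post's Darlene sentence against a no-spaces site.
    print(adapt_sentence("My name is Darlene and I have three kids, 12, 10 and 2.",
                         SitePolicy(allow_spaces=False)))
    # Constructed sample vault: "mail" and "bank" share a password.
    print(find_reused({"mail": "Myname", "bank": "Myname", "forum": "Other!"}))
```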

Okay…  let’s talk about the evils of social media, social networking or Web 2.0, according to your security folks.  In my opinion security people discourage the use of social media sites because they are lazier than my two cats (who sleep 2/3 of every day). It is easier to say ‘don’t use Social Media’ than to actually write an educational program and teach you.

I gave this as a briefing recently and actually had to devote a few hours to putting together a professional briefing.  While I was putting this briefing together I came to the conclusion that not only would security professionals have to become proficient at using Social Media, but then they would have to put it into a briefing, schedule a session with you and then actually give you a briefing.  

Second, most professional security folks are not the sharpest sticks in the box.  Admit it.  To them avoid, avoid, avoid is the only way to address something they do not understand. Nay, I say to you, my fellow online friends, we want to use Social Media, our leaders are all using Social Media, so why shouldn’t highly intelligent people be allowed to have an online presence?  Are we too stupid?  Can we not be trusted? 

The President of the United States sees the most highly classified intelligence in the world but somehow he is allowed to have an online presence. I’ve even heard rumors that he is occasionally trusted to do some of the typing himself!

Yes, we read about compromised social media sites all the time, about malicious code and such…  Hey, security folks – deal with it. It is what it is.  Teach us what not to click. Do your job. Oh, I am available to teach on your behalf, for a fee.

You get out of Social Media only what you put into it. If you avoid it completely, you will get nothing out of it. When I first started in Social Media, I thought it was a fad that would never benefit me personally or professionally.  When I finally began learning some rules of the road, then I began noticing trends, then I began reaping the benefits.

Now I am usually one of the first to hear about current events using TweetDeck for my Twitter account.  I get instant notifications of publications in my field, and people sometimes cite me in online forums. I’ve had strangers contact me for advice and I’ve been invited onto teams solely because I use Social Media.

I’ve participated in online forums and I publicly express my opinions on things which I know about (and some I don’t!). Somebody in the US Department of State asked a question just this morning: what is the utility of LinkedIn? He asked it on Facebook. He is teaching a class at a nearby university and wanted to talk about it.

So I made an online comment which can be read by all his friends. I have a huge list of contacts in LinkedIn and anytime I need any help, I have close to 1,000 people with whom I can confer on a wide variety of issues.

I can also look through the list and find someone by geographic area, by specified niche areas of expertise, by rank or by any of a wide variety of distinctions.  I download my contact list about once a month into a spreadsheet and can use all the tools embedded in modern spreadsheets.

I can also judge a person’s experience, based on their LinkedIn profile.  I’ve had people want to work in senior level positions, who are frankly way too junior.  LinkedIn is a quick and easy way to judge their background if you don’t have their resume. If I have their resume in my hand I also sometimes review their LinkedIn profile, noting discrepancies and abnormalities.

If I speak or write to the person, I ask them about the things which drew my attention.  I’ve uncovered some really neat things about some good people.  One huge gap was when a job applicant took one year off to care for their mother.  Hired. I want someone on my team that has that kind of caring and human compassion.

EVERYTHING is compromised. Every web site, every database, every place that touches the web – I assume this at all times. There is not one among us whose network has not been compromised.  The security mantra in the past was “Risk Avoidance”. That is no longer the case.

With adversaries and competitors who are willing to go to great lengths to infiltrate, exploit and steal our data, with sometimes unlimited resources at their disposal, we must assume they are, to borrow an old Vietnam phrase, “inside the wire”.  I have a great friend, whom I love like a brother, but there is no way I’m going to give him my ID and password.  So, if I won’t give it to someone who I know and trust, why would I give it to an adversary?  

So…  I use a different ID and password on every different system.  I have a little cheat sheet but I never write down the whole password – never. I know my systems (notice, I don’t use the same system of developing a password on every system), so I only need to write down one symbol and perhaps one or two words. I assume my passwords will be stolen but it will not benefit the thief whatsoever.

Second, I never give out information on any site which I would not tell them in a public setting.  Third, I never disclose more personal information than I want them to know.  If I am married, if I have a sister or brother and what they do, I never disclose this information. I do not want that information to be easy to find.

I say easy to find because you can actually hire folks online to do those inquiries for you, just using public records and it is perfectly legal. There is no such thing as true anonymity anymore.

The security tactic used in Social Media can no longer be risk avoidance, it must be risk mitigation.  We manage how much damage can be done to us because we may no longer assume our systems are invulnerable.  Protect yourself, protect your future and protect your family.

Cross-posted from To Inform is to Influence

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.